Texas AG: Business Must Implement and Maintain Reasonable Cybersecurity Safeguards

Texas AG - Reasonable Cybersecurity

Go here to read: Texas Businesses Must Implement and Maintain Reasonable Cybersecurity Safeguards According to State Attorney General

National data breach notification law pros and cons? What do you think?

What are the pros and cons of a national breach notification law?

That is the topic of a discussion among Chief Information Security Officers that I will be moderating for the National Technology Security Coalition (NTSC) CISO Policy Roundtable tomorrow (4/3/17). My goal is to keep my own comments to a minimum, ask good questions, and let the CISOs share their real-world knowledge.

Comments are open so please share your thoughts on this issue. Specifically,

  • What are the questions that need to be asked to facilitate this discussion?
  • What are the critical points that need to be made?

 

Here are a few resources that I found helpful in my research on this issue:

Insider Misuse of Computers: No Big Deal? It Can Be a Data Breach, Ask Boeing

Insider misuse triggers a breach just like outside hackers.

When a company’s information is compromised because of insider[1] misuse of computers or information, regardless of insider’s intentions, the result for the company and the data subjects of that information is often the same as if it were an attack by an outside adversary – it is a data breach.

Boeing’s insider-triggered data breach.

A Boeing employee emailed his spouse an internal company document containing personally identifiable information for about 36,000 co-workers to get help with formatting the document. His intentions were noble and innocent, he wanted to do a good job on the document and believed his spouse could help. The outcome was much different.

See: Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies

Because the sensitive data on its employees left Boeing’s “control” when it passed from an employee to a non-employee, it triggered a data breach. As a result, Boeing had to go through the breach notification process by notifying the 36,000 employees affected, providing them with two years of complimentary credit monitoring services, and notify the attorneys general of Washington, California, North Carolina, and Massachusetts. Read the full story here: Boeing discloses 36,000-employee data breach after email to spouse for help

Why was this a data breach?

In this analysis, you start with the data itself. Was the confidentiality, integrity, or availability of the data compromised? When a company collects, stores, or processes data, it is responsible for the safe keeping of that data, wherever it may be (yes, even if the company entrusts it to another for safekeeping, the company is still responsible). Generally speaking, when that company has employees, contractors, or other workers performing services on its behalf -– insiders — they are treated as being within the company’s control and legal protections of that data and their access to, possession, and use of that data is still within the legal fiction of being within company control. The confidentiality of that data is still intact as long as they are acting within the scope of their permissible role.

Insiders exceeding limitations of access and use of information may trigger breach.

When insiders exceed the boundaries that have been placed upon them by accessing, possessing, or using that data in a manner that is unauthorized by the company, it may result in a data breach, depending upon the particular facts of how it is used, the nature of the data, the type of industry, and any regulatory framework that may apply to that industry. For example, in the healthcare context the HIPAA Privacy Rule would almost certainly classify such a situation as an unlawful use or disclosure, triggering a data breach by the company.

Insiders keeping company information after termination of employment is almost certainly a breach.

When insiders take sensitive company data outside of the company, it will almost certainly trigger a data breach for the company. The most obvious example of this is an employee that retains company data after that employee is no longer employed by the company. Once the employment relationship terminates, the employee’s basic duties to the company also terminate and, unless there is some contractual extension of those duties, the employee possessing that information is no different than the spouse of the Boeing employee possessing the information – it is no longer within the legal fiction of “protections” of the company that maintain its confidentiality. In other words, its confidentiality has now been compromised.

Texas’ breach notification law is triggered by insider misuse.

In most cases, determining whether a breach has occurred will depend on the breach notification laws for the particular jurisdiction where the company does business and where the data subjects of that information reside.[2]

What is a breach of system security under Texas law?

The Texas breach notification law, Breach of Security of Computerized Data,[3] requires any company that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

A “’breach of system security’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”[4]

Regarding insiders, the law specifically states that “[g]ood faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.”[5] In other words, if an insider is authorized to access company SPI for a valid business purpose, and does so, but later uses or discloses that information in an unauthorized manner, it is a data breach under the Texas breach notification statute.

What is sensitive personal information under Texas law?

What is often referred to as personally identifiable information is defined by the Texas data breach notification law as “sensitive personal information” (SPI). The law has a fairly detailed definition of SPI that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Does an employee’s unauthorized taking of company data to use for working for a competitor trigger a data breach under Texas law?

Consider a common scenario in the business world, with a few extra twists for emphasis:

  1. An employee who has had access to and worked with her employer’s customer database containing detailed information and SPI decides to leave the company.
  2. Because she has done most of the work in building up the customer database, she believes she is entitled to have a copy of it for herself so, before giving her notice or actually terminating her employment, she copies the customer database to her personal Dropbox account and saves it to a USB thumb drive.
  3. She then gives her notice, terminates her employment, and goes to work for a competitor.
  4. Once she starts work, she looks for the database but discovers that she lost the USB drive, which was unencrypted, so she downloads the customer database from her Dropbox folder, which also happens to be an openly “shared” folder, freely accessible by anyone on the Internet because she is an amateur photographer and it contains the images she uses to display her work on her blog.
  5. She then begins using her former employer’s customer database without telling her new employer but she does secretly upload the database to her new employer’s computer network.

Texas Broadens Unauthorized Access of Computer Law to Specifically Address Insider Misuse

3 Key Takeaways About Texas’ Unauthorized Access Law

What do you think, data breach or no data breach? In the hypothetical, at which step do you think there became a problem, if any? Please share your answer and reasoning in the comments – this one should be fun!

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

[1] The term “insiders” is often used to refer to “privileged users,” that is, users who have at least some rights, or privileges, to access and use the computers whereas the term “outsiders” refers to users who do not have any access rights, or privileges, to access the computers whatsoever. See Shawn E. Tuma, In Search of the Golden Mean: Examining the Impact of the President’s Proposed Changes to the CFAA on Combatting Insider Misuse, 18 SMU Sci. & Tech. L. Rev. 3, p.4 (2015).

[2] See Shawn E. Tuma, Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies, Cybersecurity Business Law (2016).

[3] Breach of Security of Computerized Data, Texas Bus. & Comm. Code § 521.053.

[4] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).

[5] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).

Two Step Data Breach Risk Test for Texas Businesses

What is a data breach under Texas law?
What is a data breach under Texas law? Hint: it doesn’t take much!

Does your business have this digital information about other people?

1. last name + first name or first initial +

social security number, driver’s license number, or other government issued identification, or

account or card numbers + access codes,

or

2. information that identifies an individual + concerns a health condition or healthcare 

If you answered “yes” to either of those two questions, your business is at risk of a data breach.

That information is called “Sensitive Personal Information” (SPI) under Texas law. If that SPI is taken, accessed, or its confidentiality or integrity is compromised, your business must give proper notification to all of the individual data subjects whose SPI was compromised. Because that SPI is entrusted to your business for safe keeping, a compromise can be something as simple as one of your employees taking copies of the SPI with her when she leaves to go work for a competitor, since that SPI is no longer secure within your business, but is now disclosed to another business.

The penalty for failing to notify the data subjects of the breach is up to $100.00 per individual per day for the time the notification is delayed but cannot exceed $250,000 for a single breach.

If the SPI is encrypted, however, there is no data breach unless the one who obtains the SPI has access to the decryption key.

You can read more about Texas’ Data Breach Notification Law in this post and the text of the actual statute titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code..

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 of

 

e Texas Business and Com

Texas’ Amended Data Breach Notification Law

Texas amended its existing data breach notification law which became effective on September 1, 2012. The relevant section of the law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that at that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure notify?

Section 521.151 of the law provides for a penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time but is not to exceed $250,000 for a single breach.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.