The overwhelming majority of states currently require that persons, companies or other entities that own, license, store or maintain personally identifiable information of an individual provide notice to that individual when the personally identifiable information has been breached.1 These notifications do not come cheap, and, based on prior studies, the average data breach comes with a cost of $54 per lost record in associated notification compliance costs.2 Despite the comprehensive patchwork of breach notification laws designed to protect individuals whose personally identifiable information had been compromised and the associated costs of compliance, major data security breaches are commonplace.
News of employees engaging in the unauthorized review of employee personnel, customer or patient records, stories of stolen or lost laptops containing the names, addresses, Social Security numbers and credit card numbers of customers or employees, and criminal investigations of sophisticated hackers accessing customer or employee information through cyber-piracy serve as a sobering reminder that in the era of digitized personal information and portable electronic devices, data security breaches occur with alarming frequency. Thus, it comes as no surprise that the laws governing personally identifiable information safeguarding and data security breach notification requirements are expanding in scope and stringency as the federal, state and related governmental agencies attempt to respond to this reality and their constituents’ concerns about the protection of personally identifiable information.
Massachusetts, for example, has taken a significant step to address data security — the Massachusetts Office of Consumer Affairs and Business Regulation recently enacted a regulation, effective January 1, 2010, (the “Massachusetts regulation”) setting stricter security standards for the protection of all Massachusetts residents’ personally identifiable information and broader notification requirements for the breach of such information. These standards include specific encryption requirements for all persons that own, license, store or maintain personally identifiable information in both electronic and paper form about Massachusetts residents.3 The use of the term “Massachusetts Resident” in the regulation indicates that any company or entity, whether located in Massachusetts or not, that owns, licenses, stores or maintains a Massachusetts Resident’s personal information is subject to the Massachusetts regulation.4 While many states require pre-breach security measures and post-breach notification requirements to safeguard personally identifiable information, those measures are not as comprehensive as those that will become mandatory under the Massachusetts regulation.5
The U.S. Senate has also responded to the call for additional protections on personally identifiable information, though moving at a much slower pace than Massachusetts. A proposed federal bill sponsored by Sen. Dianne Feinstein (D-CA), titled the Data Breach Notification Act (“Senate Bill 139”), would require all federal agencies and persons engaged in interstate commerce who are in possession of data containing sensitive personally identifiable information to disclose any breach of such information. The federal bill provides that once it is passed into law, it “shall supersede… any provisions of law of any [s]tate relating to notification by a business entity engaged in interstate commerce or an agency of a security breach,” subject to some exceptions for victim protection assistance provided by state laws.6
Most recently, on April 30, 2009, the U.S. House proposed the Data Accountability and Trust Act (“House Bill 2221”),7 which contains certain information security safeguards aimed at protecting computerized data containing personal information and, like Senate Bill 139, requires nationwide data security breach notification in response to a breach.
The Massachusetts regulation and the two proposed federal bills constitute a drastic expansion of security and notification obligations and requirements, and together they are a bellwether for future laws and regulations in the data security management and breach notification areas.8 Therefore, the key requirements of the Massachusetts regulation and the proposed federal bills are discussed in greater depth below to provide a better understanding of how to prepare for the upcoming data security management challenges associated with handling personally identifiable information.
Massachusetts: Written Comprehensive Information Security Program Requirement
The new Massachusetts regulation, 201 CMR §§ 17.01 – 17.04, referred to as the “Standards for the Protection of Personal Information of Residents of the Commonwealth,” provides the minimum standards to be met in connection with the safeguarding of personally identifiable information contained in both paper and electronic records. The regulation requires all persons that own, license, store or maintain personally identifiable information about a Massachusetts resident to develop, implement, maintain and monitor a comprehensive written information security program to safeguard that information.9
The program must be consistent with industry standards, and must contain administrative, technical and physical safeguards to ensure the security and confidentiality of personal information. Although the regulation provides that the scope of the information security program will depend on the size, scope and type of business at issue, the amount of available resources and stored data, and the need for security and confidentiality, the regulation lists specific elements the information security program must contain, including:
(1) designating a specific employee to maintain the information security program,
(2) identifying and assessing reasonably foreseeable internal and external risks,
(3) developing security policies in connection with records that are transported outside the business premises,
(4) imposing disciplinary measures for violations,
(5) preventing terminated employees from accessing records by immediately terminating their access to physical and electronic records,
(6) verifying that third-party service providers adhere to equally stringent security measures,
(7) limiting the amount of sensitive personal information collected and retained,
(8) identifying the electronic media that contain personal information,
(9) placing reasonable restrictions on records containing personal information,
(10) regularly monitoring the information security program,
(11) reviewing the scope of the program at least annually, and
(12) documenting all responsive actions taken.10
The regulation also contains computer system security requirements that require, among other measures, secure user authentication protocols (including control of user IDs and reasonably secure passwords), restricting access to personally identifiable information to those who need it to perform their job duties, education and training for employees, and similar security measures. The regulation also requires, to the extent technically feasible, encrypting all transmitted records containing personal information that will travel across public networks, encrypting all data containing personal information that is transmitted wirelessly, and encrypting all personal information stored on laptops or other portable devices.
The broad implications of the regulation for businesses or entities handling personally identifiable information cannot be overstated. The technical requirements of the regulation go beyond any current state law and will require companies to rewrite their IT playbook and, specifically, their data security management and data breach response plans. Moreover, the fact that the regulation applies to records stored in both paper and electronic form should provide an incentive for those waiting to convert paper records to electronic records. Finally, because the regulation applies to information about employees who are Massachusetts residents, even entities that do not engage in transactions with consumers and are otherwise exempt from the requirements of the Federal Trade Commission’s (“FTC”) Red Flags Rule11 will need to adopt a written comprehensive information security program to meet the standards. These changes are significant, and companies should plan, adopt and test their revised information security programs now, so that those programs meet the regulation’s standards on January 1, 2010.
Federal Data Breach Notification Act
Senate Bill 139, the proposed Federal Data Breach Notification Act, requires any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information to (1) provide notice to any U.S. resident whose information may have been accessed or acquired following the discovery of a security breach; and (2) provide notice to the owner or licensee of any such information that the agency or business does not own or license. As noted above, the federal bill provides that once it is passed into law, it “shall supersede… any provisions of law of any [s]tate relating to notification by a business entity engaged in interstate commerce or an agency of a security breach,” subject to some exceptions for victim protection assistance provided by state laws.12
Senate Bill 139 exempts: (1) agencies and business entities from notification requirements for national security and law enforcement purposes; (2) security breaches where the agency or business conducts a risk assessment that concludes there is no significant risk of resulting harm, provides the results of the risk assessment to the Secret Service and the Secret Service does not respond within 10 days with a written directive requiring notification; and (3) business entities that utilize a security program that blocks the use of sensitive personally identifiable information and provides notice of a breach to affected individuals.
Under certain circumstances, the Secret Service, the FBI, the Postal Inspection Service and State Attorneys General must be notified of the data security breach. Senate Bill 139 includes appropriations for costs incurred by the Secret Service to investigate and conduct risk assessments of security breaches. Certain violations are punishable by civil penalties, and the U.S. Attorney General and State Attorneys General may bring a civil action against any business entity that violates Senate Bill 139. Senate Bill 139 further amends the Fair Credit Reporting Act to require agencies to include a fraud alert in the file of a consumer who submits evidence of compromised financial information to a consumer reporting agency.
The text of Senate Bill 139, as currently drafted, is likely to undergo significant revisions, and as of the date of this alert, the proposed Act had been forwarded to the Senate Committee on the Judiciary. We will issue updated alerts on any major developments in connection with its status as we monitor this situation closely.
Federal Data Accountability and Trust Act
On April 30, 2009, House Bill 2221 was proposed with bipartisan sponsorship in the U.S. House of Representatives. The proposed bill requires the FTC to promulgate regulations requiring each person engaged in interstate commerce that, directly or through a third party, owns or possesses data in electronic format containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information, including destruction of such information. Additionally, the proposed bill contains data security breach notification requirements applicable to any person engaged in interstate commerce that owns or possesses data in electronic format containing personal information.
House Bill 2221’s notification requirements are largely similar to those currently in force in most states, with some substantive modifications. The bill requires notices of a data breach to be sent to all affected U.S. citizens or residents and to the FTC. If health information is breached, the Secretary of Health and Human Services is to be notified. The bill also contains special provisions, not otherwise found in state laws, for telecommunications carriers, cable operators, information services and interactive computer service providers. Notifications are to be made in written form or, under certain circumstances, by email, as is currently permitted in most states. The notification must contain a description of the personal information acquired, a summary of the recipient’s rights to free credit reports, and contact information for the company sending the notices, the credit reporting bureaus and the FTC.
Importantly, House Bill 2221, as proposed, has several major limitations that are similar to limits already in existence in current laws and regulations. First, it exempts from the notification requirement persons who determine that there is no reasonable risk of identity theft, fraud, or other unlawful conduct resulting from the breach. Second, the bill provides that encryption of data in electronic form, and other technologies the FTC may later identify, establishes a presumption that no reasonable risk of identity theft, fraud or other unlawful conduct exists following a breach. The presumption may be rebutted by facts showing that the encryption may be compromised.
House Bill 2221, as proposed, grants enforcement authority to the FTC, and grants state attorneys general the right to bring civil actions against violators, with penalties up to $5,000,000.
As the law of privacy and data security continues to evolve, it becomes clear that holders and users of personally identifiable information will need to plan ahead to meet the challenges posed by a continuously evolving legal and regulatory landscape.