
Thursday, February 4, 2010

Data breach disclosure in the USA: An emerging framework around data security

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, PCI QSA, CISSP, CISA, CISM, BS 7799 Lead Auditor

On July 1, 2003, the ground-breaking California Security Breach Notification Law went into effect.  For the first time, organizations were forced to reveal a security breach and report the potential acquisition of personal information by unauthorized entities.

Today, while 45 states have data breach notification laws, none of the laws are identical. This leaves companies struggling to comply with requirements that vary from state to state, such as the notification period and any exclusions for encrypted data or paper-based records. Defining sensitive data and knowing where sensitive data resides remain challenging for organizations. While many states are taking steps to develop laws, we still lack a cohesive national law that applies across the board.

Here is what some states are doing:

The original law from California focused on identity information – name and social security number, driver’s license number or financial account number.  The California legislature expanded its law to also include breaches of medical data.  That expansion became effective Jan. 1, 2009, and other states have followed suit.  In the first five months of 2009, California authorities were notified of 823 healthcare data breaches.

California demands reasonable security measures to be in place to prevent loss or theft of personal data, but there is no prescriptive definition of what constitutes “reasonable security.”  Similar legislation has appeared in other states, including Massachusetts.

Massachusetts moved to introduce an even tougher law around data loss prevention and gave prescriptive shape to what other laws define only loosely as reasonable security. Objections to Massachusetts’s 201 CMR 17 have been raised about the cost involved, especially for small companies that need to comply with the security controls required by this legislation. The law has been delayed three times, and the underlying concern has been that the security controls are too onerous for small companies. Every organization that collects, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

Most recently, in October 2008, Nevada became the first U.S. state to enact a law that specifically requires encryption for all external electronic transfers of customers’ personal information.  The requirement for encryption was a move away from the standard non-prescriptive requirements of most of the disclosure laws, which generally require organizations to implement reasonable security measures.  The move by Nevada and Massachusetts to define required security controls will in all likelihood be imitated by other states.  It is likely the same domino effect that happened with disclosure laws will be repeated with data loss prevention legislation.

The liability involved in losing personal details can be intimidating. Legal action involving the FTC has cost companies six figures in penalties, and Visa, MasterCard and AMEX can also impose six-figure penalties. In addition, there can be legal action from state Attorneys General, and the cost of notification rises each year. In the wake of the seemingly endless stream of breaches, it is becoming more complex to comply with the increasing range of laws designed to enforce stricter security controls around the storage of personal data.

In the United States, there have been several attempts to unify the patchwork of state laws, but not one of these attempts to introduce a national law has been successfully passed in the Senate.  A national data breach notification bill was passed in the U.S. House of Representatives on December 8, 2009, and will be enforced by the FTC.  However, concerns have been raised about the lack of jurisdiction the FTC has to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and nonprofit organizations.

I have no doubt that in 2010, we will see the introduction of a federal law surrounding data disclosure. A federal law will help ease the compliance burden by unifying requirements, though ensuring the law has teeth may be challenging. Generally, federal laws tend to be less onerous than state laws and may in fact result in less stringent requirements.

And I believe that data loss prevention laws — laws that require organizations to have security controls in place as a condition of collecting personal data — will become a hotly debated topic internationally.  Increasing legislation around security controls and private data will grow in the face of the increasing number of breaches worldwide.
