state data breach laws - a national patchwork quilt


Upload: rochester-security-summit

Post on 16-Apr-2017


Page 1: State Data Breach Laws - A National Patchwork Quilt

Allison Dolan
Program Director, Protecting Personally Identifiable Information
Massachusetts Institute of Technology

State Data Breach Laws

….A National Patchwork Quilt

Page 2: State Data Breach Laws - A National Patchwork Quilt

Rochester Security Summit 2010

Presentation Overview

• Breach law history
• Massachusetts and other states
• What’s on the horizon

10/21/2010

Page 3: State Data Breach Laws - A National Patchwork Quilt


Key Take-aways

• Laws and regulations continue to abound – and are becoming more proscriptive
• Know what state(s) are relevant
• Know what industry(s) are relevant
• Know what processes you have


Page 4: State Data Breach Laws - A National Patchwork Quilt


Laws & Regulations

• FERPA - Family Educational Rights and Privacy Act
• Gramm-Leach-Bliley Act
• HIPAA - Health Insurance Portability and Accountability Act
• FACTA/Red Flags Rule
• PCI DSS - Payment Card Industry Data Security Standards
• HITECH Act - Health Information Technology for Economic and Clinical Health
• State data breach laws, regulations


Page 5: State Data Breach Laws - A National Patchwork Quilt


State Laws

• 2002 – California SB-1386 – consumer notification if unauthorized access to unencrypted electronic records with personal information
• 2005 – New York data breach law GBL 899-aa
• 2007 – Massachusetts MGL 93H/I
  - 39th state with breach law; 5th to include paper
  - 1st to require “written information security program”
• 2007 – California AB 1298 added medical and health insurance information to definition of PI
• 2010 – 47 states, Puerto Rico, Virgin Islands, DC, NYC with laws


Page 6: State Data Breach Laws - A National Patchwork Quilt


Massachusetts Data Breach Law (M.G.L. c.93H & 93I)

• Personal information (PI) = last name (with first name or initial), along with one or more of Social Security Number; Driver’s License # or Mass. ID#; Financial Account # or Credit/Debit Card #
• Defines obligations re: notification, if paper or electronic files exposed (irrespective of encryption)
• Includes what must be in notification letter
• When destroyed, must be done such that PI cannot be practicably read or reconstructed
• Data protection regulations initially issued 9/08; ultimately effective 3/1/2010


Page 7: State Data Breach Laws - A National Patchwork Quilt


Massachusetts Data Protection Regulations (201 CMR 17)

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

If you have Personal Information, then you have a “duty to protect” and need to follow “standards to protect”, including:

• “Develop, implement, maintain and monitor a …written information security program” (WISP)
• Limit access and ensure user authentication & authorization
• “Oversee” 3rd parties
• Encrypt transmitted records and personal information stored on laptops or other portable devices
• Maintain up-to-date versions of system security including malware protection, patches and virus definitions
• …plus other requirements


Page 8: State Data Breach Laws - A National Patchwork Quilt


Massachusetts Data Protection Regulations Evolution

• Office of Consumer Affairs and Business Regulation promulgated regulations; Attorney General responsible for enforcement
• Draft regulations 2/08
  - Included technical detail for encryption requirements
  - A lot of feedback
• Issued 9/08, with 1/1/09 effective date
  - No technical requirements for encryption
  - “Certification” of 3rd parties
  - Implied requirement to inventory PI
  - Standards were ‘one size fits all’


Page 9: State Data Breach Laws - A National Patchwork Quilt


Massachusetts Data Protection Regulations Evolution cont’d

• 4 postponements with revisions
  - Added emphasis on risk based approach – small business with little PI have different risk than large company
  - Made more explicit that ‘written program’ could consist of compilation of existing written policies/practices
  - Need to “oversee” 3rd parties by taking “reasonable steps” to ensure 3rd party can protect information
  - Entire IT section prefaced with “to the extent technically feasible”


Page 10: State Data Breach Laws - A National Patchwork Quilt


California redux

• 2007 – AB 1298 added medical information and health insurance information to the definition of PI
• 2010 – SB 1166
  - Additional information in notification letters, including:
    - Type of personal information exposed
    - Description of incident, including date
    - Steps organization is taking to protect individuals
    - Steps consumers can take to protect themselves, including contact information for credit reporting agencies
  - Breach affecting >500 must review notification letter with AG


Page 11: State Data Breach Laws - A National Patchwork Quilt


State comparisons

• All(?) focus on state residents (not company residence)
• Most focus on electronic records; few include paper/other media
• Most include SSN, Driver’s License/state issued id, CCN, financial account numbers; some limit only if PID/PIN included
• Some include mother’s maiden name, date-of-birth, etc.
• Many exempt ‘protected’ or encrypted records


Page 12: State Data Breach Laws - A National Patchwork Quilt


State comparisons

• State agency notification varies – e.g. AG, others, none
• Template for notification letter varies – e.g., some require details of breach (when, how, #), others preclude details
• Timeframe varies – “without unreasonable delay”, “5 days”; often exception for police investigation
• Harm threshold varies – no threshold thru “reasonably believed to have been acquired by an unauthorized person”
• Quantity threshold varies – 1 to 1,000 (also, maximum for personal notification)
• Penalties vary, some with maximums
• Private right to action varies


Page 13: State Data Breach Laws - A National Patchwork Quilt


Federal Trends

• HITECH (2/2009)
  - Notification requirements for HIPAA Covered Entities and Business Associates
  - National database
  - HHS AND State AG enforcement
• Data Breach Notification Act (introduced 1/2009)
  - Authorize AG to bring civil action if notification did not occur
  - Extends notification requirement to government agencies
• Personal Data Privacy and Security Act (introduced 7/2009)
  - Set criminal penalties for willful concealment of breach
  - Require preventative security standards


Page 14: State Data Breach Laws - A National Patchwork Quilt


Federal Trends

• 2010 Data Security Act SB 3579 (2007, reintroduced 7/2010)
  - Preempt state laws; modeled after GLBA; establish “appropriate standards” for administrative, technical and physical data protection
• Data Security and Breach Notification Act of 2010 S.3742
  - Require protection of PI (FTC to set national standards)
  - Require notification within 60 days
  - Require offering 2 years of credit protection
  - Up to $5 million in civil penalties
  - Exemption for entities covered by FCRA


Page 15: State Data Breach Laws - A National Patchwork Quilt


In Our Future?

• More European-style controls?
• More items to be protected?
  - Photographs
  - Biometrics
  - IP addresses
• More contractual requirements between organizations?
• More definition of how information is to be protected?


Page 16: State Data Breach Laws - A National Patchwork Quilt


Summary

• Know the state(s) represented in your business (employees, customers, vendors, affiliates)
• Know the industry(s) represented in your business (health, insurance, finance, retail)
• Know the major business processes (HR, procurement, finance, business operations)
• You are prepared when
  - new laws enacted
  - business processes change
  - company changes (acquisition, divestiture, etc.)


Page 17: State Data Breach Laws - A National Patchwork Quilt


Quiz

Following examples from http://www.idtheftcenter.org/artman2/publish/itrc-news/Notification_Roulette.shtml

1. Paperwork containing personal and financial information was found littering the streets of Buffalo, New York. The customer records were from Rent-a-Center. Do they have to notify you?

2. In Arizona, thousands of pages of sensitive information reportedly disposed of by The Vine Tavern and Eatery contained people’s names, Social Security numbers and dates of birth from restaurant applications, as well as checks with banking information and also credit card receipts with full card numbers from Vine customers. The receipts revealed a person’s entire credit card number.

3. Over 40,000 intact patient records containing personal and medical information were found in a pile described as 20’ long by 20’ wide at Georgetown Transfer Station in Massachusetts. The records, from four hospitals, had reportedly been dumped there by the medical billing service they had used.

4. An unknown number of canceled checks bearing Social Security and bank account numbers of Rockland, Massachusetts town employees are missing after wind knocked them from a loaded recycling truck.

5. Approximately 30,000 estimated tax payments with checks wound up in the San Francisco Bay after the truck transporting them to the Internal Revenue Service was involved in an accident and wind blew the mail into the bay.

6. Boxes with 1,590 patient records from a Charlotte, North Carolina psychologist’s practice were left at a county recycling facility because the psychologist’s sons mistakenly took the wrong boxes to be recycled. The records contained patient names, contact information, Social Security numbers, credit card numbers and medical histories.


Page 18: State Data Breach Laws - A National Patchwork Quilt


Quiz

7. In Illinois, hundreds of sensitive documents that were provided to the law firm of Robert J. Semrad & Associates, also known as DebtStoppers USA, ended up in a trash bin in an area the firm shares with other businesses. The “Client Information Sheets” contained Social Security numbers, full names and addresses, driver’s license numbers and signed debit card authorizations.

8. 75 legal files were found in a dumpster off Interstate 10 near Boerne, Texas. The files, which included people’s names, addresses, bank accounts, social security numbers, driver license numbers, and birth dates, belonged to attorney David Naworski, who readily acknowledged throwing them away unshredded and said he was unaware of any state law on disposal.

9. Three small file boxes full of decade-old personal records belonging to customers of the First Federal Savings Bank were found near a residential street in Bryan, Texas. The bank had apparently closed its doors under that name around 2002 and has been acquired by several banks since then. The current owner says that they never assumed ownership of those bank records.

10. Credit-card numbers from 17,000 guests at the Emily Morgan Hotel in San Antonio were stolen and used in a three-state shopping spree. Officials say the suspects used stacks of stolen credit-card receipts from a storage room at the hotel in 2006.

11. The University of Florida discovered that 2,047 people had their Social Security or Medicaid identification numbers included on address labels affixed to letters inviting them to participate in a research study. The letters were sent through the U.S. Postal Service on May 24, and the information also was shared with a telephone survey company.

12. In Maryland, Montgomery County’s Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors’ yards over the past few months. The exposed internal documents contained patient conditions, names and Social Security numbers.


Page 19: State Data Breach Laws - A National Patchwork Quilt


Resources

• Map and other state/Canadian info: http://www.nymity.com/About_Nymity/Nymity_Maps.aspx
• privacylaw.proskauer.com/articles/security-breach-notification-l/
• Summary of state data breach requirements: www.perkinscoie.com/news/pubs_detail.aspx?publication=26596137-b74f-4b68-8063-93f996f233e9
• List of state breach statutes: www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/OverviewSecurityBreaches/tabid/13481/Default.aspx
• www.ncsl.org/Default.aspx?TabId=13489
• "Intersections - Data Breach Consumer Notification Guide” details each state's law, 118 pages; contact info: www.intersections.com 888.283.1725 [email protected]
• www.sb-1386.com/Guide to CA regulations
• Breach notification letters: datalossdb.org/incident_highlights/34-data-breach-notification-letters
• NY Guide to handling PII: www.nysconsumer.gov/pdf/protecting/information_privacy/the_new_york_business_guide_to_privacy.pdf
• Summary of US privacy laws (undated): www.bbbonline.org/understandingprivacy/library/fed_statePrivLaws.pdf


Page 20: State Data Breach Laws - A National Patchwork Quilt


Questions/other follow-up? Feel free to contact: Allison Dolan, [email protected], 617.252.1461


Page 21: State Data Breach Laws - A National Patchwork Quilt


Places to look for PII/SSN - Employee Processes

• Job Applications
• Background checks
• New hire paperwork - I-9, Federal/State tax withholding, benefit enrollment, other new hire forms
• Payroll, timecards, paychecks, direct deposit forms; wage garnishing requests
• Ongoing benefit and 401(k) processes
• Status changes (e.g. marriage)
• Worker’s compensation, medical leave form
• Employee loan programs
• Specialized certifications (e.g., nurse, engineer)
• Special requirements (e.g. top secret clearance, confidentiality agreement, employment contracts)
• Employee reporting (e.g. annual reviews)
• Union reporting


Page 22: State Data Breach Laws - A National Patchwork Quilt


Places to look for PII/SSN - Customer Processes

• Services that require customer’s PII - e.g., banking and financial services, education services, car rentals, tax preparations, accounting, etc.
• Products/services with check and/or credit card payments
• Services that require PII of others - e.g., 401(k) administrators, benefit providers, underwriters, claim administrators
• Services that may involve access to PII of others - e.g., backup service providers, shredding services, IT application developers and system admins, custodians


Page 23: State Data Breach Laws - A National Patchwork Quilt


Places to look for PII/SSN - Financial Processes

• Vendor files/vendor payments - e.g., independent contractors
• Employee reimbursements (look at form used to request reimbursements, as well as backup to request)
• Honorarium
• Employee awards
• Customer rewards, awards, or payments
• Other payments - e.g., payments to ‘one-off’ vendors, research subjects, casual labor
• Taxes
• State or federal government reporting - corporation reports, real estate transactions
• Financial reporting - SEC


Page 24: State Data Breach Laws - A National Patchwork Quilt


Places to look for PII/SSN - Miscellaneous Processes

• State visits
• Any service that predates non-SSN organizational id (e.g. library, parking, travel, conference attendance)
• Insurance (beneficiaries)
• Legal (subpoenas, court records, etc.)
• Audit (if PII part of the process that was audited)
• Research grants (pre-2009)
• Medicare
• Internal medical
• System backups
• Paper archives
• Printing/scanning with devices that retain information
• PCs after ‘delete trash’; prior to deployment
• Email
