Preparing for a Data Breach 3 - SCCE Official Site

Page 1

Preparing for a Data Breach: Navigating the Rocky Shoals of U.S. Data Breach Laws

Deanie Reh, Consultant, Special Counsel-Phoenix

602-881-4164, [email protected]

Security First

The first and best rule of handling a data breach is not to have one

• Upgrade security of your data to the highest degree possible

• Include hard copy procedures and electronic procedures when evaluating your data security

• Reference the PCI SSC Data Security Standards regarding payment card security

• Closely monitored security procedures will make it easier to identify, define the scope of, and handle a data breach

• Insist that your vendors follow strict security protocols

• Train employees about data security and enforce data retention and security policies

• Consider de-identification of data

Page 2

It Isn’t If, but When

Believing that you won’t ever need to deal with a data breach is like an ostrich sticking its head into the sand . . .

Just Waiting to be Kicked in the Keister

Page 3

The Many-Headed Hydra

Laws That Govern Data Breaches?

• Forty-six state legislatures, Guam, Puerto Rico, and the Virgin Islands have passed laws addressing data security breaches.

• HIPAA/HITECH for health plans, clearing houses and providers, and business associates

• Federal Agencies are governed by the OMB Breach Notification Policy

• Gramm-Leach-Bliley Act applies to financial institutions

Page 4

Laws That Govern Data Breaches?

Although there are similarities between some of the laws, there are many disparities. Businesses that engage in interstate commerce must therefore comply with a myriad of notification provisions, depending upon where their consumers live and on whether they are governed by specific federal laws.

If You are a Government Agency

• Most states cover government agencies in the general notification law. Agencies generally include universities.

• Some states, for example North Carolina, exclude government agencies or designated government agencies from some or all aspects of the law.

Page 5

If You are a Government Agency

• Separate obligations/rules may pertain to government agencies, for example:

• AK – specific civil penalties for state or local agencies that fail to notify (excluded judiciary)

• AZ, MA – agencies (in AZ, certain designated agencies) must maintain privacy and/or notification policies

• CT, FL, IN – laws generally exclude agencies from penalties (exception may exist for private contractors who provide services to the agency)

• GA, NV – law applies to “data collector” defined as a state agency

Drafting a Procedures Document

• Do it now – before a breach. Figuring it out during a crisis would be incredibly risky and difficult.

• It should be more of a step-by-step instructional guide.

• There are too many moving parts to leave them to chance – make it painfully detailed.

• That does not mean that you will need a set of procedures for every separate law – identify the common denominators.

Page 6

Suggestions

• Look up all the laws and copy them into a separate document. That way you don’t have to go back and forth to multiple resources.

• Make spreadsheets of salient points for even quicker references.

• What may be helpful:

  o Text of all statutes copied into one document with a TOC linked to text

  o Spreadsheet of general facets of each statutory scheme

  o Spreadsheet of state notice provisions

Example of a General Spreadsheet

Page 7

Example of Notice Provisions Spreadsheet

Prerequisites

If at all possible, become compliant with 15 U.S.C. § 7001

• The consumer must affirmatively consent, and consent must not be withdrawn

• Must inform the consumer of the: (1) right to withdraw, and the fees that would apply; (2) right to have the record provided or made available on paper or in nonelectronic form

Page 8

• Must inform the consumer of whether the consent applies: (1) only to the particular transaction which gave rise to the obligation to provide the record, or (2) to identified categories of records that may be provided or made available during the course of the parties' relationship

• Must provide the procedures the consumer must use to withdraw consent and to update contact information

• Must inform the consumer of the procedures to obtain a paper copy of an electronic record, and whether any fee will be charged for such copy

• Prior to consenting, the consumer must be provided with a statement of the hardware and software requirements for access to and retention of the electronic records

• The consumer consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent

• Notify the customer of any changes in hardware or software requirements

Page 9

Prerequisites

• Establish a relationship with a company to provide credit monitoring.

• Establish a relationship with a company that can do mass mailings.

• Establish a relationship with a company that can maintain a toll-free hotline.

• Consider data breach insurance.

In Case of Breach, Put the Fire Out First

Page 10

First Response Issues

• Make sure you are notified of the breach immediately by technical staff.

• Remediation - do whatever is necessary to stop the bleeding and restore security, including shutting down services (make sure you have the authority to do this or don’t need to give notice to someone).

• Determine the scope of the breach (must rely on IT professionals).

First Response Issues

• Have a basic law enforcement template prepared.

• Determine if law enforcement should be involved.

• An appropriate national law enforcement agency might be the Secret Service Electronic Crimes Task Force (“ECTF”) http://www.secretservice.gov/ectf.shtml

• The ECTF says that they would like all breaches reported, but there may be reasons why that is ill-advised.

• One of the main objectives of contacting law enforcement is to determine if public notice would hamper an investigation, and if so, get that statement in writing and ask for an end date and CALENDAR IT.

• All states allow for a delay of notification if law enforcement requests it.

Page 11

First Response Issues

• Making a public announcement:

  o Be very careful; consult with your legal and public relations advisors first;

  o Could impact investigation;

  o Could be premature.

• Set up a hotline (toll-free if at all possible) – you may need it.

Determining the Scope

• Was information accessed and/or acquired?

• Was the breach due to the loss or theft of a mobile device?

• Was the accessed information personal information?

Page 12

“Personal Information” generally means any data that, if accessed or acquired by an unauthorized party, poses a threat to identity theft or other criminal activity, including a person’s social security number or first and last name when associated with other individual-specific information, such as: an individual’s date of birth; mother’s maiden name; financial or utility account, credit card, or debit card numbers; driver’s license number or any other identification or license number; electronic identification number, including tax identification number or employee identification number; access code (such as a PIN or password); biometric information; fingerprints; medical information; health insurance information; home or work address; or birth, marriage or divorce certificates.

Determining the Scope

• Was the information that was accessed internal information or customer information?

• Was information relating to the customers of customers accessed?

• Was the information that was accessed encrypted?

• If encrypted, was the encryption key corrupted, accessed or also acquired?

• If not encrypted, was the information redacted or otherwise rendered unreadable or unusable?

Page 13

In-Depth Investigation

• Identification of customers or other individuals impacted.

• Identification of the exact nature of the information compromised.

• Identification of the location by state or country (political subdivision) of all persons affected.

• Quantification of the numbers of persons affected in each political subdivision.

• Identification of the primary email contact and/or mail address information for each person affected.

• Identification of the cause, scope, and remedial action taken to address the security incident.

Delay of Notification

• To determine the scope of the incident.

• To restore the integrity of the system.

• To comply with a law enforcement request.

• To identify the individuals affected or determine contact info (this reason is only explicitly allowed in 12 states, but it could arguably fit within “determining the scope of the incident”).

Page 14

Assessment

• Eliminate non-breaches

  o If accessed material was encrypted or rendered unreadable – no breach in any state (but check the accepted methods of obfuscation)

  o If there was no access, acquisition, or compromise of the security, confidentiality or integrity of PI, there may not be a breach (under Connecticut, Hawaii, Mississippi, North Carolina, North Dakota and Wisconsin law, access alone constitutes a breach, regardless of the effect of that access)

  o If no harm can result (all states but California, Illinois, Minnesota, Nevada, New York, North Dakota, Puerto Rico, Tennessee, Texas, Virgin Islands and Washington D.C.)

Assessment

• Eliminate non-breaches

  o No multi-person database accessed – no notification necessary for Arizona, Guam, Michigan, Oklahoma, Pennsylvania, Virginia, and West Virginia residents.

  o If information accessed is generally publicly available in federal, state, or local government records, or in widely-distributed media or other lawful sources (phone directories) – no breach. (Alaska, Puerto Rico and Rhode Island do not have this exemption.)

Page 15

Assessment

• In states where no data breach law exists or applies:

  o Alabama, New Mexico, Kentucky, South Dakota

• Georgia’s data breach law only applies to “data collectors” (defined as governmental entities) or “information brokers” (defined as those entities that collect data for the purpose of furnishing information to non-affiliated third parties).

• Notification may still be advisable under state consumer protection laws.

• Also, the FTC may pursue data breaches and failure to notify as “unfair and deceptive trade practices”.

HIPAA/HITECH

• No longer has “harm threshold.”

• Breach is now presumed: any unauthorized access or use is reportable, and a “risk assessment” must then be performed for every single incident to determine whether there is a reasonable likelihood that PHI has been compromised.

• Risk assessment must be documented, using 4 factors: nature of PHI accessed; the identity of the unauthorized person; was PHI actually acquired or viewed; the extent to which risk has been mitigated.

Page 16

HIPAA Risk Assessment

• Nature of information: Sensitive? Financial or clinical? Detailed? Could it be used by the unauthorized recipient in an adverse way (harm)?

• Recipient: Under obligations of privacy already? Can the person reconstruct de-identified info?

• Actually viewed: Circumstances of recovery. Lost laptop not viewed? May require a forensic analysis.

• Mitigation: Get assurance that recipient will not use or disclose, and document why that assurance is reliable. Remote locking of lost devices? Encryption (approved by HHS) or password protected?

Notification to Customers

• One template can be used for all states except Illinois, Maryland, Massachusetts, and North Carolina, which have peculiarities not found in other states. Leave out any reference to getting credit reports from Consumer Reporting Agencies in notices to Montana residents.

• Notification to a state agency should precede customer notification in New Hampshire, New Jersey, and Puerto Rico. (It is implied that state agency notice will precede customer notification in Maryland and Missouri).

Page 17

Exemptions Under State Law

Most states have whole or partial exemptions for entities that have to comply

with other federal or state data breach notification laws

• Gramm-Leach-Bliley Act

• HIPAA/HITECH

• Other state or federal regulation

Notification to Customers

• Include the toll free number for the hotline.

• When identity can’t be determined, notice would go to all customers who could have been affected.

• Customer of customers – duty is to notify customer (except in Rhode Island)

• Notification to customers must be within 45 days of discovery of the incident in Florida, Vermont and Wisconsin (subject to law enforcement delay).

• In Ohio, notification to customers must be within 45 days of the date of the incident.
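As an added example (not from the slides), the non-breach elimination rules in the Assessment section and the 45-day customer-notification deadlines above, encoded as a triage helper in Python. The state lists are transcribed from the slides and the sample incident is constructed; both are assumptions to be checked against current statutes before use.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# State lists transcribed from the slides (assumptions; verify against current law).
ACCESS_ALONE_IS_BREACH = {"CT", "HI", "MS", "NC", "ND", "WI"}       # access = breach
NO_HARM_EXCEPTION = {"CA", "IL", "MN", "NV", "NY", "ND", "PR", "TN", "TX", "VI", "DC"}
MULTI_PERSON_DB_REQUIRED = {"AZ", "GU", "MI", "OK", "PA", "VA", "WV"}
NO_PUBLIC_RECORD_EXEMPTION = {"AK", "PR", "RI"}
NO_BREACH_LAW = {"AL", "NM", "KY", "SD"}
DEADLINE_FROM_DISCOVERY = {"FL", "VT", "WI"}                        # 45 days
DEADLINE_FROM_INCIDENT = {"OH"}                                     # 45 days

@dataclass
class Incident:
    accessed: bool             # was PI accessed at all?
    acquired: bool             # was PI actually taken?
    encrypted: bool            # encrypted or otherwise unreadable?
    key_compromised: bool      # if encrypted, was the key also taken?
    harm_possible: bool        # could harm to the individuals result?
    multi_person_db: bool      # was a multi-person database involved?
    public_record_only: bool   # data generally available in public records?
    discovered: date
    occurred: date
    le_delay_until: Optional[date] = None  # calendared end of a law-enforcement delay

def assess(inc: Incident, state: str) -> tuple:
    """Return (notify, reason) for residents of one state, following the slide order."""
    if state in NO_BREACH_LAW:
        return False, "no state breach law; consider consumer-protection law and FTC"
    if inc.encrypted and not inc.key_compromised:
        return False, "encrypted with key intact: no breach in any state"
    if not inc.accessed:
        return False, "no access to PI"
    if inc.public_record_only and state not in NO_PUBLIC_RECORD_EXEMPTION:
        return False, "publicly available records exemption"
    if not inc.multi_person_db and state in MULTI_PERSON_DB_REQUIRED:
        return False, "no multi-person database accessed"
    if state in ACCESS_ALONE_IS_BREACH:
        return True, "access alone constitutes a breach"
    if not inc.acquired:
        return False, "accessed but not acquired: document the determination"
    if not inc.harm_possible and state not in NO_HARM_EXCEPTION:
        return False, "no harm can result: document; check whether the state must be told"
    return True, "notification required"

def deadline(inc: Incident, state: str) -> Optional[date]:
    """Statutory 45-day deadline where the slides give one, pushed out by any LE delay."""
    if state in DEADLINE_FROM_DISCOVERY:
        due = inc.discovered + timedelta(days=45)
    elif state in DEADLINE_FROM_INCIDENT:
        due = inc.occurred + timedelta(days=45)
    else:
        return None
    return max(due, inc.le_delay_until) if inc.le_delay_until else due

# Constructed sample: unencrypted customer records viewed but not exfiltrated.
SAMPLE = Incident(True, False, False, False, False, True, False,
                  discovered=date(2024, 1, 10), occurred=date(2024, 1, 1))
```

Run `assess(SAMPLE, st)` and `deadline(SAMPLE, st)` for each state where affected residents live to get a first-pass worklist for counsel to review.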

Page 18

Notification to State Agencies

• Lots of variations here, but here are some of the peculiarities or things to look for:

  o Not all states require it (18 do). Include a sample customer notice with the agency notice.

  o Some of the requirements depend on the number of affected parties (e.g., if more than 500 residents are affected, the California AG must be notified).

  o Target agencies vary: AG, Department of Consumer Affairs, State Police, etc. (There is more than one agency recipient in Massachusetts, New York, and North Carolina.)

Notification to State Agencies

• More peculiarities:

  o New York and North Carolina require that specific forms be filled out in addition to a letter notice.

  o Louisiana has a prescribed template according to its Administrative Code.

  o The required content has common denominators, but some variation. A basic template can be used for most agency notices, except for Louisiana, Massachusetts, New York, New Jersey (which should follow a law enforcement notice template), and North Carolina.

Page 19

Notification of Credit Reporting Agencies (CRAs)

• Variations in requirements

• 30 states require notification to CRAs

• General template can be used for all states, except Michigan, which requires that a specific form be used.

• Oregon requires that a police report number be included if there is one.

• Triggers are varied, but dependent on number of residents affected (500, 1000, 5000 or 10000)

Method of Notice

• Written notice acceptable in all states

• Email acceptable in AK, AZ, CO, IN, IA, MD, MN, MS, NH, OH, OK, PA, VA, WI, WY

• Email acceptable if compliant with 15 U.S.C.A. § 7001 (or customer has consented to email) in AR, CA, CT, DE, FL, GA, HI, ID, IL, KS, LA, ME, MA, MI, MO, MT, NE, NV, NJ, NY, NC, ND, OR, PR, RI, SC, TN, TX, UT, VT, VA, WV

Page 20

Method of Notice

• Telephone is acceptable in Guam, HI, ID, IN, MD, MI, MS, MO, MT, NE, NH, NY, NC, OH, OK, OR, PA, SC, TX, UT, VT, VA, WV.

• FAX is acceptable in Indiana and general publication is acceptable in Utah.

• Wisconsin allows any method that is reasonably calculated to provide actual notice.

Page 21

Record Keeping

• If it is determined that no harm will ensue, this must be documented, and some states require that it be sent to a designated state agency or that the state agency be involved in the determination.

• Keep all records for 5 years to satisfy all states.

Questions?