Information Security Breach Notification Laws: Understand, Prepare, and React


By Daniel I. Didier



Introduction

In February 2005, ChoicePoint, a California-based corporation that collects and compiles consumer information, disclosed that it had been the victim of a security breach involving the sale of personal information of almost 145,000 individuals to a criminal enterprise.  The company disclosed the breach, as required by California’s Notice of Security Breach law enacted in 2002, only to residents of California.  However, the company later disclosed that residents of other states may also have been affected by the breach. [1]

ChoicePoint is a single example among many organizations that have experienced a breach of private consumer information.  As reported by the Privacy Rights Clearinghouse, since November 2005 more than 234 million personal records have been exposed. [2]   In addition, the Identity Theft Resource Center reports that more than 8 million personal records were exposed in a total of 167 breaches during the first quarter of 2008.  This is more than double the 76 breaches reported in the first quarter of 2007. [3]

As a result of the high-profile ChoicePoint breach and the continued rise in computer crime, security breach legislation was considered in at least 35 states in 2005 alone.  As of June 20, 2008, at least 44 states, the District of Columbia and Puerto Rico have enacted legislation requiring notification of security breaches involving personal information. [4]

This paper is designed to help organizations understand the core elements of information security breach notification laws.  It will also provide recommendations as to how an organization should prepare for a potential security breach in accordance with applicable legislation.

 

Breach Notification Overview

Information security breach notification laws are generally based on the format originally established in California’s Notice of Security Breach law.  The laws typically apply to both state entities and private businesses and require notification of unauthorized access to private computerized information.

Breach Determination

The definition of a breach varies slightly from state to state, but generally the statute is triggered when the following information is breached, or is reasonably believed to have been acquired by an unauthorized person:

  • Personal Information: Any information concerning a natural person that can identify that person (for example, name), and
  • Private Information: Any personal information, if unencrypted or no longer encrypted, in combination with any one of the following: SSN; driver’s license or non-driver ID number; or an account, credit or debit card number together with any security code, access code, or password that would permit access to an individual’s financial account
  • Publicly available information is excluded [5]

If an organization suspects a breach has occurred and wishes to qualify the scenario further before notifying law enforcement, the following points can be considered:

  • The law is only applicable to computerized data, not paper records.
  • Has there been unauthorized acquisition, or acquisition without valid authorization?
  • Has the security, confidentiality, or integrity of the personal information been breached?
  • Good faith acquisition of data for the purposes of the entity is not a breach. [6]
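The breach-determination test summarized above, written out as triage logic.  This is an added example, not part of the original paper; it encodes the New York-style definition the text describes (personal information plus at least one sensitive element, unencrypted, not publicly available, computerized, and not a good-faith internal acquisition).  The field names and sample records are constructed for illustration, and the statute of each applicable state must be consulted before relying on any outcome.

```python
"""Triage helper for the 'private information' breach-determination test.

Constructed example: field names are assumptions, not statutory terms.
"""
from dataclasses import dataclass, field

# Elements that, combined with personal information, are private information on their own.
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "non_driver_id"}
# Financial account identifiers only count together with a credential
# that would permit access to the account.
ACCOUNT_ELEMENTS = {"account_number", "credit_card", "debit_card"}
ACCOUNT_CREDENTIALS = {"security_code", "access_code", "password"}


@dataclass
class ExposedRecord:
    identifies_person: bool                      # personal information present (e.g. name)
    elements: set = field(default_factory=set)   # data elements exposed alongside it
    encrypted: bool = False                      # still encrypted at time of exposure
    publicly_available: bool = False             # already lawfully public
    computerized: bool = True                    # the law covers computerized data only
    good_faith_internal: bool = False            # acquired in good faith for the entity's purposes


def is_private_information(rec: ExposedRecord) -> bool:
    """True if the exposed elements meet the private-information definition."""
    if not rec.identifies_person or rec.encrypted or rec.publicly_available:
        return False
    if rec.elements & STANDALONE_ELEMENTS:
        return True
    # An account or card number alone is not enough; a matching credential is required.
    return bool(rec.elements & ACCOUNT_ELEMENTS) and bool(rec.elements & ACCOUNT_CREDENTIALS)


def notification_triggered(rec: ExposedRecord) -> bool:
    """Apply the qualifying points (computerized data, not good-faith internal access),
    then the private-information test."""
    if not rec.computerized or rec.good_faith_internal:
        return False
    return is_private_information(rec)


if __name__ == "__main__":
    # Constructed sample: a name plus a card number with its security code, unencrypted.
    sample = ExposedRecord(True, {"credit_card", "security_code"})
    print("notification triggered:", notification_triggered(sample))
```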

To determine the specific laws that apply to an organization based on state, a number of resources exist:

Once the determination has been made that a breach has occurred, a breach notification form must be filled out in accordance with the corresponding state requirements.  Organizations with a national footprint must interpret and respond to each state’s breach and notification law as it applies in that state.  As the specific requirements vary from state to state, this can be a complicated process.  For this reason, it is important to develop a breach notification plan, as discussed later in this paper.

Notification

If a breach has occurred, the breached entity must notify each individual whose information is, or is reasonably believed to have been, breached.  Typically, a written notice is required for the breach disclosure.  In some cases, organizations can use electronic notice if express consent to this method was previously granted.  In addition, telephone notice may be permissible if a log of the call is kept.  The contents of a breach notification must include:

  • The contact information for the entity generating the notice
  • A description of the categories of information that were or are reasonably believed to have been breached, including what elements of private information (for example, SSN) were acquired.
  • A notice may also contain other information not required by statute, such as the date and a description of the event and what the individual can do to protect himself (for example, by obtaining a fraud alert or credit freeze to prevent identity theft). [7]

Timing

While a definitive amount of time isn’t typically specified, the notification must occur “in the most expedient time possible and without unreasonable delay”.  However, if law enforcement requires additional time to fully investigate the scenario, a delay is allowed. [8]

 

Repercussions of Failure to Comply with Breach Notification Law

Failure to comply with breach notification law may result in an inquiry from the Federal Trade Commission (FTC).  Once an FTC inquiry has commenced, an in-depth review of the organization’s complete privacy and security practices will typically follow.  The FTC has become increasingly active in cases involving identity theft.  Recently, settlements with organizations such as DSW, BJ’s Wholesale, and ChoicePoint have cited various deficiencies in information security practices and safeguards, and as a result the FTC has mandated corrective action. [9]

Once the FTC becomes involved in corrective action, it may institute long-term involvement and ongoing audits to ensure compliance with the changes mandated as a result of the initial investigation.  If the organization fails to maintain the mandated changes, additional fines and investigations may result.

 

Developing a Breach Notification Plan

A breach notification plan should establish organizational procedures for responding to a breach.  Before developing a plan, an organization must first perform a comprehensive review of applicable law.  Only after fully understanding all of the laws that apply can a breach notification plan be developed.  An acceptable plan includes four basic elements:

  • A dedicated incident response team
  • An initial assessment plan
  • A notification plan
  • An internal and external communication plan [10]

An initial assessment plan should include the following:

  • An investigation of the incident conducted under the direction of legal counsel
  • A process to identify and execute corrective measures to prevent further exploitation of the discovered vulnerability (for example, closing the hole that was used to gain access to the data)
  • An assessment of the type of data and its origin to identify applicable law
  • An assessment of the facts to determine whether notifications are required
  • A process to implement the notification and communication plans
  • A pre-written notification and considerations for who will be the identified sender [11]

 

Conclusion

As the likelihood of an information security breach continues to increase, organizations must not only defend against these attacks but also prepare to comply with information security breach and notification laws.  This includes performing a comprehensive review of applicable state laws and developing a breach notification plan.  Organizations that operate in multiple states must interpret the respective state laws and react accordingly.  In doing so, an organization can limit legal liability and ensure compliance with applicable information security breach and notification laws.  In addition, further analysis, involvement, and fines by the FTC can be limited in the event of a breach.


[1] "2005 Security Breach Legislation." National Conference of State Legislatures. http://www.ncsl.org/programs/lis/cip/priv/breach05.htm (accessed July 26, 2008).

[2] "Privacy Rights Clearinghouse." Privacy Rights Clearinghouse. http://www.privacyrights.org/index.htm (accessed July 26, 2008).

[3] "The Identity Theft Resource Center Reports That Data Breaches More Than Doubled in...." Reuters.com. http://www.reuters.com/article/pressRelease/idUS126479+02-Apr-2008+PRN20080402 (accessed July 26, 2008).

[4] "State Security Breach Notification Laws." National Conference of State Legislatures. http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm (accessed July 26, 2008).

[5] New York State General Business Law § 899-aa.

[6] Smith, Thomas. "NYS Security Breach Legislation." NYS Information Security Breach and Notification Act, Albany, NY, June 4, 2008.

[7] Ibid.

[8] Ibid.

[9] Campbell, Robin. "Compliance with Information Security Breach Notification Laws: Prevention & Mitigation Strategies." American Health Lawyers Association (2007), http://www.crowell.com/documen

[10] Raether Jr., Ronald. "Security before and after a data breach." Business Law Today 16 (2006), http://www.abanet.org/buslaw/blt/2006

[11] Ibid.


Daniel I. Didier - Information Assurance / Information Security Consultant

Information Systems Security (INFOSEC) Professional
Cisco Certified Security Professional CCSP
Cisco Technology Solution Specialist TSS
Cisco Advanced Security Field Specialist ASFE
Cisco Certified Network Administrator CCNA



NetSecureIA
Secure Network Design and Information Assurance Consulting