Senate Committee Approves Data Security Bills Creating Federal Data Security Program, Breach Notification Requirements: Criminal and Civil Penalties Give Proposed Law Real Teeth

On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today.

S. 1490, introduced by Sen. Patrick Leahy (D-Vt.), would preempt most state data security laws. The bill would mandate the implementation of a comprehensive data security program by all businesses maintaining personally identifiable information (PII) of 10,000 or more individuals not currently required to do so by certain federal laws (such as GLBA for those maintaining financial information and HIPAA for those maintaining health information). Covered businesses would be required to conduct an internal data security risk assessment, adopt controls to reasonably manage these risks and to detect security breaches, and conduct regular vulnerability testing and reassessment to ensure their program is appropriately managing risks.

The bill would also create a federal data breach notification requirement, preempting the variety of state laws that today cause compliance headaches for those that experience such a breach. The bill's provisions mirror most of the common themes of the state laws, including that breaches must be reported "without unreasonable delay" except as necessary for law enforcement or national security purposes, and that, in addition to the affected individuals, notification must be made to prominent media in all states in which the information of 5,000 or more individuals is reasonably believed to have been breached. Like some of the state laws, the bill contains a "risk of harm" threshold, exempting notification in situations in which it is determined that there exists no significant risk that the breach will result in harm (subject to the Secret Service's approval of that determination). The use of effective encryption, redaction, or other industry-standard controls would create a statutory presumption that no harm is likely to occur from a breach.

Among other provisions, the bill would:

  • create a federal crime for intentionally and willfully "concealing" a breach of PII that one has an obligation to report;
  • ask the U.S. Sentencing Commission to reevaluate criminal penalties associated with the theft or unauthorized access of PII;
  • subject data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and notifying individuals when a third party takes adverse action against them based on the PII furnished; and
  • require federal contractors to meet certain data security requirements.

Notably, the House Energy and Commerce Committee passed a bill, H.R. 2221, containing a number of similar provisions, including those pertaining to the security program, breach notification, and data brokers. The second Senate bill, S. 139, introduced by Sen. Dianne Feinstein (D-Calif.), would create a federal data breach notification requirement largely mirroring that of S. 1490 and would also preempt state data breach requirements. S. 1490 passed 14-5; S. 139 passed 14-2.

The civil penalties associated with a failure to comply with these bills would be substantial. Failure to institute a comprehensive security program would result in a fine of up to $5,000 per violation per day (double for willful violations) with a cap of $500,000 per violation, and failure to timely notify required parties of a reportable breach could lead to a penalty of up to $1,000 per day per individual whose PII was breached (doubled for willful violations), with a cap of $1,000,000 per violation. Violations of the data broker provisions could elicit penalties of $1,000 per violation per day, with a cap of $250,000 that would double with willful violations. In addition to the federal government (in some cases, the FTC was explicitly named), state Attorneys General would be granted the authority to enforce these laws on behalf of their affected residents.

Chances of this bill coming to a vote before the full Senate in the near term are slim, especially with health care and appropriations at the forefront of the legislative agenda and relatively few days left in the current session. Nevertheless, this is not the first data security legislation introduced in Congress, and given the thought and detail put into crafting these bills, the committee endorsement, the number of co-sponsors, and the increasing prevalence of identity theft and other relevant issues, such a law has a better-than-ever chance of coming into force at some point.

Latest Revision of Massachusetts Data Security Regulations Attempts to Increase Flexibility

On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (“Massachusetts Standards”), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (“FAQs”) to clarify the regulators’ views on issues that may not have been entirely clear in the text of the rules. The revisions are intended to increase the flexibility of the regulations in a manner that will reduce burdens on entities subject to the Massachusetts Standards, particularly small and mid-sized businesses.

Notable among the revisions are the attempts by the OCABR to: (1) introduce a more risk-based approach to the comprehensive information security programs required by the Massachusetts Standards; (2) implement a “technical feasibility” test for required technological controls; and (3) adopt a technology neutral approach to data encryption. While these initiatives should assuage some of the concerns previously expressed by the private sector, the ultimate practical impact remains in doubt.

Risk-Based Approach

While the OCABR press release and FAQs heavily emphasize the position that the revised Massachusetts Standards take a more risk-based approach to compliance, the changes are not readily apparent. Previous iterations of the Massachusetts Standards were similarly scalable based on the unique circumstances of each covered entity. The prior versions of the regulations stated that the required information security program would be evaluated by the Commonwealth based on the: (a) size and type of the covered business; (b) resources available to the covered business; (c) amount of stored data; and (d) need for security and confidentiality of the personal information. Although that provision has been removed, the revised regulations state that the required information security program should implement safeguards that are appropriate to the same four factors listed above. This change may make the scalability of the regulations slightly more straightforward, but appears to have little impact on the practical considerations of compliance.

Technical Feasibility

Entities subject to the Massachusetts Standards are now only required to implement technical safeguards that are “technically feasible.” Unfortunately, the definition of technically feasible provided in the FAQs (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides little practical guidance. Nonetheless, subsequent portions of the FAQs provide additional insight into the Commonwealth’s intentions. The FAQs note that: “there is little, if any, generally accepted encryption technology for most portable devices ….” On the other hand, the FAQs unequivocally state that there is technology available to encrypt laptops. As a practical matter, it may be reasonable to conclude that covered entities are not expected to adopt cutting edge technologies to satisfy their obligations. Only “generally accepted” technology is expected.

However, the absence of generally accepted technological controls does not absolve businesses of all obligation to protect personal information. When there is no feasible technical control, the OCABR clearly expects covered entities to take reasonable alternative steps to protect personal information. For example, the FAQs recommend that:

  • if encryption of backup tapes is not technically feasible, entities should take reasonable steps to physically protect the personal information stored on the tapes, such as using an armored vehicle service to transport tapes containing unencrypted personal information;
  • a secure, password-protected website should be used to conduct transactions involving personal information if encryption of email is not technically feasible; and
  • personal information should not be stored on portable devices, such as smart phones, for which there is no generally accepted encryption technology.

Accordingly, businesses should carefully consider available administrative and physical security options when dealing with provisions of the Massachusetts Standards that do not appear to be technically feasible.

Technology-Neutral Encryption Requirement

In an attempt to ensure that the Massachusetts Standards remain flexible enough to adjust to the evolution of technology, the definition of encryption has been revised to make it slightly more technology neutral. Past versions of the Massachusetts Standards expressly required that encryption involve an algorithmic process. The August 17th revisions eliminated this requirement. This change is unlikely to have any significant effect in the foreseeable future.

In fact, it is not yet clear what OCABR’s intentions were in this instance. While there is no formally accepted mathematical definition of the term “algorithm,” the word is generally taken to mean a process involving a specific sequence of actions. Encryption and decryption are quintessential examples of algorithmic processes. These functions require a specific series of actions in order to transform readily understandable information into a form that is difficult to understand and, when an authorized recipient receives the information, to transform it back into readily understandable information. It is difficult to conceive of a method of encryption that would not involve an algorithmic process. Even methods of concealing information that are traditionally outside the scope of cryptography, such as steganography, typically involve the use of a sequence of specific actions to protect and recover information.

It is possible that OCABR wished to avoid contentious litigation over the meaning of algorithm in the absence of a formal mathematical definition. Nevertheless, businesses should expect to use generally accepted, industry standard algorithmic encryption technology for the foreseeable future in order to ensure compliance with the Massachusetts Standards.

Businesses Should Continue to Monitor Developments

As this is the third version of the Massachusetts Standards to be issued since the regulations were declared “final,” further adjustments in the future cannot be ruled out. The OCABR has scheduled a public hearing for September 22, 2009, and will be accepting written comments up to September 25, 2009. Persuasive arguments presented by both consumer advocates and the private sector may lead to further refinements of the regulations before the current effective date of March 1, 2010.