The following piece, written by the Hogan Lovells privacy team, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on December 16. The post, Outlook for State Data Security Laws: More Than Breach Notification, is reprinted in its entirety below with permission from the IAPP.
Is data security legislation coming to a state near you? With data breaches continuing to make the headlines, 60 Minutes reporting that breaches are inevitable and federal legislation seeming unlikely, consumers and advocates may press state lawmakers to address data security. We have already seen state data breach notification laws proliferate following California’s enactment of the first such law in 2002. We may see data security laws spread in a similar fashion. In this post, we look at current and proposed state data security laws and consider their potential impact.
At least 31 states have already established laws regulating the secure destruction or disposal of personal information. And at least 12 states—Arkansas, California, Connecticut, Florida, Indiana, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas and Utah—have imposed broader data security requirements. Some states, such as California and Indiana, impose the general requirement that organizations implement and maintain reasonable safeguards to protect personal information from unauthorized disclosure or use. Other states, such as Nevada and Massachusetts, impose more granular requirements. Nevada requires organizations that collect payment data to comply with the PCI Data Security Standard. Massachusetts regulations require organizations to implement and maintain written data security programs that include specific requirements, including oversight of third-party service providers, risk assessments and imposing discipline for violations of security policies.
This year, the New York State Assembly is considering legislation (A. 10190) that would impose prescriptive Massachusetts-like data security requirements. In fact the proposed legislation is similar to the Massachusetts regulations in many ways. The New York bill requires businesses processing personal information to adopt comprehensive information security programs implementing administrative, technical, and physical safeguards. Businesses must designate one or more employees to maintain information security programs and identify and assess reasonably foreseeable information security risks. The bill requires businesses to take reasonable steps to select third-party service providers that are capable of maintaining appropriate security measures and contractually require those service providers to adopt such measures. The bill also imposes requirements relating to secure physical storage of data, annual security reviews and a mandate that actions taken in connection with security breaches are documented.
The New York bill differs from the Massachusetts law in an important respect, however. It establishes separate requirements for companies that maintain, but do not own, computerized data, distinguishing between entities that have broad rights to data; i.e., companies that “own” computerized personal information, and those service providers that process or store information only on behalf of data owners; i.e., companies that “maintain” computerized personal information. No such distinction is found in the Massachusetts standard, which expressly applies the same standards to data owners and data maintainers.
The additional requirements for service providers under the proposed New York law include establishing, to the extent feasible, a security system that addresses:
- secure user authentication protocols;
- secure access control measures that assign unique, non-default IDs and passwords to each person with access to systems;
- encrypting personal information that travels across public networks or is transmitted via wireless;
- monitoring systems for unauthorized use of or access to personal information;
- encrypting information stored on portable devices;
- implementing appropriate firewall protections and operating system patches;
- implementing security software that receives regular updates, and
- security education and training.
A. 10190 is still in the early stages of New York’s legislative process, but the bill may be a harbinger of legislation to come, with potentially significant implications for corporate security and compliance resources and budgets. On their face, granular security requirements may appear to establish stronger protections for personal information than do statutes that simply require organizations to implement “reasonable” security measures. However, that perception undervalues the strength of security programs that are designed to meet the reasonableness requirement.
For over a decade, the Federal Trade Commission (FTC) has used its authority under Section 5 of the FTC Act to enforce reasonable security practices. The FTC has taken the position that reasonable practices include:
- authentication controls (including strong password policies);
- encrypting personal information during transmission or when stored on portable devices;
- limiting access to personal information based on job responsibilities;
- secure data disposal and destruction;
- reviewing software and products for vulnerabilities on an ongoing basis;
- overseeing the activities of service providers;
- implementing firewalls and security patches, and
- monitoring for intrusions and unauthorized access to personal information.
Note that the list of reasonable practices closely resembles the granular requirements proposed in the New York legislation. One could therefore question whether a granular set of requirements is necessary to establish enforceable security standards. Moreover, the FTC’s views of what constitutes reasonable security are regularly updated in light of actual matters pursued by the commission, and it would be more difficult to update a statute (although some say that the FTC’s views on data security are difficult to ascertain and could usefully be explained with more detail and regularity).
One could also question whether a granular set of requirements enacted into law will always be sufficient to promote security. For example, consider the New York proposal that service providers implement access control measures that “assign unique identifications and passwords, which are not vendor-supplied default passwords, to each person with computer access that are reasonably designed to maintain the integrity of the security of the access controls.” That can be interpreted as a requirement for organizations to use passwords as a security control, which may seem reasonable. But a growing number of security experts claim that “passwords are dead” and do not provide adequate protections. Whatever the merits of passwords may be, legislation that imposes specific security controls risks harming security if those controls become obsolete or otherwise ineffective.
Another potential drawback of states establishing granular security requirements is that interstate and international organizations may be governed by a patchwork of security standards imposing potentially conflicting obligations. Already, organizations with U.S. operations must navigate various breach notification laws that differ in the types of information protected, the types of incidents that warrant notification and the required content of notifications.
If granular security laws proliferate like breach notification laws have, organizations may soon have to navigate various, and potentially conflicting, data security obligations. The costs of compliance could be substantial. And those costs would ultimately be borne by consumers.