Complying with breach notification laws


Marc J. Zwillinger and Jacqueline Sadker
07.19.2005



Learn the general requirements of breach notification laws modeled after the California Security Breach Information Act and strategies for compliance.

From hundreds of thousands of Social Security numbers obtained through a compromise of ChoicePoint's database to an estimated forty million credit cards compromised by a CardSystems hacker, the publicity surrounding breaches of sensitive personal information in 2005 has been unprecedented. Much of this publicity can be traced to California's revolutionary breach notification law, which required ChoicePoint to notify California residents when the sensitive personal information of several hundred thousand individuals had been compromised. To date, 16 additional states have passed some form of breach notification law (see sidebar). This article takes a closer look at the California Security Breach Information Act (SB-1386) and its state counterparts, discussing the entities covered by the laws and suggesting how businesses should comply.

What's required by breach notification laws?

The California law and its state counterparts require companies to notify state residents whenever their unencrypted personal information is reasonably believed to have been obtained by an unauthorized person. This covers incidents as simple as the theft of a laptop or BlackBerry and as troubling as penetration by a hacker. These laws apply to any person or business that conducts business within a U.S. state and that maintains computerized data about its residents, such as customer information or employee records. Moreover, the security breach need not occur within the state for that state's statute to apply; all that matters is that the personal data of a resident of that state is compromised. Like California's, several of the new state laws require notification whenever a breach occurs, even if no harm is likely to result.

Breach notification laws

To date, 17 U.S. states have passed breach notification laws:

  • Arkansas
  • California
  • Connecticut
  • Delaware
  • Florida
  • Georgia
  • Illinois
  • Indiana
  • Louisiana
  • Maine
  • Minnesota
  • Montana
  • Nevada
  • North Dakota
  • Tennessee
  • Texas
  • Washington

Under the law, "personal information" generally means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social Security number, (2) driver's license number or state ID card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.

The law generally provides that notice may be given in writing, by e-mail, or by substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of persons to be notified exceeds $500,000. The substitute notice requirements, at least in California, are quite burdensome and can require a company to post the notice conspicuously on its Web site and to notify major statewide media. To escape these more stringent requirements, companies that have adopted their own notification programs as part of a larger information security protocol can follow their own plans, provided they give notice promptly using whatever method their plans specify.

Strategies for compliance

  • Identify systems containing personal information and enhance mechanisms to detect unauthorized conduct on networks. Because breach notification statutes are triggered when personal information is compromised, organizations should identify the systems on which such data is stored and enhance the means used, such as logging capabilities, to detect when a breach has occurred.

  • Encrypt personal information. The majority of the state statutes only require notification if a breach compromises unencrypted personal information. Organizations that encrypt personal information will not only better protect consumers but also avoid onerous notification obligations.


  • Amend the incident response plan to require that key decision-makers are immediately alerted when breaches are detected. Because the statutes are likely triggered as soon as the IT department detects an intrusion, organizations should ensure that incident response plans provide for timely reporting of incidents to those responsible for making notification decisions.

  • Adopt a corporate incident response policy that provides for notification. As noted, the statutes are modeled on California's law and generally provide more flexibility when "a person or business maintains its own notification procedures as part of an information security policy for the treatment of personal information." Companies now have significant incentive to develop their own form of incident response plans.

  • Ensure that third-party contracts involving the transfer of personal data include appropriate information security provisions. Breach notification laws provide no exception for data that is compromised while in the possession of a third party. Organizations should ensure that their contracts require vendors and subcontractors to give immediate notification of suspected breaches, and allow the organization both to participate in the investigation of incidents and to exercise control over decisions regarding external reporting.

    About the authors
    The authors, Marc J. Zwillinger and Jacqueline Sadker, are attorneys in the Information Security and Internet Enforcement practice group at Sonnenschein Nath & Rosenthal, and provide advice and counsel on preventing, minimizing and recovering losses from cybercrime to some of the nation's leading financial institutions and consumer companies. Mr. Zwillinger chairs the group and is a former cybercrime prosecutor with DOJ.

