IST 432 Legal & Regulatory Environment of IST PDF

Uploaded by IdyllicConnemara5613

Tags

data breaches legal compliance information security breach notification

Summary

This document covers state laws designed to protect citizen information and regulate breach notification procedures. It details concepts such as the history of state privacy protection laws, state data breach notification, state regulation of privacy and information security, state encryption regulations, and state data disposal regulations. The document includes case studies and examples.

Full Transcript

IST 432 LEGAL AND REGULATORY ENVIRONMENT OF IST
CHAPTER 9: State Laws Protecting Citizen Information and Breach Notification Laws
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com

Learning Objective(s) and Key Concepts

Learning Objective(s):
- Describe state legal compliance laws addressing breach notification.

Key Concepts:
- History of state privacy protection laws
- State data breach notification
- State regulation of privacy and information security
- State encryption regulations
- State data disposal regulations

ChoicePoint Data Breach
- ChoicePoint was a data broker
- Databases contained public information and names, addresses, Social Security numbers, credit history, DNA information
- Breach in late 2004; disclosed in February 2005, notified 35,000 California residents
- ChoicePoint data breach spurred creation of data breach notification laws in many states

Breach Notification Regulations
- California Database Security Breach Notification Act
- First breach notification law
- Enacted on July 1, 2003
- Purpose is to give California residents timely information to protect themselves
- Serves as model for other states

California Breach Notification Act
Who Must Comply? Any entity storing info on California residents:
- State agencies
- Businesses
- Nonprofit organizations
- Private organizations

Other Breach Notification Laws
State laws differ in how they address:
- Activities that constitute a breach
- The time for notifying residents
- Requirements that a notification contain certain types of information
- Minimum requirements for encryption
- Civil or criminal penalties for failing to notify affected people

Activities That Constitute a Breach
- California law applies to unauthorized acquisition of unencrypted personal information
- If attackers access the data, the law’s notification requirements are triggered
- Under Ohio law, residents must be notified if the security breach reasonably causes a material risk of identity theft or other fraud to the resident
- Risk of harm can be a future risk of harm

Time for Notification
- Under California breach notification law, entities must give notice in the most expedient time possible without unreasonable delay
- A majority of states follow the California approach
- Some states require that entities give notice within a certain period
- Ohio law requires notification be given to state residents in the most expedient time possible
- Law also states that entities must give this notice no later than 45 days after the discovery of the breach
- Florida has a similar requirement and requires notification within 30 days

Contents of Notification
- Some states, such as Alaska, do not specify types of information that should be included in a notice of a data breach
- Growing trend is to specify the types of information that should be included in a notice
- Ensures that residents get enough information to protect themselves
- North Carolina law requires that notice be given in a “clear and conspicuous” form; easily understandable

Encryption Requirements
- California law provides an encryption safe harbor
- Entities do not need to give notice of a breach if the personal information in their computer system was encrypted
- Does not specify the lowest level of encryption needed to use the safe harbor, nor industry standards
- Other states also provide an encryption safe harbor
- Most do not specify a minimum level of encryption
- Some states do specify the encryption standards required to take advantage of the safe harbor
- Example: Massachusetts defines encryption as the use of a 128-bit or higher algorithmic process to transform data

Penalties for Failure to Notify
- Some states impose penalties for violations of their breach notification laws
- Texas:
  - Can assess a fine against an entity that does not notify affected people
  - An entity can be fined at least $2,000 for a violation
  - Fine cannot be larger than $50,000 for a single violation
- Other states have more complicated penalty structures, such as Florida (see next slide)

Florida Fine Structure for Failure to Give Notification
(Figure; the fine table is not reproduced in the transcript.)

Private Cause of Action
- California law does not assess penalties against an entity that does not follow the notification law
- It does allow a person a private cause of action against those entities
- People can sue the private entity for any damages they have because they did not receive notification in a timely manner
- Other states, such as Alaska, Maryland, and South Carolina, allow a private cause of action
- Most states do not

Breach Notification Decision Tree
(Figure; the decision tree is not reproduced in the transcript.)

Data-Specific Security and Privacy Regulations
- Minnesota and Nevada: Require businesses to comply with Payment Card Industry standards
- Indiana: Limits SSN use and disclosure
- California: California Consumer Privacy Act (CCPA) governs the protection of personal information collected by businesses

Encryption Regulations
- Massachusetts: “Standards for the Protection of Personal Information of Residents of the Commonwealth”
- Nevada: Data collectors must use encryption when transmitting personal information outside of their business network

Data Disposal Regulations
- Washington: Health and financial data must be destroyed when no longer needed; law applies to any person or entity in the state
- New York: No person or business may dispose of a record containing “personal identifying information” without shredding, destroying, or modifying it

Case Studies and Examples: Public Sector
- U.S. Department of Veterans Affairs (VA): Employee took home an unencrypted laptop and external hard drive containing personal information of every veteran discharged since 1975
- Congress created the Veterans Affairs Information Security Act of 2006 in response to the breach
- The law requires the VA to create a comprehensive information security program
- It also required the VA to create breach notification regulations, which were issued in April 2008

Chapter 9 Summary
- History of state privacy protection laws
- State data breach notification
- State regulation of privacy and information security
- State encryption regulations
- State data disposal regulations
