
US Private Sector Privacy Chapter 07 Data Breachp1.pdf


Document Details


Georgia Institute of Technology

2024

Tags

data privacy cybersecurity information security

Full Transcript


MGT 6727 (Spring Semester 2024) at Georgia Tech
Chapter 7 – as of 02/12/2024
© IAPP

NOT FOR DISSEMINATION: The materials in this course are provided only for the personal use of students in this class in association with this class.

CHAPTER 7
State Data Breach Notification Laws, State Data Security Laws, & State Data Destruction Laws

Security, September 8, 2022: “A data breach of student loan servicer Nelnet Servicing (Nelnet) has affected over 2.5 million student loan borrowers throughout the United States. The breach … compromised the names, addresses, email addresses, phone numbers and Social Security numbers of borrowers. … Nelnet reported … that they had discovered a vulnerability believed to be the source of the breach.” [1]

HIPAA Journal, September 1, 2022: “The number of individuals affected by the ransomware attack on the Hartland, WI-based mailing and printing vendor [for various healthcare companies], OneTouchPoint, has now increased to 2,651,396 individuals. … Customers have reported the breach as involving names, subscriber ID numbers, diagnoses, medications, addresses, dates of birth, sexes, physician demographics information, family histories, social histories, allergies, vitals, immunizations, and other information.” [2]

Business Insider, April 3, 2021: “The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses. … A Facebook spokesperson told Insider that the data had been scraped because of a vulnerability that the company patched in 2019.” [3]

Reuters, February 14, 2021: “A hacking campaign, … likely orchestrated by Russia, breached software made by SolarWinds Corp., giving hackers access to thousands of companies and government offices that used its products. … The breach could have compromised up to 18,000 SolarWinds customers that used the company’s Orion network monitoring software.” [4]

As these examples show, companies across a variety of industries collect and process large amounts of personal data. When companies store large amounts of data, this data can become a target for bad actors – creating significant cybersecurity challenges. Of particular importance in this book about privacy regulation, problems with cybersecurity can lead to data being accessed and (mis)used in ways not intended or agreed to by the user. When unauthorized persons do gain access to this data, data breach notification laws are triggered.

The spread of state data breach notification laws to all 50 states over the last two decades has had a major impact on private-sector information security practices. When breaches occur, top management often focuses intensively on information management practices, discussed in Chapter 4 [Information Management]. In many instances, the budget and visibility increase for information security activities in the wake of a breach. Similarly, concerns about the possibility of data breaches, with the resulting negative publicity, financial penalties, and other effects, provide an important incentive for companies to develop strong information security practices. While significant differences remain among the state laws, the end result today is that entities processing personal data in the United States are compelled to disclose data breaches in an expeditious manner. [5]

This chapter begins with a discussion of the state data breach notification laws. An overview of the material provisions of the laws in all 50 states is provided. Because California has been an innovator in this area, enacting the first state data breach law in 2003 and recently becoming the first state to provide consumers with the ability to recover a set amount of money when their data is compromised in a data breach, pertinent details of California’s legal framework are also highlighted. [6] Recognizing that regulators may review whether entities used reasonable data security measures and data destruction policies in the wake of a data breach, the chapter also reviews state data security laws that are designed to help prevent data breaches as well as state data destruction laws that are enacted to prevent breaches at the end of the data life cycle.

It is worth noting that, although both state comprehensive privacy laws [7] and state data breach notification laws define “personal information,” the definitions in these laws may differ significantly. This is primarily because the laws are focused on different protections. State comprehensive privacy laws intend to limit what authorized entities are properly able to do with an individual’s data. State data breach notification laws put protections in place in an effort to avoid instances where an unauthorized user can misuse an individual’s data – such as for purposes of fraud or identity theft. [8] For privacy practitioners, the landscape at the state level can be complex – with multiple types of state laws, and accompanying requirements, in place.

7.1 State Data Breach Notification Laws

With all 50 states having implemented data breach notification laws and California having enacted a provision that permits consumers to recover a set amount of money for the unauthorized release of certain personal information, these state laws can result in significant enforcement actions by state attorneys general as well as notable class action settlements in those states that permit a private right of action. [9] Privacy practitioners should be prepared to assist companies in developing policies to comply with the various requirements of these laws as well as to help coordinate responses in the event of breaches.

7.1.1 Lack of Federal Data Breach Law

With massive, high-profile data breaches making the front pages, calls for a uniform federal data breach law have been ongoing for decades. [10] These discussions began at the national level in 2003, when Senator Dianne Feinstein of California introduced the first federal breach notification bill. Over the years, numerous comprehensive federal data breach notification laws have been considered by Congress. As of the writing of this book, no comprehensive federal law with data breach notification requirements has been enacted. [11] Reaching consensus on such a law is difficult: privacy advocates have generally supported approaches that would match federal law to the strictest state laws, while businesses have generally supported a federal law with fewer regulatory requirements as well as preemption of stricter state laws.

7.1.2 Components of State Breach Notification Laws

In the absence of a federal law, states have taken the lead in setting requirements related to data breaches. These laws create important incentives for companies to develop good information security practices. Companies that operate nationally must comply with all 50 state data breach laws. [12]

When examining these state laws, it is important to realize that state data breach notification laws generally contain the same basic topics:
- Key terms, such as the definition of personal information (meaning the specific data elements that trigger reporting requirements), the definition of what entities are covered, and the definition of a security breach (including whether an analysis of risk of harm is permitted)
- Notification requirements, including whom to notify, when to notify affected parties, what to include in the notification letter to affected parties, how to notify affected parties, when to notify state attorneys general or state agencies, when notice is required to credit reporting agencies, whether exceptions may exist to the obligation to notify, and when notification may be delayed
- Enforcement, such as penalties and private rights of action [13]

Each of the following subsections highlights trends common among the majority of states and details states whose requirements are outliers. Because California’s recently enacted comprehensive privacy framework (discussed in Chapter 6) includes a provision which permits consumers to recover a set amount of money for certain data breaches, pertinent parts of California’s legal framework are detailed here.

7.1.2.1 Key Terms

For data breach notification laws, it is important to focus on definitions of key terms when assessing the applicability of these state laws. Three key terms discussed below are “personal information,” “covered entities,” and “security breach.”

7.1.2.1.1 Personal Information

The definition of personal information found in the majority of state data breach notification laws includes an individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; [14] (2) driver’s license number or state identification card number; or (3) financial account number or credit or debit card number, often in combination with any required security code, access code, or password that would permit access to an individual’s financial account. [15] Approximately two-thirds of the states include additional elements in the definition of personal information. [16] These include medical and healthcare information, any federal or state identification number, unique biometric data, tax information, and mother’s maiden name. [17] Almost all states exclude publicly available information from the definition of personal information. [18]

7.1.2.1.2 Covered Entities

In most states, covered entities who are subject to these state laws include those:
1) who conduct business in the state; AND
2) who, in the ordinary course of such person’s business, maintain computerized data that includes personal information.

Some states limit the definition of covered entities to those that conduct business in that state. [19] Georgia’s definition is significantly more limited, with covered entities defined as “information brokers.” [20]

7.1.2.1.3 Security Breach

The definition of a security breach in these state laws often includes the following elements: unauthorized access to or acquisition of electronic files or computerized data containing personal information, which compromises the confidentiality, security, or integrity of the information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

Nearly all states apply a risk-of-harm analysis in determining whether an incident involving personal data constitutes a regulated breach. [21] Although the exact requirements vary by state, an incident is commonly excluded where it is not reasonably likely that either harm or substantial harm will result to the affected party. The harm envisioned by these laws typically includes identity theft, fraud, and other financial loss. It is worth noting that the language related to this risk analysis can be found either in the state law’s definition of a security breach or in the requirements for notification to affected parties. [22]

7.1.2.2 Notification Requirements

With notification requirements, it is important for companies to understand whom they are required to notify – affected parties, state attorneys general, and national credit reporting agencies (CRAs). In addition, companies must understand when they are required to make these notifications and what they must include in these notifications. Because each state has its own set of requirements, this subsection focuses primarily on the trends that are common among states, with some mention of those states whose requirements are atypical. The subsection concludes by reviewing exceptions to the notification requirements as well as permitted delays when law enforcement is investigating the breach.

7.1.2.2.1 Whom to Notify

Data breach notification laws commonly require notifications to affected parties; state attorneys general or other state agencies; and nationwide credit reporting agencies (CRAs).
- The primary recipients of a breach notification are those state residents who are at risk because their personal information has (potentially) been exposed based on the level of unauthorized access or harm. All 50 states require notification to those affected.
- Approximately two-thirds of the states require covered entities who have detected a data breach to notify the state attorney general and/or other state agencies.
- About two-thirds of states require that these entities notify CRAs of a data breach. [23]

7.1.2.2.2 When to Notify Affected Parties

These state laws use similar language to describe the required timing of notifications to affected individuals. The most common phrase used in conjunction with timing is “as expeditiously as possible and without unreasonable delay” – which allows the affected entity to conduct a reasonable investigation to determine the scope of the breach and to restore the reasonable integrity of the data system. Numerous states specify a limit to the time allowed when this common phrase is utilized, with 45 days after the discovery of the breach being the most common timeframe permitted by these states. [24] For companies operating nationally, it is important to note that the industry best practice is to report within 30 days after the discovery of the breach, meaning that a delay of 45 days could be considered unreasonable (without a valid explanation) in certain states.

7.1.2.2.3 What to Include in the Notification Letter to Affected Parties

Approximately half of these state laws mandate specific content be included in the notification to the affected parties. Privacy professionals dealing with the required notifications in those states that do not mandate specific information in the notice to affected parties can use the requirements in states with mandates (detailed in this subsection) as guidance. Although the particular requirements for the content of the notification to affected parties vary, many of these state laws require:
- A description of the incident in general terms
- An approximate date of the incident
- A description of the type of personal information that was subject to the unauthorized access and acquisition
- A description of the general acts of the business to protect the personal information from further unauthorized access
- A telephone number for the business that the person may call for further information and assistance
- A conspicuous notice on the company’s website indicating how the person may contact the company for further information and assistance
- A list of steps that the person may take to protect against identity theft
- The toll-free numbers and addresses for the major consumer reporting agencies
- The toll-free numbers, addresses and websites for the FTC and relevant offices of attorneys general, along with a statement that the individual can obtain information from these sources about preventing identity theft. [25]

For companies that operate nationally, the notification to affected parties should be developed with caution, as the sometimes divergent requirements in the 50 states can lead to problematic results. For example, while almost all state laws require the notification to include a general description of the incident, Massachusetts’ law prohibits including a description of the nature of the breach in the notification or the number of residents affected by the breach. [26]

With regard to the content of the notice, it is worth noting that, when Social Security numbers have been compromised, the Federal Trade Commission (FTC) suggests companies offer affected parties at least a year of free credit monitoring or other identity theft protection in the notification letter. [27] As of the writing of this book, three states require companies to provide certain affected parties with free credit monitoring for at least 12 months. The requirement comes into play when Social Security numbers, or other similar data, have been exposed – increasing the likelihood of the victims suffering identity theft or fraud. California became the first state to enact this requirement in 2015. [28] Since then, Delaware [29] and Massachusetts [30] have also added a credit-monitoring requirement. [31]

7.1.2.2.4 How to Notify the Affected Parties

State laws generally focus on providing written notification to affected parties using postal mail. These laws typically permit notice by email or telephone as acceptable alternatives, but usually only if the affected party has previously explicitly chosen one of these as the preferred communication method. [32] The notification requirements for nearly all states recognize that data breach notifications involving thousands or even millions of affected parties could place an undue financial burden on the organization if it were required to individually notify each affected party. [33] Under certain circumstances, these laws permit substitute notice by methods such as conspicuous posting on websites or notification to major state-wide media, including newspapers, radio and television. [34]

7.1.2.2.5 When Notice is Required to State Attorney General or State Agency

Approximately two-thirds of states require entities who detected a data breach to notify the state attorney general and/or other state agencies. Nearly half of the state laws have a threshold for the number of people affected before notification to the state attorney general or state agency is required; some of these states focus on the number of state residents impacted, while other states are concerned with the number of individuals affected. In state laws with this triggering requirement, the number of people affected typically varies from a low of 250 to a high of 1,000. [35]

States vary regarding the timing of the notice to the attorney general or state agency.
- The most commonly used approach focuses on the notice being made as soon as possible. Numerous states specify a limit to the time allowed when this common phrase is utilized, and the timeframe often mirrors the requirement for notification to affected parties.
- Several states have a requirement that the notification to the state attorney general or state agency must be no later than the time of notification to the affected parties or must be simultaneous to that notice.
- At the writing of this book, the shortest enumerated time frame is found in Vermont’s law, which provides that the required notification must be made within 14 business days of discovery of the breach or when notifying affected individuals, whichever is sooner. [36]
- Maryland, New Hampshire, and New Jersey require this notification to the state entity prior to sending notices to affected parties.
- It is worth noting that a minority of state laws contain no provisions regarding the timing of the notice to the state attorney general or state agency. [37]

Most states require notification to the state attorney general or state agency only if the entity determines, after an investigation into the breach, that the breach has harmed the consumers or is reasonably likely to do so. [38] Notification to attorneys general and regulators may be sent via letter or email. Some states have specific online forms that must be used for this reporting.

7.1.2.2.6 When Notice is Required to Credit Reporting Agencies

Similar to the reporting requirements for state attorneys general and/or state agencies, approximately two-thirds of states require that entities notify nationwide credit reporting agencies (CRAs) of a data breach. Nearly half of the state laws have a threshold for the number of people affected before notification to nationwide CRAs is required. In state laws with this triggering requirement, the number of people affected typically varies from a low of 250 to a high of 1,000. In some of these states, the number of state residents affected is critical, but in other states the number of individuals impacted is key. [39]

The timing required for notification to national CRAs varies.
- The most commonly used approach focuses on the notice being provided without unreasonable delay.
- The second most common approach is to defer to the timing requirements in federal statutes.
- As of the writing of this book, the shortest timeframe for reporting to national CRAs is found in Minnesota’s state law, which requires reporting within 48 hours. [40]
- It is worth pointing out that a minority of state laws contain no provisions regarding the timing of the notice to the CRAs. [41]

The CRAs have established email addresses to receive breach notification reports.

7.1.2.2.7 Exceptions to Notification

There are three basic exceptions for providing data breach notification: entities subject to another, more stringent data breach notification law; entities subject to their own notification policy; and data that is subject to the safe harbor provision within the state data breach notification law.

The first and most common exception allowed by states is for entities that are subject to other, more stringent data breach notification laws. This includes HIPAA-covered entities, discussed in Chapter 8 [Medical Privacy], and financial institutions subject to and in compliance with the GLBA Safeguards Rule, discussed in Chapter 9 [Financial Privacy]. Second, most states allow exceptions for entities that already follow breach notification procedures as part of their own information security policies, as long as these are compatible with the requirements of the state law. [42]

The third exception involves data that falls within the safe harbor provision of a state data breach notification law. All state data breach notification laws include a safe harbor for data that was encrypted, redacted, unreadable or unusable. [43] The specific requirements related to the safe harbor vary by state and are subject to change. Some states exclude encrypted data from the definition of a data breach. In other states, the notification requirement is avoided if the data is encrypted, based on the idea that there has not been a compromise (or, more pointedly, there is no risk of harm). [44] Importantly, these laws help motivate many organizations to use encryption to protect data, and thus avoid the burden of providing notice of breaches, as well as the embarrassment and potential brand damage of a public data breach. It is important to note that this encryption exception typically applies only when the key remains secure. Most state laws, such as the Illinois law, make this requirement explicit by stating that the exception does not apply when the decryption key is breached along with the encrypted data. [45]

7.1.2.2.8 When Notification May Be Delayed

When a data breach is suspected to be the result of criminal activity, all states allow delays of required notifications for a reasonable period of time if law enforcement determines that the notification will impede a criminal investigation. [46] The covered entity is, however, expected to issue the notification as soon as possible after such an investigation is complete or the law enforcement agency decides that notification will not compromise the criminal investigation.

7.1.2.3 Enforcement

All 50 states provide for enforcement of state data breach notification laws when covered entities fail to properly provide notice under these laws. Most typically this enforcement involves penalties assessed against the company by the state attorney general. Additionally, in many states, affected parties can file a lawsuit pursuant to the state law’s private right of action. In 2020, California became the first state in the nation to permit consumers to recover a set amount of money after a breach.

7.1.2.3.1 Penalties

In each of the 50 states, covered entities are subject to civil penalties if they violate the state data breach notification law. In approximately one-third of these states, the state attorney general (or other appropriate state agency) can impose fines. Under many of these laws there is a maximum cap per breach, with $750,000 being the highest amount at the time of the writing of this book. [47] A minority of laws impose a fine per day for failure to comply with certain notification requirements. [48] Notably, a few of these state laws include criminal penalties that can be imposed under egregious circumstances, such as when notice of a breach is provided with the intent to defraud. [49]

7.1.2.3.2 Right of Action

Nearly 15 states grant a private right of action to individuals harmed by disclosure of their personal information. The recovery in these suits is often capped at the amount of money lost by the party as a result of the breach, called actual damages, along with attorneys’ fees and costs of the lawsuit. [50] Suits are also common by businesses directly harmed by a breach, such as banks that undergo costs to replace stolen credit card numbers. [51]

7.1.2.3.3 Statutory Damages

As of 2020, California became the first U.S. state to allow consumers to recover a certain amount of money set by statute, known as statutory damages, as a result of data breaches. [52] Realizing that actual damages can be difficult to prove in a data breach, California took the approach of providing an avenue for consumers to recover statutory damages – dispensing with the need for a consumer to prove an actual amount of loss suffered as a result of a breach. [53] Under California’s private right of action, consumers may be entitled to statutory damages of between $100 and $750 per incident, actual damages, or other remedies the court deems appropriate. [54] To be entitled to these remedies, the breach of the consumer’s personal information must result from the business’s failure to “implement and maintain reasonable security procedures and practices.” [55] A consumer who is seeking statutory damages must give the business the ability to cure the alleged violation, meaning that if the business successfully cures the violation within 30 days then the consumer cannot pursue statutory damages. [56]

The provision providing for statutory damages was passed as part of the private right of action in the California Consumer Privacy Act (CCPA) and then updated in the California Privacy Rights Act (CPRA) [discussed in Chapter 6]. This California framework provides consumers the opportunity to receive statutory damages when a company’s poor cybersecurity practices result in a data breach involving the consumers’ personal information as defined under California’s data breach notification law. [57]

7.2 State Data Security Laws

Since each state has enacted a data breach notification law, many practitioners are aware that such requirements exist and that care must be taken to abide by these laws. Less well known is the fact that many states have enacted data security laws. While some of these laws call for reasonable security and others mandate specific security requirements, all of these state laws are intended to ensure that companies develop and maintain appropriate data security practices.

7.2.1 Federal Requirements for Data Security

Although no federal legislation directly imposes information security standards across all industries, the healthcare and financial sectors have federally imposed information security provisions. [58] In addition, the Federal Trade Commission (FTC) [59] uses its Section 5 power (under the FTC Act) to bring actions against companies misrepresenting their information security practices (as a deceptive trade practice) or failing to provide “reasonable procedures” to protect personal information (as an unfair trade practice).

7.2.2 Details of State Laws on Data Security Measures

In the absence of comprehensive federal requirements, approximately two-thirds of the states have laws requiring companies to take data security measures to protect citizens’ personal information. [60] Approximately 20 states have enacted laws that impose a reasonableness standard for security but do not provide specific cybersecurity requirements. California is an example of this “reasonable security” approach. One year after enacting the first state security breach notification law in 2003, California put in place Assembly Bill 1950 (AB 1950) – the country’s first state security law – to “encourage businesses that own or license personal information about Californians to provide reasonable security.” [61] Specifically, the law requires a business “that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” [62]

About 10 state security laws take the approach of imposing extensive cybersecurity requirements. For example, the Massachusetts state security law – generally considered one of the most prescriptive in the nation – establishes detailed minimum standards to “safeguard... personal information contained in both paper and electronic records.” [63] From a technical perspective, the Massachusetts law mandates user authentication, access controls, encryption, monitoring, firewall protection, updates, and training. [64]

In a more recent development, four states – Connecticut, Iowa, Ohio, and Utah – have put in place “safe harbor” laws for cybersecurity instead of enacting security obligations. In these states, a company may be able to defeat a lawsuit resulting from a data breach if, prior to the breach, it had put in place the appropriate safeguards detailed in the relevant law. [65] Privacy practitioners should be alert that certain states have additional laws that impose security mandates on specific sectors, such as financial services or insurance, with New York having the most prominent of such laws. [66]

7.3 State Data Destruction Laws

While state data breach notification laws and, to a lesser degree, state security laws receive media attention, state data destruction laws have received relatively little attention. These state laws are put in place to make sure that data is handled appropriately at the end of the data lifecycle. These laws require companies to implement the data minimization principle that data should only be kept so long as necessary to fulfill its purpose. Securely destroying unnecessary data also reduces the amount of data that a company holds in case of a breach.

7.3.1 Federal Requirements for Data Destruction

Although no federal legislation directly imposes data destruction standards across all industries, privacy practitioners should be alert that data destruction requirements, sometimes called data disposal mandates, may be found as part of federal privacy laws for certain sectors. For example, the FTC enforces the disposal rule for consumer reports and information derived from consumer reports. [67]

7.3.2 Details of State Laws on Data Destruction

In the absence of comprehensive federal requirements, approximately two-thirds of the states have enacted data destruction laws. [68] Typically, these states require that companies destroy or dispose of personal information in such a way that it is no longer readable or decipherable. The term personal information is often defined in these laws similarly to how it is defined in data breach notification laws. Most of these laws have common elements describing to whom the law applies (government and/or private businesses), the required notice, exemptions (e.g., GLBA, HIPAA, FCRA), the covered media (electronic and/or paper), and the penalties. [69]
