Security Breach Laws: Disclose and Tell
by Tim Jackman
At least 33 states recently have rushed to pass legislation requiring notification to consumers of unauthorized disclosures of their personal information.
The first of these security breach/notification laws came from California, under an act that is typical of most that have followed. However, they all tend to vary somewhat in terms of the trigger for the notice, the timing of the notice, the content of the notice and the required recipients. Nearly all of these laws provide an exemption for personal data encrypted at the time of disclosure, which significantly aids compliance.
As a result of these laws, significant breaches must get reported, and every week seems to bring news of another highly publicized security breach. A few weeks ago, Social Security numbers and other personal information of 26.5 million U.S. military veterans were stolen when an employee took home some digital data to review. Earlier disclosures also revealed that CardSystems Solutions Inc. may have exposed information on up to 40 million credit and debit cards, resulting in action from the Federal Trade Commission. Before long, we all may have our personal data wrongfully disclosed.
The good news is that these laws are beginning to have a remarkably positive effect on security practices in the United States. Organizations are understanding that sooner or later lax security practices, such as failing to encrypt sensitive data and using poorly protected laptops and PDAs, are likely to garner negative press with possible exposure to legal action from affected individuals or the FTC.
The bad news is that there are at least 33 different state laws that an organization may need to comply with, although Missouri is not among them at the moment. A new Kansas law was passed this year, which just became effective July 1. Of course, complying with these state variations can be daunting. There is an effort at the federal level to pass security breach legislation that would preempt the various state laws and bring some uniformity. In fact, nearly 30 different bills already have been introduced. Despite that effort, experts disagree on the likelihood of any federal legislation soon.
On the legal front, if your organization is subject to more than a few of these laws (by virtue of having operations or customers in multiple jurisdictions), the wisest strategy probably would be to develop and implement a uniform policy that meets the requirements of the most stringent of the applicable state laws. Ironically, one of the tradeoffs to consider is just how zealous one wants to be in detecting each and every breach, knowing that there is a disclosure obligation for those detected, even if the likelihood of the data being used maliciously is small.
On the practical front, the best way to keep your organization out of trouble and out of the headlines is probably nothing more than a carefully considered and well-executed plan from “Data Security 101,” which would include:
- Encrypting data containing personal information in general, particularly as it moves across public networks like the Internet;
- Utilizing a state-of-the-art firewall;
- Utilizing a good intrusion detection system;
- Regularly testing your security systems;
- Maintaining strong security on all laptops and portable devices, and relentlessly educating the users regarding security issues;
- Keeping only the information you need;
- Ensuring that all third-party contracts include requirements that your vendors have and follow similar security policies and procedures, and periodically auditing them for compliance.
By carefully developing and executing appropriate policies and procedures regarding data security, you can keep your organization in compliance with the expanding plethora of data breach laws and out of the headlines.
Tim Feathers is a partner and co-chair of the Intellectual Property and Technology Division at Stinson Morrison Hecker. He can be reached by phone at 816.691.2754 or by email at tfeathers@stinsonmoheck.com.