Breach Notification Laws
It’s almost impossible to read the news these days without running into a piece about computer security, compromised personal information, and bills written to protect consumer rights. Confidential information being inappropriately accessed and used is not a new problem. For years, people have dealt with identity theft and stolen credit card numbers. What has changed, however, is accountability. Because of a California law, known as SB 1386, companies are now required to tell people when a data breach has occurred. These notifications have been numerous, and the public reactions electric.
As of July 2005, 18 more states and Congress had proposed legislation similar to California’s that would require disclosure to potentially affected parties in the event of data breach. By the time you read this article, there may be more state laws in place, or perhaps a federal law that would preempt state legislation (for reasons like ease of administration for businesses—this is a Microsoft preference). But one thing is clear: if your company touches credit cards, identification numbers, or other types of sensitive information about individuals, data breach laws are going to change your job. So you’d better get to know them.
According to the Law
For this discussion, I’m going to use California’s SB 1386 and the federal bill proposed by Senators Arlen Specter and Patrick Leahy (in its July 2005 version) as my models. But bear in mind that, as with any law, the devil is in the details. Nothing in this column should be considered a substitute for actual advice from a qualified attorney licensed in your jurisdiction. Every scenario is different and you’ll need to discuss the specific details of your situation with an attorney.
Keep in mind that the proposed federal law might change substantially before it is passed—or it may never even pass at all. That said, there are certain consistent elements when it comes to almost all breach notification laws, and these elements are worth discussing in general terms, as they are likely to be part of any of the proposed data breach laws that will be passed throughout the United States in the near future. Here’s what you need to know:
They Cover Defined Types of Information
For good or ill, these laws are not general data protection laws, as found in the EU model. SB 1386 addresses specific private information: names, social security numbers, driver license numbers, California ID Card numbers, and account numbers combined with security codes. Other state laws address similar items.
As a federal bill, Specter-Leahy would be a bit more general. While specific components are likely to change before enactment, it will likely address any information or compilation that serves as a means to identify an individual—this includes such items as names, social security numbers, passport numbers, and so on.
Loss of Encrypted Data is Not a "Breach"
If the data is encrypted, then its loss is not considered a breach. However, this doesn’t necessarily mean you will not have to report the event to the world (public companies have obligations under laws like the Sarbanes-Oxley Act), but there’s a world of difference between saying "we got hacked" and "we may have lost 10,000,000 credit card numbers, including yours."
Notification Will Be Painful
The notification process isn’t set up to be pleasant. Under SB 1386, companies must provide either actual notice to all affected individuals or "substituted" notice through the media. The Specter-Leahy bill adds the requirement to notify consumer reporting agencies, the Secret Service, or the attorney-general of each affected state.
Law changes fast, but one thing is clear: breach notification laws are here to stay. By following these suggestions, you can help keep yourself and your company out of the news. If you believe there’s no such thing as bad PR, you probably haven’t worked for a company that had to send out a breach notification.
Don McGowan is an attorney in the Law and Corporate Affairs division at Microsoft.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited