This documentation is archived and is not being maintained.
Legal Briefs Breach Notification Laws
Don McGowan is an attorney in the Law and Corporate Affairs division at Microsoft.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.
It’s almost impossible to read the news these days without running into a piece about computer security, compromised personal information, and bills written to protect consumer rights. Confidential information being inappropriately accessed and used is not a new problem. For years, people have dealt with identity theft and stolen credit card numbers. What has changed, however, is accountability. Because of a California law, known as SB 1386, companies are now required to tell people when a data breach has occurred. These notifications have been numerous, and the public reactions electric.
As of July 2005, 18 more states and Congress had proposed legislation similar to California’s that would require disclosure to potentially affected parties in the event of data breach. By the time you read this article, there may be more state laws in place, or perhaps a federal law that would preempt state legislation (for reasons like ease of administration for businesses—this is a Microsoft preference). But one thing is clear: if your company touches credit cards, identification numbers, or other types of sensitive information about individuals, data breach laws are going to change your job. So you’d better get to know them.
According to the Law
For this discussion, I’m going to use California’s SB 1386 and the federal bill proposed by Senators Arlen Specter and Patrick Leahy (in its July 2005 version) as my models. But bear in mind that, as with any law, the devil is in the details. Nothing in this column should be considered a substitute for actual advice from a qualified attorney licensed in your jurisdiction. Every scenario is different and you’ll need to discuss the specific details of your situation with an attorney.
Keep in mind that the proposed federal law might change substantially before it is passed—or it may never even pass at all. That said, there are certain consistent elements when it comes to almost all breach notification laws, and these elements are worth discussing in general terms, as they are likely to be part of any of the proposed data breach laws that will be passed throughout the United States in the near future. Here’s what you need to know:
They Cover Defined Types of Information For good or ill, these laws are not general data protection laws, as found in the EU model. SB 1386 addresses specific private information: names, social security numbers, driver license numbers, California ID Card numbers, and account numbers combined with security codes. Other state laws address similar items.
As a federal bill, Specter-Leahy would be a bit more general. While specific components are likely to change before enactment, it will likely address any information or compilation that serves as a means to identify an individual—this includes such items as names, social security numbers, passport numbers, and so on.
Loss of Encrypted Data is Not a "Breach" If the data is encrypted, then its loss is not considered a breach. However, this doesn’t necessarily mean you will not have to report the event to the world (public companies have obligations under laws like the Sarbanes-Oxley Act), but there’s a world of difference between saying "we got hacked" and "we may have lost 10,000,000 credit card numbers, including yours."
Notification Will Be Painful The notification process isn’t set up to be pleasant. Under SB 1386, companies must provide either actual notice to all affected individuals or "substituted" notice through the media. The Specter-Leahy bill adds the requirement to notify consumer reporting agencies, the Secret Service, or the attorney-general of each affected state.
Law changes fast, but one thing is clear: breach notification laws are here to stay. By following these suggestions, you can help keep yourself and your company out of the news. If you believe there’s no such thing as bad PR, you probably haven’t worked for a company that had to send out a breach notification.
Three Things You Should Do Now
OK, maybe your management chain needs a bit more convincing before they’ll pay for a full-blown compliance effort. Or they’ve decided for some reason that they need to collect Social Security Numbers in exchange for e-mail newsletters. That’s tough, but sometimes that’s life. So here are three things you can do today that won’t cost your company any money and shouldn’t get you in trouble with your boss for breaking company policy (at least, not if your company policy makes any sense).
Define Responsibilities Inside Your Team
1 A disaster plan is complicated and requires input from many teams, not just your own. But until you have a company-wide plan, you should at least make sure your own team is prepared. Specify responsibilities and how each member of the team will respond if there is a data breach. It’s best to be as prepared as possible, because your job is likely to be the one that is on the line.
Start an Information Campaign
2 The best way to do this really depends on your company. For a large corporation, you’ll probably need managerial approval and have to put content on the intranet. In a smaller company, a simple monthly or quarterly newsletter might suffice. The basic premise remains the same, though: if you remind people to do things like change their passwords and not leave their laptops in a taxi, you can go a long way to protecting your company’s data.
If There’s No Policy, Create One
3 There’s a funny thing about corporate life: if the right person starts working on a project, it’s tough to get them off the rails. If you’re in a security role and you start developing security policies, the odds are pretty good that no one will stop you from pursuing and accomplishing your goals. And once the policy is made, if someone wants to change what you think is best for your organization, they will be the one who has to explain their reasons. In my experience, that’s when people start to realize that there are laws and other factors to consider and that maybe your policy isn’t such a bad idea after all.
These tasks aren’t just busywork. These three steps are a good way to demonstrate a company’s commitment to security. Remember those notifications your company will have to send out if there’s a data breach? They get people’s attention—including people in my line of work. If you start working on these three items, you’re not just engaging in best practices, you’re protecting the company by demonstrating critical steps that can help to strengthen a legal defense if your company ends up in court. And trust me, when your company’s lawyers tell your management that your foresight helped to keep the company out of trouble, you (and your budget) will start feeling the love.
Five Steps to Get Ready
No one wants their systems to be hacked. But even more so, no executive wants to be the person at the press conference disclosing a data breach. If a data breach occurs at your company, you’ll be in a much better situation if you’ve taken these five steps. And if you convince your managers that these five steps could potentially save your CEO from such a press conference, you might even get the budget necessary to pay for these projects!
Encrypt Your Data at Rest
1 The laws don’t tend to define encryption, which is actually good drafting practice. If a law required a particular encryption standard that eventually turned out to be weak or broken, you’d be stuck with a choice between being illegally protected or legally at risk. But don’t think you can get away with just anything, such as ROT13. If your data is breached and the encryption method you employ is known to be broken, it’s likely that the method will be considered insufficient encryption under the law. So use good encryption.
Develop a Disaster Plan
2 You can create your own alternative disclosure plan. The Specter-Leahy bill and SB 1386 both allow a company that has developed and advised its customers of a disaster plan that addresses breach notification to perform the disclosure in accordance with its own plan. If you can show that you’ve sufficiently planned for this possibility, you’ll likely get to disclose the data breach according to your plan, as opposed to the process outlined by the law.
Keep Only the Information You Need
3 The more you store, the more you risk losing. One of the large breaches in early 2005 involved information being stored by a company about payments that were never completed. The company said the data was "for research purposes." If you store information you’re not using, you should be ready to explain why you were storing it if the database gets breached. It’s simpler just not to store unnecessary data in the first place.
Stop Using Social Security Numbers
4 If your company is using SSNs for account identification or customer authentication, think about alternatives. Specter-Leahy specifically prohibits many uses of SSNs. But even if Specter-Leahy changes or no federal law arrives, the use of SSNs in this way requires you to have them and store them. This is the kind of data that requires breach notification under SB 1386. To play it safe, consider making up your own account numbers.
Don’t Think There’s Only One Law
5 There are many laws that impact companies and computer security. We’ve all heard of Sarbanes-Oxley and many companies are governed by HIPAA and GLBA. But did you know that most of the controls on financial information envisaged by Sarbanes-Oxley are also envisaged by the Foreign Corrupt Practices Act, which has applied to all U.S. companies since 1977? Focusing your compliance strategy on one law misses the point. Microsoft is developing guidance that will help with this: the IT Controls and Regulatory Compliance Planning Guide (which will be available on the Microsoft Web site in early 2006) will address many laws and proposes an IT control framework to help you do most of your work in one shot.