26 June 2012

Steps Forward

Two US states have strengthened their data breach notification requirements, which are now substantially stronger than the Australian regime.

In Vermont the state's 'security breach notification' law (9 V.S.A. §§ 2430 and 2435, the Security Breach Notice Act) has been modified, with notification no longer being triggered by mere “access” to personally identifiable information. Under 2430(8)(A) there is a requirement of actual “acquisition” of the information by an unauthorized person (or a reasonable belief that acquisition has taken place).

Under 2430(8)(C) the amendment adds factors to consider in determining that acquisition (or reasonable belief that acquisition has occurred), including indications that the information -
  • is in the physical possession and control of a person without valid authorization (e.g. someone illicitly holds a file),
  • has been downloaded or copied,
  • was used by an unauthorized person, or has been made public.
Enterprises are required under 2435(b)(1) to notify consumers affected by a breach within 45 days of discovery or notification of the breach. Prior to the amendment, they merely had to notify “in the most expedient time possible and without unreasonable delay”. Importantly, enterprises are also required to notify the state Attorney General within 14 business days of the organisation's discovery of the breach or when the enterprise provides notice to consumers, whichever is earlier.

That requirement for a timely response reflects last year's settlement with health service provider Health Net Inc, which had lost a portable hard drive featuring sensitive health information, social security numbers and financial information regarding a mere 1.5 million people (including 525 Vermonters) in 2009 but didn't bother to contact those individuals for six months. Health Net unpersuasively claimed that the risk of harm was “low” because files on the missing drive were not saved in an easily accessible format. The drive was not encrypted; the files were in fact TIFF images and thus easily readable.

The notice to the Attorney General under 2435(b)(3)(A)(i) must now include the date of the breach and of its discovery, along with a preliminary description of the breach.

In addition, after notifying Vermont consumers affected by a breach, enterprises must provide a second notice to the Attorney General. That notice is to include the number of Vermont consumers affected (if known) and a copy of the notice provided to affected consumers. Under 2435(b)(3)(B)(ii) the enterprise should also provide a redacted copy of the letter that the Attorney General’s office can use for public disclosure purposes.

Under 2430(b)(5)(F) the notice letter that must be sent to affected consumers must now include the approximate date of the incident, in addition to the other information that was required by the law before it was amended. Sensibly, a free-call number is no longer required in the notice letter to consumers unless one is available.

A requirement for concurrent reporting to the state Attorney General is also a feature of the amendments to Connecticut’s data breach notification law (Conn. Gen. Stat. § 36a-701b, with 36a being the Banking Law of Connecticut and 36a-701b dealing with "Breach of security re computerized data containing personal information").

In that statute “breach of security” means
  unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable;
"Personal information" means
  an individual's first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; (2) driver's license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
The new subsection 701b(b)(2) requires enterprises to alert the Attorney General no later than the time that notice is provided to the state's residents regarding a breach.

That notice to consumers under the existing subsection (b)(1) must be made without unreasonable delay, subject only to delays resulting from law enforcement investigations and an internal investigation to -
  • determine the nature and scope of the incident,
  • identify the individuals affected, or
  • restore the reasonable integrity of the underlying information system.