Today on Cybersound, Jason, Steve, and Matt are joined by Vancord’s Data Privacy Consultant, Rob McWilliams, to discuss the overall message: If you are equipped to respond properly to incidents, you should seek guidance to meet your regulatory obligations.
Understanding Data Breach Notification Laws
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, Steven Maresca and Matt Fusaro.
Jason Pufahl 00:14
Welcome to CyberSound. I’m your host, Jason Pufahl, joined in a full house today, by Matt Fusaro, Steve Maresca, and we have Rob McWilliams, the vISO and Privacy Consultant here at Vancord, who is the guest of our, guest of our show today, he knows all things about privacy, not to put you on the spot, right. But I will.
Rob McWilliams 00:34
Hi Rob.
Jason Pufahl 00:36
So, let, we’re gonna spend a little bit of time actually today on decisions that you might need to make, right. You’ve had an incident, we’ve spent podcasts talking about the technical aspects of it, right, the containment, the remediation. Today, we’re going to spend some time on, you know, the legal notification requirements, depending on the type of data that you had, and depending on whether or not data was exfiltrated, or, or taken, right, in more layman terms. So, you know, maybe Rob, if you can spend just a couple of minutes laying out maybe a couple of the privacy laws that exist out there. Then, we’ll just sort of start thinking about, what would be the influencing factors as organizations think about their disclosure requirements?
Rob McWilliams 01:21
Yeah, sure, Jason. It would be really nice to say that the notification requirements for a business or an organization in the United States, were really simple, that they were just in one place, and you consult that one place. And you’ve got your answer. Unfortunately, as in so much of life, and certainly security and privacy, the devil is in the detail. And so it will depend on what kind of data has or may have been breached, and many other factors. So, in terms of some of the laws, I do, of course, have to mention HIPAA, and it’s updating law, HITECH, which concerns breaches of HIPAA regulated data. I’m not going to talk too much about those today. I don’t think we are anyway, because people who are involved as covered entities of HIPAA, or business associates of HIPAA, generally know this stuff inside out. So we’ll probably give that a quick pass over. Surprisingly, at the federal level, like HIPAA, GLBA, the Privacy Rule that affects, that concerns financial institutions, doesn’t in fact, have any requirement or clear requirement to notify in case of a breach. Although that doesn’t mean that you’ve got to get out of jail free card there. I think what we’ll focus on a bit today is state data breach laws, which, you know, most people have probably heard of, we might go into one rule that perhaps people won’t have heard about, which is the FTC’s, Health Breach Notification Rule. And we’ll go overseas as well, to see what the GDPR has to say about breach notification.
Steven Maresca 03:15
Rob, what is a breach?
Jason Pufahl 03:18
It’s always good to draw that distinction right now.
Rob McWilliams 03:21
Well, there you go. That just is a is a great example of, wouldn’t it be nice if things were simple, and there was a universal definition of what a data breach is? And of course, they do it by all the names as well, you hear about security incidents and all kinds of other things. And the short and unsatisfactory answer, unfortunately, is that different laws have different definitions of a breach. And that’s something I should have mentioned, of course, is that your obligations as an organization, in the event of a breach, are indeed laid down in law. But they’re also laid down in the contracts that you’ve signed with organizations whose personal data you handle. Sometimes those things called DPAs, data processing addendums. Sometimes, if it’s health data, it’s in a business associates agreement. And in all of those, the definition of a breach may be different from organization to organization. Taking the state data breach laws, of which there are now 50. And that number is not coincidental. Plus a few overseas territories, they generally agree that it’s an unlawful or unauthorized disclosure of personal information, but they don’t agree on everything. So some states, and Connecticut is one, will add to that, that it’s just unlawful or unauthorized access to personal data, so not necessarily, it’s a bit more expansive. There are certain things that completely rule out something being a breach, and one of those is encryption. If your data, personal data, is adequately encrypted, then, and the key there is adequately, then it cannot be breached. Of course, if somebody has the key to the encryption, then that doesn’t apply, somebody alien to your organization has the key, then it doesn’t apply. So there isn’t a simple explanation of a breach. And as I’m sure you, as I know, you know, Steve, very often the biggest part of any breach response is working out whether a breach actually happened.
Steven Maresca 05:51
So it’d be fair to say that a breach is broadly understood to mean the disclosure of information across the line between an organization and some entity outside thereof, or across the line of authorized use.
Rob McWilliams 06:04
Yes, I mean, in fact here is a fairly standard definition, “Unlawful and unauthorized acquisition of personal information that compromises security, confidentiality, or integrity”. And, yes, the line between an organization and outside the organization is important because, and in fact, some state breach laws have a stipulation that actually carves out a good faith, disclosure of personal data within the organization. So somebody, some member of your staff sees the data, and they shouldn’t have seen the data, according to your own policies, but they did. But they didn’t do anything bad with the data, they just saw it, they reported it, that’s usually carved out as not a not a breach. Obviously, if they saw it, downloaded it and sent it off to their their hacker friend, then that will be a different question.
Matt Fusaro 07:08
Jason Pufahl 07:09
So it’s fair to say then, if there is an incident that results in a breach, and you’ve got employees of a company that are spread across a variety of different states, you need to reconcile the breach notification laws for every state? Or are you doing notification based on the state that you reside in?
Rob McWilliams 07:27
It’s the law that applies to you, is based on the residence of the individual whose data has been breached. Wouldn’t it be nice if it was just where you happen to reside? And so if you’re a New York business, all you have to know is the New York breach notification, or yeah, breach notification law. Unfortunately, it’s not that way. So if you are a national business, we’ll come to international later, you may well end up having to look at the breach notification laws of 50 states and a handful of territories.
Steven Maresca 08:12
So during the analysis process of something that might turn into a breach determination, you have to keep all those things in mind and prepare for determining what data has been exposed, you have to do that work to help ultimately decide what notification is required. So what’s that look like?
Rob McWilliams 08:31
Um, I actually think it’s better if you’ve done the work before the breach comes along, because if you suddenly discover that you’ve had a breach, then your organization goes into, hopefully, controlled panic mode. And, you know, all of this then has to happen. If you’re an organization that collects and uses personal information, and that’s nearly every organization today, it and, you believe that that data would require notification in the United States, that’s something else we should come to is the kinds of data that require notification. I think it would be great preparation to say, okay, 50% of the people whose data we hold, are in California. So you prioritize California. 20% are in New York, so you prioritize New York. If you’ve got one or two people in Rhode Island, you know, maybe you can leave that as a manageable risk or for something later in the in the in the process.
Steven Maresca 09:47
So what types of data ultimately are the governing components? What are the biggest players?
Rob McWilliams 09:52
I’m going to sound like a broken record because I’m going to say the same thing. Wouldn’t it be great if it was all just the same thing, from state to state, but, there are variations from state to state about what kinds of data require notification. The good news is there is a basic definition that applies in most states, first name, or initial, and last name, plus social security number, driver’s license number or some other state issued ID, or a financial account or card number, usually combined with a security code or PIN or something that would give you access to that, that account. That’s kind of the basic definition. Unfortunately, again, there’s additions to that. So in California, and indeed, in many other states, health data’s thrown in there. And that doesn’t have to be HIPAA health data, it can be any kind, it can be the health data on your Fitbit.
Jason Pufahl 11:05
So, so not necessarily address or physical address or email address, or some other piece of identifier tied with your name?
Rob McWilliams 11:16
Correct. If it was just your name, your street address, your name, your email address, it probably wouldn’t count as needing. But these definitions are expanding all the time. And again, in California, and I’m sure other states, a simple username and password to any kind of online account, you know, even your, your Yahoo Mail would require notification. So these are things you have to be on top of. And in Massachusetts, since we’re in, we’re in New England, their financial account information, yes, but in Massachusetts, with or without the password or the security code. So any financial account number, would require notification.
Matt Fusaro 12:07
So, just playing devil’s advocate here, what happens if I just choose not to notify? What happens to a company? What do they have to be prepared for for risk in that case?
Rob McWilliams 12:18
Well, it could, depending on your luck, or lack of it, it could run the gamut from nothing to action by the State Attorney General against you, if the breach is discovered, or private right of action, it could there could be a class action lawsuit against you. So this is not something you want to mess around with. And I think it is better, this is something that State Attorneys General and others, they tend to be the enforcers of this, are very tuned into if an organization loses personal information, that leads to somebody having their identity stolen, or their accounts accessed and emptied. They’re gonna take it very seriously, and the penalties will be very high. So I really would not advise knowing that you’ve had a data breach that that reaches the threshold of state law, and just pretending it didn’t happen. It’s not a good strategy.
Matt Fusaro 13:34
Yeah, the reason I bring it up, as you know, we’ve we’ve been in incidents before where notification people almost have that in their head as a not something they necessarily have to do, an option. Right, they just don’t, I think a lot of them just don’t understand what the consequences are, how they affect them. And, you know, obviously, like you said, it’s different, depending on your data, depending on what it is, depending on where you are. So it’s difficult for some organizations to understand that.
Rob McWilliams 14:01
It’s, it’s really tough. I mean, there’s no doubt about it. If you’re a national organization, and you suffer a data breach, working out how you notify is is really tough. It’s hard work. So the best solution is not to have a breach. But I know that’s not always an option. The good news is that, as well as some of the limiting factors we’ve already discussed, like the in terms of data and the definition of a breach. Many states allow there to be a risk of harm analysis, that you can sit down and say, look, we’ve looked at this from from every angle, and the likelihood that an individual is going to suffer some kind of harm from this is very small. So we’re, we’re not, this is not a breach as defined by state law. My only advice on that is that risk of harm assessment, it can’t be magical thinking and you’ve got to you’ve got to guard against wishful and magical thinking. So yeah, nothing’s going to happen. And basically, you know, if somebody’s has got from you names and social security numbers and driver’s license numbers, you know, there’s a good chance that something bad could happen to those people. And you’ve got to acknowledge that.
Jason Pufahl 15:23
As part of the notification process, is it required in any states that you notify the Attorney General? Or is that typically, you know, inactive, just transparency, by a company?
Rob McWilliams 15:35
No, in the majority of cases, breaches above a certain threshold of affected individuals will require notification to the Attorney General. Now the number varies from state to state, it’s fairly high, you’re not going to hit it if it’s just 100 individuals or something. But you know, there is a threshold there. And you’d normally have to notify the AG, you may have to notify the individuals themselves, you probably will. In some states, you have to notify the consumer rating agencies, so the guys that do the credit scores, in some cases, you may have to put something in the in the media even, you know, put something in the whatever the state equivalent of the Hartford Courant is, to say your organization’s had this breach, so.
Steven Maresca 16:29
If you’re not otherwise required or compelled in by threshold, you know, by the number of records, like you’re talking about, you know, it’s just a general set of guidance. Is it still a nice or recommended courtesy to notify? Is it a reasonable practice to notify even if there isn’t necessarily sufficient grounds to do so?
Rob McWilliams 16:53
I think that would apply primarily to the notifying individuals. I guess it’s arguable whether you should out of courtesy, alone, notify the Attorney General or the Hartford Courant, in our case here. Individuals, I guess it’s it’s a, it’s a it’s perhaps a more I can I can see a better case for notifying individuals. But there are, I think you would only do that when you really have got the facts established, and that there is a purpose for doing it. I don’t think it’s, and generally, the purpose would be that you might be at some risk of, in which case, you may have had to notify anyway.
Steven Maresca 17:46
Ultimately, there’s a lot of ambiguity after an incident, and that’s the root of the question. It’s it’s sometimes unknowable the number of records that might have been affected, it’s sometimes unknowable whether or not unauthorized access occurred. And, you know, I think that a lot of security incidents operate in that uncertainty and don’t quite know how to operate in terms of notification or not.
Jason Pufahl 18:13
It’s also one of the reasons why, typically, really early in incidents, we transition a conversation from, you know, containment to, well, let’s make sure we do some cursory data analysis to understand what your potential risk down the road is, because once things are back up, and running, is usually when we transition into that, you know, data analysis, data or notification phase, but you don’t want to have destroyed evidence while doing any of that precursor work or anything like that. So, you know, these things go hand in hand for sure. So while we may have broken the conversations up into segments, the reality is, you need to be thinking about all of this, from the start, from the time something is an incident until the time it becomes a breach.
Steven Maresca 18:54
So hypothetically, we’ve reached the threshold of breach, we’ve done the basic notifications to whatever is required by the local regulator, what is the next step? What’s the tail end of the notification process look like if there is a common set of actions?
Rob McWilliams 19:11
One notification can be the end, that you’ve you’ve told the required parties that the breach happened. The notification, again, depending on the specific law, should contain certain elements, and we’ve talked about some of those, what happened, what the risk is, what data was breached, that sort of stuff. And sometimes, as you know, it’s very common to offer, if there’s a risk of identity theft, to offer credit monitoring. And I think in some cases, that is obligatory, so you, I’m sure we’ve all had those emails from time to time saying, you can get free credit monitoring because your data was was breached. And if things go well, that might be the end of it, it’s I think, where security incidents can seem endless is when you don’t respond to them properly. And then there’s comeback with regulators or others saying, why didn’t you notify? Why didn’t you do this? Why didn’t you investigate properly? And of course, the big thing to wrap it up, and this is more on the security side, is just do everything possible to make sure that particularly that particular breach doesn’t happen again. The one other thing I would probably throw out there is, as an organization, it’s always to think, at what point you are going to need outside help? I think very few organizations are really equipped internally to deal with substantial breach. And it’s good ahead of time to think, okay, when this happens, who’s going to help us?
Jason Pufahl 21:02
I mean, that feels like an appropriate, appropriate place to stop. If, if not just because we’re over our normal sort of a normal time here. But I think what you, you’ve given a ton of information, but I also think you’ve made it crystal clear that for most organizations, right, they’re going to have a population, a data population, that’s probably going to be spread across a variety of states, and as a result, likely going to need external guidance. So don’t try to do it on your own. Reach out to somebody, ideally find legal counsel during the incident, but get that guidance early, understand what your obligations are. And it’s going to be based on your state, based on what regulatory requirements you need to you need to have met, and potentially you’re notifying individuals and Attorneys General, and individual states, so it gets really complicated really quickly, it seems.
Rob McWilliams 22:00
If I could just quickly say two other things just to make sure I’ve given the complete picture. One is, there is a Federal FTC Health Breach Notification Rule that is deliberately targeted at organizations that process health data, but are not covered by HIPAA. So they’re not hospitals, they’re not practices, they’re things like connected devices. And so if you are collecting that kind of data from your users, you’ve got a wellness app or connected device of some sort. And that data is breached. You’re not off the hook, because you’re not covered by HIPAA. You have to report under the FTC Health Breach Notification Rule. And the other one just as a one liner is, these in overseas, and let’s just talk particularly about Europe and the UK. All of this is in the GDPR, similar kind of things about when you have to notify, what kind of risk assessment you could do before notifying timeframes. The difference with the GDPR is it doesn’t limit it to certain kinds of data, potentially, any personal data. So going back to what you brought up, Jason, even just an email address and a name. If breached and posing some kind of a risk, could require notification in Europe.
Jason Pufahl 23:35
Well, Rob, thanks for joining.
Rob McWilliams 23:37
Jason Pufahl 23:38
This is hugely helpful, I think, maybe for some people that probably raises as many questions as it answers, but I think that’s the goal, right? Get people thinking a little bit about what the risk is and what the requirements are. As always, if anybody wants to explore this topic any further, let us know. We’re happy to continue the conversation. And we hope you got some useful information out of this and we appreciate everybody listening. Thank you.
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.