ISOL 633 Legal regulations, investigation and compliance Chapter 9 - Lesson 9 State Laws Protecting Citizen Information and Breach Notification Laws © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Learning Objective  Describe state legal compliance laws addressing public and private institutions. • State regulation of privacy and information security • State data breach notification • State encryption regulations • State data disposal regulations • History of state privacy protection laws Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. CALIFORNIA NOTIFICATION LAW  California Database Security Breach Notification Act  First breach notification law  Enacted on July 1, 2003  Purpose to give California residents timely information to protect themselves  Serves as model for other states ChoicePoint Data Breach • ChoicePoint was a data broker • Databases contained public information and names, addresses, Social Security numbers, credit history, DNA information • Breach in late 2004; disclosed in February 2005, notified California residents • ChoicePoint data breach spurred creation of data breach notification laws in many states • 35 states began looking at breach notification laws in 2005 alone Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. ChoicePoint Data Breach…Continued • Second violation in 2008 • Changes in internal security controls led to additional breaches for which company was not alerted to unauthorized access to data • Violations of the 2006 agreement Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. California Breach Notification • Definition of Security Breach: Unauthorized acquisition of computerized data for which the confidentiality, security or integrity of the personal (unencrypted) information is compromised. • Definition of “Personal Information” is very broad under the California law. It could include a person’s name combined with SS#, Drivers’ license number, Account number, credit or debit card number, medical or health information, email address combined with password or answer to security question. Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. CALIFORNIA NOTIFICATION LAW Who Must Comply? State agencies Nonprofit organizations Private organizations Business Any entity storing info on California residents California Breach Notification…continued • Caveat - The law applied to businesses located outside the state of California, as long as the information they were storing was of a California resident. • Trigger for notification: – When breach occurs – When company reasonably believes breach has occurred • When to notify? – Asap – Exceptions: To determine scope of breach and to allow law enforcement to conduct criminal investigation Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. California Breach Notification • Type of Notification Required (as the law was amended in 2011) – – – – Written in plain language Include name and address of entity making notice List of information potentially compromised Facts about the breach including but not limited to dates of breach – Contact information for major credit card reporting agencies – Notification to the Attorney General when the breach affects more than 500 customers for a single breach • Exceptions to the written notice requirements Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. California Breach Notification • What is the “safe harbor”? – Legal concept where a party can demonstrate that it took specific good faith actions to follow the law. – Properly encrypted data is a safe harbor when data breaches occur in spite in spite of encryption • Private causes of action exist under California lBreach notice laws Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. DIFFERENCES IN DATA BREACH NOTIFICATION LAWS BETWEEN STATES  Activities that constitute a breach  Arizona uses two-part test  Ohio –material risk of theft or fraud  Entities covered by the law  Georgia –Applies to information brokers and exempts government agencies, applies to DIFFERENCES IN DATA BREACH NOTIFICATION LAWS BETWEEN STATES…CONTINUED  Time for notifying residents  California vague – Ohio – 45 days of discovery  Content of notice  Minimum encryption requirements  Undefined under California law. Compare to Indiana law  Civil and/or criminal penalties  Private Causes of Action  Allowed in California Breach Notification and Federal Legislation • No federal breach notification law exists today • State laws differ in the area of breach notification • Book’s hypothetical question of “what happens with state laws if a federal breach notification law is passed?” Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Data-Specific Security and Privacy Regulations • Minnesota and Nevada – Require businesses to comply with Payment Card Industry standards • Indiana – Limits SSN use and disclosure Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Encryption Regulations • Massachusetts – “Standards for the Protection of Personal Information of Residents of the Commonwealth” – Applies to data in paper and electronic form – Applies to any person that uses and stores personal information about a resident as a part of the sale of goods of services. – Requires the creation of an information security program similar to Gramm-Leach-Bliley – Requires encryption of personal information while stored on the entity’s system – Unique and controversial by attempting to regulate business outside its state Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Encryption Regulations • Nevada – Standards-based Encryption – Data collectors must use encryption when transmitting personal information outside of their business network – Applies to data when stored and when transmitted – References and requires industry standards to be used for encryption – Federal Information Processing Standards issued by the NIST – Safe Harbor applies Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Data Disposal Regulations • Washington – Record – any material that holds information in either electronic or paper form – Destroy means changing it to a form that is no longer readable or decipherable. (examples, shredding, erasing, or modifying) – Health and financial data must be destroyed when no longer needed – Law applies to any person or entity in the state – Allows private causes of action • New York – No person or business may dispose of a record containing “personal identifying information” without shredding, destroying, or modifying it – Record is any information held in any physical form, both paper and electronic Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Thank you! • Questions? – Dr. Les Stovall – Leslie.Stovall@ucumberlands.edu Legal Issues in Information Security © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Purchase answer to see full attachment