Will States Lead the Way on Data Breach Requirements?

California enacted the first data loss disclosure law in 2003, requiring companies and organizations that lose personal information to inform the individuals whose data has gone missing. Since then, 46 other states have passed similar laws. On Sept. 30, California Gov. Jerry Brown signed into law an amendment that toughens the Golden State’s pioneering legislation in several ways.

In the wake of massive data breaches at Target, Neiman Marcus, Michaels, PF Chang’s and Home Depot, California now appears to require organizations who lose certain types of data to supply “appropriate identity theft prevention and mitigation services” to each victim at no cost for 12 months. At least that’s how this amendment was widely viewed. However, legal experts say two little words inserted into the version signed by Brown muddle the mandatory nature of this new rule.

California’s law now also extends to companies that “maintain” personal data, not just own or license personal data. And in California it is now illegal to “sell, advertise for sale, or offer to sell” someone’s Social Security number.

ThirdCertainty asked Eduard Goodman, IDT911’s chief privacy officer, about the wider significance of California’s move. [Editor’s Note: IDT911 is the corporate sponsor of ThirdCertainty.]

Slippery Language

3C: Can you unmuddle this? What exactly is now being required?

Goodman: The original version of this bill read almost identically to how it was passed. However, the version signed into law adds the words “if any” to refer to the offer of “appropriate identity theft prevention and mitigation services.” The inclusion of this language now muddies the statute. It would appear that the legislative intent to mandate that monitoring, prevention and mitigation services be offered in certain situations has been gutted.

Instead, the law now simply provides that IF any services are supplied to support the victims of the breach, the institution offering it must indicate that the service offered is provided at no cost to the affected person; provide the service for not less than 12 months; and provide all of the information necessary to take advantage of the offer to any person. The language is a bit confusing and I have a strong feeling the actual meaning will eventually be tested and interpreted by the courts in the coming year or two.

3C: Don’t companies who admit big breaches already do this on their own accord?

Goodman: Larger companies do tend to offer free services in the wake of a breach. This usually comes in the form of credit monitoring services. Smaller companies may not have proper insurance or enough money in reserves to cover breaches. Many smaller companies do not opt to offer any form of assistance and will often, based on cost constraints, simply provide the required notification of the event.

3C: The devil is always in the details. How do you expect this to actually play out over time, in terms of resulting in a material benefit to victims?

Goodman: I hope it results in companies giving credit monitoring services in cases where it is useful, such as breaches that involve stolen SSNs, rather than in cases where it is a distraction, as with payment card breaches. There are generally accepted best practices in responding to breaches. Providing more robust support services is called for in higher-risk situations, such as when there is a targeted theft of personal information. And lower-level courtesy services are adequate for lower-threat scenarios, in cases when information is lost or misplaced. Unfortunately the statute provides no real guidance as to what “appropriate services” are.

Accountable for ‘Maintaining’ Data

3C: What’s significant about extending data security responsibilities to organizations that maintain data?

Goodman: Previously the requirement to implement and maintain reasonable security measures was only incumbent upon those who “owned or licensed” personal information. However, the extension now applies to anyone that also maintains personal data. The definition of “maintains” is vague at best. Essentially, the requirement means that if you HAVE personal information in your company’s possession, whether you own or license it or just hold it for another, you now need to provide for its security as well. Seems common sense, but the statute fell short on that requirement in the past.

3C: What’s the thinking behind banning the sale of SSNs? That seems like an obscure scenario.

Goodman: The practice is not as obscure as you may think. This happens in all different types of situations. Whether it be desperate parents who sell their children’s SSNs to help make ends meet or buying and selling the SSNs of the deceased by getting access to the Death Master File. This just seems to be one more way to crack down on the illicit trade in identity information in California, one of the states with consistently high rates of ID theft.

3C: What drove California to make these changes?

Goodman: California, unlike most states with data breach notification requirements, does NOT take a set-it-and-forget approach to their privacy legislation. The regulation has already been modified prior to this, just last year. In addition, California is at the forefront of these areas. Originally, the intent was to make offering support service to breach victims a mandatory requirement, which, as already discussed, was not the end result here. Keep in mind this is just one of many areas where California has been trying to tighten privacy laws, with education privacy being one of the next main areas that will be tackled.

3C: What’s going on in other states? Are others moving to expand data loss rules and responsibilities?

Goodman: One of the big trends we’ll start to see is the expansion of education-related privacy legislation passing in multiple states. These new laws focus on privacy of education information for children in grade school through college and grad school. In addition, other states are expanding their laws to cover paper records, not just digital data, and to start tightening the time frames for required notifications to be sent out.

3C: The drive for a federal data loss disclosure law seems to have lost steam. Where does that stand?

Goodman: The problem with federal attempts is that they all tend to weaken the consumer protection already in place in the 47 different states with breach notification laws. In addition, Congress seems to be more willing to weaken these laws based on pressure from industry groups and special interests whereas on the state level these influences seem more limited. In the end I wouldn’t hold my breath for any more talk of a breach notification bill until after the mid-terms. More realistically we may not hear anything about it federally until after the 2016 election cycle.