After the breach, now what?

Would a federal breach notification law bring greater security and sanity to those who find their personal data has been lost or stolen?

More than 30 states have laws that require companies to notify possible victims of security breaches that leave personal data vulnerable to unauthorized use. Companies find it irksome to master the details of so many laws. But pending federal legislation, which promises a uniform alternative to that patchwork of state laws, would prod companies and government agencies to adopt better security measures.

Although some states have modeled their security breach disclosure laws on a 2003 California statute, major differences and a host of nuances among the laws complicate life for companies that do business in more than one state. Compounding the frustration are provisions in some states’ laws that exempt government agencies from notification requirements and the absence of any disclosure laws that apply to federal agencies.

Only about two-thirds of existing state data breach notification laws apply to state agencies, said Bruce Brody, vice president of information assurance at CACI. “Legislation at the state and federal levels must continue to evolve,” he said.

Federal lawmakers are trying to fill some of those gaps in data security and privacy statutes with three pending bills. Should the legislation move forward, requirements to disclose security breaches would apply equally to government agencies and businesses. A federal statute would supersede state laws and provide relief to interstate commerce companies that say they are buckling under the weight of myriad state laws.

Many companies and advocacy groups, such as the Cyber Security Industry Alliance, are vocal about the need for uniform notification rules. “Among the many laws, there are substantial differences in terms of the timing of notifications, the triggers for notifying citizens and the definitions and scope of entities these laws cover,” said Geoff Gray, CSIA’s legislative counsel. CSIA and other industry leaders also say state laws don’t go far enough.

“Many of these laws are breach notice laws, not data security laws,” Gray added. “They largely deal with actions that take place after data has been lost or stolen rather than serve as measures to prevent loss in the first place.”

Personal data is vulnerable

Beyond notification, legal experts say, government in particular must do more to prevent personal data from being lost or stolen. Information that the federal government collects is subject to the Privacy Act of 1974, which requires federal officials to consider privacy implications before collecting personally identifiable information, give public notice of such collections and limit the use of the information to the original purpose for which it was collected.

But personal data stored in federal repositories is unprotected legally because federal information security laws are designed to safeguard the agencies, not the citizens, said Emilio Cividanes, partner at Venable LLP in Washington. Cividanes said existing laws fail to put enough focus on securing the personal data that federal agencies collect and store. For example, the Federal Information Security Management Act, he said, was written to protect the agency’s operations and assets.

The lack of federal personal data protection laws is especially risky because agencies collect and store so much personal data: Social Security numbers, mothers’ maiden names and other information, said Alysa Zeltzer, an attorney specializing in data security and privacy at the Washington law firm Kelley Drye Collier Shannon. The government stores much more of this type of information than do most businesses, Zeltzer said. “It’s odd that the same notification and data protection requirements are not equally and consistently imposed on government agencies,” she added.

Double standard

Federal agencies and state governments must do more to put themselves under the same scrutiny that laws impose on the private sector, said Jeremy Wunsch, chief executive officer of LuciData, which provides threat management services. “One of the frustrations of the corporate world is that there seems to be a double standard when it comes to reporting” unauthorized disclosures of personal data, he said.

For companies wrestling with the differences contained in 30 or more state data breach notification laws, however, cost is likely a much bigger issue than any perceived double standard. “Not only must businesses involved in interstate commerce be familiar with the nuances of many states, it also leaves these companies weighing the decision of whether to inform customers of data breaches in states with lax or nonexistent notification laws,” said Denise Shams, federal sales director for Ecora Software.

Although variation among state laws may be a source of frustration, the mere existence of such statutes in so many states arguably outweighs the inconvenience. “Absent a legal requirement, most companies do not publicly disclose information on security breaches or contact law enforcement agencies,” said Tom Smedinghoff, a partner in the Chicago-based law firm Wildman Harrold.

Because many existing state laws are effectively working to protect consumers affected by data breaches, federal legislators must be careful not to pass a national law that is less rigorous than the laws many states have passed, said Anton Chuvakin, director of product management at LogLogic, a risk mitigation company. Were that to happen, he added, “some citizens could lose the protections they enjoy now.”

As Congress moves forward on data breach notification legislation, members must be aware of loopholes, Chuvakin said. “Lawmakers need to review a list of exceptions — when not to notify — since these exceptions can pretty much destroy the value of the law,” he said. Chuvakin mentioned several scenarios in which companies with ongoing investigations might be exempt from disclosure. “By keeping their ‘probe’ open forever, the unethical organization could avoid notifying the victims,” he said.

Fortunately, legal experts say, most of the computer and network security breaches that have been reported have not had disastrous results. “There is a silver lining in that many breaches are small, and often no individuals actually suffer any harm,” said Lisa Sotto, a partner at the law firm Hunton and Williams in Atlanta. However, the agency or company that takes a hit and is forced to notify citizens and consumers learns a valuable lesson. “Management gains a new focus on information security issues and chooses to enhance internal data security processes,” Sotto said.

Failure to legislate

Many security experts agree that the need to be vigilant about protecting personal data is a lesson best learned before disaster, and they hold out hope that pending legislation could help protect personal data before it is compromised. Yet so far, efforts have been lacking, said Tom Maxwell, partner at the Indianapolis law firm Barnes & Thornburg LLP. “Laws have been adopted by the states, mostly because the federal government has largely failed to legislate in this area,” he said.

When Congress does make its move, lawmakers should provide agencies with adequate resources to meet the new requirements, said Shannon Kellogg, director of information security policy in EMC’s RSA security division. “If you set higher security safeguards for sensitive information in federal agencies, then the administration and Congress need to make sure there is funding there, too,” he said.

McAdams is a freelance writer based in Vienna, Va.