The Green Sheet Online Edition
April 23, 2012 • Issue 12:04:02
The challenge of data breach reporting
Very few companies can see a data breach coming. And when a breach occurs, a critical consideration for most is the requirement to file timely reports to a widening variety of authorities. The reporting issue gets more complex as the data sets that must be protected increase. Not filing breach reports in a timely fashion can lead to substantial financial penalties and possibly criminal action.
You might be familiar with the requirement to report loss (or suspicion of loss) of credit card information to the card companies within 72 hours.
But there are many other types of sensitive data that must be protected and that are often stored with credit card data, including Social Security numbers, driver's license numbers, birth dates and bank account information.
Additionally, reporting requirements vary by data type and by jurisdiction. Loss of patient medical information, for instance, must be reported to the U.S. Department of Health and Human Services (HHS); under the HIPAA breach notification rule, a breach affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery, while smaller breaches are logged and reported within 60 days after the end of the calendar year. Massachusetts requires reporting to the Office of Consumer Affairs and Business Regulation and the attorney general; New Jersey requires reporting to the State Police.
Some states require reporting to their respective attorneys general if 1,000 or more citizens will be notified of a breach. Several states require reporting to credit bureaus. New York and North Carolina have specific reporting forms to be used in the event of a breach.
Recently, a satchel fell off the motorcycle of a merchant en route to the bank to make a deposit. Not only did it contain credit card receipts (with nontruncated account numbers), but it also held medical liability release forms with dates of birth, Social Security numbers and health histories, along with customer names, addresses and checks.
Without complete and timely reporting to the proper authorities, this incident could have resulted in costs of over $50,000 to the merchant.
The definition of PII is expanding
The definition of personally identifiable information (PII) also continues to expand. According to the National Institute of Standards and Technology (NIST Special Publication 800-122), PII is "any information about an individual including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information."
In 2011, the California Supreme Court ruled (in Pineda v. Williams-Sonoma) that ZIP codes requested at the POS are PII, with an exception for pay-at-the-pump fuel transactions. In addition, Massachusetts (201 CMR 17.00) now requires any company storing data of Massachusetts residents to bind its vendors, by contract, to protect that PII.
This regulation exemplifies the growing complexity of filing reports with the appropriate authorities. I expect the Massachusetts regulation to drive similar laws in other states, as well as new federal data breach legislation.
Reporting requirements abound
In this day of global interaction, organizations need to plan for the inevitable breach of sensitive information. Business planning means preparedness that spans the scope of data handling and breach reporting in order to stay current with state and federal regulations. The list of regulatory bodies requiring reporting is long and growing. Each has its own specific data breach reporting requirements.
The Payment Card Industry (PCI) Data Security Standard is well known to the payments community for providing rules about the handling of credit card information. In addition, the FBI, the Secret Service, HHS, state attorneys general and the Federal Trade Commission are several of the agencies and law enforcement organizations to be considered when data is lost.
Add to that each of 46 states with breach notification laws on the books. (Alabama, Kentucky, New Mexico and South Dakota have no breach notification laws to date.)
Federal laws that cover children, seniors, patients and consumers all weigh in with additional reporting stipulations, including the:
More legislation is in the pipeline
In addition, three bills have passed through the Senate Judiciary Committee. Here is a brief summary of the bills:
- The Personal Data Privacy and Security Act, sponsored by Sen. Patrick Leahy, D-Vt., was passed after being significantly amended. The Judiciary Committee adopted a substitute amendment that struck a controversial provision with special rules for the data broker industry. In addition, the committee also adopted civil liability limitation language and other modifications requested by Sen. Charles Grassley, R-Iowa.
The committee adopted language drafted by Sen. Al Franken, D-Minn., that would allow companies to keep personal data "only as reasonably needed" for business purposes or to comply with any legal obligation.
The committee's 10 Democrats voted in favor of the bill; its eight Republicans voted against it. If enacted, S. 1151 would require breach notice to affected individuals unless a risk assessment shows there is "no significant risk that a security breach has resulted in, or will result in, identity theft, economic loss or harm, or physical harm to the individuals whose sensitive personally identifiable information was subject to the security breach."
The bill would also impose criminal penalties for intentional and willful concealment of a breach and increase penalties for damaging computers that manage the nation's critical infrastructure (for example, defense and transportation systems).
- The Personal Data Protection and Breach Accountability Act, sponsored by Sen. Richard Blumenthal, D-Conn., is a wide-ranging data security and breach notification proposal. The bill features a provision that would give individuals the ability to file lawsuits (up to $20 million) against businesses responsible for a breach.
The bill would also require businesses and federal entities to provide notice to individuals without "any unreasonable delay" if the breach presents a "significant risk of harm or fraud to any individual."
If the breach involves more than 5,000 individuals, businesses and federal entities would have to notify major media outlets as well. Covered entities would be required to notify the Secret Service and FBI if a breach: (1) affected more than 5,000 people; (2) affected a database owned by the federal government; or (3) impacted national security.
Additionally, covered entities would be obligated to provide free credit monitoring services for two years to individuals notified of the breach. The bill provides specific storage guidelines for businesses that store online data for more than 10,000 people.
The bill contains numerous carve-outs and exceptions, such as carve-outs for financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA entities and public records. The bill would also impose criminal penalties for intentional or willful concealment of a data breach.
- The Data Breach Notification Act of 2011 (S. 1408), sponsored by Sen. Dianne Feinstein, D-Calif., is the narrowest of the three bills. Under S. 1408, a covered entity would not be required to provide breach notice if "a risk assessment concludes that there is no significant risk that a security breach has resulted in, or will result in, harm to the individual whose sensitive personally identifiable information was subject to the security breach."
A covered entity that decides not to notify individuals after a risk assessment would be required to certify its decision and submit it within 45 days after discovery of the breach to the U.S. Secret Service for approval. Covered entities could be fined $1,000 per individual whose personal data was breached, up to a maximum of $1 million for a single breach incident.
Passage of any of these bills in the House is unlikely prior to the November election, given the fractious environment on Capitol Hill.
It pays to stay informed
In updating our databases on the most current data breach law, we depend on a wide variety of resources like the International Association of Privacy Professionals for the latest in regulations, as well as notices of new state offices and departments that require reporting.
The average merchant doesn't have the time to research reporting requirements when a breach occurs.
As you've heard before, it's not a matter of if, but when, a company will lose sensitive data. Determining whom to report to, what information requires reporting and in what time frame can be overwhelming. After a compromise, those reporting obligations compete for attention with the investigation and remediation the company must also carry out, and they are rarely treated as the top priority, even though the reporting clocks are already running.
Make the conscious business decision to educate yourself and choose a partner you trust who stays current with the latest data breach reporting legislation. Be prepared; keep your merchants prepared as well.
Mark Brady, Director of Compliance at CSR, holds professional certifications from the International Association of Privacy Professionals and the Project Management Institute.