Data Security Breach Laws Becoming Stricter
The webinar “An Update on Data Security Breach Laws in the U.S. & Canada” was offered February 13 by ID Agent. The top-line message is that the many overlapping laws and regulations governing data security are becoming stricter.
Moderated by Jessica Retka, an associate in the Intellectual Property and Technology Group at Baltimore law firm Whiteford Taylor Preston LLP, the webinar featured legal experts S. Keith Moulsdale, a partner in the Cyber Security, Information Management and Privacy Group at Whiteford Taylor Preston, and Judith Payne, a partner at Winnipeg-based Pitblado Law who specializes in privacy, regulatory compliance, and information technology in corporate and commercial enterprises.
Updates to U.S. Data Security Regulations
The numerous laws — federal, state, and international — that pertain to data security in the U.S. are sometimes compared to a patchwork quilt, said Moulsdale. But he suggested a more apt metaphor is a Rubik’s cube, because determining which laws apply to your company in which circumstances is like solving a three-dimensional puzzle.
“You could have a competitor directly across the street from you that kind of looks like you, kind of walks like you, and has the same number of employees as you. But the laws that apply to you and to your competitor may be different, according to what services you provide, where your customers are located, what data you collect, and how you use that data,” Moulsdale said.
For example, vertical laws at the federal level apply to specific industries and to specific types of data. The Health Insurance Portability and Accountability Act (HIPAA), for example, safeguards the privacy and security of certain health information. Organizations that collect data from children under the age of 13 must abide by the provisions of the Children’s Online Privacy Protection Act (COPPA).
U.S. organizations are subject as well to both federal and state laws and regulations about breach notification, to tort and common law, and to Section 5 of the Federal Trade Commission Act, which treats insufficient data security as a potentially unfair trade practice. International law is also relevant if a U.S.-based organization has global operations or customers. Moulsdale noted that contracts may impose tighter restrictions around data security and breach notification than those set by statute.
With a nod to Heraclitus’ maxim that change is the only constant, Moulsdale said that the data security law space is ever-evolving. Recent changes at the federal level include the Cybersecurity Act of 2015 and the Federal Aviation Administration’s 2016 rules on drones. Proposed legislation, such as the American Data Dissemination Act and Senate Bill 189, would further alter the legal landscape.
For most U.S. organizations with customers in multiple states, customizing data security practices state by state would be onerous and inefficient — and therefore expensive. For that reason, the nation’s strictest state laws come to serve as de facto federal law, and that is what’s happening now with the 2018 passage of the California Consumer Privacy Act (CCPA), Moulsdale said. Granting consumers new rights over the collection and use of their personal information, the CCPA establishes a gold standard for data security that U.S. enterprises with operations or customers in California must meet, and one likely to guide practices nationwide.
Likewise, as of 2018, all 50 states plus the District of Columbia and Puerto Rico have data breach notification laws in place. “Because there’s no omnibus federal law,” said Moulsdale, “the strictest state laws become the de facto federal practice.”
European Legislation Establishes the Gold Standard
A similar phenomenon is happening internationally, with multinational companies hewing to the strong privacy protection provisions set forth by Europe’s General Data Protection Regulation (GDPR), which was implemented May 25, 2018. Matthew J. Schwartz, writing in Data Breach Today (Feb. 6, 2019), reports that Microsoft and Facebook have both stated they will follow GDPR’s requirements worldwide.
The law raises the penalties for data security failures, including revenue-based fines and U.S.-style group litigation claims. The largest fine levied during its first eight months in effect, €50 million, was imposed on Google and pertained to the processing of personal data without authorization.
Close to 60,000 data breaches were reported in the first eight months of the GDPR’s implementation, ranging from minor incidents, such as emails sent to the wrong recipient, to major hacks affecting millions of people.
The Canadian Landscape
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations can collect, use, and disclose individuals’ personal information, said the second panelist, Judith Payne, partner at Pitblado Law. PIPEDA also establishes a breach-reporting framework. Payne noted that PIPEDA does not usually apply to British Columbia, Alberta, or Quebec because similar legislation is in place at the provincial level.
PIPEDA is based on 10 interrelated principles:
- Accountability – An organization is responsible for personal information under its control and shall designate one or more persons who are accountable for the organization’s compliance with the following principles.
- Identifying Purposes – An organization shall identify the purpose(s) for which personal information is collected at or before the time the information is collected.
- Consent – The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. In limited circumstances, personal information may be collected, used or disclosed without the knowledge and consent of
- Limiting Collection – An organization shall limit the collection of personal information to that which is necessary for the purpose(s) identified by the organization. The organization shall collect personal information by fair and lawful means.
- Limiting Use, Disclosure, and Retention – An organization shall not use or disclose personal information for purpose(s) other than those for which it was collected, except with the consent of the individual or as required or permitted by law. The organization shall retain personal information only as long as necessary for the fulfillment of those purpose(s).
- Accuracy – Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
- Safeguards – An organization shall protect personal information by security safeguards appropriate to the sensitivity of the information.
- Openness – An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
- Individual Access – Upon request, an organization shall inform an individual of the existence, use, and disclosure of his or her personal information and shall give the individual access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance – An individual shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for an organization’s compliance.
“Plan to Fail Well”
Maintaining data security wherever a business has operations is akin to surfing in a tsunami, said Moulsdale: “Eventually, you’re going to fall off the board; there’s going to be a data security incident.”
For that reason, “plan to fail well,” he said. Don’t limit planning for an incident to members of the department. “Data security needs to start from the top down and be embedded in the company’s culture,” he said.
Key elements of a comprehensive data security plan include data mapping, legal review and risk analysis, vendor screening, employee training, and monitoring the effectiveness of safeguards. Outside legal counsel and other advisers can help mitigate risk.
“It’s important to remember that liability relating to an incident depends on what happened before the incident,” Moulsdale said. Breaches are expensive, he noted, citing a recent IBM/Ponemon report that calculated the global average of the total cost of a data breach to be $3.86 million.
Data Breach Mini-Case Study: Ashley Madison
Payne presented a case study focusing on the data breach experienced by Avid Media in the summer of 2015 with its Ashley Madison site, which caters to individuals seeking an extramarital affair. A hacker team threatened to expose the personal details of Ashley Madison’s customers unless the site, along with another Avid Media site, Established Men, shut down. When these demands were not met, the hackers released about 25 gigabytes of stolen data, posting the information on the dark web. Individuals whose data was exposed were subjected to blackmail attempts. The breach itself, along with the company’s response to it, damaged its brand.
Although the company had numerous data security safeguards in place, Payne noted, its data security training had been delivered only to higher-level staff. Moreover, indications suggest that the company failed to conduct thorough risk assessments, despite graphics on the site conveying that the highest-level safeguards were in place to guard customers’ particularly sensitive data.
Data breaches will inevitably happen, said Payne. For that reason, an expeditious, well-planned response is crucial. That requires using all available tools, including scanning the dark web for exposed credentials, to detect and contain a breach swiftly.