Back in May, the White House proposed sweeping new data breach legislation. The purpose of the proposed law is to simplify the various State reporting and notification obligations of companies when they (inevitably) lose the personal information of their customers, agents or employees. Generally speaking, those laws require companies to encrypt their data so as to avoid the harsh consequences of losing “clear text” personal information.
As I stated in a previous blog post, the proposed legislation creates new obligations on companies that handle personal information. In particular, when companies that are subject to the new law lose data, they will have to conduct a Risk Assessment as to the loss and notify the FTC of the results of the Risk Assessment. As in the past, centrally-managed encryption is one of the easiest ways to “pass” the Risk Assessment.
But what about small businesses? They are clearly covered by most of the State breach notification laws. Will they be subject to the proposed Federal law? Not necessarily. The new legislation only applies to those companies that possess “sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” (§101(a)). While some will certainly have that much data, many small (and even medium-sized) businesses will not have that many records. They will therefore not be subject to the new legislation.
So if the Federal law will not apply to small businesses, will the pre-existing State laws remain in effect for them? This is unclear. The proposed legislation includes a preemption provision stating that “[t]he provisions of this Title shall supersede any provision of the law of any State . . . relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data” (§109) (emphasis added). Did the White House intend to reduce the regulatory burden on small businesses? Possibly. But not likely.
As we watch for congressional action on this point to see whether Congress clarifies the applicability of the various breach notification laws to all businesses (see, for instance, Senator Leahy’s proposed Bill), the best course of action for every business is to encrypt its data. The common denominator for all of the legislation that we have been watching is that encryption protects companies from broad notification obligations.
The White House announced several interesting cyber-security initiatives yesterday—one of which is a proposed Federal Breach Notification Law that is being sent to congress for consideration. On a briefing call directed to the security industry, they made it clear that this law would pre-empt the various state laws in an effort to simplify compliance and enforcement. I am not so sure that they accomplished their goals.
Although the proposed Law presents many things that need to be considered, in essence it requires:
1) Businesses other than those covered under the HITECH Act (engaged in or affecting interstate commerce that use/possess personally identifiable information on more than 10,000 individuals during any 12-month period [note that this doesn’t cover every entity that is covered under the various state laws and so will present an interesting pre-emption issue—likely to be the subject of a future blog post]) who experience a
2) Security Breach (defined to include “loss”) of
3) Personally Identifiable Information (such as government-issued identification numbers, certain combinations of personal information, biometric data, and unique account identifiers [note that this last category is an interesting inclusion—likely the subject of a future blog post]) must provide
4) Prompt Notice (by letter or telephone call unless the individual has properly consented to e-mail notices AND if the breach affects more than 5,000 individuals, also provide notice to the applicable media and the consumer credit reporting agencies) unless they conduct a
5) Risk Assessment that concludes that there is no reasonable risk that a security breach has resulted (encryption and other means of rendering the information unusable in a generally accepted manner creates a presumption that “no reasonable risk” exists)
a. Note that this presumption may be rebutted by “facts demonstrating that the security technologies or methodologies in a specific case have been, or are reasonably likely to have been, compromised”
b. Note further that these Risk Assessments must be conducted “in a reasonable manner or according to standards generally accepted by experts”
6) Note that even if an entity has encrypted or otherwise protected the information, it is still required to notify the FTC of the loss or breach and provide the results of the Risk Assessment.
My initial reaction is that encryption is still the best way to guard against breach notifications—but companies will now have to be more vigilant about their actions post-breach. They will now have to conduct a Risk Assessment each time there is a loss or breach and then notify the FTC of the results (potentially including log information). Proof is critical.
Much has been written about breach notification laws such as California’s Security Breach Information Act, which encourage companies to encrypt personal information in their possession. They generally do so by requiring that companies notify individuals whose information has been lost or stolen if such information was not encrypted at the time of loss. Because of the significant cost and reputational damage associated with these breach notifications, a number of companies have chosen to encrypt personal information.
Many companies, however, appear unconvinced, as evidenced by the fact that we hear of new breach notifications nearly every day. Perhaps the mere threat of having to provide breach notifications is insufficient as companies weigh the risk against the perceived cost. Maybe they remain true to the cliché that “information is an asset.” While this is undoubtedly true, corporate officers should also realize that information increases the risk profile of a company.
But is there really the potential for liability in addition to the requirements under existing breach notification laws (some of which already provide for civil remedies)? A jury can find liability where the following elements exist: 1) Duty; 2) Breach; 3) Cause; and 4) Harm. It’s easy enough to imagine a scenario where a data loss (element 2) causes harm (elements 3 and 4). But, what about element 1—is there a general duty to encrypt information or otherwise assure that it’s never compromised?
It’s doubtful that a broad duty to encrypt information exists. For example, it seems overly broad to apply liability with respect to personal data on home computers that are stolen. Corporate computers, however, may be different because of the applicability of breach notification laws. These breach notification laws may give rise to a negligence per se argument—essentially that the law imposes a certain duty, or standard of care, the breach of which can give rise to liability. Under these circumstances, liability may be imposed on corporations even in the absence of a statutory remedy.
Even if ultimately unsuccessful, this type of litigation is costly—both in litigation expense and in reputational damage. For these reasons, it is easy to come to the conclusion that information is a liability and that the encryption of information is a fundamental component of following best practices in corporate risk management.