Keeping Personal Information Personal: Data Privacy Legislation and How to Stay Ahead of the Curve
Media Law Bulletin
Businesses and celebrities alike know the dangers of data breaches, which have become increasingly prevalent. Just recently, at least 50 celebrities, including actress Scarlett Johansson and “High School Musical” star Vanessa Hudgens, have had their phones and email accounts attacked by hackers, who took the “compromising” photos they found and spread them on the Internet. While celebrities might gain additional fame from these occurrences, data breaches can cost a company millions of dollars and damage its reputation for years. The challenge for businesses, as well as for the occasional celebrity, is how to keep private information private.
It is critical that companies, especially those that store sensitive personally identifiable information (PII), institute meaningful data security and mitigation measures. Not surprisingly, data breach and privacy legislation has garnered a great deal of congressional attention over the last few years; yet we still do not have one central federal law or regulation that governs all forms of PII. As a result, companies are faced with a patchwork of state laws with variances in applicability, safe harbors, enforcement and notification procedures and deadlines that make compliance extremely challenging. Many companies engaging in interstate commerce simply default to adopting prevention and mitigation procedures that comply with the more stringent state laws, such as the ones in California and Massachusetts. This uncertainty may change soon with the growing congressional emphasis on data privacy.
Legislative Efforts at Closing the Door on Data Breaches
In 2009, the Senate introduced bill S. 1490 (the Personal Data Privacy and Security Act) and S. 139 (the Data Breach Notification Act), and the House proposed H.R. 2221 (the Data Accountability and Trust Act). Each of these bills would preempt breach notification laws in the 46 states that have enacted them, while each also contains either a risk threshold or exemption to its notice requirement. H.R. 2221 and S. 1490 also require companies that maintain PII to implement a data privacy program and regularly test and monitor the program. S. 1490 contains a penalty provision that imposes either a fine and/or a prison term of up to five years for the intentional concealment of a security breach concerning PII.
2010 saw the introduction of H.R. 6236 (the Data Breach Notification Act), which appears to be a reincarnation of S. 139. This is not uncommon, since at the end of each session of Congress, all proposed bills and resolutions that have not passed are cleared from the books, and members often reintroduce bills that did not come up for debate under a new number in the next session. In July 2010, Sen. Thomas Carper (D-Del.) introduced S. 3579 (the Data Security Act), which targets financial institutions, merchants and federal agencies that maintain large volumes of PII and prescribes security and notification procedures to protect consumers. Similarly, Sen. Mark Pryor (D-Ark.) introduced S. 3742 (the Data Security and Breach Notification Act), which places enforcement in the hands of the Federal Trade Commission (FTC) and requires companies that store PII to implement “reasonable security policies and procedures,” to undertake periodic risk assessments and to provide nationwide notice if a security breach occurs.
Congressional interest in data privacy legislation has not waned in 2011, although the new focus seems to be on online privacy protection. Rep. Cliff Stearns (R-Fla.) recently announced that he will introduce legislation that would create a five-year self-regulatory program overseen by the FTC for companies that collect PII over the Internet. Rep. Jackie Speier (D-Calif.) has proposed legislation in the form of two bills to protect consumer privacy: (1) H.R. 653 (the Financial Information Privacy Act of 2011), which would amend the Gramm-Leach-Bliley Act by updating regulations addressing the disclosure of PII by financial institutions, and (2) H.R. 654 (the Do Not Track Me Online Act), which empowers the FTC to issue regulations requiring Internet companies to allow consumers to opt out of online tracking. In February, Rep. Bobby Rush (D-Ill.) introduced H.R. 611 (the Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act, aka the BEST PRACTICES Act). This comprehensive bill is intended to provide consumers with choices regarding the collection and use of their PII, particularly PII collected online, while also establishing “reasonable procedures” to secure the PII while maintaining its accuracy. Other online privacy bills are in the works in both the House and Senate.
Regardless of the landscape of federal data breach and privacy legislation, companies can take meaningful steps now to institute prevention and mitigation measures that will minimize the possibility of a breach and reduce their liability when the inevitable occurs.
Breaches Are Inevitable – Disasters Are Preventable
Actress Jessica Alba and singer Christina Aguilera were embarrassed when nude photos of themselves were plastered on the Internet. The hackers found the images by accessing their mobile phones, computers and various accounts. The performers could have prevented this by implementing data security measures or simply by not storing those pictures. For businesses as well, there are many preventative measures that can make a data breach less likely. These range from technical defenses (e.g., strengthened firewalls, intrusion detection systems, malware protection) to organizational practices (e.g., restricting unfettered Internet access or limiting the data that users can access). However, some form of breach is inevitable given the range of attack vectors, such as employee misconduct, lost laptops, and opportunistic or targeted network attacks. Also, network security systems are moving to a “defense-in-depth” approach: an intrusion is allowed to penetrate non-critical parts of a network, which in turn triggers a complete defense of the mission-critical areas containing PII.
Companies must therefore consider measures that mitigate data breaches, either by actually reducing the amount of data lost or by allowing a company to prove to regulators and affected parties that the breach was limited. The ability to thoroughly determine the extent of a breach is critical to avoiding liability or the imposition of expensive notification actions. Given onerous state and federal laws, aggressive regulators, and a hungry plaintiffs’ bar, organizations that cannot prove the extent of a breach are often forced to “assume the worst” and declare a data breach when one may not even have occurred.
Mitigating the Breach
Celebrities usually sell more records or movie seats due to data breaches and the resulting media frenzy. For companies, the fallout is not so profitable. So what to do? Below are five steps that a company can put in place to help mitigate potential damages from a data breach.
A Thorough and Updated Breach Response Plan. All companies should have a well-crafted incident response plan in place. It needs to be updated (at least every 6 months), well documented, preferably rehearsed, and with proper senior management support. A response plan is key to capturing sufficient data in the first 48 hours of an incident to be able to identify and stop the breach and conclusively determine how much data was lost. Even if a company does not store PII or regulated confidential data, it must be able to respond confidently to its employees, business partners, and customers when faced with a possible data breach.
Senior management must determine if suitable in-house incident response resources exist and, if not, they must move quickly to vet and select an outside vendor. In addition, a company should consult with its outside attorney to identify an attorney with the relevant experience necessary to handle the telephone call at 2 a.m. and provide counsel should a breach happen.
Network Logging. Network logging records communications and data flow into and across a network. Carrying out and storing such logging can be crucial to determining and proving how much data has actually been compromised. Logs can prove that, while a network was penetrated, no actual confidential data was taken, or that the attackers only reached certain areas of the network. The absence of sufficient logs is the leading reason a company will declare a breach, thereby exposing itself to potential fines, lawsuits and adverse publicity, even when it is unlikely that significant, or even any, confidential data was actually lost.
Logging is often dictated by the cost constraints of storage, and many logs are consequently overwritten after 24 hours. Companies should instead identify key areas that require constant monitoring, with the relevant logs stored in secure locations for several months. The fact that hackers invariably attempt to erase or alter logs to cover their tracks underscores the value of logs in the prevention and mitigation process.
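The following is an added example, not code from the bulletin or from Kivu Consulting, of the kind of log triage the two paragraphs above describe: given retained perimeter logs, it works out which internal hosts an intruding address actually reached, whether any of them hold PII, and whether the surviving logs even cover the incident window. The log format, the sample lines and the asset labels are all constructed assumptions for illustration.

```python
"""Scoping an intrusion from retained network logs (constructed example)."""
from datetime import datetime

# Constructed log lines in an assumed format: "<ISO timestamp> <ALLOW|DENY> <src ip> <dst ip>:<port>".
SAMPLE_LOG = """\
2011-03-01T02:10:05 ALLOW 203.0.113.7 10.0.1.20:443
2011-03-01T02:11:40 ALLOW 203.0.113.7 10.0.1.20:22
2011-03-01T02:14:02 DENY 203.0.113.7 10.0.9.5:1433
2011-03-01T02:15:30 ALLOW 203.0.113.7 10.0.2.15:445
2011-03-01T03:01:00 ALLOW 192.168.5.44 10.0.9.5:1433
"""

# Assumed asset inventory: which internal hosts store PII. Knowing this in
# advance is what turns "the network was penetrated" into "these hosts were reached".
PII_HOSTS = {"10.0.9.5": "customer-db"}


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, action, src, dst = parts
        host, port = dst.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "action": action,
            "src": src,
            "host": host,
            "port": int(port),
        })
    return events


def scope_intrusion(events, attacker_ip):
    """Which hosts the attacker reached (ALLOW), which were blocked (DENY), and whether PII hosts are among the reached."""
    reached = sorted({e["host"] for e in events if e["src"] == attacker_ip and e["action"] == "ALLOW"})
    blocked = sorted({e["host"] for e in events if e["src"] == attacker_ip and e["action"] == "DENY"})
    pii_reached = [h for h in reached if h in PII_HOSTS]
    return {"reached": reached, "blocked": blocked, "pii_reached": pii_reached}


def logs_cover_window(events, incident_start, incident_end):
    """True only if retained logs span the whole incident window.

    If the earliest surviving entry is after the incident began (e.g. logs
    overwritten after 24 hours), the scope cannot be proven and a company
    is pushed toward declaring a worst-case breach.
    """
    if not events:
        return False
    earliest = min(e["ts"] for e in events)
    latest = max(e["ts"] for e in events)
    return earliest <= incident_start and latest >= incident_end


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(scope_intrusion(evs, "203.0.113.7"))
    print(logs_cover_window(evs, datetime(2011, 2, 28), datetime(2011, 3, 1, 3)))
```

In the constructed data the intruder reached two non-PII hosts and was denied at the customer database, which is exactly the kind of evidence the text says can avert a notification; but if the incident began on 28 February and the earliest retained entry is 1 March, the coverage check fails and that evidence is incomplete.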
Internal Controls / Employee User Rights. IT systems should always follow the Principle of Least Privilege, whereby a user — whether an employee, business partner, third party or even a software application — should only possess the bare minimum rights needed to legitimately perform their job. Then, even if a workstation is infected, or an employee acts maliciously or negligently, the company can show the limited extent of the possible data loss, even if the exact extent is not proven.
An occurrence that underscores the importance of limiting employee user rights — as well as the danger of scorned lovers — involved a data breach on which Kivu Consulting worked. A woman, enraged by her ex-boyfriend’s sudden decision to marry a co-worker, hired a private investigator to send a keylogger within an email to capture the correspondence between the newlyweds. Unfortunately, the ex-boyfriend opened the personal email on the same work computer that he used in his position as CFO of a major loan provider. As a result, his ex-girlfriend inadvertently also captured the PII of more than 10,000 customers across the U.S., triggering breach notification issues in multiple states.
Having well-defined and documented user policies (e.g., limiting Internet access, the use of USB devices, or taking data off-site) may prevent breaches and provide a company redress against an employee. However, current best practices dictate that a company actually restrict its computer users, limiting, and potentially monitoring, what data is available or accessible to its employees — and their exes.
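As an added illustration of the least-privilege point (not code from the bulletin or from the loan provider in the anecdote), the example below computes the upper bound on records an attacker controlling one account could have read, first under a broad grant like the CFO's and then under a grant trimmed to the role's actual duties. The data stores, record counts and role grants are constructed assumptions.

```python
"""Bounding possible data loss from a compromised account under two grant models (constructed example)."""

# Assumed inventory of data stores: record counts and whether the store holds PII.
DATA_STORES = {
    "gl-ledger":      {"records": 1200,  "pii": False},
    "payroll":        {"records": 350,   "pii": True},
    "customer-loans": {"records": 10000, "pii": True},
    "marketing-crm":  {"records": 5000,  "pii": True},
}

# Constructed role-to-store grants. The broad model gives the finance role
# everything; the least-privilege model gives only what the role's job needs.
BROAD_GRANTS = {"cfo": {"gl-ledger", "payroll", "customer-loans", "marketing-crm"}}
LEAST_PRIVILEGE_GRANTS = {"cfo": {"gl-ledger", "payroll"}}

# Constructed user-to-role assignment.
USERS = {"cfo-user": "cfo"}


def reachable_stores(user, grants, users=USERS):
    """Stores the user's role can read; unknown roles get nothing (deny by default)."""
    role = users.get(user)
    return set(grants.get(role, set()))


def exposure_bound(user, grants, stores=DATA_STORES, users=USERS):
    """Worst-case records readable from `user`'s account, split out by PII.

    This is the number a company can put in front of regulators: an attacker
    sitting on this workstation could not have reached more than this.
    """
    reach = reachable_stores(user, grants, users)
    pii_records = sum(stores[s]["records"] for s in reach if stores[s]["pii"])
    total_records = sum(stores[s]["records"] for s in reach)
    return {"stores": sorted(reach), "pii_records": pii_records, "total_records": total_records}


def excess_grants(role, current, minimal):
    """Grants a role holds beyond the least-privilege set; these are the revocation candidates."""
    return sorted(current.get(role, set()) - minimal.get(role, set()))


if __name__ == "__main__":
    print("broad:", exposure_bound("cfo-user", BROAD_GRANTS))
    print("least privilege:", exposure_bound("cfo-user", LEAST_PRIVILEGE_GRANTS))
    print("revoke:", excess_grants("cfo", BROAD_GRANTS, LEAST_PRIVILEGE_GRANTS))
```

With the broad grant the bound on exposed PII is 15,350 records; with the trimmed grant the same keylogged account bounds the loss at 350, and the two customer-facing stores are the grants to revoke.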
Encryption. “Full disk encryption” (the encryption of all data on a drive, including the encryption program itself) is often seen as a panacea for both prevention and mitigation. Thus, a company whose employee loses a laptop with full disk encryption may not believe that any data has been breached. Yet, over-reliance on encryption is dangerous. In practice, problems include (1) malware or hacking techniques that capture passwords, including those used to encrypt files or a computer and/or (2) computer users not following corporate encryption policies even when encryption is installed on their laptops or storage media.
Senior management should audit encryption use and ensure that the chosen encryption solution is sufficiently easy to use and does not negatively impact normal computer usage. Even a single example of non-compliance can be dangerous, with plaintiffs’ attorneys extrapolating the single failure to comply into a “worst-case scenario.” In such an instance, the onus then shifts to the company to prove that encryption was not only installed on a stolen laptop, but was actually used by the employee in question — often a difficult task. Therefore, at a minimum, in order to at least show that a company is following best practices, all mobile devices, including laptops, USB sticks, mobile phones, etc., should be completely encrypted. A similar requirement should be enforced against contractors and third parties handling the company’s data.
Inventorying a Company’s Confidential Data. Knowing in advance the storage location of a company’s key data is often crucial in proving that a compromise of its system did not expose confidential data to an outsider. However, this measure is limited by the thoroughness of the audit (preferably automated) and the frequency of the inventory. An out-of-date inventory is useless in determining the scope of data that might have been exposed and is simply a wasted resource.
Fighting the Breach
Stars such as Hudgens are fighting back against the breaches of their personal information by working with federal investigators who are probing celebrity hack attacks. Businesses, in turn, are looking to lawmakers for protection — and direction. It is only a matter of time before Congress enacts a comprehensive federal data breach and privacy law that will hopefully provide clear guidance as to the implementation of a data security program. Yet, regardless of the current data privacy legal landscape, a number of practical preventative measures exist that companies may use to limit their potential liability when the inexorable data breach happens.