The White House announced several interesting cyber-security initiatives yesterday, one of which is a proposed Federal Breach Notification Law that is being sent to Congress for consideration. On a briefing call directed to the security industry, they made it clear that this law would pre-empt the various state laws in an effort to simplify compliance and enforcement. I am not so sure that they accomplished their goals.
Although the proposed Law raises many issues that need to be considered, in essence it requires that:
1) Businesses, other than those covered under the HITECH Act, that are engaged in or affect interstate commerce and that use or possess personally identifiable information on more than 10,000 individuals during any 12-month period [note that this does not cover every entity that is covered under the various state laws, so it will present an interesting pre-emption issue, likely the subject of a future blog post] that experience a
2) Security Breach (defined to include "loss") of
3) Personally Identifiable Information (such as government-issued identification numbers, certain combinations of personal information, biometric data, and unique account identifiers [note that this last category is an interesting inclusion, likely the subject of a future blog post]) must provide
4) Prompt Notice (by letter or telephone call, unless the individual has properly consented to e-mail notices; AND, if the breach affects more than 5,000 individuals, also notice to the applicable media and the consumer credit reporting agencies) unless they conduct a
5) Risk Assessment that concludes that there is no reasonable risk that a security breach has resulted (encryption, or other means of rendering the information unusable in a generally accepted manner, creates a presumption that "no reasonable risk" exists)
a. Note that this presumption may be rebutted by "facts demonstrating that the security technologies or methodologies in a specific case have been, or are reasonably likely to have been, compromised" (for example, where the decryption key was exposed along with the encrypted data)
b. Note further that these Risk Assessments must be conducted "in a reasonable manner or according to standards generally accepted by experts"
6) Note that even if an entity has encrypted or otherwise protected the information, it must still notify the FTC of the loss or breach and provide the results of the Risk Assessment.
My initial reaction is that encryption is still the best way to guard against breach notifications—but companies will now have to be more vigilant about their actions post-breach. They will now have to conduct a Risk Assessment each time there is a loss or breach and then notify the FTC of the results (potentially including log information). Proof is critical.