Illinois AG Proposes Updates to Breach Law

Illinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2015 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute.  In her press release, she states:

Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions.  The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly.  The report outlines three principles the updated legislation should address:

1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.

2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.

3. Notification – the legislation should expand the definition of personal information (medical and health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information such as DOB, and login credentials); require entities to notify the AG’s office and create a database of breaches affecting Illinois; and enable small businesses to notify local media rather than statewide media when breaches occur.

News reports suggest the legislation will go to the Illinois General Assembly shortly.

President Proposes Federal Breach Notification Law

In advance of the State of the Union, President Obama appeared at the Federal Trade Commission today to preview a couple of administration proposals, which will be addressed in the upcoming speech to the nation.  The President addressed a potential federal breach notification statute:

…we’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused. Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.

So, the proposal (the Personal Data Notification & Protection Act) is to standardize the breach notification deadline at 30 days. Florida’s statute already uses 30 days; some states require notice only “as soon as practicable.”

Some express the concern (which is typically voiced by state Attorneys General) that a federal statute would dilute the effectiveness of the consumer protections in place. http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/12/privacy-advocates-a-national-data-breach-notification-standard-might-actually-make-things-worse/

Commentators note that it is not clear whether such legislation would make it through Congress. Industry, having already absorbed the various state rules, is resistant to tackling a new federal statute, and consumer groups worry that a federal law would preempt stronger state protections. See comments at:

https://privacyassociation.org/news/a/obama-announces-legislation-on-student-id-consumer-privacy/

Another new proposal is the Student Digital Privacy Act.  This legislation would require that data gathered about students through educational programs can be used only in an educational context, not sold to third parties (similar to the recent California law).

The Administration is also going to revive its 2012 Consumer Privacy Bill of Rights, which lays out principles for online data collection (revised proposal to come out in 45 days).


UPDATE:

The President also took up the challenge of “precision medicine:”

I want the country that eliminated polio and mapped the human genome to lead a new era of medicine — one that delivers the right treatment at the right time. In some patients with cystic fibrosis, this approach has reversed a disease once thought unstoppable. Tonight, I’m launching a new Precision Medicine Initiative to bring us closer to curing diseases like cancer and diabetes — and to give all of us access to the personalized information we need to keep ourselves and our families healthier.

This is part of the movement toward tailored therapies and treatments for diseases and chronic conditions.  The example referenced in administration materials was that of a cystic fibrosis patient, given the medicine Kalydeco (developed by a company called Vertex).  Reportedly this is the first drug designed to counter the genetic cause of the life-threatening chronic lung disease.  The medicine targets the underlying cause of the disease for a small subset of patients.

Providing such targeted treatments likewise requires collecting more personalized medical information from patients.  The costs of collecting data and personalizing treatment are noted in reactions to such initiatives, but promoters also hope that “[m]ore research will allow clinicians to make more-precise diagnoses, which in turn drive better treatments.” http://www.modernhealthcare.com/

See also, The Patient-And Her Data-Will See You Now,

http://www.rwjf.org/en/blogs/

“Personalized medicine has the potential to transform our health care system, which consumes almost $3 trillion a year, 80 percent of it for preventable diseases,” Dr. Snyderman said.

Although the new tests and treatments are often expensive, he added, personalized medicine can save money while producing better results. “It focuses therapy on individuals in whom it will work,” he said. “You can avoid wasting money on people who won’t respond or will have an adverse reaction.”

Florida Updates Breach Law

-Effective July 1, 2014-

On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014. The legislation broadens the definition of what triggers a notification. Personal information is now defined as an individual’s first name or first initial and last name, or any middle name and last name, in combination with any one or more of these data elements:

-SSN

-DL number or ID number, passport number, military ID number or other similar number issued on a government document

-Financial account number or credit/debit card number in combination with security/access code or password

-Any information regarding a person’s medical history, mental/physical condition or treatment/diagnosis

-Health insurance policy number or subscriber number

-User name or email address, in combination with a password or security question (that would permit access)

The law requires notification following a breach “without unreasonable delay,” and no later than 30 days after the determination of a breach (with certain exceptions). If notice must be given to more than 1,000 individuals at a single time, notice must also be given to consumer reporting agencies. The act now uses the term “covered entity” to describe the organizations affected; a covered entity includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores, or uses personal information (for certain purposes, this includes governmental entities). The act addresses customer records and data in electronic format. Notice must also be provided to the Department of Legal Affairs of any breach affecting 500 or more individuals, no later than 30 days after the determination of the breach (or reason to believe there was a breach).

In addition to describing the incident and who was affected, the reporting entity must include a police or incident report or computer forensics report, a copy of policies in place regarding breaches, and steps taken to rectify the breach.

The law provides quite a few more rigorous requirements involving security and how entities are to provide a breach response. The Attorney General “thanked” the Governor for enacting the law quoting other legislators who commented that the act “will better protect the confidential personal information of Floridians and hold accountable those who attempt to compromise the security of that information.” The AG notes that the law also requires covered entities “to take reasonable measures to protect Floridians’ personal information and [to] properly dispose of customer records.”

See text at:

http://www.flsenate.gov/Session/Bill/2014/1524

See also commentary about why this law could be model for a comprehensive federal law (reasonable data protection; secure disposal; unauthorized access triggers notification; scale of notification requirements; PII includes medical history, insurance ID; 30-day notification deadline; documentation of investigation; schedule for penalties).

http://www.idt911.com/KnowledgeCenter/NewsRoom/NewsRoomDetail.aspx?a=6E04A83A-6EE4-4806-AA26-6623B82FAB65


Once Again, California…on Privacy, Do Not Track

AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures


In a press release dated May 21, 2014, California Attorney General Kamala Harris issued a series of recommendations for businesses addressing changes to California privacy law.  Key recommendations include:

  • Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
  • Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
  • Are third parties collecting personally identifiable information?  If yes, say so
  • Explain uses of personally identifiable information
  • Describe what you collect, how you use it, how long you retain it
  • Describe choices the consumer has regarding use/sharing of PII
  • Use plain language – use graphics/icons

The guide includes summaries of relevant CA statutes (CalOPPA – broad requirement for privacy policies; AB 370 – tracking transparency).  And, while the “guide” provides no new regulations or enforcement mechanisms, entities doing business in California, and especially those previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook), will likely pay close attention to ensure compliance.  The guide is called Making Your Privacy Practices Public and you can see it at:

https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf


Oh the Sun Shines Bright in My Old Kentucky…

…Cloud?

Kentucky is now the 47th state to enact a data breach notification law.

Identity Theft/Fraud Trigger

The bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.”  Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):

  1. SSNs
  2. DL numbers
  3. Account number, credit or debit card number, in combination with any required security code, access code or password permit[ting] access to an individual’s financial account.

The statute specifies that any “information holder” shall disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.”  The notification provisions do not apply to any person subject to the provisions of Gramm-Leach-Bliley or HIPAA, or to any state or local governmental agency.

Student Protections

In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).

The state auditor had promoted enacting such legislation and released a report stating:

“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”

http://www.wdrb.com/story/24272935/ky-auditor-says-a-data-breach-notification-law-is-needed

http://apps.auditor.ky.gov/Public/Audit_Reports/Archive/2013SSWAK-I-PR.pdf


Just in time for the 140th “Run for the Roses”

My Old Kentucky Home by Stephen Foster

The sun shines bright in My Old Kentucky Home,

‘Tis summer, the people are gay;
The corn-top’s ripe and the meadow’s in the bloom
While the birds make music all the day.

The young folks roll on the little cabin floor,
All merry, all happy and bright;
By ‘n’ by hard times comes a knocking at the door,
Then My Old Kentucky Home, good night!

Chorus:

Weep no more my lady
Oh weep no more today;
We will sing one song
For My Old Kentucky Home
For My Old Kentucky Home, far away


http://allrecipes.com/recipe/mint-juleps/


http://www.kentuckyderby.com/

“The Kentucky Derby is a Grade I stakes race for three year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”

And, for some Data and The Derby – see:

http://helloracefans.com/handicapping/patterns/geek-out-mining-derby-data/
