Illinois AG Proposes Updates to Breach Law

Illinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2015 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute. In her press release, she states:

Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions. The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware whether those breaches had affected them directly. The report outlines three principles the updated legislation should address:

1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.

2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.

3. Notification – the legislation should expand the definition of personal information (medical and health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and login credentials); require entities to notify the AG’s office and create a database of breaches affecting Illinois; and enable small businesses to notify local media rather than statewide media when breaches occur.

News reports suggest the legislation will go to the Illinois General Assembly shortly.

California Updates and Tries to Strengthen Some Privacy Protections

California’s Updates on Breach and Security

Gov. Jerry Brown signed legislation beefing up California’s breach notification law. The new law, effective January 1, 2015, requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised. The consumer will still be responsible for taking some action to accept those services.

The Governor signed other bills that also attempt to provide additional privacy and security protections, including restrictions on the paparazzi, laws addressing “revenge porn,” and a prohibition on the state from helping federal intelligence agencies collect telephone records without warrants:

  • SB 1177 – Prohibits the creation and distribution of “profiles” of minor students; prohibits applications from targeting K-12 students
  • AB 928 – Requires each state agency and department to conspicuously post its privacy policy on its website
  • AB 1256 and AB 2306 – Expand existing law regarding invasion of privacy (type of activity protected from unwarranted capturing of images or photographs; establish zones of privacy around schools and medical facilities; eliminate the existing physical trespass requirement for invasion of privacy; render illegal the use of drones and other electronic devices to capture images of individuals in their homes)
  • AB 1356 – Expands legal recourse for stalking victims (allows plaintiffs to plead “substantial emotional distress” as an alternative to the existing standard of “reasonable fear”)
  • AB 2643 – Creates private legal recourse against a person who intentionally distributes a sexually explicit image or video of another without his or her consent (allows plaintiffs to file a civil suit for damages against a defendant who posted intimate photos or videos of the plaintiff without consent)
  • SB 828 – Prohibits state agencies from assisting the federal government in the collection of personal, electronically stored data, except under certain circumstances (that the state knows to be illegal or unconstitutional)
  • SB 1255 – Expands existing law regarding the distribution of a sexually explicit image or video of another with the intent to cause serious emotional distress

Oh the Sun Shines Bright in My Old Kentucky…

…Cloud?

Kentucky is now the 47th state to enact a data breach notification law.

Identity Theft/Fraud Trigger

The bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):

  1. SSNs
  2. DL numbers
  3. Account number, credit or debit card number, in combination with any required security code, access code or password permit[ting] access to an individual’s financial account.

The statute specifies that any “information holder” shall disclose any breach of the security system, following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.” The notification provisions do not apply to any person subject to the provisions of Gramm-Leach-Bliley or HIPAA, or to any state or local governmental agency.

Student Protections

In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).

The state auditor had promoted enacting such legislation and released a report stating:

“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”

http://www.wdrb.com/story/24272935/ky-auditor-says-a-data-breach-notification-law-is-needed

Click to access 2013SSWAK-I-PR.pdf

Just in time for the 140th “Run for the Roses”

My Old Kentucky Home by Stephen Foster

The sun shines bright in My Old Kentucky Home,

‘Tis summer, the people are gay;
The corn-top’s ripe and the meadow’s in the bloom
While the birds make music all the day.

The young folks roll on the little cabin floor,
All merry, all happy and bright;
By ‘n’ by hard times comes a knocking at the door,
Then My Old Kentucky Home, good night!

Chorus:

Weep no more my lady
Oh weep no more today;
We will sing one song
For My Old Kentucky Home
For My Old Kentucky Home, far away


http://allrecipes.com/recipe/mint-juleps/


http://www.kentuckyderby.com/

“The Kentucky Derby is a Grade I stakes race for three year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”

And, for some Data and The Derby – see:

http://helloracefans.com/handicapping/patterns/geek-out-mining-derby-data/


California AG Issues Report on Data Breaches Covering 2012


In a report issued July 1, 2013, the California Attorney General, Kamala Harris, notes that more than 2.5 million Californians were “put at risk” by data breaches in 2012. The Data Breach Report 2012 (“the Report” or “the Data Breach Report”) cites key findings: 131 data breaches were reported to the AG in 2012; the average breach incident involved 22,500 individuals; more than 28% of the breaches would not have required notification if the data had been encrypted; the retail industry reported the most data breaches; and more than half of the breaches were the result of intentional intrusions by outsiders or unauthorized insiders. See the AG website: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-releases-report-data-breaches-25-million.

Notably, Attorney General Harris provides some recommendations:

  • Companies should encrypt digital personal information
  • Companies and agencies should review and tighten security controls
  • Companies and agencies should improve readability of breach notices
  • Companies and agencies should offer mitigation products
  • And, in a message to the Legislature – amend the breach notification law to require notification of breaches of online credentials, such as user name and password

This last recommendation would appear to significantly alter the notification landscape, as there are numerous breaches that do not fall within the reporting/notifying criteria given the nature of the information impacted. States with notification statutes have used a variety of ways to define personal information (e.g., SSNs, bank information, routing numbers, taxpayer IDs), and typically the definition is based on the assumption that access to such information leaves a resident of that state more susceptible to some type of credit or financial fraud. The Data Breach Report notes that, in recent years, online intrusions have targeted passwords and other account credentials, which then allow criminals access to the account information (specifically referencing news reports on Sony, Yahoo!, the New York Times and Twitter). The Report highlights the social engineering aspect of data security: most consumers do not use unique passwords for all of their accounts. A takeover of one account may result in access to all, “including banking and other supposedly secure accounts.”

The Report specifies that the incidents reported on were submitted to the AG in 2012, while some occurred earlier and some breaches that occurred in 2012 were reported in 2013.  Also, the Report does not cover the universe of data breaches, given that the notification law requires reporting to the AG only on breaches of electronic data affecting more than 500 individuals.

Another recommendation to the Legislature is a law to require the use of encryption to protect personal information on portable devices and media and in email.  Other than the statutory suggestions, the Report serves as a guidepost for businesses, given the admonishments regarding improvement for security, clarity/accessibility in the actual notification texts and encouraging the notifying entities to offer credit security freezes.  With respect to the last point, the Report underscores another serious type of ID theft: new account fraud.


Inspector General – Medicare/Medicaid Tardy On Breach Notifications

In a bit of turn-about is fair play, HHS reveals that the Centers for Medicare and Medicaid Services failed to meet the patient notification deadline under the HITECH breach notification rule. The report also cited some statistics on medical ID theft. CMS has a database of Medicare ID and claim numbers that have been used, or are suspected of having been used, in ID theft. As of February 2012, the database held in excess of 280,000 beneficiaries and 5,000 providers. CMS is supposed to be tracking unusual billing activity and establishing scores to identify claims for review, but guidance is lacking on how to use the database and on identifying billing and medical ID fraud.

http://www.govinfosecurity.com/medicare-lags-on-breach-notification-a-5194