Export Compliance Daily is a service of Warren Communications News.
'Unsolved Problem'

Data Breach Landscape: Few Federal Rules, Inconsistent State Laws

Although every state has a data breach notification law, each one imposes different regulations and reporting requirements, Emory Roane, associate director of policy at Privacy Rights Clearinghouse (PRC), said in a recent interview with Privacy Daily. While some protections exist at the federal level, a comprehensive breach law would help, as would data minimization principles, privacy pros added.



Only 14 states require that businesses suffering a breach notify a state agency and that the agency share the information publicly, said Roane. At the federal level, he said, the U.S. Department of Health and Human Services has a breach notification rule, which was added to HIPAA in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

What all this means is “there's more data out there that is simply not being shared publicly.”

Jay Harris, a lawyer in the Hudson Cook property management program who specializes in consumer data, said consumers have some protections. And they are gaining new ones concerning data deletion and retention, as well as affirmative privacy and anti-breach protections, he said. Also, within property management, “there are some pretty significant limits on the kinds of questions that [a] consumer can be asked” in an application.

At the federal level, the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) offer general protections for things like eligibility determinations and marketing, said Harris. State laws then “layer on top of that,” giving "additional rights for protection from certain kinds of profiling, certain marketing rights, opt-out rights, and so forth."

Privacy advocates like PRC say that “a federal law would be great, as long as it is [a] floor" and not a "ceiling" that preempts state laws, said Roane. “We would love a federal standard if it sets a minimum of what states can do, but states are allowed to go beyond it,” as with HIPAA.

California is unique among the states, Roane noted, because under the California Consumer Privacy Act, there is a private right of action around data breaches. “When the data breach impacts someone's sensitive personal information, and [the organization] didn't use reasonable security measures, you can actually sue a business and recover some stipulated amount of damages.”

The state legislature also passed SB-446 this session (see 2508290005), which would require consumer notification within 30 days of discovering a breach, he added. It awaits the signature of Gov. Gavin Newsom (D).

What Data Breach Laws Do

“One of the sleeper elements of a very, very good data breach notification law ... is the public reporting side of things,” Roane said. “What is happening to government agencies that are getting these breach notifications? And, are they sharing them and how are they sharing them?”

An August settlement between the Massachusetts attorney general and a property management company over its shortcomings in handling a cybersecurity breach provides a case study. In a recent post, Harris called it a cautionary tale for any business collecting and storing consumer data (see 2509050052).

The $795,000 settlement with Peabody Properties came in the wake of five phishing-based cyber intrusions at the property management company. The breach leaked sensitive personal information, including Social Security numbers, driver's license data and bank account details, of almost 14,000 Massachusetts residents.

The sum is “not insignificant” and the Massachusetts AG didn't go "lightly" in this case, Harris said. “It was revealing, just looking at the language of the settlement, that there were several security measures that are fairly common as part of a data security program that a business … would have under Massachusetts law that are being implemented that … may or may not have been in effect before,” including multi-factor authentication or broader detection and prevention.

It's not “just about the dollar number," added Harris, but also "the overall cost here.” The settlement marked a “pretty significant upgrade in the protections" required by the AG office, and having to provide credit monitoring services "typically brings a cost as well."

Just the fact that the AG brought this case is also significant, said Harris, as these matters are typically raised in class actions.

Preventing Breaches

Data minimization laws often end up helping companies mitigate the possibility of a data breach, said Shook Hardy lawyer Alfred Saikali. “It was a security practice that good companies were engaging in even before there were laws.”

Roane agreed. “The best way, if you're a business, of preventing the risk of data breaches is to minimize the data that you have to breach,” he said. “The problem" is that for years "we have utterly incentivized this ‘collect and hoard mentality,’ where businesses are just getting everything they can and monetizing as much as they can and holding it forever and not using good practices.”

Laws are needed that "require businesses to collect only what is necessary and to have deletion requirements that automatically trigger and make it easy for folks to delete their information,” he added. “That's the fastest and most immediate solution to this.”

Harris noted that “the expectation of what a business is supposed to do regularly increases.” Accordingly, “It's important that a business has qualified personnel [and] an adequate budget of engagement with the board," with someone in "a senior role who can help articulate" how much "the company is spending on safety safeguards and protections" and how much it should increase that spending to ward off "new kinds of attacks into the organization.”

Many breaches stem from employee vulnerabilities, said Harris, so it's also important to regularly conduct training on passwords and hold "anti-phishing exercises to get a sense of whether employees are continuing to open too-good-to-be-true offers" from external senders "when they shouldn't be.”

Saikali added that companies are increasingly de-identifying data they collect to prevent harm from breaches. “They realize that that's the best way to store it, so that if a threat actor gets there, they're really not [going to] be able to do anything valuable with it.”

In “every state, there are data breaches,” Roane noted. “Wherever data is being held, data breaches are happening … across basically every industry that we look at.”

“This is a technological problem in search of a regulatory solution,” he added. “Data breaches are an unsolved problem.”