The U.S. Government Accountability Office recommends that Congress consider comprehensive federal internet privacy legislation.

Issues that should be considered include:

  1. Which agency or agencies should oversee Internet privacy.
  2. What authorities an agency or agencies should have to oversee Internet privacy, including notice-and-comment rulemaking authority and first-time violation civil penalty authority.
  3. How to balance consumers’ need for Internet privacy with industry’s ability to provide services and innovate.


Will the California Consumer Privacy Act serve as a blueprint for a federal privacy law or for a patchwork quilt of state privacy laws?

As states have been commencing legislative proceedings and as proposals for a federal privacy law are being formulated, the following seem to be principles that most agree should be included in a privacy law in the U.S.:

  • Banning some practices, including using data to discriminate against users.
  • Giving people the right to sue over misuse.
  • Giving people ownership rights in their data including the right to delete it, change it or take it back.
  • Requiring companies to be more transparent about how they use data and collect consumers’ consent, with some exceptions.

A point of contention is whether or not a federal U.S. privacy law should completely preempt (invalidate) state privacy laws (or whether they should continue to be binding if stricter than the federal law).

Details from the San Francisco Chronicle.

Data privacy bills are pending in at least eight states, reports Sara Merken at Bloomberg Law.

State lawmakers are aiming to give citizens more control over their personal data. Some of the bills largely follow the lead of California, whose Consumer Privacy Act takes effect Jan. 1, 2020. Others are more narrowly focused on specific business practices.

Some highlights:

  • In North Dakota – a bill would require companies to provide to consumers, upon request, information about the types of personal information the companies collect and possess
  • In New York – one bill addresses biometric privacy and another would govern businesses’ collection and disclosure of personal information
  • In Utah – a bill would require law enforcement to get a warrant from a judge to access electronic information
  • In Washington state – a bill would allow consumers to ask companies for a copy of their personal data and to delete or correct inaccurate data and would also regulate facial recognition technology

Details in Bloomberg Law.

In my previous post, I reviewed the New York State Department of Financial Services’ (NYDFS) findings and conclusions of survey results of financial institutions and insurers’ programs, costs, and future plans related to cybersecurity.

Anthony J. Albanese – Acting Superintendent of Financial Services – writes in a November 9, 2015 letter to Financial and Banking Information Infrastructure Committee (FBIIC) Members that these conclusions have demonstrated a need for new cybersecurity regulations for financial institutions.

Such “robust regulatory action” would be a coordinated effort between state and federal agencies to create a thorough cybersecurity framework addressing critical concerns as well as covering New York-specific interests.

Potential regulations implemented by the NYDFS would require covered financial entities to meet specific cybersecurity obligations in the following areas:

  • Cybersecurity policies and procedures;
  • Third-party service provider management;
  • Multi-factor authentication (i.e., requiring covered entities to apply such authentication to customer, internal, and privileged access to confidential information as well as any access to internal systems or data from an internal network);
  • Chief Information Security Officer (i.e., covered entities will be required to have a CISO responsible for overseeing and implementing a cybersecurity policy, among other duties);
  • Application security (i.e., covered entities must have and set forth written policies, procedures, and guidelines to ensure the security of all applications utilized by the entity which need to be updated annually by the CISO);
  • Cybersecurity personnel and intelligence (i.e., covered entities will need to hire cybersecurity personnel who can handle certain cyber risks and perform core functions of “identify, protect, detect, respond and recover,” as well as providing mandatory training to such personnel);
  • An audit function; and
  • Notice of cybersecurity incidents.

Some of these proposed requirements are set forth in more detail below.

 

Cybersecurity Policies and Procedures

Covered entities, Albanese writes, would need to implement and maintain written cybersecurity policies and procedures addressing the following areas:

(1) information security;

(2) data governance and classification;

(3) access controls and identity management;

(4) business continuity and disaster recovery planning and resources;

(5) capacity and performance planning;

(6) systems operations and availability concerns;

(7) systems and network security;

(8) systems and application development and quality assurance;

(9) physical security and environmental controls;

(10) customer data privacy;

(11) vendor and third-party service provider management; and

(12) incident response, including by setting clearly defined roles and decision making authority.

Third-party Service Provider Management

Albanese wants covered entities to ensure that third-party cybersecurity policies and procedures are implemented. Third-party service providers who hold or have access to sensitive data or systems will need to adhere to certain contractual terms, including the following provisions:

(1) the use of multi-factor authentication to limit access to sensitive data and systems;

(2) the use of encryption to protect sensitive data in transit and at rest;

(3) notice to be provided in the event of a cyber security incident;

(4) the indemnification of the entity in the event of a cyber security incident that results in loss;

(5) the ability of the entity or its agents to perform cyber security audits of the third party vendor; and

(6) representations and warranties by the third party vendors concerning information security.

Audits

Annual penetration testing as well as quarterly vulnerability assessments will be a new requirement for covered entities. Such entities will also be responsible for maintaining an audit trail system that performs the following functions:

(1) logs privileged user access to critical systems;

(2) protects log data stored as part of the audit trail from alteration or tampering;

(3) protects the integrity of hardware from alteration or tampering; and

(4) logs system events, including access and alterations made to audit trail systems.

Notice of Cybersecurity Incidents

Covered entities, Albanese writes, will need to immediately notify the NYDFS of any cyber security incident that is reasonably likely to materially affect such entity’s normal operation, including a cybersecurity incident

(1) that triggers certain other notice provisions under New York Law;

(2) of which the entity’s board is notified; or

(3) that involves the compromise of “nonpublic personal health information” and “private information” as defined under New York Law, payment card information or any biometric data.

These potential requirements are subject to further review and revision by the NYDFS, and there is no timetable for when these requirements will become the law of the land in New York. It will be interesting to see if and when covered entities begin implementing these requirements in advance of a legal obligation to do so. Will other states’ regulatory agencies enact similar regulations modeled on the NYDFS proposals? Look for developments on this topic in the news and on this website.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

In reaction to two surveys of more than 150 regulated banking organizations and 43 regulated insurers in New York, the state’s Acting Superintendent of Financial Services issued a letter to all Financial and Banking Information Infrastructure Committee (FBIIC) Members addressing the need for potential new cybersecurity regulations in the financial sector.

The New York State Department of Financial Services (NYDFS) expects that the November 9, 2015 letter will trigger more “dialogue, collaboration and, ultimately, regulatory convergence” among New York agencies on “strong” cybersecurity norms for financial institutions.

In the letter, Anthony J. Albanese – Acting Superintendent of Financial Services – discusses the NYDFS’ review of the two surveys which were conducted in 2013 and 2014. The surveys asked about the banks’ and insurers’ programs, costs, and future plans pertaining to cybersecurity. Albanese writes that the findings of those surveys led to some additional actions:

  • The NYDFS expanded its information technology examination procedures to focus more attention on cybersecurity;
  • NYDFS began conducting risk assessments of its financial institutions in late 2014 and early 2014 to compile information about risks and vulnerabilities;
  • In response to a realization of the financial industry’s reliance on third-party service providers for banking and insurance functions, the NYDFS conducted an additional survey of regulated banks in October 2014, specifically pertaining to banks’ management of third-party service providers; and
  • NYDFS published an April 2015 update to its earlier report with the most critical observations.

Those reports and risk assessments as well as the “dozens of discussions” the NYDFS has held with New York financial entities, cybersecurity experts, and other stakeholders have led to several “broad conclusions,” Albanese writes:

  • Financial institutions need to stay “dynamic” to keep pace with ever-changing technological advances and sophisticated cyberthreats;
  • Financial institutions’ third-party service providers must also have sufficient cybersecurity protections as these service providers often have access to an institution’s sensitive data and information technology systems; and
  • Cybersecurity is a “global concern” that affects every industry as evidenced by recent data breaches.

My next post will analyze the proposed regulatory actions and requirements NYDFS is considering for financial institutions and insurers.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

The White House is building on recent laws addressing cybersecurity in the United States with the release of a new Cybersecurity National Action Plan (“CNAP”). The plan focuses on:

  • improving cybersecurity awareness and protections;
  • additional privacy and security protections for individuals through the creation of a permanent Federal Privacy Council;
  • maintenance of public safety, economic security and national security through a new Commission on Enhancing National Security; and
  • encouraging citizens to take better control of their digital information and security.

CNAP includes a request to Congress to invest over $19 billion in the 2017 Fiscal Year Budget, a 35% increase over the resources allocated to cybersecurity during FY 2016.

The plan is highlighted by a new Commission on Enhancing National Security (“Commission”). The Commission will be comprised of top technical, strategic, and business advisors in the private sector chosen by bipartisan Congressional leadership.  It will make detailed recommendations to improve cybersecurity awareness both inside and outside the government.  The Commission will also make specific findings about improving national security and empowering citizens to better handle their digital security.  These recommendations and findings must be reported to the President before the end of this year.

The White House looks to make significant improvements in government cybersecurity as part of a $3.1 billion Information Technology Modernization Fund, which will allow agencies to modernize outdated IT infrastructure, networks and systems. A new Federal Chief Information Security Officer will be solely dedicated to developing, managing, and coordinating cybersecurity policies, strategies and operations in the federal government.  The Department of Homeland Security will have new federal civilian cyber defense teams to protect associated networks, systems and data.  The plan also calls for disrupting cyberattacks and improving cyber incident response.

CNAP’s concern for citizens’ privacy and security is reflected in an Executive Order making the Federal Privacy Council permanent. Privacy officials from across the government will help ensure that more strategic and comprehensive federal privacy guidelines are implemented.  The Administration wants citizens to leverage multiple layers of authentication when logging into online accounts instead of just a password. Extra factors like a fingerprint or a single use code via text message are ways to improve online security. The federal government is accelerating adoption of this approach for citizen-to-government digital services, such as tax and health benefit information.  The White House’s new milestones for the 2014 BuySecure Initiative will build upon the already 2.5 million issued Chip-and-PIN payment cards.

Research and development will continue to be a focus with a new Federal Cybersecurity Research and Development Strategic Plan. The strategic plan outlines research and development goals so that U.S. can advance cybersecurity technologies.  CNAP further mentions working with the Linux Foundation’s Core Infrastructure Initiative to maintain and improve internet infrastructure.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

U.S. Capitol Building, Washington, D.C.

A recent bill proposed in the U.S. Senate sets out requirements for publicly traded companies to increase transparency about cybersecurity threats, risks and breaches. The bill includes disclosure standards such as having publicly owned companies reveal whether anyone on their board of directors has cybersecurity expertise or specialization. Companies would provide this information through their U.S. Securities and Exchange Commission investor reports.

The bill stems from an urgency to combat cyber threats in light of investigative findings from cybersecurity practices of top 100 financial firms as well as recent attacks on major publicly traded companies like Sony and Home Depot. If the bill passes, investors and shareholders can monitor how well public companies secure private data and information, motivating companies to enhance security measures.

In an effort to standardize data breach laws nationwide, Rep. Marsha Blackburn (R-Tenn) introduced H.R. 1770 to the House Energy and Commerce Committee this past week. Called the Data Security and Breach Notification Act, it aims to replace all state data breach laws with one federal standard. Currently, 47 states and the District of Columbia have separate and distinct data breach laws. Rep. Blackburn’s legislation intends to make it easier for U.S. companies to adhere to data breach requirements by creating uniformity.

U.S. Capitol Building, Washington, D.C.

If passed, H.R. 1770 would require any company that “acquires, maintains, stores, sells or otherwise uses data in electronic form that includes personal information”[i] to “implement and maintain reasonable security measures and practices to protect and secure personal information.”[ii] While companies that suffer a security breach would be subject to notification requirements, notification is not required if there is “no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was affected by the breach of security.”[iii] However, in cases where more than 10,000 individuals’ personal information is “accessed or acquired by an unauthorized person,” the breached company would be required to inform the Federal Bureau of Investigation and/or the Secret Service.[iv] If enacted, the legislation would give enforcement powers to state Attorneys General and the Federal Trade Commission.[v]

Following its approval by the House Energy and Commerce Committee on April 15, H.R. 1770 is expected to potentially see the floor under the guidance of Chairman Fred Upton (R-Mich) sometime the week of April 20.


References
[i] Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. § 5(5) (2015).
[ii] H.R. 1770 at § 2.
[iii] H.R. 1770 at § 3(a)(3).
[iv] H.R. 1770 at § 3(a)(5).
[v] H.R. 1770 at § 4(a)-(b).

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

It is midway through 2014 and there have been updates to four existing, and one new, state breach notification laws.  Iowa and Florida have substantively amended their current breach notification laws, both of which went into effect on July 1, 2014, and Kentucky has become the 47th state to implement a breach notification law, which went into effect on July 14, 2014.

Idaho and Vermont also amended their data breach laws.  Idaho’s amendments were merely technical and did not change the substance of the law.  Vermont’s amendments were similarly technical, but a provision was added that requires a Vermont law enforcement agency to notify a business in writing if it has a reasonable belief that a security breach has or may have occurred at the business.

Iowa’s Breach Notification Law

Starting on July 1, 2014, Iowa’s amended breach notification law introduced a few changes that affect when, and whom, an individual or business must notify if there is a data breach.  The highlights of the amendments are as follows:

  • A “Breach of Security” now includes an unauthorized acquisition of Personal Information that was transferred from computerized form to any medium, including paper.
  • “Personal Information” now includes encrypted, redacted, or otherwise altered data elements if the keys to unencrypt, unredact, or otherwise read the data elements were acquired through the security breach.
  • An expiration date is now included as a data element for combination with account numbers or credit or debit card numbers.
  • Notification must now be provided to the Director of the Consumer Protection division of the Office of the Attorney General if the breach includes more than 500 Iowa residents.

Florida’s Breach Notification Law

Florida implemented the Information Protection Act of 2014 that repeals the existing data breach law and implements strengthened notification requirements.  The new law was signed by Governor Rick Scott on June 20, 2014, and went into effect on July 1, 2014.  The new law redefines a Covered Entity, expands the definition of Personal Information, and expands the notification requirements if there is a data breach.

Florida’s new breach notification law redefines a “Covered Entity” as any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or governmental entity that acquires, maintains, stores, or uses Personal Information.

In addition to what the original law included, “Personal Information” now includes a username or email address in combination with a password or security question and answer that would permit access to an online account.  Further, “Personal Information” includes the following new data elements:

  • A passport number, military identification number, or other government issued number used to verify identity.
  • The medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • The health insurance policy number or subscriber identification number in combination with a unique identifier used by the health insurer.

The new Florida law also provides that Personal Information does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

If there is a data breach, notice must be provided to individuals in Florida as expeditiously as practicable and without unreasonable delay, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred.  Notice of a data breach may be delayed by a federal, state, or local law enforcement agency if the agency believes notice of the data breach will interfere with a criminal investigation.  Notice of a data breach must be provided to consumer reporting agencies without unreasonable delay if the data breach requires notification of more than 1,000 individuals at a single time.  The new Florida law expands the notification requirement to include the Department of Legal Affairs.  Notifying the Department of Legal Affairs is only required if the security breach affects 500 or more individuals in Florida (Florida’s breach notification law does not refer to residents, unlike other states’ breach notification laws).  Notice to the Department of Legal Affairs must be provided as expeditiously as practicable, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred.

The new Florida law also requires specific information to be included in a data breach notification, depending on to whom such notification is addressed.  When notifying an individual of a data breach by written or email notice, the notice must include:

  • the date, estimated date, or estimated date range of the breach;
  • a description of the “Personal Information” accessed or reasonably believed to have been accessed during the breach; and
  • the contact information for the individual to reach the entity.

Substitute notice may be used when written or email notice is not feasible because the cost of providing notice would exceed $250,000, the affected individuals exceed 500,000 persons, or the “Covered Entity” does not have a mailing address or email address for the affected individuals.  When notifying individuals of a data breach by substitute notice, the notice shall include:

  • a conspicuous notice on the entity’s website, if the entity maintains a website; and
  • notices in print media and in broadcast media, including major media in urban and rural areas where the affected individuals reside.

When notifying the Department of Legal Affairs of a data breach, the notice must be in writing and include:

  • a synopsis of the breach;
  • the number of Florida residents affected by the breach;
  • any services being offered to the affected individuals;
  • a copy of the notice to the individuals or an explanation of other actions taken; and
  • the contact information of an employee or agent the Department of Legal Affairs may contact to obtain further information about the breach.

Kentucky’s Breach Notification Law

Kentucky became the 47th state to pass a breach notification law.  Governor Steve Beshear signed H.B. 232 into law on April 10, 2014, and the law went into effect on July 14, 2014.  The new law will require any individual or business entity that conducts business in Kentucky and maintains computerized data that includes Personal Information to notify residents of Kentucky of a Breach of Security.  A “Breach of Security” is an unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by the individual or business entity and actually causes, or leads the individual or business entity to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.

“Personal Information” means an individual’s first name or first initial and last name combined with any one or more of the following data elements, when the name or data is not redacted:

  • Social Security number;
  • driver’s license number; or
  • account number, credit or debit card number, in combination with any security code, access code, or password that would permit access to an individual’s financial account.

The timing of the breach notification shall comply with the following requirements:

  • The breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • The breach notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation.  The notification shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

With respect to the manner of the breach notification, the notice may be provided by one of the following methods:

  • written notice;
  • electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
  • substitute notice, if the individual or business entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or that the individual or business entity does not have sufficient contact information.  Substitute notice shall consist of the following: (a) email notice, when the individual or business entity has an email address for the subject persons; (b) conspicuous posting of the notice on the individual or business entity’s website, if the individual or business entity maintains a website; or (c) notification to major statewide media.

Notwithstanding the above, any individual or business entity that maintains its own notification procedures as part of an information security policy for the treatment of “Personal Information,” and is otherwise consistent with the timing requirements, shall be deemed to be in compliance with the notification requirements of the Kentucky statute if the individual or business entity notifies the subject persons in accordance with its policies in the event of a breach of security of the system.