Laboratory Manual to Legal issues in Information Security: Lab 6

Were you successful in finding your state’s data and security breach notification law? Specify the name of the law. If you were unable to download your state’s law, use the state of Virginia to complete the question.

Yes.
In Florida, there are three statutes which define the data and security breach notification requirements [1]-

Stat. §§ 501.171
Security of confidential personal information.
under Title XXXIII – REGULATION OF TRADE, COMMERCE, INVESTMENTS, AND SOLICITATIONS: Chapter 501 – CONSUMER PROTECTION [2]
1. Stat. 282.0041
  under Title XIX – PUBLIC BUSINESS: Chapter 282 – COMMUNICATIONS AND DATA PROCESSING [3]
1. Stat. 282.318(2)(i)
  Security of data and information technology.

under Title XIX: PUBLIC BUSINESS – Chapter 282:

COMMUNICATIONS AND DATA PROCESSING [4]

What is the purpose of state governments imposing a breach notification law on organizations to protect their citizens?

No single federal law or regulation governs the security of all types of sensitive personal information. In the absence of a comprehensive federal data breach notification law, the majority of states have passed bills to require businesses and/or government agencies to notify persons affected by breaches involving their sensitive personal information, and in some cases to implement information security programs to protect the security, confidentiality, and integrity of data. [5]

Some reasons for these laws are-

Vulnerability of data in information technology – and increasing cybercrimes
ChoicePoint, one of the largest data brokers, announces that it sold personal data on more than 145,000 people to fraudulent companies established by a ring of identity thieves. Subsequently, numerous companies and organizations began disclosing data security breaches. A vast majority of states then enacted data security breach notification [6]
Increasing accountability in companies w.r.t
- Information collection
- Information retention and sharing
- Information security
- Notification of breaches – and accepting responsibility
- Creating and upholding their privacy and information policies
Protection of private consumer information – to uphold people’s right to privacy, and preventing identity and financial frauds (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud). [5]
Protection of the consumer’s right to know of a breach w.r.t their private information
Prevention of information fraud, corporate cover-ups, misleading the public, and other unethical behavior, in the event of a breach
Open a path for compensation for affected people
Incentivize stringent security and prompt action to mitigate harm wherever and whenever it might occur. [7]

Explain how state government data security breach notification laws relate to individual privacy.

The Fourth Amendment of the U.S. Constitution gives an individual his right to privacy. As there are no blanket federal or state laws to deal with privacy and with private data, especially in the information age, states have taken it upon themselves to define data security breach notification law, in particular.
While certain industries are covered through specific acts like HIPAA and GLBA, which lay down specifics to protect the individual’s PII (personally identifiable information) by defining breach notification laws, amongst others – many other non-specialized industries are left unaccounted. This is where the state government data security breach notification laws step in.
They also protect the consumer’s right to know if his private data has been breaches and made public. The notification laws have “their foundation in environmental law’s “community right to know” (CRTK) provisions”. [8]. This is necessary to protect him from personal and financial frauds, social crimes, and identity theft. The consumer also has the right to information of security lapses with this PII and his options if he decides to file a lawsuit.

Assess the scope and depth of privacy protection rights that a citizen has by being a resident of a state. Write down the name of your state, and then identify the following for your state’s breach notification law:

Florida

Who or what does the law in your state protect?

The law protects Florida residents – “Each individual in

[Florida] whose personal information was, or the covered

entity reasonably believes to have been, accessed as a result of

the breach.” (§501.171(4)(a)) [2]
It protects personal information –
“Personal information” means either of the following:

a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:

(I) A social security number;

(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;

(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;

(IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

(V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. [2]

Does the law include both for profit and nonprofit organizations?

The Florida §501.171 states the law for a “Covered entity” and goes on to define this term as- “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity.” [2]

The law does not specifically mention “nonprofit organizations”, but it is presumed to be included, if the nonprofit organization also falls under one of the above terms (“trust”, “association” etc)

Does the law have a financial penalty assessed to the negligent party if proven guilty?

ENFORCEMENT-

(a) A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third-party agent.

(b) In addition to the remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows:

1. In the amount of $1,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days.

2. If the violation continues for more than 180 days, in an amount not to exceed $500,000. [2]

Does your state require the organization to publicly announce a breach to the media?

No it doesn’t. It does however mention media notices as a substitute-

“A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an e-mail address or mailing address for the affected individuals. Such substitute notice shall include the following:

1. A conspicuous notice on the Internet website of the covered entity if the covered entity maintains a website; and

2. Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.” [2]

Does your state notification law take into account encrypted data or doesn’t it matter whether the data is encrypted or not encrypted?

In Florida, the law does NOT “include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.” [2]

Does your state’s law define the amount of time an organization has to public announce that a breach has occurred? If yes, specify the time. If no, describe how your state handles this.
Yes.

“A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice as required in subsection (4) if good cause for delay is provided in writing to the department within 30 days after determination of the breach or reason to believe a breach occurred.” [2]

True or false: If you are a citizen in one state but the company that had a data and security breach with your privacy data resides in another, the company must adhere to the data and security breach notification law of your home state.

Security breach laws apply to the state’s residents regardless of where the data resides for the following states-

AK AR GA IA IL IN LA MA MD ME MI MO NV OH OK OR PA RI TN UT VA VT WV
If a state is not listed above, their security breach laws apply to where their business resides. [8]
Florida is not part of this list. It’s laws are not applicable if a Florida resident faces a breach from a company in another state.

Because most states have data and security breach notification laws related to their citizens’ privacy, what is the number one reason for having these laws from a citizen protection perspective?

Protection of privacy, and security from identity and financial frauds.

Some states define a data and security breach as the loss and exposure of citizen privacy data in an unencrypted manner. If a state encountered a data and security breach, but no citizen’s privacy data was compromised given that it was encrypted in a steady-state within a database, does the company of organization have to abide by the data and security breach notification law?

No. If a state provides an encryption safe harbor the companies do not have to provide any notices.

True or false: Unauthorized access to a system must occur for the data and security breach notification law to take precedence.

True.

Florida law states-

“Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use. [2]

References