Safe Harbors in Breach Notification Laws: Rhode Island


In an attempt to understand the “safe harbors” provision in US State Laws, I considered Rhode Island as an academic example in this post.

Each of the U.S. states has individual laws with regard to Breach Notification of personal information.

These laws mostly cover:

1. Definitions
– specific descriptions of the entities and subjects that figure in the law.

e.g. “breach”, “covered entity”, “personal information”, “service provider”, “encrypted”, “medical information”, etc. are defined to remove ambiguity.

2. The law has details of:

> what entities are covered?
> what data is covered?
> who receives notice?
> when must the notice be given?
> may the notice be delayed?
> what is the mode of notice? (written/electronic)
> is there an exemption or safe harbor?
> what are the enforcements/penalties?
> is there a private right/cause of action?
> application to other states?

[1] [2] [3]

Safe Harbor

A safe harbor is a “provision of a statute or a regulation that specifies that certain conduct will be deemed not to violate a given rule.” [4]

Under the breach notification laws, the safe harbors may be defined and stated with respect to:

> establishing own notification methods

i.e. whether a company that maintains its own notification procedures (as part of an information security policy for the treatment of personal identifying information), and whose procedures are otherwise consistent with the timing requirements of this section, is considered to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system. [5]

Yes, Rhode Island has this safe harbor. (§11-49.2-7) [5]
So if a company in Rhode Island has its own clearly defined breach notification policy, self-regulates, and notifies its stakeholders in accordance with that policy when a breach occurs, it is covered by this safe harbor.

> following interagency guidelines

i.e. whether a financial institution that maintains compliance with the “Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice” is covered, and similarly whether a health-care company is covered when it is compliant with HIPAA regulations?

Yes, Rhode Island has this safe harbor. (§11-49.2-7) [5]

Encryption Safe Harbor

– whether the statute applies, or not, if the computerized personal data that was lost, stolen or accessed by an unauthorized individual is encrypted?

Yes, Rhode Island has this safe harbor. (§11-49.2-7) [5]
Further, the Rhode Island breach notification law, also called the Identity Theft Protection law, specifically defines “encrypted” and states that:

“Encrypted means the transformation of data through the use of a one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.” [6]

So if a Rhode Island company faced a breach of data that was encrypted as defined above, it is covered by the encryption safe harbor and no notice is required. [3] Note the second sentence of the definition: if the key, security code or password that unlocks the data was acquired together with it, the data does not count as encrypted and the safe harbor is lost.
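The following is an added breach-triage example (my own illustration, not code from the post or from any Rhode Island agency) that applies the two conditions in the statutory definition above to an inventory of affected records. The record model, the sample inventory and the reading of “128 bit or higher algorithmic process” as a minimum key length of 128 bits are all my assumptions; whether a given compromise satisfies the statute is a legal determination, and this only flags the records that plainly fail it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Threshold taken from the statutory definition quoted above (assumed to
# mean the key length of the encryption algorithm; this is an interpretation).
MIN_KEY_BITS = 128


@dataclass
class AffectedRecord:
    """One class of records found inside the compromised scope (hypothetical model)."""
    record_id: str
    encrypted: bool
    key_bits: int        # 0 when the data was stored in plaintext
    key_exposed: bool    # True if the key/security code/password was acquired with the data


def encryption_safe_harbor_failure(rec: AffectedRecord) -> Optional[str]:
    """Return why the record does NOT qualify for the encryption safe harbor,
    or None if it appears to qualify under the quoted definition."""
    if not rec.encrypted:
        return "not encrypted"
    if rec.key_bits < MIN_KEY_BITS:
        return f"key shorter than {MIN_KEY_BITS} bits"
    if rec.key_exposed:
        # Second sentence of the definition: data acquired together with its
        # key is not considered encrypted.
        return "key material acquired together with the data"
    return None


def records_requiring_notice(records: List[AffectedRecord]) -> Dict[str, str]:
    """Map each record id that loses the safe harbor to the reason it does."""
    result: Dict[str, str] = {}
    for rec in records:
        reason = encryption_safe_harbor_failure(rec)
        if reason is not None:
            result[rec.record_id] = reason
    return result


# Constructed sample inventory for a hypothetical incident.
SAMPLE_RECORDS = [
    AffectedRecord("customer_db", encrypted=True, key_bits=256, key_exposed=False),
    AffectedRecord("export_csv", encrypted=False, key_bits=0, key_exposed=False),
    AffectedRecord("legacy_archive", encrypted=True, key_bits=56, key_exposed=False),
    # Key was stored on the same compromised host as the ciphertext.
    AffectedRecord("backup_blob", encrypted=True, key_bits=256, key_exposed=True),
]

if __name__ == "__main__":
    for rid, why in records_requiring_notice(SAMPLE_RECORDS).items():
        print(f"{rid}: notice required ({why})")
```

Only `customer_db` keeps the safe harbor in the sample: the plaintext export, the 56-bit archive and the backup whose key sat next to it all fall outside the definition and remain subject to the notification requirements.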

References:

1. http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/INDEX.HTM

2. https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf

3. http://www.reyrey.com/regulations/

4. https://en.wikipedia.org/wiki/Safe_harbor_(law)

5. http://webserver.rilin.state.ri.us/Statutes/title11/11-49.2/11-49.2-7.HTM

6. http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf