"I've been advising them to follow the strictest standard and then they'll be safe," says Lucy Thomson, a privacy advocate at CSC, as well as chair-elect of the American Bar Association's Section of Science & Technology Law.
Different types of notification laws have different requirements, especially around encryption standards, says Thomson. "There are about six or seven standards that states use, so global businesses have to sort through all those inconsistencies and ambiguities and figure out how to address this," she says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
In terms of notification, there are also variations in how organizations need to notify individuals affected during a breach. "If they follow the strictest states, then the companies should be fine in their compliance approaches," Thomson says.
In an exclusive interview about global breach notification trends, Thomson discusses:
- The impact of this year's major breaches on breach legislation;
- Breach legislation conflicts, and how organizations can resolve them;
- What needs to happen to make breach legislation more effective in 2012.
Thomson, J.D., M.S., CIPP/G, focuses her practice at the intersection of law and technology. As a senior principal engineer, information security, and privacy advocate at CSC, a global technology company, she has addressed a wide range of legal, technical and policy issues in major IT and information-sharing programs. She works on teams building modernized information systems for very large organizations and has developed strategies to safeguard sensitive information at the nation's ports, as well as for the government's key financial systems.
Thomson is chair-elect of the ABA Section of Science & Technology Law and is a member of its Section Council and serves in the ABA House of Delegates. She founded and co-chairs the e-Discovery and Digital Evidence Committee.
TOM FIELD: Just to give our audience a bit of context, why don't you tell them what you're working on today and some of your other roles outside of CSC?
LUCY THOMSON: I work in CSC in the global security group and I've been monitoring data breaches and working on continuous monitoring strategy to try to develop ways to strengthen security for corporate and government clients. Then, I'm also chair-elect of the American Bar Association Section of Science and Technology Law, which is the part of the ABA that focuses on science and technology law, and last year the ABA published a book that I put together called, "Data Breach and Encryption Handbook."
Legislative Impact of Recent Breaches
FIELD: It seems not so many months ago we were having a major breach almost every week. It felt like every day at some point. When you look back on the incidents that we saw, RSA, Sony, what impact have you seen from these incidents on breach legislation?
THOMSON: These breaches are very significant, and I surveyed the breaches over the last five years for the "Data Breach and Encryption Handbook" and there we saw breaches of retail organizations, and the hackers who perpetrated those breaches were prosecuted, and some of them are now in jail. Now a new group of hackers seems to be attacking companies looking for sensitive data to steal. In the arena of legislation, particularly in the U.S. Congress, there seems to be renewed interest in focusing on security and trying to develop security requirements that would be imposed on companies, in addition to just including data breach notification.
Global Breach Legislation Trends
FIELD: I want to come back and talk with you about the U.S., but I want to look globally first. What are some of the global breach legislation trends that you're starting to see?
THOMSON: The European Commission has a 2009 amendment to its 2002 data protection statute and that focuses on data breach notification in particular. Then there are a broad range of country laws around the world that in some cases do require data breach notification. In the "Data Breach and Encryption Handbook" we actually did a country-by-country survey of those laws, but they tend to be very similar in focus. They define what sensitive data is and then a number of the countries have particular requirements for privacy protection, some of which are stricter than what we find in the U.S., and then they have notification requirements either by a data commissioner or notification of a company to the data subjects that are affected by a breach. Those tend to be similar to what the states have enacted in the United States.
FIELD: Let's talk about the U.S. I know that California recently revised its law. What are the trends that you have seen this year inside the United States?
THOMSON: As you know, 47 states in the U.S. have data breach notification statutes, and several of those states, including Nevada, Massachusetts, Texas and California, have taken steps to make their statutes stronger, so they focus on additional requirements either to enhance the notification requirements, in the case of, for example, healthcare data, or to try to impose some more specific security requirements on companies. Texas is a good example. Texas has a statute that focuses on healthcare and has expanded the entities that are covered by the statute and also expanded the number of individuals to include individuals outside of Texas to be covered.
FIELD: Just a couple of quick follow-up questions. One, you mentioned some of the tougher breach notification laws in the U.S. Have you seen any of these really tested so far?
THOMSON: I haven't looked carefully at what Massachusetts is doing. I'd seen on the federal side enforcement by the Office for Civil Rights, which enforces the federal data breach notification act in HITECH. There are four cases that have resulted in fairly strict enforcement and severe fines for companies that were involved.
FIELD: The other quick follow-up I had for you was you mentioned there are 47 U.S. states that do have breach notification laws. At this point, what's the excuse for the three states that don't?
THOMSON: I don't know. I can't answer that question, but it's certainly a nationwide trend. The country is pretty well covered, but unfortunately the people in those three states are left out.
Breach Notification Law Issues
FIELD: Now we've talked about global trends and trends in the U.S. Where do you see these different types of notification laws in conflict with one another, and what needs to be done to resolve some of these conflicts so that what they say in Europe and Asia would be harmony, or harmonization of the laws?
THOMSON: There are different requirements and that's particularly evident in the area of encryption standards. Most of the statutes have what we refer to informally as an encryption safe harbor which would allow a company not to notify individuals whose information may have been involved in a breach if the information was encrypted. There are about six or seven different standards that states use, so global businesses have to sort through all those inconsistencies and ambiguities and figure out how to address this. I've been advising them to follow the strictest standard and then they'll be safe. Or in terms of notification, there are some variations in how you notify individuals. If they follow the strictest states, then the companies should be fine in their compliance approaches.
FIELD: When you look internationally, what do you see as some of the stricter global laws?
THOMSON: Internationally, the European Union has strict privacy standards, but they're all basically aimed at requiring companies to encrypt data appropriately and have appropriate security. There's a whole variety of European laws, so it's hard to generalize, but the basic theme is what we've already mentioned, which is the companies need to secure their personal data to prevent data breaches.
2012: What Needs to Happen
FIELD: Looking ahead to 2012, in your opinion, what needs to happen to make breach legislation more effective, not just in the U.S. but globally?
THOMSON: There are a number of statutes that have been proposed in the U.S. Congress and some of them have good provisions that require specific security protections to be adopted by companies, and I personally believe that's the way to go because rather than having expensive breach notification requirements, which really address a broken system, I think the legislation should focus on ensuring that the security is appropriate and adequate so there won't be any breaches.
FIELD: It sounds like the best advice you can offer then is no matter what legislation might be coming out of whatever body, organizations really can take control of this by ensuring that they secure data and they're following, as you say, the toughest encryption standards prescribed.
THOMSON: Absolutely. I was at the RSA Conference in London last week and everyone was talking about the need to really ramp it up when it comes to security. The adversaries are becoming stronger and more sophisticated, but the technology is there for companies to have very good security and that's what they need to work on.
FIELD: So don't wait for new legislation, take advantage of new technology?
THOMSON: Absolutely right now, and the emphasis at RSA was to focus on the basics and prioritize so that all of the very obvious ways to protect data are addressed and this is something that can be done very systematically by companies and most breaches can b