Data Privacy Trends: Randy Sabett, Information Security Attorney
Activity at the State Level Points Toward a Federal Data Breach Notification Law
In an exclusive interview, Randy Sabett, a noted privacy/information security attorney, discusses:
Randy V. Sabett, CISSP, is a partner in the Washington, D.C. office of Sonnenschein Nath & Rosenthal LLP, where he is a member of the Internet, Communications & Data Protection Practice. He counsels clients on information security, privacy, IT licensing, and patents, dealing with such issues as Public Key Infrastructure (PKI), digital and electronic signatures, federated identity, HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, state and federal information security and privacy laws, identity theft and security breaches. He served as a Commissioner for the Commission on Cyber Security for the 44th Presidency.
TOM FIELD: This is Tom Field, Editorial Director with Information Security Media Group. We're talking today about the trend in the Information Security laws, and we're talking with Randy Sabett of Sonnenschein Nath & Rosenthal, a legal firm in Washington, D.C. Randy, thanks so much for joining me today.
RANDY SABETT: Thanks for having me.
FIELD: Why don't you just give us some context here on your firm and the type of work that you do in your own background.
SABETT: Okay, well I guess to start out, to give a context, I actually started my career on the technical side. I was a Crypto Engineer at NSA, so I come at this whole area with a Crypto foundation, if you will. That was a very detailed sort of bits and bytes level, and then over the years I transitioned, became a lawyer. Actually, I kid people, I say I went from one dark side, working at NSA, to a darker side and became an attorney years later, but it's actually been an interesting path in the sense that, you know, what technologists do and how technology progresses, it occurs much faster than the law, and so in my legal practice what I've done is developed a practice around Information Security -- Information Assurance -- looking at it, because of what I did at NSA, from the defensive side, you know, protecting things; that's how I approach my clients -- how to best protect what they do.
Here at Sonnenschein, we have an Internet Communications and Data Protection practice. I focus on the Data Protection side. I also do some patent work and some licensing with the ultimate goal of protecting my clients' assets, and then in those unfortunate situations where they have had something bad happen, sort of working through and counseling them on how to handle all those types of incidents and move on from them.
FIELD: Now Randy, I know you've got some interesting insights in some of the trends you're seeing in the states. Why don't you talk about some examples of the information security laws that you see being enacted.
SABETT: Okay, well I think from a trend perspective, you know, certainly everyone points back to California passing the first data breach notification act, and that sort of set the stage. I think the first interesting thing to note is that most of the activity, most if not all of the activity in this area, is at the state level, but we've had very little focus at the federal level, at least up until this point, on the types of privacy issues and data security issues that the states are dealing with in their legislatures. So, with California passing SB 1386 and then AB 1950, where you first focus on the data breach side, something that has happened, now what do you do as a result? California, again sort of leading the way, saw the need to focus on the other side of that line, in other words, what do we do before a data breach happens? Well, you must have in place reasonable security measures. That's the AB 1950 law in California. We've now got over 40 states that have these types of laws.
What we're starting to see now from a trend perspective is much more granularity. You have a law in Nevada that affirmatively requires encryption of consumer data. You have a Minnesota law that is incorporating at least portions of PCI, the Payment Card Industry data security standard, which applies to companies and financial institutions that deal with credit card numbers. Now you have states adopting portions of that data security standard into their laws. You also have states that are passing what are characterized as data breach notification laws, but they're really sort of an over-arching privacy and security regime, if you will, that encompasses data breach notification and reasonable security measures. In addition to the normal data breach notification, you also have to notify the Attorney General in Massachusetts -- Massachusetts being the one that a lot of folks are focusing on right now, because it is, again, over-arching. There are aspects of it that are different from any of the other states. You also have in Massachusetts a further requirement for encryption of personal information, and you actually have -- not only do you have the law, but you have the regulations that are coming out of Massachusetts that again are even more detailed in terms of requiring encryption and those sorts of things. So, I think, to sum it up, what we're seeing from a trend perspective is, first of all, activity by the states -- we know that -- but you're seeing not only greater activity, but also more granularity, more focus on specific technical things.
FIELD: Now Randy, what are some of the ramifications for organizations that are doing business in all of these different states?
SABETT: Well, I think from a business perspective it's complicated because, you know, in my business, if you have a patchwork of state laws, it actually makes my job very time consuming because you can't just look at a single law; you have to look at over 40 of these state laws to figure out, okay, which ones apply? How do they apply? What are the differences for a given data breach or potential data breach; do I get different answers under the different states? So, I think what would be better for clients would be to focus on the business. In other words, look at what sense of information they have, figure out what the best way to protect that information is in their particular situation in their particular business vertical. I mean, for the security technical gurus who may be listening to this, this is sort of your traditional threat and risk analysis. You know, look at the data that your company deals with, figure out what the threats are to that data, and figure out how to best respond to that.
I do a fair amount of public speaking, and one of the things that I always talk about in these types of discussions is around the nature of: Compliance does not equal security, and security does not equal compliance. It's my own terminology; I call it 'pragmatic security.' If you focus solely on the regulations and solely on the industry-driven efforts, like PCI, you may miss something that you should be doing in order to be secure. On the flip side, if all you focus on are the security aspects of your business and just purely on securing your data, you may actually miss something that, from a compliance perspective, you should be doing, but you're not doing. So, from a philosophical perspective, it's sort of what's the right balance that you need to strike to get to pragmatic security. You need to balance the compliance drivers that you have. Look at the laws that apply to you, figure out what they mean and what they say, but also look at it from a security and from a technical perspective.
FIELD: Now, you talked about the state legislation, and you mentioned that the federal government had more or less stayed away from this topic, at least under the previous administration. We've got a new administration in town now; what's your sense of how the Obama administration is going to approach Information Security and Data Privacy?
SABETT: First of all, we've seen definite positive activity in this area. Right now, Melissa Hathaway is doing a 60-day review of the landscape, if you will, of Information Security across the government -- across all the agencies, figuring out all kinds of different issues, and I really think at this point it's an issue-spotting exercise. I actually sat on the Commission on Cyber Security for the 44th Presidency that was run by CSIS, and in the process of coming up with our recommendations we sort of looked, at a very high level, at Information Security and the current sort of approach to things, and made a number of different recommendations, some at a pretty high level: this whole cyber area should have leadership out of the White House looking at norms and authorities -- looking at a number of different areas.
I do think that because of the attention that is getting paid to this issue in the current administration, and the recognition that to some extent there's been market failure, you know, going back several years, there were industry efforts that were sort of undertaken that really didn't get too far. I think the one that we just talked about a couple minutes ago, PCI, has really been the only industry-driven effort that has taken root or gotten any traction. The problem with it, going back to my 'does compliance equal security' issue, is that even with PCI, we've had data breaches, and some pretty bad ones at that.
So, you've got companies that are PCI compliant that still encounter a data breach, and with that set of dynamics, where you have the states with the patchwork of laws, not all of which are consistent, you have market failure in the area of PCI, or at least perceived market failure. And I shouldn't single out PCI. I would say there's a perception of market failure generally because, you know, even after all these years, we have not gotten to a point where there's an increased level of security. I think given all of those different components -- you have a natural sort of expectation that the federal government is gonna step in, and we certainly know that there are a number of bills on the Hill right now, some of which have been pending for a while, some of which are fairly new, that in some way, shape or form focus on information security. Some of them are pretty narrow, focusing just on Social Security numbers; others are broader and are more like the laws that we discussed earlier at the state level.
FIELD: So, starting with the Hathaway Report, which I understand is coming probably within the month, what sorts of trends do you foresee in Information Security, like Security Legislation, say for the rest of 2009?
SABETT: I think that the expectation is that we will get a federal data breach law. So something at the federal level that focuses on how to handle a data breach, what information has to be provided in that type of scenario, provided both to the data subject -- in other words, the person whose information has been breached -- but also to the authorities. I think the other piece of it that you're going to see, at least to some extent, and I don't know if this will come out of the legislation or just come out of the sort of follow-on activity, and perhaps we'll see it not at the federal level, but again at the state level, because we have seen bills to this effect, and some laws that have been passed that get to this, is where the liability allocation ... in the past, it was always the financial institutions that were left holding the bag, and the entity that suffered the breach -- not that they got off scot-free, but they really didn't bear the major cost of replacing the cards and doing all the follow-up work and that sort of thing.
So, I think that the trend will be -- there will be a couple of different trends. Again at the legislative level, we probably will see something at the federal level out of Congress; I think it will at a minimum be data breach notification, and it may go beyond that, focusing a little bit more on the proactive. But I think as a result, you will see more activity at the business level, where security is no longer just viewed as doing the minimal amount possible. It will be viewed in a broader context as doing good business. Part of the problem with security, obviously, is that there isn't a return on investment, but I think that's a view that a lot of folks are looking at now as not necessarily correct. In other words, if you do employ good information security principles, it is beneficial to your business for any number of reasons.
FIELD: Very good. Randy, I appreciate your time and insights today.
SABETT: Thank you very much.
FIELD: We've been talking with Randy Sabett with Sonnenschein Nath & Rosenthal. For Information Security Media Group, I'm Tom Field. Thank you very much.