Governance & Risk Management , Incident & Breach Response , Legislation & Litigation
Fine Tuning Data Breach Notification Law
Alerting Attorney General of Breach at Same Time as VictimsConnecticut is working to improve its cyber incident response, including updating its breach notification law and enacting a privacy task force.
On Oct. 1, a new provision to the state's breach notification law went into effect, requiring businesses and not for profits that experience a data breach to alert the Attorney General's office when they notify affected individuals.
The state also recently launched a Privacy Task Force which helps to enforce the data breach notification law.
"Scarcely a month would go by without some significant event involving data breaches," said George Jepsen, Connecticut's attorney general, in an interview with Information Security Media Group's Eric Chabrow [transcript below]. "I decided that instead of being reactive to it all the time, we needed to explore how to be proactive."
The task force, headed by Assistant Attorney General Matthew Fitzsimmons, works to develop proactive strategies and develop best practices for organizations and not for profits to take appropriate steps to prevent breach incidents from happening.
The AG's office established an e-mail address, ag.breach@ct.gov, which the Privacy Task Force will monitor and organizations can use to report a breach.
Connecticut law generally requires anyone who conducts business in Connecticut and owns, licenses or maintains computerized data that includes personal information to disclose a security breach without "unreasonable delay" to state residents whose personal information is believed to have been compromised. The law does not define the term "unreasonable delay."
Jepsen and Fitzsimmons, in the interview:
- Evaluate the effectiveness of the state breach notification law;
- Explain how the Privacy Task Force operates;
- Opine about the need for a national breach notification law.
Jepsen became Connecticut's attorney on Jan. 5, 2011. Previously, he served in the Connecticut House and Senate. In the Senate, he served as chairman of the Judiciary Committee, ranking member of the Finance Committee and majority leader. A former Democratic State Party chairman, he ran unsuccessfully for lieutenant governor.
Fitzsimmons has been an assistant attorney general for nearly six years. He earned a law degree from the University of Connecticut School of Law and a bachelor degree in criminal justice from the University of Harford.
Breach Notification Law
ERIC CHABROW: How does the law differ from the old one and why was it changed?
GEORGE JEPSEN: There's really just one significant change in the law. Under existing law, it's already against the law for a business or a not-for-profit to lose some private information about individuals, things like card numbers, Social Security numbers, dates of birth and the like, and the Office of the Attorney General has enforcement powers to investigate and make sure the company takes appropriate steps to mitigate any potential damage from that loss and where appropriate seek a fine. It's an unfair trade practice under our current law.
But what does not exist under current law though is the requirement that companies notify the Office of Attorney General when such a breach occurs. The principle change in the law is to make that a requirement. Going forward, businesses and not-for-profit organizations that lose personal information and contact their employees or customers whose data and privacy were breached, also have to contact my office as well.
Improving Enforcement
CHABROW: In announcing the implementation to this provision, you said that since the original law made no requirement that your office be notified in the event of a breach, enforcement was difficult. How so? Have there been incidents where your office either didn't take action against the business or had action delayed because the AG wasn't notified promptly?
JEPSEN: We'll never know the full scope of what data breaches went unreported. They just dealt with it on their own. Obviously you can't prove a negative. When we did learn of data breaches, however, we aggressively followed up with businesses. Matt, are there any incidents where we learned some significant period of time subsequent to an event?
MATTHEW FITZSIMMONS: I can't recall any specifically but that's exactly what we're trying to avoid, because as the Attorney General said, we're not aware of what we're not aware of so this is exactly what this provision is meant to address.
Privacy Task Force
CHABROW: Last year, you established within the office a Privacy Task Force to help enforce the data breach notification law and Mr. Fitzsimmons you head that. How does the Privacy Task Force work?
JEPSEN: I'm going to give a quick historical background and then Matt can talk about the implementation with what has been done. When I came into office 21 months ago, one of the things that I quickly discovered was it seemed like scarcely a month would go by without some significant event involving data breaches and the loss of private personal information. It ranged from laptops and healthcare records being hacked into. I decided that instead of being reactive to it all the time, we needed to explore how to be proactive. ... Matt Fitzsimmons heads the task force with the goal of trying to come up with proactive strategies to identify best practices around the states so that organizations and not-for-profits could take appropriate steps to prevent these accidents from happening.
FITZSIMMONS: I think that's exactly what we on the task force are trying to do. The primary goal was to centralize our effort in both law enforcement - the investigative capacity of the office as well - and also on the education front, educating both consumers and businesses about the law and maybe more importantly educating ourselves as an office and as members of a task force on what best practices are across specific industries in terms of data protection. We really try to centralize all those efforts through the task force and ensure privacy matters run through my team on the task force just to make sure we have as uniform as we can an approach and practice towards these things.
CHABROW: Who's on the task force?
FITZSIMMONS: Three other AAGs are on the task force with me, although one of them is not now because he moved into a different department and is busy enough with other matters and is not as active anymore, but the two other main AAGs on it with me are AAG Tom Ryan in our healthcare fraud department and Lorrie Adeyemi in our Finance Department.
CHABROW: With this implementation of a new provision that requires reporting breaches to the Attorney General's office, you are providing an e-mail. Is that the formal way organizations would report breaches or is that just to get information about reporting breaches?
JEPSEN: They can inform us by mail or even on the phone. The e-mail provides an easy and reliable way for them to make contact.
Law's Effectiveness
CHABROW: How effective is the existing law?
JEPSEN: The existing law is very good because it empowers us to make detailed inquiry of the business or not-for-profit as to exactly what occurred in a data breach. We send out a very detailed questionnaire about when the breach occurred, how did it occur, the nature of the information that was divulged, the number of people who were affected, and what steps the business is taking to determine whether there has actually been harm and what steps are being taken by the business to make sure that this kind of event doesn't happen again, tightening up their internal procedures for example.
Then, depending on their responses with the threat of the fines that we can seek in court, we can push them to adopt better practices and where appropriate to punish them. If we determine that it was purely accidental with very low risk of an actual harm occurring, if the business or not-for-profit acted in good faith and quickly followed up and informed us to make sure that there was no harm and they proactively took steps to fix whatever the cause was for the breach, we generally won't seek a fine.
FITZSIMMONS: Another interesting aspect of our law that I think is fairly unique - I'm not aware of other states that have a similar one - is the requirement to consult with local, state and federal law enforcement in the event that there's a breach but the business or person feels that the risk of harm to individuals is really minimal and that sending out the notice wouldn't really be a good idea because the risk of harm is so low. That's proved usual in the past because businesses that have a breach, it's defined by law, can reach out and let us know what had happened, provide us with their risk analysis and their rationale for saying that there really is no likelihood of harm here and that we don't think we should notify people and maybe unnecessarily scare them that their information is out there when it really isn't, and I think that has proven pretty useful in the past.
CHABROW: Do you have a number of actions the State Attorney General has taken against organizations in Connecticut?
FITZSIMMONS: The number of actions I'm not sure. I think just recently I was looking for a presentation I was doing and within the year or so since the task force has been around, there has been a little over two dozen investigations to one extent or another, some resolved with formal or informal agreements, some resolved differently.
Reporting Requirements
CHABROW: Is there a time limit? Do organizations have to report a breach within 30 days or 60 days?
FITZSIMMONS: Just without unreasonable delay as there's no specific time limit noted in the statute. I think for our purposes and from our point of view, it would really vary by the circumstances of each case.
CHABROW: Are you expecting to be investigating more breaches because of this new law?
JEPSEN: We don't know what we don't know. I assume that there have been recent cases where businesses had a breach and didn't inform us or anyone else, and so if you become aware of the law I think we will receive those complaints. Also, a growing problem, not a shrinking problem, is it's dynamic just because of the sheer volume of information that's being stored in different places and so my guess is this issue will continue to grow on our radar screen.
Conflict with Other Laws
CHABROW: Does the new law go beyond what's required under the federal breach notification requirements of HIPAA, the Health Insurance Portability and Accountability Act, which requires breaches to be reported in 60 days?
FITZSIMMONS: HIPAA and the breach rule, and HIPAA generally with respect to state AG enforcement, is basically a federal floor. States are free to enact in some ways more restrictive laws as long as they don't conflict, meaning if the company can comply with both. I don't think it necessarily conflicts. It could mean 60 days and in some cases it could mean significantly less.
CHABROW: Every state has its own data breach notification laws. What jurisdictional problem does that present in protecting consumers in Connecticut? Would a national data breach notification law to replace state laws be better?
FITZSIMMONS: There has been lots of talk about a national breach law for several years, and there hasn't been much traction in Congress with them. I think as the HITECH Act really made clear to everybody, certainly with federal enforcement that always is to the benefit of consumers that you're trying to protect with those laws.
JEPSEN: Also my guess, given our U.S. Congress and the strength of business lobbies, federal law would be considerably weaker then what we have here.
Law's Reach
CHABROW: Is your law limited to businesses that are based in Connecticut or can you go after businesses that transact in Connecticut?
FITZSIMMONS: I think it can be both. I don't have it in front of me, but I believe it says any person who does business in this state, which includes the collection of information from folks in this state. Businesses, as a kind of best practice or at least sort of any position they take, typically notify consumers in all states and don't just try to nitpick with the laws and apply only those that they may be explicitly required to.