Seems like everyone is getting into the cybersecurity act. Happy Cybersecurity week.
New York State Attorney General Eric Schneiderman has announced that he is proposing legislation that will require “unprecedented safeguards” for a wide variety of personal data, and make New York laws the strongest in the nation. Take that, Massachusetts and California!
The proposed law would do several things, including:
· Mandating that companies that do business in New York, that have certain kinds of personal information about New York residents, maintain a certain level of data security.
· Expanding the definition of “private information” required to be reported in the event of a data breach to include email addresses, passwords, security questions and other information.
· Creating a “safe harbor” for companies that meet certain security standards by auditing and verifying their security practices against standards like the NIST cybersecurity framework (and yes, I know it’s a framework, not a standard).
· Providing protection to companies that want to share personal data with law enforcement in the context of a data breach.
There are actually a few pretty good ideas floating around in here. Just not sure that they will work.
Mandating Security
Some states, like California, Massachusetts and Arizona, already mandate that entities that collect or store certain kinds of personal information take certain reasonable steps to protect and secure that information. And, as Sony Pictures Entertainment (SPE) learned, that pretty much prevents an attack, right?
There is already a slew of laws that mandate security. HIPAA, GLBA, and FERPA are a few. PCI DSS is a contract that requires security. But these apply only to narrow classes of data – health records, financial records, educational records.
The Empire State proposes to expand the data security requirement to the protection of things like email addresses, security questions (my first pet’s name!), passwords, pass phrases, PIN numbers, etc. The proposed law would require New York companies to be able to demonstrate that they have “reasonable security measures” to protect this information, including:
· Administrative safeguards to assess risks, train employees and maintain safeguards.
· Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures.
· Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.
Hmmm… where have I heard that before? Oh yeah. Everywhere.
If the goal here is to get companies from a current state of doing nothing to a state of doing “something,” this might help.
But if the goal is to get companies to do the RIGHT thing, it may not. Not in and of itself. Companies decide when and how to apply security based upon their perception of risk. Will it happen to me? What will happen if it does?
This adds to the equation “will I get caught” and “will I get investigated/prosecuted?”
But if the chance of a hacker coming in and pwning your infrastructure, of having to fall on your sword and tell your customers about the breach, and of the millions of dollars of lawsuits that follow the breach isn’t enough to get you to “do the right thing,” why do you suppose that a potential visit from Mr. Schneiderman’s office will tip the balance?
The answer is that people (and by that I mean corporations) are weird. It’s easier to get a budget for an information security program, a training and awareness program, and an audit of those programs because “the law requires it” and if you don’t “you will be out of compliance” than it is to say, “it’s the right thing to do.” The real question here will be enforcement and the perception of enforcement.
To the extent that the laws require a “reasonable” information security program, many entities will simply go to the information security store, look on the shelf, and buy themselves one of them. InfoSec policies here! Get your InfoSec policies here! But again, it’s doing SOMETHING rather than nothing.
Expand Definition of Private Information
The statutes that protect “personal information” really don’t take the time to think about what kind of information is “personal.” Is a name alone “personal?” What about a name associated with a visit to an AIDS clinic? Seems easy – but what about, for example, an Uber user’s travel history showing multiple visits to an AIDS clinic? Uber ain’t a HIPAA covered entity, but the information is nevertheless sensitive. Both alone and in aggregate.
The NY AG proposal modestly expands the definition of “private information” to include both the combination of an email address and password, and an email address in combination with a security question and answer, as California already has done. Additionally, the NY AG proposes to expand the definition of private information to include medical information, including biometric information, and health insurance information.
Devil will be in the details, and there will be a host of unintended consequences, but as a broad concept, it’s not a bad idea. Right now, HIPAA protects health information in the hands of covered entities or their partners or business associates. The New York law would go further and protect the data itself no matter who generated it, so it has the potential of covering things like gymnasia, massage therapists, vitamin stores, wellness centers, and yoga places. The devil is in the details.
Three Tiered Security
OK. So EVERYONE in New York needs this basic level of security. Technical, administrative and physical safeguards. That’s basic security. It’s not just a good idea now. It’s the law.
The next “tier” up would be those companies that get the “Good Housekeeping” seal of approval. Under the proposal, entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements would be granted a rebuttable presumption of having reasonable data security.
What that means is, if someone says you have reasonable security, and you get breached and an injured party sues, you can wave the certification in front of the court and say, “hey – there’s a presumption that I was reasonable. I did what NY said to do!”
This is a bit troubling. You see, assessments and certifications don’t really SAY that what you are doing is reasonable. Or that you are secure. They say that you are compliant with a standard that is presumably a reasonable one. That is today. Tomorrow? All bets are off.
And yet, we shouldn’t punish companies for trying. I mean, at least you had a program, and SOMEONE said that program was reasonable. And all you get is a “rebuttable” presumption that your actions were reasonable. The person suing can still try to show that, despite this presumption, you were actually irresponsible. Maybe you knew of a special threat to your infrastructure and failed to adequately prepare. Maybe you owed a higher duty of care to this particular person. Lawyers can be pretty damned crafty.
Safe Harbor
The highest form of legal protection would go to those who do the most to protect data. Under AG Schneiderman’s proposal, the State would create a “Safe Harbor” to provide an Incentive for a Heightened Level of Data Security.
If a company goes the extra mile to categorize its information systems based on the risk a data breach poses to the information stored, creates and follows a data security plan based on a multitude of factors, and certifies compliance with these requirements, not only would it get a presumption of reasonableness, it would get immunity from lawsuits (well, at the State level anyway). Nothing would stop a clever lawyer from suing in federal court for violation of some federal law. Did I mention that lawyers can be pretty crafty?
I personally don’t see (from the proposal so far) the difference between certifying a data security plan and certifying a really super cool awesome data security plan. If I were assessing a company’s security, I would look for vulnerabilities, assess business risk, and propose and then implement changes. Is that regular security or heightened security? But I guess I could offer Bronze, Silver and Gold assessments. The difference may be the font. Oh, and the price.
Breach Response
The AG also proposes that, in the event of a data breach, a company that shares data with a law enforcement agency would not be in a worse position for having done so. They would not lose legal protection or waive privileges for having shared the data with the cops.
Attorney-client privileged information would remain privileged, and trade secrets would remain trade secrets. Presumably, law enforcement agencies would be required to both protect and return such data. This gets at one problem in data breach investigations, where a company has agreed not to disclose data to third parties but must disclose that data to the cops during a breach investigation.
A bit more troubling are companies that promise privacy to consumers or others, and then suffer a potential data breach. During the course of the breach investigation, the company may then provide the very information they agreed not to disclose to the very people they agreed not to disclose it to.
So imagine if the Adam & Eve sex shop website is breached and YOUR (not mine) credit card data and ordering history is breached. Yeah, I want THAT to go to the New York State Police to be included in an indictment. Or the ACLU membership list of protesters in Staten Island. Yup. I’m going to trust the NYPD with that.
So we are going to need even more robust protections on the use of this data by law enforcement. Protections that have teeth, and that the courts enforce. But it’s a good start.
Of course, a federal law that preempts the state and local laws can undo all of this. And to see what the feds have in mind, we need to wait for the State of the Union. Stay tuned, and “hey, let’s be careful out there…”