Security Breach

Background

Several bills in the Massachusetts legislature (e.g., S. 184, H. 4061) seek to address the issue of security breach, or inadvertent release of personal information, by requiring notice to consumers of the breach.  To date, 23 other states have already enacted some form of security breach legislation.

Companies face considerable compliance costs in connection with notice requirements.  It would be preferable to have the issue of security breach resolved at the federal level so that a single national standard can replace a patchwork of state laws.  Efforts are underway in Congress to pass federal legislation.  However, the Council has learned that the Massachusetts legislature is going to debate and act on a bill within the next few weeks.

Council Activities to Date

With the assistance of the ITAA, the Council has researched the various state laws that have been enacted around the country and identified key issues of concern to technology businesses.  The Council prepared and submitted a briefing paper outlining these concerns to the Joint Committee on Consumer Protection, one of the committees working on security breach legislation at the State House.  In addition, Council President Joyce Plotkin, Council lobbyist Bob Bernstein of Holland & Knight, Neal Winneg, General Counsel of UPromise, and Rich O’Neil, Security Officer of UPromise, attended a meeting with Consumer Protection Committee Co-Chair Rep. Vincent Pedone to discuss the concerns of technology industry companies.


Proposed Policy Position

We recognize the need to protect consumers from actual breaches of personal information.  However, businesses are already taking significant steps to address security issues by adopting internal notification procedures.  Companies that do so should not be penalized by a patchwork of inconsistent state laws.

Any security breach legislation should take into account the following issues of concern to businesses, particularly the many computer and internet-based companies, hospitals and financial institutions that make up the membership of the Council.

  • Definition of security breach
    • Notice provisions should apply to a confirmed breach (i.e., one established by investigation) rather than a merely suspected breach.
    • The definition of “breach” should focus on the release of data that creates a reasonable risk of harm or identity theft.
    • “Personal data” should be narrowly defined and should exclude, at a minimum, information that is publicly available free of charge from government sources.

  • Unencrypted computerized data
    • Legislation should specify “unencrypted computerized data.”
    • Data that has been encrypted should not trigger notice provisions unless the encryption key has also been released.

  • Notice provisions
    • Businesses should be able to satisfy notice provisions by following internal notification procedures that are consistent with the law.
    • Companies face enormous compliance costs in following multiple state-mandated procedures.

  • Allowing notification by email
    • Companies should be able to notify people in the same way they normally communicate or do business with them (e.g., by email if that is the customary mode of communication).
    • Citing the federal E-SIGN statute (15 U.S.C. sec. 7001) is too restrictive to allow routine notice by email, because that statute requires affirmative consent to email communication.

  • Third party data facilitators
    • Legislation should recognize that data is shared among multiple parties in business transactions. The notification burden should be placed on the commercial entities that actually own or license the data (rather than those that merely process it) and that have contact information for the consumer.