Draft versions of a Federal data privacy and breach notification law have been in existence for over a year. The House of Representatives passed a version some months ago, and two versions have been working their way through the US Senate. This week saw a significant advance as the Senate Judiciary Committee, under Senator Patrick Leahy's leadership, passed a version out of committee on a party-line vote. I think Senate Bill 1151 represents a significant step forward towards a federal law that will replace all of the approximately 45 state laws on breach notification. The bill still has to be reconciled with the House version, and a lot can change in the process, but there is general agreement in the business community that one Federal law is preferable to a patchwork of different state laws. So I think there is a good chance that a Federal privacy law can pass.
Here is a recap of some of the features of the new law that will affect your business:
- You will need to have a written security policy.
- You will need to perform periodic vulnerability assessments.
- You will need to protect data using industry-standard practices such as encryption.
- The legal penalties include fines and imprisonment.
- If you share sensitive data with service providers, you must ensure that they protect the data.
- You are responsible for notifying people affected by the data loss.
- There is an expanded definition of “Sensitive Personally Identifiable Information”.
- You will need to maintain audit trails of who accessed sensitive information.
In many ways, the new federal law goes further than most state laws in defining what companies must do to protect sensitive data. The law tries to strike a balance between prescriptive measures and the evolving nature of threats. In many respects it comes close to adopting the principles of the Payment Card Industry Data Security Standard (PCI DSS), and companies that already meet PCI DSS requirements will find a lot that is familiar in the law.
The definition of Personally Identifiable Information (PII) has expanded considerably and now includes telephone numbers, mobile device IDs, email addresses, and other information. I will talk about this a bit more in future blogs. I think there are some substantial procedural and technology issues in this area that will affect your approach to protecting data.
As I expected, the Federal law makes reference to industry standards for encryption and key management, and points directly to existing laws such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and others. The Federal Trade Commission is charged with developing guidelines in this area. I think there is a well-worn template for this type of work that will point directly to the NIST standards and best practices. I believe that companies would do well to be sure that their data protection strategies line up with NIST standards. FIPS 140-2 validation of cryptographic modules is already required of some private enterprises, and this is probably the direction we are going.