Since the passage of SB1386 a couple of years ago, over 30 states have now passed legislation requiring notification in the event of security breaches. What is interesting to me, and what likely causes heartburn among affected organizations, are the outlier cases.

Minnesota, for example, passed HF 1758, which allows banks to recover from merchants the costs incurred as a result of a breach of debit and credit card data retained by the merchant. (Benjamin Wright has a good write-up here describing why the Minnesota law is poorly constructed). 

California amended SB1386 late last year to add medical information to the definition of personal information, so that breaches experienced by healthcare organizations and insurers, which involve medical information on California residents, have to be disclosed.

Maryland recently passed H.B. 208, which requires organizations experiencing a breach to conduct an investigation to determine the likelihood of the breach resulting in personal information being misused, with disclosure required if the organization believes that misuse of the personal information is likely. In addition, the Maryland law starts to touch on a requirement that appropriate security controls be utilized (albeit at a very high level).

As the states start to diverge as to legal responsibility and penalties (Minnesota), the definition of what constitutes PII (California), and the requirements placed on organizations and their service providers regarding security controls (Maryland), it is pretty clear that a comprehensive federal law in this area would be very useful. Imagine the poor privacy officer at a company experiencing a breach having to sort through 30+ states' breach notification laws to try to determine what the company is required to do.

Maryland excerpt:

"A business that uses a nonaffiliated third party as a service provider and discloses personal information about a Maryland resident under a written contract with the third party must require, by contract, that the third party implement and maintain reasonable security procedures and practices that are: (1) appropriate to the nature of the disclosed information; and (2) reasonably designed to help protect the information from unauthorized access, use, modification, disclosure, or destruction."