Data Breach Disclosure Laws
EDITOR'S NOTE: Many banking institutions today do business with customers in multiple states, but few security leaders are aware of the nuances of data breach disclosure laws in these different states. Some of the differences are subtle; others significant. Phil Alexander, an information security officer for a major bank, has written the book on state data breach disclosure laws, and we recently caught up with him for some insights on this issue.

TOM FIELD: Hi. This is Tom Field, Editorial Director with Information Security Media Group, and today I am talking with Phil Alexander, an information security officer for a major financial institution. We are talking about state data breach disclosure laws.
Phil, good morning to you.

PHIL ALEXANDER: Good morning, Tom.

FIELD: Phil, how did you come to write and speak about state data breach disclosure laws that I know you are doing a lot of now?

ALEXANDER: Right. Well, in the field I am in, the job I do, we do a lot of risk assessments, and because I work for a financial institution we are very, you know, constant and aware and concerned about different data breach disclosure laws. And, going back about three years ago we were focusing heavily on California Senate Bill 1386. That is the state data breach disclosure law that started it all within the United States. And it dawned on me, you know, that California can’t be alone; that certainly other states have adopted similar laws, and I started doing research. And the book was born from there because as of right now about 39 states have their own data breach disclosure laws.

FIELD: And you’ve got one book out now. What’s the title of that book, Phil?

ALEXANDER: The title of the book is Data Breach Disclosure Laws: A State-by-State Perspective.

FIELD: And what surprised you as you reviewed the laws state-by-state and as you put together your book?

ALEXANDER: Well, I think one of the main things that surprised me was roughly 30% of the states give themselves a pass -- and let me explain what I mean by that. All the state data breach disclosure laws hold businesses, the private sector, liable in the event of a data breach that includes sensitive information about residents of their state, but about a third give themselves a pass. They exclude their own state agencies. So, it is kind of a “do as I say, not as I do” type scenario, which I found surprising and, you know, to a certain extent it was disappointing.

FIELD: Now when you talk with your colleagues, what do you find is most misunderstood about the data breach disclosure laws?

ALEXANDER: Oh, what I find kind of surprising is that they don’t understand. There are misconceptions about the subtle differences and how that can impact, you know, what you must do to disclose.

The fact that they think there is a misconception out there that if I have a nice firm contract with a third-party that I can make it their liability to disclose, and that is just not the case. Because the laws are very specific that, with the exception of the three major credit bureaus, the data owner owns the liability to disclose if the breach occurred at a vendor.

FIELD: Now, as you have researched and you have written and you have spoken about the topic, the number of states with data breach disclosure laws has increased. Correct?

ALEXANDER: That is correct.

FIELD: The number now, today?

ALEXANDER: The number today is currently 39 states, but I also want to add that currently of the 11 that don’t have such laws on the books, six states are debating such laws right now.

FIELD: Okay.

ALEXANDER: So they are at various levels.

FIELD: So, we see states coming onboard.
What other trends do you see as you survey the states?

ALEXANDER: The states are really starting to tighten down on use of personal information, I think. And most notable are Social Security numbers. I see that as a major trend.

In fact, one of the trends, or one of the recent laws, was one passed by Minnesota. In fact it is not even scheduled to go into effect until July of 2008, which basically says you cannot sell the Social Security number of a resident of the State of Minnesota. Now that, the impact on there is to be seen. But for example, right now the three major credit bureaus have said that they are going to truncate the Social Security numbers of residents of Minnesota effective July 1st of next year.

FIELD: So, they are quickly taking action. As you know, they say July 1st, often people wait until, you know, June 30th, but in this case they are really getting proactive about it.

ALEXANDER: Well, I think that is important because one, you know, they are hoping -- and I’ve talked to some of my peers in other financial institutions, and they are hoping there is some kind of “carve out” or exception made for financial institutions and banks engaged in anti-fraud activity. You know, that they can in fact use the whole Social Security number, but I wouldn’t bank on that.

And like you said, you know, a project of this size, in other words preparing for truncated Social Security numbers is not something you do overnight. So I think it is being prudent and proactive not to wait, as you said, until June 30th and hope you are ready the next day.

FIELD: Right. Now, Phil, you are producing a webinar on this topic now. What is the big take away in that presentation?

ALEXANDER: The particular one I want people to get from the webinar is to see the trend. You know, more states are adopting data breach disclosure laws and they are putting restrictions on use of sensitive information. In fact, there are even, you know, some states are considering legislation on information that can be sent overseas.

Now, I mean a certain amount of sensitive information, especially banks, you need that in order to conduct your business. But if it is not necessary, don’t use it. I think the take-away is don’t assume risk unnecessarily. If you don’t need to use a Social Security number, don’t.

FIELD: Right.

ALEXANDER: In other words, internally if you can use a customer identifier, that will do the same job, start moving to that. Because I see, you know, the government, both at the federal and state level, putting more and more restrictions on the use of Social Security numbers and other personally identifiable information.

FIELD: I bet you find this to be a real eye-opener for a lot of the people you talk with. I know you go around to a lot of conferences and such.

ALEXANDER: You know, it is. A lot of people say well I encrypt my data so my data is secure. Or, I have sent it to a third-party I have a very strong contract with so I am secure. You know, not necessarily.

No one security countermeasure or no one line in a contract is the end-all to protecting data privacy. And, you know, nothing I say is -- the risks involved depending on the state and nature of the breach, I’ve seen statistics anywhere from $35 a record up to $135 a record as the cost of a breach. I mean, when you are talking about millions of records, that can add up, you know, to big money very quickly.

FIELD: Sure.

ALEXANDER: And that surprises people.

FIELD: Sure.
Phil, has your research and what you have uncovered changed a lot about how you conduct business in your own institution?

ALEXANDER: You know it has. It has, for one, it has really added to my credibility. You know, now when I start bringing up my concerns they say this is the guy who researched this and published the book on it. And it has also given a lot of credence of, you know – let’s be more proactive and let’s start removing Social Security numbers when they are not necessary. Because, you know, going back to the inception of the Social Security number, it really is for, as its name would say, Social Security, and tax reporting. I mean, it might be a really great identifier, but it is also a very risky one.

FIELD: No, you are right. You make a great point.
Phil, if you could boil it down to a single piece of advice for banking and security executives just starting to consider the various data breach and security laws and the impact, what piece of advice would you offer to them?

ALEXANDER: I would say like other aspects of risk, like there is risk when you, you know, when you give someone a credit card or a mortgage, data risk is the same thing. Make it a very informed decision. Do not accept risk unnecessarily, because in my opinion, you know, customers are going to start looking at ‘do you protect my data?’ as one of their deciding factors on whether or not to engage in business with banks. It is just as important as good customer service.

So, only use sensitive data when absolutely necessary; if you don’t need it, don’t use it; and make sure you have the best and brightest working for you, because there are 39 states that have similar laws and more are coming, and it is going to get more costly and more involved as time passes.

FIELD: Excellent point.
Phil, I appreciate your insight today.

ALEXANDER: Thank you. Tom, it was a pleasure.

FIELD: Look forward to your webinar on the topic, and for Information Security Media Group and on behalf of Philip Alexander, I’m Tom Field. Thank you very much.

To register for Phil Alexander’s webinar, please follow this link: http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=64