Disclosure Laws – The Unseen 1000lb Gorilla
By David Stern
It is 2006 and I still encounter organizations that would rather bury their heads in the sand or float down “de-nile” than acknowledge that information security is an enabler of business. More and more states are passing laws that require the disclosure of a breach that exposes personally identifiable information. In this article, I’ll talk about one.
As a hypocritical New Yorker, I always labeled California as the “Left Coast” – talk about the pot calling the kettle black. In 2002, legislators in California did something extraordinary; they earned a little of my respect. Recognizing the growing danger that corporate databases pose to personal privacy, they enacted SB1386, a law that requires organizations to notify affected California residents when a breach exposes their unencrypted personal information. This law is a shining light for information security professionals who spend their days fighting the uphill battle to convince management that security matters.
There were sighs of relief from the board rooms of organizations without a California presence. SB1386 might have made the headlines, but over the next three years more than twenty states passed similar laws. In early 2005, New York legislators began crafting their own data breach law. A04254-A/S3492-A, the Information Security Breach and Notification Act, took effect on December 7, 2005.
NYS A04254-A/S3492-A (http://assembly.state.ny.us/leg/?bn=A04254&sh=t)
Let’s take a look at the text of the law. The first significant section defines “private information”: a person’s name or other identifying information in combination with a social security number, a driver’s license number or non-driver ID number, or an account, credit card or debit card number together with any security code, access code or password that would permit access to that person’s financial account. The definition covers only data elements that are unencrypted, or that are encrypted with a key that was also acquired in the breach. Corporate counsel, managers, and board members cannot use shades of gray to hide here. It is hard to find a significant data breach that does not include at least one of these elements.
The second significant section requires notice to every affected New York resident. An organization “SHALL DISCLOSE ANY BREACH OF THE SECURITY OF THE SYSTEM FOLLOWING DISCOVERY OR NOTIFICATION OF THE BREACH IN THE SECURITY OF THE SYSTEM TO ANY RESIDENT OF NEW YORK STATE WHOSE PRIVATE INFORMATION WAS, OR IS REASONABLY BELIEVED TO HAVE BEEN, ACQUIRED BY A PERSON WITHOUT VALID AUTHORIZATION. THE DISCLOSURE SHALL BE MADE IN THE MOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY.”
Furthermore, notification must be one of the following:
“(A) WRITTEN NOTICE;
(B) ELECTRONIC NOTICE, PROVIDED THAT THE PERSON TO WHOM NOTICE IS REQUIRED HAS EXPRESSLY CONSENTED TO RECEIVING SAID NOTICE IN ELECTRONIC FORM AND A LOG OF EACH SUCH NOTIFICATION IS KEPT BY THE PERSON OR BUSINESS WHO NOTIFIES AFFECTED PERSONS IN SUCH FORM; PROVIDED FURTHER, HOWEVER, THAT IN NO CASE SHALL ANY PERSON OR BUSINESS REQUIRE A PERSON TO CONSENT TO ACCEPTING SAID NOTICE IN SAID FORM AS A CONDITION OF ESTABLISHING ANY BUSINESS RELATIONSHIP OR ENGAGING IN ANY TRANSACTION.
(C) TELEPHONE NOTIFICATION PROVIDED THAT A LOG OF EACH SUCH NOTIFICATION IS KEPT BY THE PERSON OR BUSINESS WHO NOTIFIES AFFECTED PERSONS; OR
(D) SUBSTITUTE NOTICE, IF A BUSINESS DEMONSTRATES TO THE STATE ATTORNEY GENERAL THAT THE COST OF PROVIDING NOTICE WOULD EXCEED TWO HUNDRED FIFTY THOUSAND DOLLARS, OR THAT THE AFFECTED CLASS OF SUBJECT PERSONS TO BE NOTIFIED EXCEEDS FIVE HUNDRED THOUSAND, OR SUCH BUSINESS DOES NOT HAVE SUFFICIENT CONTACT INFORMATION. SUBSTITUTE NOTICE SHALL CONSIST OF ALL OF THE FOLLOWING:
(1) E-MAIL NOTICE WHEN SUCH BUSINESS HAS AN E-MAIL ADDRESS FOR THE SUBJECT PERSONS;
(2) CONSPICUOUS POSTING OF THE NOTICE ON SUCH BUSINESS’S WEB SITE PAGE, IF SUCH BUSINESS MAINTAINS ONE; AND
(3) NOTIFICATION TO MAJOR STATEWIDE MEDIA.”
Again, the law is explicit that notification is triggered when private information “is reasonably believed to have been” acquired; concrete proof that the bad guys got away with the good stuff is not required. An experienced incident response team can usually establish from logs and forensic evidence whether data was actually acquired, and where the evidence is inconclusive the “reasonably believed” standard still applies. To hide behind uncertainty is an unethical and quite possibly illegal gamble. Note also that the electronic and telephone options in (B) and (C) both require the business to keep a log of each notification, so the notification process itself must produce an auditable record.
The final significant section defines enforcement and penalties. Enforcement rests with the State Attorney General.
“(A) WHENEVER THE ATTORNEY GENERAL SHALL BELIEVE FROM EVIDENCE SATISFACTORY TO HIM THAT THERE IS A VIOLATION OF THIS ARTICLE HE MAY BRING AN ACTION IN THE NAME AND ON BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK, IN A COURT OF JUSTICE HAVING JURISDICTION TO ISSUE AN INJUNCTION, TO ENJOIN AND RESTRAIN THE CONTINUATION OF SUCH VIOLATION. IN SUCH ACTION, PRELIMINARY RELIEF MAY BE GRANTED UNDER ARTICLE SIXTY-THREE OF THE CIVIL PRACTICE LAW AND RULES. IN SUCH ACTION THE COURT MAY AWARD DAMAGES FOR ACTUAL COSTS OR LOSSES INCURRED BY A PERSON ENTITLED TO NOTICE PURSUANT TO THIS ARTICLE, INCLUDING CONSEQUENTIAL FINANCIAL LOSSES. WHENEVER THE COURT SHALL DETERMINE IN SUCH ACTION THAT A PERSON OR BUSINESS VIOLATED THIS ARTICLE KNOWINGLY OR RECKLESSLY, THE COURT MAY IMPOSE A CIVIL PENALTY OF THE GREATER OF FIVE THOUSAND DOLLARS OR UP TO TEN DOLLARS PER INSTANCE OF FAILED NOTIFICATION, PROVIDED THAT THE LATTER AMOUNT SHALL NOT EXCEED ONE HUNDRED FIFTY THOUSAND DOLLARS.
(B) THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY OTHER LAWFUL REMEDY AVAILABLE.”
$150,000 may not seem like a lot of money to a large organization, and it may be tempting to gamble on keeping a breach quiet. Keep in mind, though, that the cap applies only to the civil penalty for a knowing or reckless violation. The court may also award actual costs and consequential financial losses to every person who should have been notified, and the statute’s remedies are in addition to any other lawful remedy. That is before you show up on the radar of an ambitious State Attorney General like Eliot Spitzer.
Unlike HIPAA or GLBA, this legislation spells out in plain terms what data is covered, when notice is due and how it must be delivered. Information security professionals should be able to leverage this law to make headway in their organizations. Similar laws have been established in Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, and Washington.
Whether your organization has 20 security people or none is irrelevant. The New York law is triggered by the residence of the people whose data you hold, not by where your systems sit: if you hold private information about residents of any of the states mentioned above, this type of law forces the issue.
to be continued….