[BreachExchange] Tennessee Breach-Notification Law Indicative of Data-Security Regulators’ Lack of Creativity

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 14 19:48:22 EDT 2016


http://www.lexology.com/library/detail.aspx?g=75beffe1-a824-448d-8581-b4e07157d1d1

There is no shortage of data-privacy and security laws in the United
States. By our count there are now about 300 state and federal statutes.
They include breach-notification laws, data-disposal laws, data-safeguard
laws, payment card information-protection laws … the list goes on and on.
Many of these laws, and practical strategies for managing compliance with
them, are discussed in a Washington Legal Foundation Contemporary Legal
Notes paper I authored, Data Privacy and Security Practical Guide for
In-House Counsel.

Nonetheless, the push continues for more regulation to make sure that the
consumer data held by companies is secure.

Quantity does not, in this case, equal quality. In fact, it means the
opposite. The quantity of data-security legislation imposes a significant
cost on businesses to stay abreast of the changing legal landscape and to
comply with (or to be confused by) what can best be characterized as
technical or procedural differences between the data-security laws. For
example, following a data breach the 54 different breach-notification
statutes may require a business to notify 25 different federal and state
agencies. Notifying 25 different agencies does little, or nothing, to
strengthen private-sector data security, protect consumers, or prevent
identity theft; it does impose a compliance burden and create 25
opportunities for a good corporate citizen to unintentionally violate a
statute.

Image (graphic accompanying the article):
https://wlflegalpulse.files.wordpress.com/2016/06/zetoony-graphic.png?w=660

Perhaps most disappointing, despite the quantity of regulation, legislators
and regulators have displayed relatively little creative thinking and most
changes serve to confuse the business community rather than to help direct
them toward best practices.

For example, the Tennessee legislature recently amended its data-breach
notification statute so that beginning on July 1, 2016, a “breach of
security,” which used to be defined as “unauthorized acquisition of
unencrypted computerized data that materially compromises the security,
confidentiality or integrity of personal information,” will no longer have
the qualifier that the data must be “unencrypted.”

News articles and the legal press have characterized the change as making
the Tennessee statute “among the nation’s toughest,” and as requiring
breach notification “regardless of whether or not the information … was
encrypted.”

In actuality, the change will have very little, if any, impact on
businesses besides generating some counterproductive confusion. Although
the statute will no longer technically contain an automatic “encryption
safe harbor,” the statute will still require consumer notification only if
an incident “materially compromises the security” of personal information.
If data is encrypted, the encryption is strong, and the encryption key is
not compromised, then in most, if not all, situations the personal
information will not be “materially compromised” and notification will not
be needed.
This is functionally the same result that would be reached under a dozen
other state statutes that include an “encryption safe harbor,” but require,
in order for the safe harbor to apply, that the encryption key not be
compromised, and that the encryption be sufficient to make the data
unusable to the unauthorized party (i.e., a different way of stating that
there has been no “material” compromise). Despite the headlines, the real
moniker of this change should be “much ado about nothing.”

If regulators want to improve data security, they should move away from
tweaks to the existing framework, or enactment of substantively duplicative
legislation, and should instead meet with the business community to design
new and creative means for improving data security, decreasing regulation,
and lowering business risk.

A good example of such an effort came from New York Attorney General Eric
Schneiderman who proposed last year what would have been a new framework
for state data-security regulation. Instead of trying to impose additional
penalties on businesses following a data breach (which arguably do not need
more motivation to avoid breaches) or remove safe harbors, he proposed a
framework by which companies that voluntarily adopted the highest standards
for data protection—such as independent auditing of security
frameworks—could qualify for a new safe harbor from suit in the event of a
data breach. If that legislation had passed it would have provided a
carrot, not a stick, to businesses as well as specific tangible direction
toward maturing security programs.