Missouri is the 45th state to pass a data breach notification law, which will go into effect on August 28, 2009 (which seems like a pretty random date. It’s a Friday, if anyone’s interested).
Some have pointed out that this new law is much more similar to its California counterpart (the original personal information breach notification law) than to the laws in Massachusetts or Nevada, in that the MO law does not specifically require that personal information be encrypted.
In that sense, this law is not an “encryption law,” although I imagine that many people will call it that since the use of data encryption seems to provide safe harbor (consult with your lawyer–I’m not one).
What Is Considered A Personal Information Security Breach In Missouri?
According to section 407.1500, a breach is the following:
“Breach of security” or “breach”, unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.
Hm…it seems to me that Missouri is a little behind the times. If I’m not wrong, most other states are passing legislation so that security breaches include paper documents–not just digital data–and others are amending their laws where paper documents were not included originally.
“Personal information” is defined as follows (my emphasis on “encrypted”):
…an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not ENCRYPTED, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
Social Security number;
Driver’s license number or other unique identification number created or collected by a government body;
Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
Medical information; or
Health insurance information.
What Needs To Be Included In The Client Notification Letter?
As lifted directly from the law:
The incident in general terms;
The type of personal information that was obtained as a result of the breach of security;
A telephone number that the affected consumer may call for further information and assistance, if one exists;
Contact information for consumer reporting agencies;
Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
What Methods Can Be Used To Notify Clients?
As in most other states, there are various methods for contacting affected individuals, including letters, e-mail, and phone calls.
There are also provisions for when notification would be too costly or too many people are affected: if the cost of providing notice exceeds $100,000 or if over 150,000 people are affected, a substitute notice can be provided, including the use of statewide media.
If more than 100,000 people are affected, the state AG and consumer reporting agencies must be contacted as well.
The AG is given the authority to “obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.”
So, $150,000 or less in fines, plus I’d assume one would have to shell out money to contact the affected (something that should have happened in the first place).
Encryption Provides Safe Harbor?
It’s up to the lawyers and courts to say, but if I’m reading the section on what constitutes personal information correctly (as I’ve emphasized), encrypted information is not considered personal information. And since it’s not considered personal information, its loss cannot constitute a data breach, which means there is no need for notification.
It’s kind of a roundabout way of saying that encrypted data cannot be breached, I guess, but man, the twists on logic….
Also, notification is not necessary if it’s determined that the breach won’t result in identity theft or fraud. However, “such a determination shall be documented in writing and the documentation shall be maintained for five years.”
In other words, you’d better be pretty certain that criminals won’t use it/find it. My guess is that, if your determination was erroneous and something comes to light, not having that paperwork will mean lots and lots of fines.
Should you use encryption software like AlertBoot to protect sensitive data? The law does not mandate it, but it certainly seems to be encouraging it.