To revisit briefly the tortured history of this regulation, the original version was highly prescriptive and mandated specific technological protections (such as 128-bit encryption) regardless of the size, nature and scope of the business and the risks involved. After wailing and lamentations from business groups, a near-final regulation (discussed in depth in this blog) was issued in August 2009 and shifted the regulatory standard to a more flexible, risk-based, technology-neutral approach. The final revisions were issued after a September 22 hearing, based on which the OCABR concluded that it had finally gotten it right.

The revisions are minimal and deal mostly with the compliance deadline for binding third-party service providers by contract. The final regulation makes it clear that existing contracts signed on or before March 1, 2010 do not have to contain the magic language requiring service providers to maintain appropriate security measures to protect personal information. However, this carve-out does not apply as of March 1, 2012; on that date, ALL contracts must be compliant.

Now that those damned Yankees have won the World Series, if you’re yearning to read the final regulation, you can get it here.

Data breaches impose huge costs on businesses in terms of investigation, remediation, fraud losses, notification of affected individuals, replacement of accounts and reputational and customer-relations damage. Given the resources and sophistication of foreign criminal syndicates and other fraudsters, some data breaches are probably unavoidable. However, in the unfortunate event of a breach, you do not want to be seen as having fallen too far behind the state of the art in information security protection, or you could face statutory or regulatory fines and negligence liability. The FTC busted TJX, which ended up paying millions of dollars in fines to the FTC and the states, because, among other things, they used WEP, an outdated wireless encryption standard. As previously described in this blog, Nevada’s data security law, Senate Bill 227 (which is potentially applicable to any business with Nevada customers), requires personal information stored on portable devices in motion or transmitted outside a business’ secure systems to be encrypted using technology approved by an “established standards setting body.”

And now, in the case of Shames-Yeakel v. Citizens Financial Bank, No. 07-C-5387 (N.D. Ill. Aug. 21, 2009), a federal district court in Illinois has denied Citizens Bank’s motion for summary judgment dismissing a data breach-related negligence claim where the bank allegedly had not moved promptly enough to implement multifactor authentication (i.e., secondary inputs beyond name and password, such as tokens, personal questions, etc.) to secure sensitive Internet transactions. (A 2005 regulatory guidance had criticized single-factor authentication, i.e., name and password alone, as being inadequate.)

There is a dialectic going on here: legislatures, regulators and courts are wary of imposing compliance requirements involving huge costs for new IT infrastructure at a time when the national unemployment rate is 9.8%. At the same time, given the mounting economic costs of data breaches, the public outcry over identity theft, and the connection between identity theft, organized crime and terrorism, legal and regulatory scrutiny of data security protections is increasing and will continue to do so. This dialectic was evident in Massachusetts this past August, when, at the urging of business groups, 201 CMR § 17.00, a highly prescriptive, technology-specific data security regulation that would have gone into effect in January 2010 (and would have required data in motion or stored on portable devices to be encrypted using 128-bit technology) was thoroughly revised to be risk-based and technology-neutral and to take into account the size, scope and type of business, the amount of resources available to the business, etc.

Don’t be an outlier. Learn what the state of the art is (the supporting and ancillary documents for the Payment Card Industry Data Security Standard are particularly useful here) and try to be in the general vicinity. If it’s too expensive, think about outsourcing the hosting or processing of personal information (but make sure you have done due diligence on the vendor and have a protective contract with them, as required by PCI DSS, HIPAA, federal banking regulations and state data security laws) or whether you even need to hold personal information in the first place. Amid the carnage and emotional trauma of a data breach, there’s no need to add legal fees, regulatory fines and tort damages to the heap of misery.

Our new offices in Old City

My biggest challenge in putting the presentation together was to connect all of these dots into some type of coherent pattern. At the beginning of the summer, it looked like we were moving to a much more “prescriptive,” technology-specific, top-down style of data security regulation in the former Massachusetts mold (rigorous computer system security and personnel access control requirements for all businesses owning or licensing personal information, 128-bit encryption, etc.). Then Massachusetts did an about-face, and other states failed to follow the Nevada and Massachusetts model of requiring encryption for personal information transmitted over open networks or stored on portable devices.

The two federal data security bills would set a national data breach standard and national standards for implementing data security safeguards, but are largely technology-neutral (Congressman Bobby Rush’s H.R. 2221 even goes so far as to prohibit the FTC from setting specific technological requirements!). At the end of the day, I told my largely California-based audience that their state data security statute (the original data breach notice legislation combined with a requirement to use reasonable data security safeguards appropriate to the nature of the data) would likely be the paradigm for national and other state data security legislation. California is the trend-setter for insanity in many areas of the law, but its regime seems relatively sane when compared, for example, with the earlier, anal-retentive version of Massachusetts’ 201 CMR 17.00.

While the breeze in San Francisco Bay was lovely, it’s good to be back in the City of Brotherly Love, and in new digs, too. More to come.

I will discuss the changes more fully in an upcoming post, but overall they respond to concerns from recession-racked businesses about the stringent encryption and other technical and computer security requirements of the regulation, which would have applied across the board to businesses regardless of their size and resources and the technical feasibility of implementation.

So, for example, the amended regulation now only requires that personal information stored on portable devices or transmitted over the Internet must be encrypted “to the extent technically feasible.” Furthermore, it drops the requirement of a 128-bit or higher encryption standard. More generally, businesses’ information security programs now only must contains safeguards that are appropriate to the size, scope and type of business and the amount of resources available to the business. The third-party service provider oversight provision has also been modified to be consistent with the FTC’s Safeguards Rule implementing the information security requirements of the Gramm-Leach-Bliley Act; businesses must take “reasonable steps” to select service providers capable of maintaining appropriate security measures for personal information and must require them by contract to do so. However, any contract entered into prior to March 1, 2012 will not be considered non-compliant even if it lacks these provisions, as long as it was entered into prior to March 1, 2010.

More to follow soon.

A data collector must also encrypt personal information stored on any data storage device or medium (including a laptop, flash or USB drive, mobile phone, CD-ROM or magnetic tape) that is moved “beyond the logical or physical controls” of the data collector or its data storage vendor. Unlike in the previous encryption law, encryption is now defined as requiring the use of cryptographic keys to decipher data, with the encryption technology and key management procedures having to meet established standards.

Compliance with the law will insulate a data collector from liability for damages for a data breach, unless the data breach is caused by gross negligence or intentional misconduct (an extremely high standard of proof from a plaintiff’s standpoint). The new law, which contains exclusions for telecommunications providers and certain financial account payment processing and reporting activities conducted over a secure private channel, is set to go into effect on January 1, 2010.

As if the Nevada and Massachusetts laws weren’t fun enough, on August 1 the FTC will start enforcing the new Red Flags Rule, which requires “financial institutions” and “creditors” (as defined in the Rule) to develop and implement programs that identify and detect the warning signs (or “red flags”) of identity theft and provide for appropriate responses to prevent and mitigate identity theft. The Red Flags Rule applies to a wide range of businesses and organizations beyond banks and others under the supervision of a federal regulatory agency (who were required by their respective regulators to comply as of November 1, 2008), including any business that regularly defers payment for goods or services or provides goods or services to be billed later. Utility companies, mobile telecommunications providers and even ambulance services may have to comply. Accordingly, businesses which offer accounts, or are in any way involved in providing or servicing accounts, that may involve credit (even short-term payment deferral) and exposure to the personal information of consumers or individuals should determine whether they are subject to the Red Flags Rule. More information about the Red Flags Rule can be found on the FTC’s website here.

On a happier note, it’s Friday….