<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights &#187; information security</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/tag/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Sun, 29 Aug 2010 19:49:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>FTC Data Breach Action Against Twitter Settled</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 18:42:29 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1024</guid>
		<description><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax informati[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax information security protections at the site to gain administrative control and access private accounts and other personal information.  The compromised information included e-mail addresses and tweets meant for individual recipients and followers only.  Intruders were also able to send phony tweets from the accounts of then-President-elect Barack Obama and Fox News, among others.  </p>
<p>The details of the 2009 data breaches and the security holes that enabled them are summarized in the FTC&#8217;s press release, which you can find <a href="http://www.ftc.gov/opa/2010/06/twitter.shtm">here</a>.  The data breaches stemmed from two incidents.  In the first one, an intruder used an automated password-guessing tool to enter an administrative password (a weak lower-case password consisting of a common dictionary term) on the site&#8217;s main login page.  Using the password, the intruder reset several passwords and posted some of them on a website where they could be used by others.  In the second incident, an intruder hacked a Twitter employee&#8217;s personal e-mail account and was able to derive an administrative password from similar passwords that were stored in plain text.  Twitter&#8217;s privacy policy at the relevant times used common boilerplate to describe its data security procedures:   </p>
<p><em><strong>“Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”</strong></em></p>
<p>It is important to note that Twitter never guaranteed the security of its site.  Indeed, tech lawyers like myself routinely warn clients against calling their sites &#8220;secure&#8221; and making similar unqualified assurances.  A cynic might remark that &#8220;weasel language&#8221; like Twitter&#8217;s is designed to stimulate a cozy feeling in users without committing the site to any concrete obligations or precautions.  </p>
<p>The FTC&#8217;s explanation of the charges against Twitter crystallizes its thinking and underlines the agency&#8217;s increasingly aggressive approach to regulating privacy and data security on the Internet and especially on social media sites:  </p>
<p><strong><em>“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.</em>”</strong></p>
<p>There seems to be little question here that Twitter screwed up.  The FTC&#8217;s complaint recites a litany of data security lapses that have been no-no&#8217;s for at least three or four years in the wake of the <a href="http://www.baerbizlaw.com/category/blog/?s=TJX&#038;submit=submit">FTC&#8217;s prosecution of TJX</a> for its data breaches and the advent of the Payment Card Industry Data Security Standard (PCI DSS).  These no-no&#8217;s include Twitter&#8217;s failure to:</p>
<p>    * require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;<br />
    * prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;<br />
    * suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;<br />
    * provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;<br />
    * enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;<br />
    * restrict access to administrative controls to employees whose jobs required it; and<br />
    * impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.</p>
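<p>Several of the lapses on that list are ordinary engineering controls, and they are easy to show in code.  The following is an added example, not Twitter&#8217;s code and not anything from the FTC complaint: a small admin login gate that rejects dictionary-word passwords, stores only salted PBKDF2 digests rather than plain text, locks an account after a fixed number of failed attempts, and refuses administrative logins from source addresses outside an allowlist.  The thresholds (five attempts, fifteen-minute lockout, twelve-character minimum), the network ranges, the sample usernames and the tiny word list are all assumptions chosen for illustration.</p>

```python
"""Admin login gate demonstrating the controls the FTC complaint said were
missing: no dictionary-word admin passwords, no plain-text credential
storage, lockout after repeated failures, and admin access limited to
approved source addresses.  Added example; every name and threshold here
is an assumption, not Twitter's or the FTC's."""
import hashlib
import hmac
import ipaddress
import os
import time
from typing import Optional, Tuple

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "happiness", "letmein", "welcome", "admin"}
PBKDF2_ROUNDS = 200_000
MAX_FAILURES = 5            # failed attempts before lockout (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (assumed)
_DUMMY_SALT = b"\x00" * 16  # used to equalise timing for unknown users


def password_policy_ok(pw: str) -> bool:
    """Reject short, all-lowercase, or dictionary-word passwords."""
    if len(pw) < 12 or pw.lower() in COMMON_WORDS:
        return False
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the stored credential is never plain text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class AdminGate:
    def __init__(self, allowed_nets, clock=time.time):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.clock = clock          # injectable so lockout expiry can be tested
        self.creds = {}             # username -> (salt, digest)
        self.failures = {}          # username -> consecutive failure count
        self.locked_until = {}      # username -> timestamp lock expires

    def add_admin(self, username: str, password: str) -> None:
        """Admin passwords must pass policy before they are ever stored."""
        if not password_policy_ok(password):
            raise ValueError("password violates admin policy")
        self.creds[username] = hash_password(password)

    def _ip_allowed(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.allowed)

    def login(self, username: str, password: str, src_ip: str) -> Tuple[bool, str]:
        """Return (ok, reason).  The IP and lockout checks run before the
        password is examined, so a locked or off-network attacker learns nothing."""
        now = self.clock()
        if not self._ip_allowed(src_ip):
            return False, "source address not permitted for admin access"
        if self.locked_until.get(username, 0) > now:
            return False, "account locked"
        rec = self.creds.get(username)
        salt, digest = rec if rec is not None else (_DUMMY_SALT, b"")
        _, candidate = hash_password(password, salt)   # always hash, even for unknown users
        if rec is not None and hmac.compare_digest(candidate, digest):
            self.failures.pop(username, None)
            return True, "ok"
        # Count failures for unknown users too, so enumeration is no cheaper.
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return False, "account locked"
        return False, "invalid credentials"
```

<p>Run stand-alone, the gate refuses to register an admin with the password &#8220;happiness,&#8221; refuses a correct password presented from an address outside the allowlist, and, after five wrong guesses, refuses the correct password as well until the lockout window has passed.  Serving the admin login on a separate, unadvertised path and restricting which employees hold admin accounts at all are deployment decisions outside this snippet.</p>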
<p>Again, it&#8217;s hard to argue Twitter didn&#8217;t screw up.  However, this case demonstrates beyond a shadow of a doubt that the FTC will nail you for failing to use generally accepted data security best practices regardless of how you characterize your security measures in your privacy policy.  In other words, saying that there are risks beyond your control no longer provides a get out of jail free card.  Before the TJX case, the FTC targeted its wrath at sites that explicitly promised better security than they delivered.  Now, however, there is an absolute minimum standard of data security:  according to the FTC, inviting users to submit information which they can designate as private without complying with best practices is <em>inherently</em> misleading and deceptive.  Furthermore, FTC scrutiny is no longer confined to privacy policies and &#8220;advertising&#8221; or &#8220;marketing&#8221; messages; the wording of social media categories, designations and preferences, such as privacy preferences, is now fair game.  </p>
<p>Under the settlement Twitter is prohibited from misleading consumers about its data security practices for 20 years and must implement a comprehensive information security program, which will be audited by the FTC every other year.  The FTC and Twitter, in other words, will be best buddies for years to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several that requires the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives Boucher (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy bill that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)<br />
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.   (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). " title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.    (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). </p></div><br />
<strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.</p>
<p><strong>What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e., as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<p>◊ how information may be merged, linked or combined with other information from unaffiliated sources<br />
◊ how information is stored by the entity<br />
◊ how long the information is retained in identifiable form<br />
◊ how the entity disposes of (or renders anonymous) covered information after the end of the retention period<br />
◊ a means to contact the entity with inquiries or complaints about the handling of covered information<br />
◊ the consent mechanism required by the bill</p>
<p>Notably the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply?</strong></p>
<p>The primary enforcer would be the FTC, the big 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  Private actors, however, have no right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Loving Care for Your Internet Use Policy?</title>
		<link>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/</link>
		<comments>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/#comments</comments>
		<pubDate>Thu, 13 May 2010 14:51:04 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Stengart]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=872</guid>
		<description><![CDATA[<p>Your company&#8217;s Internet use policy may need a little &#8220;loving care&#8221; after the New Jersey Supreme Court&#8217;s predictably iconoclast[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Your company&#8217;s Internet use policy may need a little &#8220;loving care&#8221; after the New Jersey Supreme Court&#8217;s predictably iconoclastic ruling in <em><a href="http://lawlibrary.rutgers.edu/courts/supreme/a-16-09.opn.html">Stengart v. Loving Care Agency, Inc.</a></em>, 2010 N.J. LEXIS 241 (March 30, 2010), which recognized a limited employee right to privacy in e-mails sent from a password-protected personal Yahoo account using a work computer.</p>
<p>The facts of <em>Stengart</em> are simple.  Ms. Stengart brought an employment discrimination suit against her home-nursing company employer, Loving Care (great name, that) and exchanged e-mails with her attorney through a web-based personal Yahoo account that she accessed from a company-issued laptop.  In the course of the discovery process the employer&#8217;s counsel imaged the laptop&#8217;s hard drive and found the e-mails, but did not promptly notify Ms. Stengart&#8217;s counsel and turn over the e-mails, as required by New Jersey&#8217;s attorney ethics rules.  Although the employer purportedly maintained an Internet use policy that indicated &#8220;e-mail&#8221; and Internet use was the company&#8217;s property and could be monitored, the policy was poorly drafted and internally inconsistent, stating at the same time that occasional personal use of work computers was permitted.  </p>
<p>The New Jersey Supreme Court held that, given the lack of clarity in the policy that appeared to invite some personal activity, and the fact that the policy did not refer specifically to employer monitoring of password-protected, web-based e-mail usage, Ms. Stengart had not been adequately placed on notice of her employer&#8217;s claimed right to monitor.  Therefore, under the New Jersey constitutional and common law of privacy, she retained an objectively and subjectively reasonable expectation of privacy in her Yahoo account (i.e., that it fell outside the scope of the monitoring described in the Internet use policy), which Loving Care violated when its lawyers retrieved her private e-mails.  Furthermore, the Court held &#8212; and this is the kicker &#8212; even if the employer&#8217;s policy had been totally clear that her Yahoo account usage could be monitored, it would not be enforceable to destroy Ms. Stengart&#8217;s attorney-client privilege in the e-mails with her lawyer. </p>
<p>The Court neatly summed up its views on Internet use policies at the end of the opinion:</p>
<p><em><strong>&#8220;Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy&#8230;. For example, an employee who spends long stretches of the workday getting personal, confidential legal advice from a private lawyer may be disciplined for violating a policy permitting only occasional personal use of the Internet. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual &#8212; that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee&#8217;s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company&#8217;s computer system &#8212; would not be enforceable.&#8221;</strong></em></p>
<p>Until now, courts examining the issue of whether employees have privacy rights in personal online communications sent from work computers have largely deferred to employer Internet use policies that reserved broad monitoring rights.  It is not particularly surprising that the New Jersey judiciary, with its more liberal policy preferences and insistence on the sanctity of the attorney-client privilege, has diverged from more employer-friendly, freedom-of-contract regimes like Pennsylvania in establishing limits on what employers can peek at with Internet use policies.  Still, the <em>Stengart</em> case does provide some useful guidelines for how employers (in New Jersey and elsewhere) can structure their Internet use policies to avoid the loss of productivity and liability risks associated with uncontrolled employee web surfing, Facebook usage, etc., while at the same time avoiding a tort claim for invasion of privacy. </p>
<p>1.  <strong>Specifically discuss whether and how employee access of password-protected, web-based e-mail accounts may be monitored.</strong>  In other words, don&#8217;t make the mistake of the employer in <em>Stengart</em> and assume that references to &#8220;e-mail&#8221; usage will be interpreted to cover personal Yahoo and Gmail accounts as well as messages sent via the company&#8217;s official e-mail system.  So, for example, you should mention that e-mails from personal web accounts might be stored on the hard drive of the employer&#8217;s computer.  Also consider giving similar examples with respect to personal activity on restricted areas of social media sites when accessed from work.  Greater clarity and specificity about monitoring of password-protected account usage could also help prevent a Stored Communications Act violation as well as liability for invasion of privacy.</p>
<p>2.  <strong>Don&#8217;t send mixed messages concerning personal Internet usage at work.</strong>  The New Jersey Supreme Court indicated that an employer has the right to prohibit the use of work computers and Internet access for personal reasons and to discipline or terminate employees who violate this policy.  For cultural reasons many employers have resisted taking such a draconian line up to now, but it may be time to consider drawing a line in the sand if productivity loss is a major concern.  If an employer is willing to tolerate limited personal usage of company IT resources (subject to the restrictions in the policy and any blocking of particular sites that the employer considers a distraction), the policy needs to be <strong><em>absolutely clear</em></strong> that even allowed personal communications may still be monitored and stored.  Bottom line for employers:  tell your employees that if they consider something really private or sensitive, they should do it at home using their own computer.   </p>
<p>3.  <strong>Be consistent in applying the policy.</strong>  This is a logical corollary of #2, i.e., don&#8217;t send mixed messages.  Inconsistent application of an IT use policy landed the city of Ontario, California before the U.S. Supreme Court on April 19.  In <em>City of Ontario v. Quon</em>, a SWAT team member was issued a department pager under a use policy that clearly indicated everything could be monitored.  However, a supervisor allegedly assured Quon that personal text messages would not be reviewed as long as the employee paid for any overages.  Needless to say, they were.  The question before the Court is whether the supervisor&#8217;s statements, which deviated from the IT use policy, were enough to give Quon a reasonable expectation of privacy in the personal texts.  Based on the transcript of the oral arguments, the justices seem skeptical (more so, perhaps, than the New Jersey Supreme Court might be).  Their decision will be forthcoming in the next few weeks.  However, the real take-away here is <em>the case should never have happened.</em> Make sure that all employees, including (and especially) managers confirm receipt of, and are knowledgeable about, your company&#8217;s Internet use policy (for example, it can be discussed in employee information security training).  A well-drafted policy should describe the business interests underlying it and the company&#8217;s seriousness in promoting those interests, and should identify a contact person who can address any questions or issues concerning the policy.  The company should also cultivate a culture of compliance (if you&#8217;ll forgive the alliteration) so that no one is perceived as exempt; selective application and enforcement can lead not only to privacy-related liability but discrimination claims too.</p>
<p>Now that employee privacy is more than just a rallying cry for plaintiffs&#8217; lawyers, consider whether your Internet use policy could use a little loving care.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tech Chestnuts for the Winter Chill</title>
		<link>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/</link>
		<comments>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/#comments</comments>
		<pubDate>Sat, 12 Dec 2009 23:52:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[green technology]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=619</guid>
		<description><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm youself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm yourself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in his bag:<br />
<div id="attachment_641" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/carpenters-hall-300x225.jpg" alt="Carpenters Hall at Yuletide" title="carpenters hall" width="300" height="225" class="size-medium wp-image-641" /><p class="wp-caption-text">Carpenters Hall at Yuletide</p></div><br />
1.  <strong>Green Patents.</strong>  In conjunction with the Copenhagen climate summit, the U.S. Patent and Trademark Office announced on December 8 a pilot program to accelerate the examination of patent applications for green technology.  Normally, except where other circumstances exist favoring accelerated review, patents are examined on a first-come, first-served basis.  The first 3,000 eligible patent applicants who file a &#8220;petition to make special&#8221; their applications will get to jump to the front of the line.  </p>
<p>According to the PTO, the average time between filing and the first office action (PTO response) on a green technology patent application is 30 months, with the final action on the applications coming after 40 months on average.  The PTO estimates that participation in the pilot program will shave a year off the time to get a green technology patent.  Green technology eligible for the pilot program is defined as patent applications relating to environmental quality, energy conservation, development of renewable energy resources or greenhouse gas emissions reductions.  You can download detailed eligibility and petition requirements on the PTO website <a href="http://www.uspto.gov/patents/law/notices/2009.jsp">here</a>.  </p>
<p>2.  <strong>Online Privacy and Behavioral Advertising.</strong>  Check out Yahoo!&#8217;s new <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Ad Interest Manager</a>, which enables you to see information about your online browsing activities that Yahoo collects for targeted advertising purposes.  The new site feature was unveiled with great fanfare on December 7, which &#8212; coincidentally? &#8212; was the same day the FTC kicked off the first of three new Privacy Roundtables examining online data collection for behavioral advertising and similar topics and the adequacy of current privacy rules and industry self-regulation.  </p>
<p>Yahoo! may be ahead of the curve.  The noises the FTC is making seem to indicate impatience and dissatisfaction with the current state of self-regulation in behavioral advertising (supposedly based on notice and choice, as provided in the <a href="http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising">behavioral advertising self-regulatory guidelines</a> issued by the FTC in February 2009).  More aggressive privacy regulation, as well as stepped-up administrative enforcement, may be on the way.  Of course, this is <a href="http://www.baerbizlaw.com/blog/ftc-busts-sears-in-behavioral-tracking-case">exactly what I predicted last summer</a>.</p>
<p>I am monitoring this situation closely, and if there is a new rulemaking, I am considering participating in the public comment process.  I acknowledge the concern in government and academic circles about the ability to build profiles and derive personal information by associating and combining data on the Internet and applying behavioral analytics (connecting the dots to tease out or guess specific attributes of an Internet user, such as demographic information, based on browsing activity and clickstream data).  However, as a matter of personal opinion I tend to fall into the &#8220;what privacy?&#8221; camp and am not convinced we are dealing with a full-scale public emergency that warrants shackling innovative new technologies and communication channels.  </p>
<p>3.  <strong>Workplace Internet Privacy Before the NJ Supreme Court.</strong>  <em>Stengart v. Loving Care Agency, Inc.</em>, a New Jersey appellate court case I <a href="http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie">blogged about this past summer</a>, was argued before the New Jersey Supreme Court on December 2.  The issue in <em>Stengart</em> is whether an employee&#8217;s e-mails to her attorney using her personal web account are still covered by the attorney-client privilege in her suit against the employer where she accessed the account from a work computer.  (The defendants&#8217; counsel found the e-mails when imaging the computer&#8217;s hard drive during discovery.)  The employer had a poorly drafted Internet use policy that (arguably) rendered all communications over the computer subject to monitoring, although the policy also allowed limited personal use of the computer.  </p>
<p>The case is important, because if the Supreme Court agrees with the appellate court that the employee did have an expectation of privacy in the e-mails to her attorney, notwithstanding the Internet use policy, it could curtail employers&#8217; previously untrammeled ability to regulate the use of their IT resources.  </p>
<p>A finding for the employee seems likely, since the New Jersey Supreme Court is a liberal bench that has often taken a broadly protective approach to the attorney-client privilege.  Also, at least two of the justices, including Chief Justice Rabner, seemed troubled by the employer&#8217;s reliance on the policy as support for its position that it could monitor anything transmitted using its computers.  </p>
<p>The big question, then, is how broad or narrow the ruling will be.  Was this a badly drafted policy that on its terms shouldn&#8217;t be construed to apply to such personal communications?  Or, going forward, do all Internet use policies need to specifically call out the right to monitor communications using web-accessed personal e-mail accounts?  Or (most radical) will an employer&#8217;s &#8220;unilateral&#8221; reservation of the right to monitor its IT resources be held unenforceable as a matter of public policy when applied to certain types of communications &#8212; such as e-mails to a &#8220;spouse, a physician or a cleric&#8221;?   (The possibility of such employer monitoring appeared to disconcert Justice Albin.)  If the court were to take the most radical approach, this might scare employers into slamming the door on ANY personal use of workplace computers and Internet access.<br />
<img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/tree-with-seasonal-colors-225x300.jpg" alt="Colors of the season" title="Colors of the season" width="225" height="300" class="alignright size-medium wp-image-644" /><br />
4.  <strong>Data Breach Dixie-Style.</strong>  Several restaurants in Louisiana and Mississippi, including the rustically named Mel&#8217;s Grill, Sammy&#8217;s Diner and Crawfish Town USA, have sued Radiant Systems, a provider of point-of-sale (POS) hardware and software, and the distributor Computer World, Inc. to recover fines and penalties imposed by Visa and MasterCard after a foreign hacker exploited security vulnerabilities to access the systems remotely.  The plaintiffs, whose claims include negligence and breach of contract, allege that the POS solution was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that the distributor was also out of compliance (according to the plaintiffs, among other things, the system retained sensitive credit card information unnecessarily and the distributor used the same password for 200 different systems).  The plaintiffs also alleged that Radiant had, in fact, been warned by Visa about the vulnerability of the POS system in 2007.  </p>
<p>The negligence claims are significant because of the plaintiffs&#8217; attempt to use PCI compliance to set the baseline for reasonableness in order to show that the defendants&#8217; behavior was negligent.  However, the plaintiffs will face an uphill battle if their contracts with the defendants contain the typical technology vendor/service provider legalese limiting product- and service-related claims to breaches of the narrow warranties given in the contract, disclaiming damages for lost or stolen data, characterizing third-party criminal acts as force majeure for which the vendor is not responsible, and limiting the customer&#8217;s recoverable damages to direct damages no greater than the fees paid for the defective product or service.</p>
<p>However this case unfolds, the loss suffered by the restaurants highlights the need to carefully scrutinize and negotiate technology agreements covering products that store or process sensitive personal information.  The customer should strongly consider requiring the vendor/service provider to warrant that they have validated compliance with PCI and will update their product or service as needed to maintain compliance.  The customer should also seek indemnification against claims and losses resulting from a data breach where the breach is attributable to a defect in PCI compliance.  (Many vendors/service providers will scream at this, protesting that their prices don&#8217;t reflect assumption of these risks.  The proper response to this is &#8220;why not?&#8221;, especially if a vendor/service provider hypes itself as being PCI-certified.)   </p>
<p>Of course, don&#8217;t place absolute trust in having a strong contract; make sure you do your due diligence too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MA Data Security Regulation Finalized &#8212; Finally!</title>
		<link>http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 20:36:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Massachusetts]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=541</guid>
		<description><![CDATA[<p>Last week the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) submitted the final version of 201 CMR 17.00, the most comprehe[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Last week the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) submitted the final version of 201 CMR 17.00, the most comprehensive state data security law, which requires businesses that own or license personal information about Massachusetts residents to implement a written information security program with administrative, physical and technical safeguards, to ensure through due diligence and written contracts that third-party service providers obtaining personal information maintain appropriate security measures, and to encrypt personal information stored on portable devices or transmitted wirelessly or over the Internet.  </p>
<p>To revisit briefly the tortured history of this regulation, the original version was highly prescriptive and mandated specific technological protections (such as 128-bit encryption) regardless of the size, nature and scope of the business and the risks involved.  After wailing and lamentations from business groups, a near-final regulation (<a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux">discussed in depth in this blog</a>) was issued in August 2009 and shifted the regulatory standard to a more flexible, risk-based, technology-neutral approach.  The final revisions were issued after a September 22 hearing, based on which the OCABR concluded that it had finally gotten it right.  </p>
<p>The revisions are minimal and deal mostly with the compliance deadline for binding third-party service providers by contract.  The final regulation makes it clear that existing contracts signed on or before March 1, 2010 do not have to contain the magic language requiring service providers to maintain appropriate security measures to protect personal information.  However, this carve-out does not apply as of March 1, 2012; on that date, ALL contracts must be compliant.  </p>
<p>Now that those damned Yankees have won the World Series, if you&#8217;re yearning to read the final regulation, you can get it <a href="http://www.mass.gov/?pageID=ochahomepage&#038;L=1&#038;sid=Eoca&#038;L0=Home">here</a>.   </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security: Don&#8217;t Fall Behind the State of the Art</title>
		<link>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/</link>
		<comments>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 18:11:05 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Massachusetts]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=517</guid>
		<description><![CDATA[<p>With everyone in Philly waiting with baited breath for Game 3 of the Amtrak Series, I&#8217;m going to eschew the normal in-depth commentary and hit y[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>With everyone in Philly waiting with bated breath for Game 3 of the Amtrak Series, I&#8217;m going to eschew the normal in-depth commentary and hit you with a few quick odds and ends and practical lessons from the world of data security.</p>
<p>Data breaches impose huge costs on businesses in terms of investigation, remediation, fraud losses, notification of affected individuals, replacement of accounts and reputational and customer-relations damage.  Given the resources and sophistication of foreign criminal syndicates and other fraudsters, some data breaches are probably unavoidable.  However, in the unfortunate event of a breach, you do not want to be seen as having fallen too far behind the state of the art in information security protection, or you could face statutory or regulatory fines and negligence liability.  The FTC busted TJX, which ended up paying millions of dollars in fines to the FTC and the states, because, among other things, they used WEP, an outdated wireless encryption standard.  <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law">As previously described in this blog</a>, Nevada&#8217;s data security law, Senate Bill 227 (which is potentially applicable to any business with Nevada customers), requires personal information stored on portable devices in motion or transmitted outside a business&#8217; secure systems to be encrypted using technology approved by an &#8220;established standards setting body.&#8221;  </p>
<p>And now, in the case of <em>Shames-Yeakel v. Citizens Financial Bank</em>, No. 07-C-5387 (N.D. Ill. Aug. 21, 2009), a federal district court in Illinois has denied Citizens Bank&#8217;s motion for summary judgment dismissing a data breach-related negligence claim where the bank allegedly had not moved promptly enough to implement multifactor authentication (i.e., secondary inputs beyond name and password, such as tokens, personal questions, etc.) to secure sensitive Internet transactions.  (A 2005 regulatory guidance had criticized single-factor authentication, i.e., name and password alone, as being inadequate.)  </p>
<p>There is a dialectic going on here:  legislatures, regulators and courts are wary of imposing compliance requirements involving huge costs for new IT infrastructure at a time when the national unemployment rate is 9.8%.  At the same time, given the mounting economic costs of data breaches, the public outcry over identity theft, and the connection between identity theft, organized crime and terrorism, legal and regulatory scrutiny of data security protections is increasing and will continue to do so.  This dialectic was evident <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux">in Massachusetts this past August</a>, when, at the urging of business groups, 201 CMR § 17.00, a highly prescriptive, technology-specific data security regulation that would have gone into effect in January 2010 (and would have required data in motion or stored on portable devices to be encrypted using 128-bit technology) was thoroughly revised to be risk-based and technology-neutral and to take into account the size, scope and type of business, the amount of resources available to the business, etc.</p>
<p>Don&#8217;t be an outlier.  Learn what the state of the art is (the supporting and ancillary documents for the Payment Card Industry Data Security Standard are particularly useful here) and try to be in the general vicinity.  If it&#8217;s too expensive, think about outsourcing the hosting or processing of personal information (but make sure you have done due diligence on the vendor and have a protective contract with them, as required by PCI DSS, HIPAA, federal banking regulations and state data security laws) or whether you even need to hold personal information in the first place.  Amid the carnage and emotional trauma of a data breach, there&#8217;s no need to add legal fees, regulatory fines and tort damages to the heap of misery.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BBL&#8217;s New Offices and SF Data Security Recap</title>
		<link>http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/</link>
		<comments>http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 14:01:57 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[California privacy]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[Massachusetts]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=463</guid>
		<description><![CDATA[<p>Sorry for the hiatus, but I&#8217;ve moved to new offices in Old City, Philadelphia.  Baer Business Law is now located at 325 Chestnut Street, Suite 4[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Sorry for the hiatus, but I&#8217;ve moved to new offices in Old City, Philadelphia.  Baer Business Law is now located at 325 Chestnut Street, Suite 403, in the heart of the vibrant restaurant and historical district (three blocks from Independence Hall, and need I even mention Buddakan, Paradigm, Cuba Libre, the Continental, City Tavern, etc., etc.?)  You can look forward to a whole slew of new happy hour recommendations in Old City and the Northern Liberties coming soon on this blog.<br />
<div id="attachment_466" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/09/BBL-offices1-300x225.jpg" alt="Our new offices in Old City" title="BBL offices" width="300" height="225" class="size-medium wp-image-466" /><p class="wp-caption-text">Our new offices in Old City</p></div><br />
In other news, I just got back from San Francisco, where I spoke at a Tech Target conference about recent developments in data security law.  Among the highlights were tidbits already discussed on this blog, such as the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">new Nevada statute (Senate Bill 227)</a> requiring encryption and PCI DSS compliance and <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">Massachusetts&#8217; recent move to make 201 CMR 17.00 more risk-based and technology neutral</a>.  Also on the agenda was California Senate Bill 20, which sets forth content requirements for data breach notices and is currently awaiting the Governator&#8217;s signature.  Finally, I gave an overview of the two pieces of federal data security legislation (H.R. 2221 and S. 1490) currently dawdling in Congress while our esteemed representatives work on a little matter called health care.   </p>
<p>My biggest challenge in putting the presentation together was to connect all of these dots into some type of coherent pattern.  At the beginning of the summer, it looked like we were moving to a much more &#8220;prescriptive,&#8221; technology-specific, top-down style of data security regulation in the former Massachusetts mold (rigorous computer system security and personnel access control requirements for all businesses owning or licensing personal information, 128-bit encryption, etc.).  Then Massachusetts did an about-face, and other states failed to follow the Nevada and Massachusetts model of requiring encryption for personal information transmitted over open networks or stored on portable devices.  </p>
<p>The two federal data security bills would set a national data breach standard and national standards for implementing data security safeguards, but are largely technology-neutral (Congressman Bobby Rush&#8217;s H.R. 2221 even goes so far as to prohibit the FTC from setting specific technological requirements!).  At the end of the day, I told my largely California-based audience that their state data security statute (the original data breach notice legislation combined with a requirement to use reasonable data security safeguards appropriate to the nature of the data) would likely be the paradigm for national and other state data security legislation.  California is the trend-setter for insanity in many areas of the law, but its regime seems relatively sane when compared, for example, with the earlier, anal-retentive version of Massachusetts&#8217; 201 CMR 17.00.  </p>
<p>While the breeze in San Francisco Bay was lovely, it&#8217;s good to be back in the City of Brotherly Love, and in new digs, too.  More to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Massachusetts Data Security Redux</title>
		<link>http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/</link>
		<comments>http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 13:46:22 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[Massachusetts]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=421</guid>
		<description><![CDATA[<p>OK, sorry for the hiatus.  As promised, here is a fuller take on the <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">amendments to 201 CMR 17.00</a> issued by the Massachusetts Office of Consumer Affair[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>OK, sorry for the hiatus.  As promised, here is a fuller take on the <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">amendments to 201 CMR 17.00</a> issued by the Massachusetts Office of Consumer Affairs &#038; Business Regulation (OCABR) a couple of weeks ago. </p>
<p>First, the new version reflects an abandonment of the &#8220;prescriptive&#8221; (i.e., top-down, technology-specific) regulatory approach that characterized the previous version of 201 CMR 17.00 issued in February 2009.  To put it bluntly, that version scared the living hell out of recession-battered small businesses with its insistence on using 128-bit encryption to safeguard personal information stored on portable devices or transmitted wirelessly or across public networks, and a host of other computer security fiats that could have required the addition of costly IT infrastructure.  201 CMR 17.00 would have been the most stringent data security regulation in the country and would have affected millions of businesses and organizations outside Massachusetts, indeed, anyone who owned or licensed personal information about a Massachusetts resident.  </p>
<p>As the OCABR proudly explained when it unveiled the redraft, the new, mellower 201 CMR 17.00 more emphatically adopts the flexible risk-based approach used by federal law, such as the FTC&#8217;s Safeguards Rule implementing the security requirements of the federal Gramm-Leach-Bliley Act (GLBA).  Organizations other than Massachusetts governmental entities that own or license personal information (first name or first initial and last name, together with Social Security, driver&#8217;s license or state ID card number, or financial account, credit or debit card number) relating to a Massachusetts resident must still implement a comprehensive written information security program containing administrative, technical and physical safeguards, but it is clear now that the appropriateness of the safeguards will depend on the size, scope and type of business, the amount of resources available to the business, the amount of stored data, and the need for security and confidentiality of consumer and employee information.  </p>
<p>While all information security programs must still meet some general requirements (such as designating employees responsible for their maintenance, risk assessment and evaluation of current safeguards, reasonable restrictions on physical access to records containing personal information, oversight of service providers through an appropriate selection process and contracting, developing employee security policies for the storage, access and transportation of personal information outside of business premises, preventing terminated employees from accessing personal information, documenting responses to data breach incidents, etc.), gone are the more onerous requirements, such as identifying all systems and storage media containing personal information and imposing a rigorous system of limiting the extent and duration of access by personnel to personal information.  (These former requirements will now be used as guidance only.)</p>
<p>Another notable change is that the computer system security requirements in the regulation will now apply only to the extent technically feasible for the business.  In its FAQ&#8217;s, the OCABR defines &#8220;technically feasible&#8221; as indicating the existence of &#8220;a reasonable means through technology to accomplish a required result.&#8221;  This qualifier has enormous significance for the requirement to encrypt personal information stored on portable devices or transmitted wirelessly or across public networks.  For example, while encryption of backup tapes on a going-forward basis is required, a business may not be required to encrypt a tape being transferred from current storage (although it should consider alternate protections depending on the amount and sensitivity of the information).  Likewise, the OCABR has indicated that it may not enforce the encryption requirement for Blackberries, iPhones and similar devices, since there is currently no generally accepted encryption technology, but will for laptops.  </p>
<p>Not only is the encryption requirement now subject to technical feasibility, but it is also technology neutral.  No longer will businesses be required to use an encryption standard of 128-bit or higher. </p>
<p>There have also been some changes to the requirement to oversee service providers with whom personal information is shared.  First, as the statute has become less onerous, the requirement to select service providers capable of compliance has become correspondingly lighter.  Secondly, the regulation is now in conformance with the FTC&#8217;s Safeguards Rule under GLBA; businesses must take &#8220;reasonable steps&#8221; to select service providers capable of maintaining appropriate security measures for personal information and must require them to do so by contract.  (However, any contract entered into prior to March 1, 2012 will not be considered non-compliant even if it lacks these provisions, as long as it was entered into prior to March 1, 2010.)</p>
<p>Finally, the date by which businesses must be compliant with 201 CMR 17.00 has been pushed back to March 1, 2010 (from January 1, 2010), another concession to the jitters experienced by small and medium-sized businesses (SMB&#8217;s) since the inception of this regulation in late 2008.  (It is even possible that the regulation will be further amended, since the OCABR has invited public comment and will hold a hearing in Boston on September 22.) </p>
<p>Is 201 CMR 17.00 less scary now?  Yes, but how much depends on whom you ask.  For regulated financial services companies or businesses used to complying with the Payment Card Industry Data Security Standard (PCI DSS), HIPAA or GLBA, the amended Massachusetts regulation requires little or nothing that they are not already doing.  However, it is still more stringent and formalistic in terms of administrative process than any other state&#8217;s data security law (including even California&#8217;s!) and will represent a major cultural shock for SMBs that up to now have not had to think systematically about security (and may not have a CTO or information security officer on staff).  Furthermore, based on my own experience, some managers who are used to purchasing IT services quickly, based on lowest available pricing, may chafe at the service provider due diligence and contracting requirements, although these requirements can actually be satisfied fairly easily. </p>
<p>With March 1, 2010 rapidly approaching, businesses will need to take a good hard look at themselves, assess the risk and the resources available to mitigate it, and determine whether their need to store and transmit personal information is great enough to justify the extra costs of compliance.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>NEWS FLASH:  MA Data Security Regulation Amended</title>
		<link>http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/</link>
		<comments>http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 19:40:57 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Massachusetts]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=412</guid>
		<description><![CDATA[<p>On August 20, the Massachusetts Office of Consumer Affairs and Business Regulation amended 201 CMR 17.00 to adopt a more flexible risk-based and techn[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>On August 20, the Massachusetts Office of Consumer Affairs and Business Regulation amended 201 CMR 17.00 to adopt a more flexible risk-based and technology-neutral approach to defining the information security program requirements for businesses which own or license personal information about Massachusetts residents.  The amended regulation, which will take effect March 1, 2010 (pushed back from January 1, 2010), can be viewed <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">here</a>.</p>
<p>I will discuss the changes more fully in an upcoming post, but overall they respond to concerns from recession-racked businesses about the stringent encryption and other technical and computer security requirements of the regulation, which would have applied across the board to businesses regardless of their size and resources and the technical feasibility of implementation.  </p>
<p>So, for example, the amended regulation now only requires that personal information stored on portable devices or transmitted across public networks or wirelessly must be encrypted &#8220;to the extent technically feasible.&#8221;  Furthermore, it drops the requirement of a 128-bit or higher encryption standard.  More generally, businesses&#8217; information security programs now only must contain safeguards that are appropriate to the size, scope and type of business and the amount of resources available to the business.  The third-party service provider oversight provision has also been modified to be consistent with the FTC&#8217;s Safeguards Rule implementing the information security requirements of the Gramm-Leach-Bliley Act; businesses must take &#8220;reasonable steps&#8221; to select service providers capable of maintaining appropriate security measures for personal information and must require them by contract to do so.  However, a contract entered into prior to March 1, 2010 will not be considered non-compliant for lack of these provisions until March 1, 2012.  </p>
<p>More to follow soon.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Happy Hour and a Philly Technology Lawyer Goes to San Fran</title>
		<link>http://www.baerbizlaw.com/category/blog/happy-hour-and-a-philly-technology-lawyer-goes-to-san-fran/</link>
		<comments>http://www.baerbizlaw.com/category/blog/happy-hour-and-a-philly-technology-lawyer-goes-to-san-fran/#comments</comments>
		<pubDate>Fri, 07 Aug 2009 17:28:53 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[California privacy]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=379</guid>
		<description><![CDATA[<p>A few odds and ends this week.  First, Baer Business Law&#8217;s official (i.e., bears the imprimatur of our marketing department!) happy hour recomme[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/happy-hour-and-a-philly-technology-lawyer-goes-to-san-fran/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>A few odds and ends this week.  First, Baer Business Law&#8217;s official (i.e., bears the imprimatur of our marketing department!) happy hour recommendation for the first week in August is Finn McCools, located at the corner of 12th and Sansom Streets in what (this week) is called the Midtown Village area of Center City.<br />
<div id="attachment_384" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/08/finns1-300x225.jpg" alt="Baerbizlaw&#039;s happy hour pick of the week" title="finns1" width="300" height="225" class="size-medium wp-image-384" /><p class="wp-caption-text">Baerbizlaw's happy hour pick of the week</p></div><br />
Finn&#8217;s is a hopping amalgam of the old-school Irish pub and the sleek, 21st century Center City gastropub.  The food is a step above traditional bar fare (try the Ahi tuna nachos, in particular), although Finn&#8217;s is not one of those chi-chi-fru-fru (feel free to correct my spelling) Old City bars where you pay $8 for Yuengling lager in a bottle.  Solid drafts and happy hour specials abound, and for attorneys, there is the added benefit of mingling with many of Philly&#8217;s freshest young DAs.  (Since Lynne Abraham &#038; Crew moved to the Wanamaker Building a couple of years ago, Finn McCools has replaced Mace&#8217;s Crossing on the Parkway as the prime DA happy hour hangout.)  I occasionally show up and try to represent the beleaguered private sector at these gatherings.</p>
<p>While you&#8217;re quaffing your Stella at Finn&#8217;s, let&#8217;s talk about California.  As any technology lawyer can tell you, California for years has been the laboratory and incubator for privacy and data security legislation (although Massachusetts and Nevada are now giving it a run for its money).  California Senate Bill 1386, which took effect in 2003, was the first broadly applicable requirement mandating the sending of notices if personal information is potentially compromised in a data breach, and as we all know, most states in the Union, as well as D.C., have now emulated the California approach.  Senate Bill 1, signed into law in 2003 and effective in 2004, set standards for the privacy of financial information that went beyond the federal Gramm-Leach-Bliley Act (for example, by requiring financial institutions to obtain opt-ins from their customers before sharing non-public personal information with unaffiliated third parties).  In addition, a 2005 law was an early prototype of more assertive prevention-focused data security legislation, requiring businesses that own or license personal information about California residents to use reasonable security measures to safeguard that information and to require unaffiliated third parties to which they disclose this information to do the same.  </p>
<p>One can disagree ideologically with California&#8217;s top-down, paper-heavy, micro-managerial regulatory approach (and I frequently do!), but no one can deny the state&#8217;s importance in pioneering the law of privacy and data security.  Therefore, if you&#8217;ll forgive a shameless plug, I am really looking forward to traveling to San Francisco to speak at the <a href="http://infosecuritydecisions.techtarget.com/compliancedecisions/html/eventataglance.html">Compliance Decisions conference</a> on September 17 about <a href="https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf">Nevada&#8217;s new data security statute</a> (which requires encryption and PCI DSS compliance) and updates in California data security law.  The best analogy I can make is that this is like giving a talk on Catholic theology in the Sistine Chapel.</p>
<p>One of the topics I plan to touch on is <a href="http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20090723_amended_asm_v95.html">Senate Bill 20</a>, an amendment to California&#8217;s original data breach law that is now making its way through the legislature.  This bill sets very specific requirements with respect to the content of any data breach notice required under California law &#8212; for example, requiring a general description of the breach incident, a list of the types of personal information subject to the breach, the estimated number of persons affected by the breach (if determinable) and information about the date of the breach, among other things.  If the breach notice is required to be sent to 500 or more California residents, the bill also requires the sender to provide an electronic sample copy to the state attorney-general.  Minor amendments to SB 20 were made in the California Assembly on July 23, and the legislation will most likely be passed and signed into law later this year.</p>
<p>As always, please continue to visit <a href="http://www.baerbizlaw.com">www.baerbizlaw.com</a> for updates on Philly watering holes, California privacy and data security legislation, and the world of technology law, which like happy hour libations, is always in a constant state of ferment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/happy-hour-and-a-philly-technology-lawyer-goes-to-san-fran/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
