A recent change in Tennessee state law will soon increase the burden for organizations holding sensitive personal data of a Tennessee resident. With the removal of the safe harbor provision for unlawful access to encrypted data, organizations are exposed to greater breach disclosure obligations and may need to revisit their data security programs.
No set of security procedures holds up indefinitely against scammers and other unauthorized parties intent on extracting sensitive information from an organization. When a breach does occur, however, regulations are in place that require the organization to notify the people whose information may have fallen into malicious hands.
Currently, 47 states have legislation in place regarding breach disclosures; Alabama, New Mexico and South Dakota do not, according to the National Conference of State Legislatures. Most of the laws require organizations to notify affected individuals of any breach involving personally identifiable information, which the statutes typically define as an individual's name in combination with data elements such as a Social Security number, driver's license number, or financial account number. While each state law differs in the details (what counts as personal information, how quickly notice is due, and who else must be told), all expect entities to protect sensitive information and require them to notify affected individuals when it may have been compromised.
The PCI DSS requirements, an industry standard rather than a law, impose a similar obligation for payment card data, and when it comes to health information, the federal HIPAA law defines what health information is deemed sensitive and sets out procedures for alerting patients of any data breaches. Most of these regulations were put into place to push organizations to identify and protect sensitive information where they had not been doing so before. Today, however, most companies are trying to do what's right, yet many still lose ground to the scammers.
“How we got to where we are is because organizations were not doing their risk assessments, they weren’t being responsible and prudent in terms of protecting sensitive data, and so lawmakers responded,” Mark Burnette, shareholder with LBMC Information Security, said. “Now, however, organizations are trying to be responsible and prudent and diligent in protecting information, and it’s still a difficult, difficult battle to win.”
In conjunction with breach disclosure legislation, most state laws also include a safe harbor provision, which exempts a company from notification if the data that was stolen was encrypted. The logic behind the safe harbor provision is that, without the decryption key, the scammer is unable to decrypt the information, and thus the sensitive data cannot be accessed. For that reason, most states condition the exemption on the encryption key not having been compromised along with the data; if an attacker obtained both, the safe harbor does not apply. Earlier this year, the Tennessee breach disclosure law was amended when the state legislature removed the safe harbor exemption for encrypted data, leaving organizations more exposed to the negative impact of having to report a breach.
“Removing the safe harbor provision for encryption, without specifying some particular reasoning or some logic behind it, leaves it open to interpretation and, in essence, you could assume that, if an environment is compromised and personal data is accessed or stolen, regardless of whether it was encrypted, you’d still have to publicly acknowledge a breach. Even if, in reality, you were sure the data wasn’t actually able to be viewed because it was encrypted,” Burnette said. “By removing the safe harbor provision from the law, it expands the liability that an organization in Tennessee might face due to this particular breach disclosure obligation.”
“The law still provides the entity with the ability to conduct a risk assessment of the potential breach, which could also have an impact on the entity’s determination of whether or not a breach has occurred, and therefore whether or not a breach disclosure is necessary. However, the removal of the safe harbor provision would seem to indicate that the State is not willing to accept data encryption as an effective means of protecting information, which is completely counter to the current thinking in the cybersecurity world,” Burnette said.
The amended law will likely compel organizations to reevaluate their existing breach disclosure processes, as well as their security risk posture, to gain a clearer understanding of how likely a breach is and what to do if a breach of personal information does occur. Entities would be well served to take the results of their risk assessments and implement controls and processes that reduce risk to an acceptable level. Nothing an organization does, however, can guarantee that information will never be stolen.
“In cybersecurity it’s never ‘no risk’. Unless you’re going to unplug the computer from the Internet and put it in a room with doors and no windows, it will always be at risk of compromise,” Burnette said. “Once you acknowledge this, your approach becomes, ‘What security posture can I get comfortable with that does what’s reasonable and prudent for the organization and our stakeholders?’”