House Passes Data Accountability and Trust Act (DATA)
On December 8, 2009, the Data Accountability and Trust Act, H.R. 2221 (DATA), moved one step closer to law by passing the House of Representatives. DATA is sponsored by Congressman Bobby Rush (D-IL). Note that the InfoLawGroup has previously commented on similar data security bills currently pending in the Senate. DATA has elements similar to Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, including not only breach notice obligations but also information security policy requirements.
Both the Leahy and Rush bills also impose increased obligations on "information brokers," defined as follows in the Rush bill:
(6) INFORMATION BROKER- The term `information broker'--
(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and
(B) does not include a commercial entity to the extent that such entity processes information collected by and received from a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers.
(The Leahy bill uses the term "data broker," but has a similar definition.) Information brokers would be required to submit their security policies to the FTC in the event their breach notice obligations were triggered. Moreover, DATA imposes obligations on information brokers concerning data accuracy, data access and disputed data. Information brokers would also be required to maintain audit logs or similar measures "which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker."
While sometimes touted as a "national" data security law, DATA appears to apply only to those entities regulated by the FTC:
The requirements of sections 2 and 3 shall only apply to those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act.
As such, it would not appear to apply to financial institutions, insurance companies, governmental bodies or common carriers (e.g., telecommunications companies or transportation companies).
Please note that while passage of DATA by the House is a major milestone, there may still be a long way to go before DATA becomes law. The Senate will have to pass its version of the bill, and then the two would have to go through reconciliation. Stay tuned.
Analyzing the Risk-Based Factors of Massachusetts' Data Security Law
SearchSecurity.com published an article by me yesterday (a copy can be found here; the original is here) concerning the risk-based elements of Massachusetts' data security regulation (201 CMR 17.00 et seq.). The gist of the article is that any company that chooses anything less than "strict compliance" with the specific written information security policy ("WISP") and control requirements of the regulation must be able to legally support its decision based on the regulation's risk elements. What this amounts to is developing a legal opinion interpreting and applying those risk-based factors to the organization's particular circumstances.
While a legal exercise is necessary for determining compliance with any statute that mandates security or privacy requirements, the Massachusetts regulation's hybrid approach (i.e., specific controls mandated alongside a general risk-based hedge) potentially complicates the analysis. Without a legal analysis to interpret and apply the risk-based factors and resolve ambiguities in the regulation, or a legal understanding of how regulators, judges and plaintiffs' counsel may interpret the regulation, companies run a serious liability risk. Moreover, companies may get into trouble if they fail to document their rationale: if and when a breach occurs or regulators come knocking, the organization must be able to explain its risk-related decisions and how it complied with the law. The task is further complicated because risk is a moving target for organizations. As the company gets bigger or retains more personal information, or when new attacks or technologies arise, the company must reevaluate its risk, and the WISP and controls it has in place to address that risk.
To minimize legal risk, compliance efforts should be performed under attorney-client privilege to shield certain compliance communications from class action lawyers, regulators and courts. In short, companies need to treat compliance with the Massachusetts regulation (and other security laws) as a legal exercise as much as a security exercise. The main question in this specific context is: "If something goes wrong, do we have a reasonably defensible legal position concerning our WISP and security controls in light of the law?"