Companies prepare for tougher breach law: Writer of security bill wanted more protections

Imagine a busy local bank that signs several new accounts weekly. With each new customer, the bank receives that person’s Social Security number, home and business addresses, and entire financial history.

But what if a computer containing all that personal information-so useful for identity theft-is stolen from the building? Should the company notify its customers of the possible danger or hope the information itself is safe and keep quiet to avoid scandal?

To answer those questions, the Indiana General Assembly has passed a statute that will require companies to inform consumers of a data security breach unless the stolen information is protected by encryption. The law, which goes into effect July 1, also allows the state attorney general to create an outreach program to educate Indiana citizens about the risks of security breaches and how to protect themselves or recover from identity theft.

Indiana Rep. Matt Pierce, D-Bloomington, penned the bill to “fill some gaps in the current data breach law,” which states that companies only have to disclose a data breach if the stolen data is not passwordprotected.

The law is designed to protect personal information of consumers, such as Social Security numbers and financial information often given to banks, employers, credit bureaus and other businesses.

“The whole idea of doing something like this is a departure from the traditional use of legal sanctions where somebody does something improper and they get punished in the courts,” because traditional legal processes can take many years, said Phil Zimmermann, a Californiabased encryption expert and creator of Pretty Good Privacy, a popular e-mail encryption program.

When laws require a company to publicly confess a data breach, “there’s going to be a public shaming that’s swift like a bolt of lightning and unstoppable,” Zim- mermann said.

But Indiana’s HB 1197 lost several provisions in the legislative process that would have created more stringent security requirements for local businesses.

Before returning the bill to the House, a Senate committee cut a provision requiring companies that suffered a data breach to report the incident to the attorney general, who would have then posted that information on the attorney general’s Web site.

“The transparency of [the Web site] would have caused the marketplace to function better,” Pierce said. “Companies would know that, if they have lax security systems or continually have data breaches, that’s going to be posted on a Web page and people will figure that out.”

Businesses balked

Lobbying by corporations like AT&T and Microsoft helped convince the Senate committee to drop several key provisions, including the Web site requirement.

“I think, quite frankly, [the companies] are concerned that people will realize that maybe there’s more breaches than we think,” Pierce said. “Or they just prefer not to have that in the glare of the media or more publicly known. I think they just want to avoid any public relations black eyes.”

Most large companies and major institutions, like universities, have information security systems in place that require them to tell their customers directly.

“If sensitive data were compromised, [our] customers and the appropriate government agencies would be notified,” said Mark Bradford, president and CEO of Indiana-based Monroe Bank.

Bradford said the bank’s system would be “quicker and more direct” than a posting on the attorney general’s Web site.

Encryption requirement

Also cut from the bill was a requirement that companies must use encryption that meets “the best practices commonly used in the industry” in order to avoid disclosure.

Businesses expressed concern that they would be forced to invest in expensive topof-the-line security procedures.

“The companies didn’t like that [requirement]. They said it was vague; they weren’t sure what it meant,” Pierce said. “We didn’t expect them to be on the cutting edge and [using] technology that got invented yesterday, but we didn’t want them using encryption or some kind of protection system from ’98.”

The bill does not actually require companies to encrypt personal data. Rather, it says that companies that do use encryption will not be forced to tell consumers of a security breach. Companies without encryption that fail to notify consumers are subject to prosecution by the attorney general.

Experts disagree on how difficult it is to comply with the encryption qualifier.

According to Bradford, Monroe and most other banks already use “layered and varied” security hardware and software, but not necessarily encryption.

“Encryption is certainly used with some systems, but other proven data-protection methods are used as well,” he said. “However, if the new legislation required encryption of all systems where information is stored, some hardship [would] be placed on banks to comply.”

According to Zimmermann, “these days, encryption is widely available. It’s not like the companies would have to invent their own encryption technology. It’s off-the-shelf stuff now.”

But Mark Bruhn, associate vice president for Information and Infrastructure Assurance at Indiana University, said installing encryption-based security isn’t easy for everybody.

“There are very few encryption tools that are intuitive, integrated, cross-platform, and easy for non-technical users to work with, and so they aren’t widely used at IU or elsewhere,” he said.

Kevin R. Erdman, a partner at Indianapolis-based law firm Baker & Daniels LLP, who specializes in information, Internet and intellectual property law, said the difficulty of conforming to the new requirements is not in getting encryption software, but in what he calls “key management.”

To qualify for the law’s protection, companies must ensure that, even if a laptop containing sensitive information is stolen, the encryption key [used to access encrypted data] remains undisclosed, Erdman said. To do this, a small business may have to alter its operating procedures so employees can use the key without compromising it. However, that change could be as simple as storing the encryption key on a flash memory drive rather than on the laptop itself.

While the encryption requirement may be difficult for smaller, less technologically advanced companies to meet, Bruhn said IU has an “established set of response procedures that pre-date any of the Indiana laws,” and will not be greatly affected by the legislative changes.

Despite the changes, the most important part of the bill remained intact: Companies will now have to disclose loss of personal information if the data is protected only by a password, which experts say can be easily broken.

The Office of the Indiana Attorney General plans to publish educational information regarding data breaches on its Web site, IndianaConsumer.com, by July 1.

The updated data protection law puts Indiana in league with California, which pioneered data breach notification laws in 2003 and led other states to pass similar legislation.