1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

New Mexico Becomes 48th State To Enact Data Breach Notification Law

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the only two states without such a law. The New Mexico law goes into effect June 16, 2017.

Who Is Covered? Defining “Personal Identifying Information”

The new law applies to any “person that owns or licenses elements that include personal identifying information of a New Mexico resident[.]” The definition of “personal identifying information” largely tracks the definitions adopted by sister states, and includes an individual’s first name or first initial and last name in combination with one or more of the following data elements, when such data elements “are not protected through encryption or redaction or otherwise rendered unreadable or unusable:”

  • social security number;
  • driver’s license number;
  • government-issued identification number;
  • account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account; or
  • biometric data.

Biometric data is defined under the new law to mean a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to “uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account[.]” “[E]ncrypted” is defined under the new statute to mean “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security[.]” And “personal identifying information” does not mean information that is “lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public[.]”

When Is Notification Required?

Defining “Security Breach”

Notification is required under the new law when the “personal identifying information” of a “New Mexico resident” is “reasonably believed to have been subject to a security breach.” The phrase “security breach” is defined under the statute to mean the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” The phrase “security breach” does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a “legitimate business purpose of the person[,]” so long as the personal identifying information is not subject to further unauthorized disclosure.

45 Day Window

Notice under the new law must be made “in the most expedient time possible, but no later” than 45 calendar days “following discovery of the security breach[.]” Notification may be delayed, however, if a law enforcement agency determines that the notification will impede a criminal investigation, or “as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.”

Investigation Defense / Risk Of Harm

Notification is not required if “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”

What Is Required In The Notice?

If notice is required, the new law provides specific content requirements, including:

  • The name and contact information of the notifying person;
  • A list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;
  • The date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known;
  • A general description of the security breach incident;
  • The toll-free telephone numbers and addresses of the major consumer reporting agencies;
  • Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and
  • Advice that informs the recipient of the notification of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.

Are There Exemptions?

Yes. The new law does not apply to covered persons subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

Do The Attorney General And Credit Reporting Agencies Require Notification?

Yes. If notice goes out to more than 1,000 New Mexico residents “as a result of a single security breach” the covered person must “notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p)[.]” Such notice must be made “in the most expedient time possible,” but no later than the same time that notice goes out to the impacted resident – 45 calendar days. Such notice must “notify the attorney general of the number of New Mexico residents that received notification” and “shall provide a copy of the notification that was sent to affected residents within” 45 calendar days “following discovery of the security breach[.]”

Is There A Private Right Of Action?

No. The new law only allows for an enforcement action brought by the attorney general. And in such cases, the attorney general may seek injunctive or compensatory relief. If the court determines the person violated the new law “knowingly or recklessly,” the court may also impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10.00 per instance of failed notification up to a maximum of $150,000.

5 Takeaways

  1. Encryption is key. The new law contains a safe harbor provision for encrypted data, so long as the encryption key is not compromised. The new law does not describe the specific encryption method required, as opposed to Tennessee’s new revisions.
  2. Investigation is key. Conducting an adequate and thorough investigation at the outset of a breach is critical under the new law. Conducting such an investigation will provide for extra time to complete notification, if required. It will also allow for non-notice if the investigation determines the security breach “does not give rise to a significant risk of identity theft or fraud.”
  3. Consider involving law enforcement. It may seem counterintuitive, but involving law enforcement early in a data breach case may provide extra time on notification. The federal government, and particularly the FBI and DHS, also actively encourage private business to reach out in the case of a data breach. In the case of 1,000 impacted New Mexico residents, however, notice to the New Mexico attorney general is required.
  4. Time is of the essence. The new law provides a 45 calendar day window to effectuate notice to both residents and law enforcement, when required. That means investigations need to be undertaken immediately, and without delay.

The Dentons Privacy and Cybersecurity Group is prepared to help you and your business navigate this new law, address your encryption issues, and help conduct the required investigations necessary once breach occurs.

New Mexico Becomes 48th State To Enact Data Breach Notification Law

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:

  1. Adding a technically specific safe harbor encryption provision; and
  2. Adding a 45 day window to complete breach notification, when required.

Overall Summary of Breach Notification Law

Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:

  • Social security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Clinical and Economic Health Act, are exempt from the law.

The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”

New Encryption Requirements

Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” and is defined to mean the acquisition of: (1) unencrypted computerized data; or (2) encrypted computerized data and the encryption key that contains personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines encrypted to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted pursuant to the FIPS 140-2 standards, and the encryption key was not compromised, notification is likely not required.

Notification Clarification

The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that puts a specific time period on the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”

Takeaways

Cyber threat preparation and monitoring remains the first and best line of defense against data breaches. Dentons helps companies prepare for breach by formulating written incident response plans, conducting table-top exercises with key members of the incident response teams, and advising companies on compliance with data notification reporting requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and help with the growing need for encryption requirements.

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

Colorado Proposes New Cybersecurity Rules For Financial Advisers

Earlier this month, the Colorado Division of Securities released a set of proposed changes to the Colorado securities laws that would, if adopted, impose strict cybersecurity requirements on investment advisers and broker-dealers, and require both to: (1) establish and maintain written procedures designed to ensure cybersecurity; and (2) include cybersecurity as part of their risk assessment.

If adopted, the new rules would make Colorado the second state in recent months to adopt strict cybersecurity rules relating to the financial industry. Last month, the New York Department of Financial Services imposed new cybersecurity rules on financial institutions operating in the state. Those rules did not, however, apply to investment advisers and broker-dealers.

Overview of Colorado Proposed Rules

The new proposed Colorado rules would add Rule 51-4.8, entitled “Broker-Dealer Cybersecurity,” and Rule 51-4.14(IA), entitled “Investment Adviser Cybersecurity,” to the Colorado Division of Securities Rules found within the Code of Colorado Regulations. The new rules, according to the Colorado Division of Securities, would “clarify what a broker-dealer and investment adviser must do in order to protect information stored electronically.” According to the Division, the rules are intended to provide “guidance to broker-dealers and investment advisers on what factors the Division will consider when determining if the procedures by the firm are reasonably designed to ensure cybersecurity.”

Both rules contain the same language, and require broker-dealers and investment advisers to establish and maintain written procedures “reasonably designed to ensure cybersecurity.” To determine whether the cybersecurity procedures are reasonably designed, the proposed rules state that the Colorado Securities Commissioner will consider:

  • The firm’s size;
  • The firm’s relationship with third parties;
  • The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
  • Authentication practices;
  • The firm’s use of electronic communications;
  • The automatic locking of devices used to conduct the firm’s electronic security; and
  • The firm’s process for reporting of lost or stolen devices.

The cybersecurity procedures must also provide for:

  • An annual cybersecurity risk assessment;
  • The use of secure email, including use of encryption and digital signatures;
  • Authentication practices for employee access to electronic communications, databases and media;
  • Procedures for authenticating client instructions received via electronic communication; and
  • Disclosure to clients of the risks of using electronic communications.

Interplay with Federal Law

The Securities and Exchange Commission (SEC) requires financial advisers to have written policies on preventing, detecting and responding to cyberattacks. It does not, however, have a requirement for an annual cybersecurity risk assessment, as the Colorado rules propose. The Financial Industry Regulatory Authority (FINRA) also has issued guidelines to member firms. And late last year, FINRA hit 12 firms with a $14.4 million fine relating to the retention of broker-dealers’ and customers’ electronic records. The new proposed Colorado rules would add additional requirements.

Next Steps

A public hearing discussing the proposed rule changes is being held at 9:00 am on Tuesday, May 2, 2017 at the Colorado Department of Regulatory Agencies in Denver, Colorado. At the public hearing, interested parties will be afforded an opportunity to be heard and submit written data, views and arguments. Information and materials relating to the proposed rules will be available online at least five days prior to the public hearing.

The Dentons Privacy and Cybersecurity Group will continue to monitor these rule changes for further development, and is available to help you or your firm navigate this rapidly changing area of the law.

Colorado Proposes New Cybersecurity Rules For Financial Advisers

New Guidance on Disclosure Exceptions for Investigations and Fraud

On March 17, 2017, the  Office of the Privacy Commissioner of Canada (OPC) published guidance on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful to interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention should be able to be accomplished if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics.

Background

The Digital Privacy Act, 2015, amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to lower the threshold for when an organization could share personal information without the knowledge or consent of the individual for the purposes of an investigation into a breach of an agreement or a contravention of the laws of Canada. In addition, the Digital Privacy Act, 2015, added a new exception to PIPEDA to permit the disclosure of personal information without the knowledge or consent of the individual for the purpose of the detection or suppressing fraud or preventing fraud that is likely to be committed.

7(3) […] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

The OPC did not support these amendments. Even before these amendments were passed and came into force, the OPC was sounding alarms that it would interpret these provisions narrowly.  In particular, the OPC was concerned about two issues:

First, the triggering threshold for a permitted disclosure was changed. Under the previous provisions, organizations had to have reasonable grounds to believe that the information related to a breach of an agreement or contravention of law. Following the amendments, an organization only had to determine that the disclosure was reasonable for the purpose of investigating a breach of an agreement or a contravention of a law or reasonable for the purpose of detecting, suppressing or preventing fraud.

Second, the range of purposes were too broad in the OPC’s view. In particular, the OPC was concerned about the possibility of oversharing under the fraud exception.

OPC Guidance

The OPC’s guidance is an attempt to ensure that organizations interpret these provisions narrowly. Although the OPC does not state expressly state that organizations cannot participate in systematic programs to attempt to detect or prevent fraud or breaches of agreements, it is clear that the OPC would prefer that these exceptions be used in isolated circumstances. This is particularly evident in the OPC’s statement that organizations must be able to establish on a case-by-case basis the reasons why it determined that disclosure was appropriate.

The OPC recommends that organizations prepare policies and procedures and to make those available to individuals. The OPC reminds organizations that individuals have the right to make an access request and obtain an account of the third parties to which information has been disclosed. The OPC would also like to see organizations report publicly on the number and type of disclosures made. It should be noted that there is no legislative basis that would require such reporting.

To satisfy the OPC’s concerns about indiscriminate use of these provisions, organizations should develop polices and procedures to ensure that the preconditions to disclosure are met and should make these policies and procedures available on demand.

Although the OPC seems to suggest that organizations should include disclosure of the use of these exceptions, it does not appear to be legislatively required to advise individuals in a privacy notice that the organization may use a lawful exception to disclose information without consent. Any such disclosure would have to be at a very high level unless the organization was participating in a systematic program to share information. What could an organization meaningfully say in the case of a disclosure under the investigation exception? Nevertheless, there are clear benefits to at least mentioning the possibility of these types of disclosures to prevent later accusations that the organization failed to be transparent.

Recommendations

When developing a policy or procedure for disclosures relating to an investigation into a breach of an agreement or the contravention of a law of Canada, organizations should require that, at a minimum, the following criteria (and the common criteria set out below) are met before disclosure:

  • If the investigation relates to a law, it is a law of Canada. The law should be specified and documented. A breach of a foreign law is not covered by this exception.
  • If the investigation relates to a breach of an agreement, the agreement is documented and in force at the time of the alleged breach.
  • The breach or contravention has already taken place, is ongoing or is about to happen. This suggests that the organization must document must be some credible evidence of a breach of the agreement or a contravention of a law of Canada.
  • The investigation is a bona fide formal or systematic inquiry to determine the facts. It cannot be a fishing expedition or gossip.

The following are the minimum criteria for disclosures relating to detecting or suppressing fraud or of preventing fraud:

  • If the disclosure relates to detecting or suppressing fraud or preventing fraud that is likely to be committed.
  • In the case of preventing fraud, the risk of fraud is probable and not merely possible .
  • The type of fraud that is in issue should be documented.

The following common criteria apply to disclosures under either provision:

  • If the organization has received a request for disclosure under these provisions, the request provides sufficient information to ensure that the rationale for disclosure is documented in the request. Requests should not be taken at face value.
  • The disclosure will be made from one organization to another organization. These provisions do not permit disclosure to law enforcement or family members.
  • The disclosure is reasonably related and proportionate to the investigation of the breach of an agreement or a contravention of law or to the activities of detecting or suppressing fraud or preventing fraud that is likely to be committed. Organizations should document their rationale for why the information is necessary to assist in the investigation or is rationally connected to and effective the detection, suppression or prevention of fraud.
  • Obtaining the consent of the individual would compromise the investigation or the fraud detection, suppression or prevention purposes. The rationale for the organization’s decision should be documented.

For the text of the OPC’s Guidance, see: Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA

,

New Guidance on Disclosure Exceptions for Investigations and Fraud

Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines

 

, ,

Private Right of Action under CASL coming July 2017