Another day of rain in Boston. That’s three in a row and at least four more coming. April showers bring May flowers, but what do May showers bring? Not pilgrims. How about data laws. Congress is awash with bills that deal with data in one way or another. They're just lining up down there in D.C.
I was reading through what has been called the “President’s Cybersecurity Legislative Proposal.” It has multiple parts, so today we will only dive into the “Data Breach Notification” [pdf] section, and examine two problems that jump right out at me.
There is plenty of analysis to be completed here, but we have to start somewhere, this is where I am starting:
The proposal follows a similar path as most of the bills that seek to protect our data. It defines what it intends to protect: Sensitive Personally Identifiable Information, or SPII. Can’t we all just agree to call it the same thing? Is it “PI” for personal information, or “PII” for personally identifiable information or is it now “SPII” for sensitive personally identifiable information? As much as I like the acronym, SPII (pronounced “SPY” of course), it’s better if we all just called it “PII”. (the mathematicians took over PI a long time ago, remember: 3.14…?)
What difference does it make, you might ask. It makes a big difference, a real big difference. The President’s proposal defines the targeted information as:
(1) An individual’s first and last name, or first initial and last name in combination with any two of the following data elements:
(A) home address or telephone number;
(B) mother’s maiden name;
(C) Month, day and year of birth;
(2) A non-truncated social security number, driver’s license number, passport number, or alien registration number or other government issued unique identification number;
It further defines “SPII” is sections 3 and 4 that include “biometric data”, financial account or credit or debit card number (apparently standing alone), or:
(5) Any combination of the following data elements:
(A) an individual’s first and last name or first initial and last name;
(B) a unique account identifier, including a financial account number or credit or debit card number…
(C) any security code, access code or password or source code that could be used to generate such codes or passwords.
Note the missing information: e-mail addresses. I guess the Epsilon breach wasn’t that big a deal then, now was it? That party hasn’t even started yet – the bad guys are still designing the PHISH!!!
Recall our good Senator Kerry and his far flung fishing buddy, Senator McCain’s “Commercial Privacy Bill of Rights” definition of “PII” was (paraphrased) name, address, E-MAIL ADDRESS, (emphasis added), phone number, Social Security or other Govt number, credit card number, a “unique identifier that alone could be used to identify an individual”, and biometric data.
And for completeness, let’s get Massachusetts’ definition of PI out here too:
a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver’s license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account…
So we have PI, PII, and now SPII and they’re all different or “legally distinct” as one may say. Wow, what a fabulous example of you say tomAYto and I say tomAHto…but what’s the third guy supposed to say?
OK, I can accept the differences at some level because in practice it will just make more work for lawyers like me. (see generally $$$) I point them out to emphasize the chaotic storm that is raging in Congress. We can’t seem to agree on what we want to protect. Imagine if all the different definitions, PI, PII, SPII, are put into law. What data did you lose, Mr. Company? Oh, you lost this, then got to tell so and so. But if you lost that, you got to tell them over there. But if you lost a combination of this and that, you need to tell them. It's like an Abbott and Costello routine.
Let’s get to what’s likely to become the scuttlebutt here in Massachusetts: STATE LAW PREEMPTION.
The Federal Government is allowed to pass laws that “pre-empt” or trump the various state laws because of the “supremacy clause”, Article VI, clause 2, of the U.S. Constitution. (U.S. Const. art. VI, cl. 2. – hope that’s proper citing, old law school profs, been a while) The Federal Government also has significant leeway in passing “supreme” laws in the area of “interstate commerce”. Those two words are dropped more often than “my uncle’s a cop” after being pulled over by the “staties” here in Mass. It’s where Congress gets a lot of their juice. You can be sure that if they can get a law passed in furtherance of protecting interstate commerce, they will.
In what has been called “Section 109”, the President puts forward the following language in his proposal:
Sec. 109 Effect on Federal and State Law
The provisions of this title shall supersede any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data, except as provided in section 104(c).*
*for completeness: section 104(c) says essentially the States can require that the notice sent out after a breach include any “victim assistance program” offered by that particular State.
You noted the use of “interstate commerce”, right? It appears throughout the proposal.
So my question to ponder as I sail adrift in this storm is whether the Massachusetts requirement that businesses have a Written Information Security Program will be eliminated by the passage of this bill in its current state. You see, the proposed Federal law specifically says “supersede any provision of the law…relating to notification…” It doesn’t say any more or any less.
My initial read on this is that the Federal Government is trying to standardize the notification process by trumping all existing notification rules. The proposal lays out what the notification has to say, who it goes to and when. I can see the value in having a standardized approach to that, but there’s problems, “mattey!” (as in a ship’s mate – have you noticed the theme here?)
This law only applies to those companies who handle, (own, license, etc.) SPII of at least 10,000 people in a 12 month period. So, if I am a smaller company (i.e. less than 10K people’s PI, PII or SPII) in Massachusetts, am I off the hook?
But recall our “interstate commerce” connection. In order to have significant Federal involvement, and “supremacy”, the Feds really have to rely on “Interstate Commerce” as their basis to get involved. So this law only applies to those business who have at least 10,000 people’s information AND are involved in interstate commerce.
So, I am a small accounting firm or architecture firm, I do keep PI around, both of my employees and clients/customers. I employ lots of mobile devices and transmit the PI across the Internet on a regular basis. But all my business is in Massachusetts. I paid big money for encryption software and other upgrades in order to be in compliance with the Mass regs… are you telling me that after only one year it’s going away?
There is an analogy… sort of… Back a bunch of years ago, Boston passed a rule/law that required restaurants to have a separate room for those customers who choose to smoke. That room had to have its own ventilation system. Many restaurants actually built out those rooms at a significant cost to the business. What happened next? Government passed a law that outlawed smoking in every restaurant, period.
Yes, that’s right, even government can change their mind.
It’s not clear that the proposal will actually sink the WISP, in fact there are several arguments to be made that the regulations under 201 CMR 17 will still stay in effect with the force of law. It’s just that there are arguments to be made that the passage of this proposal will put that issue “in play.”
This proposal now has to take the route made so famous in Schoolhouse Rock's "I'm just a bill... yes, I'm only a bill and I'm sitting here on Capitol Hill..." Do you remember how that ended?
Assigned to committee..... amended, negotiated, amended some more.
And it died in committee...
You can be sure that your author will watch this situation closely.