Stolen Laptop – Who do you tell?

June 11th, 2009 by David

When an Information Technology manager is notified of a lost or stolen PC, the first things they worry about are replacing the laptop, changing passwords and disabling accounts: all the operational details. What many IT managers don't realize is that there may be a legal requirement for the company to report the event if the computer (laptop or desktop) held personal data that is now potentially exposed.

Over 40 US states have breach notification laws, and each state law varies (other countries have laws pending). Keeping track of them could be a full-time job in itself, and many of the decisions turn on legal determinations, such as what counts as a "reasonable risk," that go well beyond the role of Information Technology alone. The questions that decide whether a lost machine is a reportable breach include:

  • Was there consumer data on the PC? For the most part these laws apply only to the loss or potential loss of consumers' personal data, so an IT department whose machines hold none of it is outside this particular risk.
  • Was the data encrypted? California, which has the toughest law, exempts lost data that was encrypted.
  • How much data was exposed? California has no notion of an immaterial breach, while other states do define one. The potential loss of unencrypted data on a single customer is a reportable incident in California, but may not be in other states.
  • What type of data was exposed? Some laws specifically cover financial data; others have been expanded to include compromised medical and health insurance information.
  • How likely is it that the data was actually exposed? Was there merely a chance of a breach, or did one actually occur, and what harm could result? California uses an "acquisition standard": companies must notify consumers every time their data has been acquired by an unauthorized person. Other states, such as Delaware, Arkansas and Florida, require notification only if the company believes there is a reasonable risk of harm.

Underlining how strict California is, the California State Senate has approved a bill, SB-20, that would require companies to give victims of a data breach additional information: what type of personal information was breached and when the breach occurred. The existing law requires only that companies say a breach had happened.

The fact that California, with the toughest law in the country, gives credit for encrypting data should be a compelling reason for Information Technology shops to explore encryption. More than 25 states have now enacted the same exemption for encrypted personal data. The exemption is only as good as the coverage, though: the data has to be encrypted everywhere it can be read, not just on the server. Encrypting the database is valuable, but if a stolen laptop carries an unencrypted copy of that data, or a cached credential that reaches the unencrypted data, the exposure is the same as if the server were never encrypted. The same applies to how the encryption is deployed on the endpoint: a laptop stolen while powered on with its disk unlocked, or with the passphrase written on a note in the bag, hands the thief the plaintext regardless of what the state statute says about encrypted data.

The bottom line is that if your company handles consumer data, you are exposed to a wide range of repercussions if you fail to report a potential breach of that data. That is just one of many reasons why Information Technology managers the world over are investing in data and drive encryption.


1 comment

  1. It's wonderful stuff you've written up in here. Have been looking for reviews on this all around. Good work.
