H.R. 2221 – The Federal Data Accountability and Trust Act
This week I’ve been working my way through H.R. 2221, the “Data Accountability and Trust Act”. This proposed legislation is making its way through the Committee on Energy and Commerce at the moment and, if passed, will rationalize data protection legislation across the USA at a federal level.
The act imposes a number of requirements on anyone holding PII or PHI, whether in electronic or paper form; I’ve paraphrased many of them below. In summary, this act will, if entered into law, standardize data protection across the USA at a federal level, with the penalties and force that the FTC has behind it. It imposes a duty to disclose loss of, or unauthorized access to, data; it sets out fines and penalties; and it requires audited people, systems and processes to be in place to protect data and manage its life cycle.
You must:
- Establish and implement policies and procedures regarding the information security of PII which are (a) appropriate, (b) the current state of the art for protecting data and (c) cost-appropriate
- Procedures shall include a security policy with respect to the use, sale, dissemination and maintenance of data
- Identification of an officer or other individual as the responsible point of contact
- A process for identifying vulnerabilities and monitoring for breaches of security
- A process for taking preventive or corrective action to mitigate any vulnerabilities
- A disposal process for obsolete data
As you can see, the current list of requirements is pretty sensible, but it will be onerous for people not currently engaged in any data protection activities.
H.R. 2221 also covers the correct disposal of paper records, and radically expands the requirements on “data brokers”:
- Submission of security policies to the FTC upon request
- A Federal (or independent) audit of policy and practice in the event of a breach, followed by up to 5 years of subsequent audits
- Processes and procedures to verify access to data
- Provision for consumers to access their data at no cost once per year
- A process for managing disputes over the accuracy of information
- A requirement to audit transmission of data, and access to data
This last requirement should raise some eyebrows: it is probably designed to assist in the prosecution of people who access data inappropriately, and auditing is typically weak in most organizations.
Moving on, Section 2 part 5 deals with preventing inappropriate access to data, making it unlawful both to facilitate and to entice the disclosure of PII by fictitious or fraudulent means. Basically, if PII gets out, you are acting unlawfully.
The act then turns to your duty to notify people if you lose, or suspect you have lost, data, or if you disclose, or suspect disclosure of, data to unauthorized parties. For PII it’s the usual public notification, but for PHI the act also requires you to notify the Secretary of Health and Human Services.
Two years of mandatory free credit reporting are required, along with toll-free hotlines and timely notification.
The final part of Section 3 is the most interesting to us: it covers exemptions and exceptions, basically the things you can do so that you don’t fall foul of the act:
…Encryption – The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been, or is reasonably likely to be compromised…
The act also includes language stating that “such encryption must include appropriate safeguards of such keys”.
The act then goes on to say that within 270 days, guidance will be issued on which methods are considered appropriate.
Finally we get to the juice: enforcement (Section 4). In short, failing to adhere to this act is unlawful, and offenders will be subject to the penalties of the FTC Act (15 U.S.C. 41 et seq.). State Attorneys General can bring independent civil actions against such parties to compel compliance, enjoin further violations, and obtain penalties of up to $11,000 per violation, per day. The fine is capped at $5m. If you’re being prosecuted by the Feds, though, you’ll be pleased to know the state has to wait for them to finish before it can wade in.
This act will supersede any state laws of the same nature.