AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Disk Encryption: California, Massachusetts, and Canada Look To Update Data Breach Laws

California and Massachusetts have passed new bills that strengthen each state's data breach notification laws, and Canada might be looking to get some "attention-getting fines" on the books.

California

The CA senate approved Senate bill 24, which updates the current legislation on breach notifications by requiring companies to also notify the Attorney General if an incident affects more than 500 residents of the Golden State.

It will also require certain information to be included in the notification letters, and require companies to place a notification on their websites.

California was the first state to pass a data breach notification law.  Many states (and countries) have used its legislation as a starting blueprint for their own, with many passing their modifications and additions.

For example, some states have made it a requirement to send notifications even with the use of drive encryption on stolen or lost laptops (CA provides safe harbor if encryption software is used).  Other states, from the beginning, have made it mandatory for their respective state Attorney General to be alerted if a certain number of residents are affected by the breach, like S.B. 24 above.

The passing of S.B. 24 is not CA's first update to its laws, though.  California has passed (or has attempted to pass) a couple of different bills updating the original data breach notification law:

No doubt more laws will be passed as the data threat landscape changes.

Massachusetts

Massachusetts is also a pioneer when it comes to data breach legislation, although it's a latecomer to the scene (39th out of 50 states).  It currently holds the distinct fame (some would say notoriety) of having the strictest data security laws in the nation.  Among other things, it requires companies to protect personal data with encryption whether it's stored on digital products or sent via a network, such as the internet.

H.B. 3360 would require companies that sell photocopiers to alert consumers that the machines are a potential data breach in the making (I blogged about the risks of photocopiers here and here).

Not notifying consumers could result in fines of up to $50,000.  More specifically, a note must be affixed to the top of the photocopier, stating whether the machine has "an eraser that deletes and destroys any previously captured" images (which appears to me to be an indirect reference to the use of encryption software and cryptodeletion).

Canada

Canada's Privacy Commissioner has publicly proclaimed the need to fine companies involved in data breaches.  In her words, the fine should be "attention-getting."

Sony's data breach from last week seems to have prompted the commissioner to make the remarks.  It's not the breach itself, but the fact that "Sony did not proactively notify her of the breach."  Once the commissioner contacted Sony, the company was very cooperative with her office.  From globaltoronto.com:

"I have come to the conclusion that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance."

In a followup interview, Stoddart would not yet define how large an "attention-getting fine" would be, other than to say "it has to be more than token amount."

"I think it's a fine that's significantly related to the size of the business and the size of the profits," she said.

If the commissioner gets her way, it certainly would be ground-breaking.  Apart from the UK, where the Information Commissioner's Office has the right to fine up to £500,000 (a little over $800,000 US dollars as of today), most laws I've read don't go above the $100,000 mark, which is a drop in the bucket for major companies like Sony.


Related Articles and Sites:
http://www.workplaceprivacyreport.com/2011/05/articles/workplace-privacy/california-and-massachusetts-legislatures-push-data-breach-and-security-bills/
http://www.globaltoronto.com/Privacy+commissioner+calls+substantial+fines+Sony+breaches/4727644/story.html


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.