The Kentucky Bar Association Corporate House Counsel Section presents

Not Your Grandma’s Quilt. Exploring the Current “Patchwork” and Recent Trends in U.S. Data Privacy and Security Laws

This program has been approved in Kentucky for 1.00 CLE credit.

Compiled and Edited by: The Kentucky Bar Association Office of Continuing Legal Education for Kentucky Bar Association Corporate House Counsel Section

© 2020 All Rights Reserved Published and Printed by: The Kentucky Bar Association, November 2020.

Editor’s Note: The materials included in the following Kentucky Bar Association Continuing Legal Education handbook are intended to provide current and accurate information about the subject matter covered as of the original publication date. No representation or warranty is made concerning the application of legal or other principles discussed by the instructors to any specific fact situation, nor is any prediction made concerning how a particular judge or jury will interpret or apply such principles. The proper interpretation or application of the principles discussed is a matter for the considered judgment of the individual legal practitioner. The faculty and staff of these Kentucky Bar Association CLE programs disclaim liability therefore. Attorneys using these materials, or information otherwise conveyed during these programs, in dealing with a specific legal matter have a duty to research the original and current sources of authority. In addition, opinions expressed by the authors and program presenters in these materials do not reflect the opinions of the Kentucky Bar Association, its Board of Governors, Sections, or Committees.

Not Your Grandma’s Quilt. Exploring the Current “Patchwork” and Recent Trends in U.S. Data Privacy and Security Laws

Table of Contents

Presenter

Not Your Grandma’s Quilt. Exploring the Current “Patchwork” and Recent Trends in U.S. Data Privacy and Security Laws

Appendix A Business Roundtable Letter

Appendix B 201 CMR 17.00 Compliance Checklist

PRESENTER

Sarah Cronan Spurlock Stites & Harbison, PLLC 400 West Market Street, Suite 1800 Louisville, KY 40202-3350 (502) 681-0461 [email protected]

Sarah Cronan Spurlock is a member of Stites & Harbison’s Health Care Service Group and is Co-Chair of the firm’s Privacy & Data Security Group. She regularly advises clients on a wide range of health care and privacy matters, including fraud and abuse laws, physician and hospital contracting, information privacy and security laws, and data breach prevention and response. She is a Certified Information Privacy Professional (CIPP/US) and serves as the firm’s Chief Privacy Officer. Ms. Spurlock received her B.A. from University and her J.D., magna cum laude and Order of the Coif, from the University of Kentucky College of Law. Prior to law school, she lived in City where she worked at Friedman, Wang & Bleiberg, P.C. as a paralegal, and Lehman Brothers, Inc. in human resources supporting the information technology division. Ms. Spurlock is listed in Best Lawyers in America, Health Care Law (2019-20), and was included in Business First of Louisville’s 20 People to Know in Law in 2018. She is a member of the International Association of Privacy Professionals, Defense Research Institute, the American Health Lawyers Association, and the American (Health Law Section), Kentucky, and Louisville (Health Law Section, Chair, 2011) Bar Associations.


NOT YOUR GRANDMA’S QUILT. EXPLORING THE CURRENT “PATCHWORK” AND RECENT TRENDS IN U.S. DATA PRIVACY AND SECURITY LAWS Sarah C. Spurlock

I. INTRODUCTION

The term “data privacy” means different things to different people. Understanding what data privacy means to a business often depends on the industry as well as the state(s) (and countries) in which it operates. Whether a business is B2B or consumer facing also impacts the role of privacy in day-to-day operations. Data privacy means different things for different types of information as well. If you ask a person who works in a hospital, a bank, a restaurant, a school, a clothing boutique, or an accounting firm – the answers to when and how they encounter privacy issues in their workplace will all be unique. Simply put, data privacy is highly contextual. The United States lacks a comprehensive federal law governing data privacy. Instead, businesses must confront a complex “patchwork” of sector-specific federal laws and data-specific state laws addressing (in varying degrees) privacy, security, and breach notification. Understanding where a business fits into this complex legal web may be more obvious for businesses operating in highly regulated industries (financial and healthcare, for example). But even those businesses are subject to additional laws that have implications for privacy in certain aspects of the business, or with respect to certain categories of information. For businesses in industries lacking a federal, sector-specific law, identifying relevant privacy laws is often a frustrating game of elimination.

Perhaps indicative of this frustration, in September 2019, Business Roundtable wrote to Leader McConnell and Speaker Pelosi, along with other senior members of Congress, urging passage of a comprehensive consumer data privacy law. The letter, signed by more than 50 CEOs representing multiple industries, states:

There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers. A federal consumer privacy law should also ensure that American companies continue to lead a globally competitive market.1

The Business Roundtable letter emphasizes the importance of a comprehensive federal law that promotes:

1. consumer trust and confidence;
2. accountability for collection, use, and sharing;
3. individual rights;
4. growth in the digital economy; and
5. expectations for data and digital platforms to deliver goods and services.

1 A copy of the Business Roundtable letter dated September 10, 2019 is included at Appendix A.


The letter also highlights a fundamental problem with the increasingly complex and fragmented system of state laws – confusion abounds. Noting not only the need for a stable environment and a well-understood legal and regulatory framework, the letter also cites the disservice to consumers, who cannot be expected to know or understand that rights and rules with respect to their personal information may vary depending on the state in which they reside, the state from which they access the internet, or the state in which a company’s operations are located. The Business Roundtable letter illustrates the shift in attitudes toward U.S. privacy laws. Historically, our laws pertaining to personal data have focused on relatively narrow categories of sensitive information (health, Social Security numbers, financial account information), with emphasis on notice and transparency – but generally allowing for the free flow of data outside of a few, highly regulated sectors. The trend in other countries, that is gaining traction in various states – most notably – is a much more expansive view of personal information, with emphasis on individual rights and control, and increased restrictions on the flow of data. Instead of state laws that mostly address notifying consumers of data breaches after the fact, we are seeing laws that focus more on curbing uses and misuses of data starting from the point of collection.

While efforts toward a comprehensive federal consumer data privacy law have been advanced in the past year, bipartisan support is lacking. In late 2019, we saw senators from both parties introduce comprehensive federal legislation with many common elements. The Consumer Online Privacy Rights Act (COPRA)2 and the Consumer Data Privacy Act (CDPA)3 each included requirements for transparent privacy notices, reasonable data security practices, privacy and risk assessments, oversight, and mechanisms for consent to process data. Yet the proposals differed in a number of significant ways. CDPA included a broad preemption of state laws, while COPRA’s preemption extended only to laws in direct conflict, leaving intact more protective state laws. Also, CDPA included no private right of action and left enforcement to the Federal Trade Commission, while COPRA included a private right of action. The lack of consensus on these two issues – preemption and a private right of action – is often cited as the barrier to progress on privacy laws at the federal level. Another unknown is the impact a comprehensive federal law would have on existing federal regimes, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This debate has continued in 2020. The most recent attempt at comprehensive federal privacy legislation is the SAFE DATA Act, proposed by Republican lawmakers in September.4 At a hearing before the Senate Committee on Commerce, Science and Transportation in late September, two former Federal Trade Commission heads argued in favor of a single national privacy standard that replaces state regulations such as California’s comprehensive privacy law that took effect January 1, 2020.5 California’s Attorney General urged the Senate via remote testimony to allow work and innovation to continue at the state level.6 Emerging issues arising in connection with the COVID-19 pandemic were also cited in support of a federal law, with witnesses pointing out that organizations have difficulty understanding how to protect health data that is not covered by HIPAA. In written testimony submitted to the Senate committee, Microsoft executive Julie Brill stated that the lack of understanding regarding health data regulation has “created confusion and friction, and has hindered our ability to create effective technologies that people can trust.”7

2 Introduced in the Senate December 3, 2019 by Senator Maria Cantwell (D-), available at: https://www.congress.gov/bill/116th-congress/senate-bill/2968.

3 Senator Roger Wicker (R-) circulated a draft of the CDPA in December 2019.

4 Senator Roger Wicker introduced the SAFE DATA Act in the Senate on September 17, 2020. A copy of the legislation is available at: https://www.congress.gov/bill/116th-congress/senate-bill/4626.

In the meantime, many states have been working to add more privacy laws to their books in 2020. Privacy bills have been considered in 30 states in 2020, but few have been enacted as of October.8 Efforts in recent years have produced new and noteworthy laws in California, Washington, , , New York, and – to name a few.

Along with increased regulation of the information businesses collect comes an increased emphasis on keeping that information, and other sensitive business and competitive information, secure from cyberattacks. The terms “data privacy” and “data security” are often used together – with good reason. Privacy and security are, in many ways, interrelated. Data security encompasses the measures we take, typically through a combination of people, processes, and technology, to maintain data confidentiality, and also to maintain data integrity and availability. Securing information from unauthorized access, use, and disclosure is an important component of maintaining data privacy. Businesses face increasing pressure from customers and from state and federal regulatory authorities to protect personal information from theft, loss, and manipulation in a cyberattack. Section II below highlights noteworthy privacy and security laws of which businesses should be aware. Section III addresses data security considerations generally, and Section IV outlines steps to consider in mitigating security risks. Finally, Section V concludes with a listing of additional resources.

II. PRIVACY, DATA SECURITY, AND BREACH NOTIFICATION LAWS OVERVIEW

A. Federal Sector/Data Specific Laws

1. HIPAA – Health Insurance Portability and Accountability Act of 1996, codified at 45 CFR, Parts 160 and 164, and as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (the “HITECH Act”). HIPAA establishes a national framework for the privacy and security of individuals’ health information. HIPAA specifies the manner in which “protected health information” may be used or disclosed and imposes specific obligations on regulated entities to ensure such information remains confidential and secure. HIPAA’s rules and restrictions apply to organizations known as “Covered Entities” and “Business Associates” (as well as downstream service providers known as “Subcontractor” Business Associates). HIPAA defines covered entities to include certain health care providers, health plans (including certain employer-sponsored group health benefit plans), and health care clearinghouses. A Business Associate is a person or entity who performs certain functions or activities on behalf of a Covered Entity, or who provides certain services to or for a Covered Entity, where the performance of the function or provision of services involves disclosure of Protected Health Information to the Business Associate. Employers are not regulated by HIPAA, and neither is medical information employers receive or collect in their capacity as an employer. However, many employer-sponsored group health plans that pay the cost of medical care for employees are covered entity health plans under HIPAA. The covered entity health plan itself is separate from the employer and exists only on paper. As such, responsibility for the health plan’s HIPAA compliance often falls to the employer as “plan sponsor,” and to certain of its benefits personnel tasked with plan administration duties. Among HIPAA’s requirements for group health plans are requirements that the employer plan sponsor establish a “firewall” between the plan administration functions and other employment functions.

For example, the HIPAA regulations require the plan sponsor to: (a) not use or disclose protected health information received from the plan for employment-related decisions; and (b) provide for adequate separation (supported by reasonable and adequate security measures) between the group health plan and the plan sponsor, including describing the employees under the control of the plan sponsor that are to receive access to protected health information to carry out necessary plan administration functions that the employer plan sponsor performs for the group health plan.9

5 Ben Kochman, Calif. AG Asks Senate Not to Replace CCPA with National Law, Law360, September 23, 2020, https://www.law360.com/articles.

6 Id.

7 Id.

8 National Conference of State Legislatures, 2020 Consumer Data Privacy Legislation, available at www.ncsl.org.

2. GLBA – The Gramm-Leach-Bliley Act governs financial institutions’ treatment of nonpublic personal information about consumers. General GLBA obligations include: refraining from disclosures to nonaffiliated third parties unless notice and opt-out requirements are satisfied; providing notice of privacy practices and policies to customers; complying with the Privacy Rule and Safeguards Rule; and providing notification of breaches involving sensitive information. 15 U.S.C. §§6802(a) and (b), 6805(a), 6809(4), (9). Financial institutions may share nonpublic personal information with third parties who use it to perform services for the financial institution, so long as the financial institution provides notice of this practice to the consumer, and the financial institution contractually binds the third party to maintain the confidentiality of the information. 15 U.S.C. §6802(b)(2).

9 Requirements for Group Health Plans are found at 45 CFR §§164.504(f)(2) and 164.314(b)(1).

3. CAN-SPAM – The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) governs the use of commercial email, including any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The CAN-SPAM Act is enforced by the Federal Trade Commission (FTC) as though CAN-SPAM Act violations were violations of the FTC Act.10 State Attorneys General may enforce certain provisions of the CAN-SPAM Act by bringing civil actions in the appropriate U.S. district court.11 Generally, the FTC summarizes best practices for compliance with the CAN-SPAM Act’s main requirements as follows:12
(i) do not use false or misleading header information;
(ii) do not use deceptive subject lines;
(iii) identify the message as an ad;
(iv) include your valid physical postal address;
(v) tell recipients how to opt out of receiving future email from your company;
(vi) honor opt-out requests promptly; and
(vii) monitor what others are doing on your behalf.

4. COPPA – The Children’s Online Privacy Protection Act and the accompanying regulations prohibit unfair and deceptive trade practices in connection with the collection, use, and disclosure of information from and about children (under the age of 13) on the internet. 16 CFR §312.1; 15 U.S.C. §6501(1); 16 CFR §312.2. The statute applies to anyone who operates a website for commercial purposes who collects or maintains personal information from or about the users or visitors to the site. For purposes of COPPA, “personal information” includes any individually identifiable information about a person collected online, including first and last name, home or other physical address (street name and city), email address, phone number, Social Security number, any other information that the Federal Trade Commission (“FTC”) determines permits the website operator to contact the person, and any information about the child or child’s parents that is combined with other information listed above. 15 U.S.C. §6501(8). It is unlawful for any operator of a website directed to children or an operator that has actual knowledge it is collecting personal information from a child to collect such information in violation of COPPA’s regulations. 15 U.S.C. §6502(a)(1); 16 CFR §312.3.

10 15 U.S.C. §7706(a).

11 15 U.S.C. §7706(f)(1).

12 See FTC guidance at https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business, noting that CAN-SPAM Act violations are costly and can result in penalties of over $40,000 for each separate email.


B. Unfair or Deceptive Practices – Federal Trade Commission

Businesses that lack a primary federal regulator may still face regulatory enforcement at the federal level from the Federal Trade Commission (FTC). The FTC has authority to bring enforcement actions against businesses relating to consumer privacy issues under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. Many state Attorneys General also have authority over privacy and security violations under state statutes prohibiting unfair or deceptive practices. FTC enforcement actions generally require businesses to stop practices that violate the law and to remediate unlawful behavior.13 The FTC currently has no authority to issue fines for general privacy violations under Section 5 of the FTC Act, but it can for violations of specific laws like the CAN-SPAM Act. The role and scope of FTC authority is another issue in debate in connection with discussions surrounding a comprehensive federal privacy law.

C. Comprehensive Privacy Laws

1. California Consumer Privacy Act (CCPA).

On June 28, 2018, California became the first state to pass a comprehensive consumer privacy law. The California Consumer Privacy Act of 2018 regulates covered businesses handling personal information relating to California residents. The CCPA expands the typical definition of personal information to include categories of consumer information such as purchasing tendencies, internet activity, and profiles compiled from personal information. It introduces individual rights of notification, deletion, data access, and portability, as well as restrictions on the “sale” of personal information. It also affords consumers a private right of action for a breach of personal information. The law took effect January 1, 2020, with enforcement beginning July 1, 2020. Draft regulations issued in the fall of 2019 and revised twice in 2020 were finally approved and went into effect as of August 14, 2020. However, the CCPA continues to evolve. On October 12, 2020, the California Attorney General released a third set of proposed amendments to the CCPA regulations, largely focused on notice requirements when businesses collect personal information from consumers offline and clarification on offering consumers an opportunity to opt out of a sale of their personal information.14 The text of the CCPA, the regulations, and related resources are available from the California Attorney General’s website at https://www.oag.ca.gov/privacy/ccpa.

13 FTC Privacy & Data Security Update: 2019, available at https://www.ftc.gov/reports/privacy-data-security-update-2019.

14 A copy of the most recent proposed amendments are available at https://oag.ca.gov/privacy/ccpa/current.


Geographic location is not determinative for the CCPA’s applicability. Generally, the CCPA applies to businesses that (1) are for-profit; (2) collect California consumers’ personal information; (3) do business in California; and (4) either (a) have annual gross revenues over $25M, or (b) buy, receive, sell, or share personal information of more than 50,000 California consumers, households, or devices, or (c) derive 50 percent or more of their annual revenue from the “sale” of personal information.15 An entity that controls or is controlled by an entity that satisfies the foregoing definition and shares common branding also satisfies the definition of “business.”16 Businesses may be exposed to statutory fines for non-compliance as well as litigation. The CCPA affords consumers a private right of action in certain situations if an organization fails to maintain reasonable security measures and protections for certain types of personal information.17

At a high level, compliance with the CCPA requires reviewing and revising privacy policies to comply with its various notice requirements, internal data evaluation (data mapping), establishing new procedures for responding to consumer requests, and conducting personnel training. Though the law protects California residents, because of its broad definition of “business” it affects many businesses throughout the United States.

2. EU General Data Protection Regulation (GDPR).

The EU General Data Protection Regulation took effect on May 25, 2018. GDPR is the primary data protection law in the European Union and the European Economic Area, aimed at providing greater control to individuals who reside in the EEA (data subjects). It establishes rights with respect to data subjects’ personal information, including the rights to be informed, of access, to rectification, to erasure, to restrict processing (when applicable), to data portability, to object, and rights in relation to automated decision making and profiling. GDPR sets timing requirements for an organization to respond to individual requests (most within one month). GDPR requires issuance of a privacy notice outlining data collection, use, disclosure, and retention as part of data subjects’ right to be informed. As with the CCPA, a business’s location is not determinative of GDPR’s applicability. GDPR applies to processing activities relating to personal data of EU data subjects regardless of where the processing activities take place. For example, it is intended to reach not only an EU company with operations in the United States that collects and stores information about EU subjects through its U.S. operations, but also non-EU companies that offer goods or services to individuals in the EU. For an overview of GDPR’s definitions and provisions, see the UK Information Commissioner’s Office Guide to GDPR for Organizations available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/. While written from the perspective of the GDPR’s application in the UK, it is nevertheless a good resource for understanding the contours of this very complex privacy law.

15 California Consumer Privacy Act of 2018 (CCPA) Section 1798.140.

16 Id.

17 CCPA 1798.150.

D. Data Breach Notification Laws

All 50 states, the District of Columbia, , , and the Virgin Islands have laws requiring private and/or governmental entities to notify individuals of a data security breach involving personally identifiable information.18 State security breach notification laws have common provisions but vary from state to state. These laws specify the type of information considered “personal information” that triggers a notification, the types of events that trigger notification (for example, system access alone versus actual data theft or disclosure), whether information in any form is covered or just electronic data, the time in which businesses are required to notify, whether notification is required to credit reporting agencies, a state Attorney General, or some other state consumer protection agency in addition to affected individuals, and whether exceptions apply (for example, if the data is encrypted or where the business complies with a federal regulator’s breach notice requirements). Notification timeframes range from 10-45 days to “as expediently as possible and without unreasonable delay.”

While many of the state breach notification laws share common provisions, there are noteworthy outliers including , , , and California. Most states that require notice to the Attorney General have a threshold for the size of the breach; typically 200-500 residents need to be impacted before Attorney General notice is required, depending on the state. Some states do not require notice to the Attorney General at all. However, North Carolina requires notice to the Attorney General even if only one North Carolina resident is impacted.19 Vermont requires notification to the Attorney General and a preliminary description of the breach within 14 business days of discovering the breach.20 Massachusetts’ breach notification law prohibits including a description of the nature of the breach in the notice to affected residents, while such content is required under other states’ notification laws.21 California’s law includes a model form and specifies the content, format, headings, and font size for a compliant notification letter.22

Kentucky joined the list of states with security breach notification laws in 2014 with the enactment of KRS 365.732 (applicable to “any person or business entity that conducts business in this state”), followed in 2015 by KRS 61.931 to 61.934 (applicable to “agencies” and their “nonaffiliated third part[ies],” which includes any person that has a contract or agreement with an agency and receives personal information from the agency pursuant to the contract or agreement).

18 National Conference of State Legislatures, www.ncsl.org (last visited October 18, 2020).

19 N.C. Gen. Stat §§75-61, 75-65 (“In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General’s Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.”).

20 9 V.S.A. §2435 (Notice of Security Breaches).

E. Data Security Laws

While not as prevalent as data breach notification laws, at least 25 states have laws addressing data security practices of private sector entities. Data security laws generally apply to businesses that own, license, or maintain “personal information” about a resident of that state and require businesses to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.23

Massachusetts law requires every person that owns or licenses personal information about a resident of Massachusetts to develop, implement, and maintain a comprehensive written information security program or “WISP.” 201 Mass. Code of Regs. 17.00-17.04. The WISP should take into account the business’s size, scope of business, amount of resources and the need for security. The Massachusetts law applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. Among other requirements, businesses must encrypt portable devices where technically feasible (meaning it can be accomplished by reasonable means through use of technology), and bear responsibility for the selection and retention of third-party service providers who are capable of properly safeguarding personal information. The law also applies to lawyers who own or license personal information about a resident of Massachusetts regardless of privileged or confidential communications.24 For additional information on the Massachusetts law and a WISP Compliance Checklist see Appendix B.

21 Mass. Gen. Laws §93H-1 et seq. (“. . . said notice shall not include the nature of the breach of security or unauthorized acquisition or use, or the number of residents of the commonwealth affected by said breach of security or unauthorized access or use”).

22 Cal. Civ. Code §1798.82(a) (applicable to a person or business).

23 National Conference of State Legislatures, Data Security Laws, available at www.ncsl.org.

24 See Commonwealth of Massachusetts, Office of Consumer Affairs and Business Regulation, “Frequently Asked Questions Regarding 201 CMR 17.00,” available at https://www.mass.gov/info-details/requirements-for-data-breach-notifications#the-comprehensive-written-information-security-program-(wisp)-.


Ohio requires compliance with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information to qualify for an affirmative defense in an action resulting from a data breach alleging failure to implement reasonable information security controls.25

Kentucky has no general data security law applicable to the private sector. However, KRS 61.932(1) includes security procedures, stating as follows: “[a]n agency or nonaffiliated third party that maintains or otherwise possesses personal information, regardless of the form in which the personal information is maintained, shall implement, maintain, and update security procedures and practices, including taking any appropriate corrective action, to protect and safeguard against security breaches.” KRS 61.932(2) goes on to specify that reasonable security procedures must be consistent with guidance established for different areas of government, such as the Commonwealth Office of Technology (for units of the executive branch), Department for Local Government (for units of county, city, and local government), or the Kentucky Board of Education (for public school districts).

F. Data Disposal Laws

At least 35 states and Puerto Rico have laws requiring private and/or governmental entities to destroy, dispose, or otherwise make personal information unreadable or indecipherable.26 For example, Kentucky law requires the following:

When a business disposes of, other than by storage, any customer’s records that are not required to be retained, the business shall take reasonable steps to destroy, or arrange for the destruction of, that portion of the records containing personally identifiable information by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means. Ky. Rev. Stat. §365.725.

The National Conference of State Legislatures (www.ncsl.org) maintains hyperlinked charts listing data security, security breach notification, and data disposal laws by state. It is a very useful resource for quick reference and for comparing provisions across states.

III. SECURITY CONSIDERATIONS

Cyber threats to the United States and across the globe are reaching unprecedented levels.27 Businesses face increasing pressures from customers and state and federal regulatory authorities to protect sensitive information from theft, loss, and manipulation in a cyberattack. Certain industries, such as health care, finance, and retail, have garnered significant media attention in recent years due to widely publicized data breaches. Businesses that experience data breaches face a long list of issues and considerations, including threat eradication and remediation, legal reporting obligations, potential business interruption, revenue losses, the potential for reputational harm, and risk of litigation.

25 Ohio Rev. Stat. §1354.01 to 1354.05.

26 National Conference of State Legislatures, Data Security Laws, available at www.ncsl.org.

27 Addressing the Cyber Threat, Director Discusses FBI Approach at Cybersecurity Conference, https://www.fbi.gov/news/stories/director-wray-speaks-at-rsa-cybersecurity-conference-030619 (March 6, 2019).

The term “cybersecurity” means “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”28 Cybersecurity concerns have been elevated from technology departments to “C” suites in recent years as businesses realize the potential for operational and financial impact from cyberattacks. One threat that has captured significant attention from federal agencies, regulators, and businesses alike is known as “ransomware.” Ransomware is a type of malicious software used to deny access to systems or data by encrypting data and holding it hostage until a ransom is paid. In March 2016, the U.S. Department of Homeland Security, United States Computer Emergency Readiness Team (US-CERT) issued an alert to provide further information on destructive ransomware, which had been observed infecting computers worldwide.29 The Federal Bureau of Investigation (FBI) and other federal agencies, including the Department of Homeland Security, have issued information and guidance on the ransomware threat, which has continued to persist. The FBI developed a one-page information sheet on ransomware, which includes prevention tips and risks to consider when evaluating whether to pay a ransom.30 Additional interagency technical guidance on protecting networks from ransomware is available on the FBI’s website at www.fbi.gov.

Threats such as ransomware underscore the critical importance of implementing a defense strategy to combat cyberattacks. Potential sources of data security obligations exist in a patchwork of sector-specific federal laws and regulations, varied and sometimes contradictory state laws, contractual obligations, and ethical obligations. There are many possible sources to consider when developing a defense strategy. No single set of rules applies to protecting personal data. In many cases, the standards that apply to a business will be driven by that business’s industry regulations. The summary below sets out considerations for safeguarding confidential information and highlights common features of a written information security plan. To assist businesses in addressing security as part of ongoing operations, the FTC published a guide for businesses titled “Start with Security,” available at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business. The guide draws from FTC enforcement actions and is intended to assist businesses in assessing operations and making reasonable decisions about security in light of the nature of the business and the sensitivity of the information involved.

28 Merriam-Webster Online Dictionary, https://www.merriam-webster.com/dictionary/cybersecurity (last visited October 19, 2020).

29 US-CERT Alert TA16-091A Ransomware and Recent Variants (March 31, 2016), https://www.us-cert.gov/ncas/alerts/TA16-091A.

30 https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-ceos.pdf/view.


IV. SAFEGUARDING DATA

A. Adopting a Security Plan

Adopting a written information security plan is one step businesses can take to safeguard data and minimize the risks of unauthorized use, acquisition, and disclosure of personal, confidential, or competitively sensitive information. When selecting an appropriate security framework, relevant factors for consideration include the nature of the information maintained, the industry in which the business operates, and the resources available to address data security.

Examples of information security frameworks and guidance an organization may consider in developing an information security plan include the NIST Cybersecurity Framework, ISO 27002, NIST 800-53, the Secure Controls Framework, and the HIPAA Security Rule.31 While not a substitute for identifying the specific obligations and framework suitable for a particular business and its operational environment, the following are some common information security program features to consider when creating or evaluating an information security plan.

B. Selecting and Implementing Safeguards

Implement and maintain appropriate administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of information. Selected safeguards should be appropriate to the organization’s size, scope, and business, its available resources, and the amount and nature of the information it maintains.

1. Examples of administrative measures may include:

a. Designating one or more employees to coordinate the information security plan;

b. Identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks;

c. Training employees in security practices and procedures;

d. Adjusting the information security plan in light of business changes or new circumstances;

e. Restricting authority to access information on a need-to-know basis;

31 NIST or National Institute of Standards and Technology publications are available at https://www.nist.gov/. HIPAA Security Rule regulations are located at 45 C.F.R. Part 160 and Subparts A and C of Part 164. Information about ISO frameworks can be found on the International Organization for Standardization’s website at https://www.iso.org/home.html.


f. Implementing a patch management process to address unpatched vulnerabilities and minimize opportunities for criminal actors to exploit system weaknesses that may lead to unauthorized intrusion; and

g. Requiring service providers that may have access to or maintain confidential information to implement and maintain reasonable security measures, consistent with the business’s security practices, applicable regulatory frameworks, and/or similarly situated service providers.

2. Examples of appropriate technical measures may include:

a. Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords, requiring that passwords are “strong” (i.e. setting a minimum length and requiring a combination of characters, numbers, and symbols), unique, and kept in a location or format that does not compromise security;

b. Using secure authentication protocols, such as two-factor authentication, when feasible;

c. Restricting access to active users and active user accounts only and preventing terminated employees from accessing systems or records;

d. Blocking a particular user’s access after multiple unsuccessful attempts to gain access or placing limitations on access for particular systems or network locations;

e. Using enhanced security measures for information traveling wirelessly or across public networks as appropriate to the sensitivity of the information being transmitted (e.g. encryption);

f. Monitoring for, detecting, and responding to unauthorized access or other attacks or system failures;

g. Maintaining firewall protection and system security software that includes malware protection with reasonably current patches and malware definitions;

h. Maintaining comprehensive backup and data recovery procedures with offsite or offline redundancy (e.g. non-networked backups); and

i. Assigning users appropriate access required for job performance.


3. Examples of appropriate physical measures may include:

a. Defining and implementing reasonable physical security barriers to protect areas where sensitive information may be accessed, including reasonably restricting physical access (e.g. using locks or badge access), and storing confidential records in secure facilities or locked areas;

b. Preventing, detecting, and responding to physical intrusions or unauthorized access to client information and restricted areas; and

c. Implementing secure disposal or destruction of client information, whether in paper or electronic form, when it is no longer required to be retained in accordance with data retention policies, applicable laws, or contractual obligations.
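As an added illustration (not part of these materials or of any framework they cite), the following Python sketch implements technical measures 2.a, 2.c and 2.d above in one small account store: a password policy that rejects short, single-class and vendor-default passwords, salted PBKDF2 storage so that stored credentials do not compromise security, immediate deactivation of departed users, temporary lockout after repeated failures, and an audit trail of the kind the monitoring in 2.f relies on. The thresholds, the vendor-default list and all identifiers are assumptions chosen for the example, not values taken from any statute or regulation.

```python
"""Added example: a minimal authentication policy module covering the
safeguards listed as technical measures 2.a, 2.c, 2.d and 2.f above.
Every threshold, name and the vendor-default list below is an assumption
made for illustration, not a value from any law or framework."""
import hashlib
import hmac
import os
import re
import time
from typing import Callable, List, Optional, Tuple

MIN_LENGTH = 12            # assumed policy: minimum password length
LOCKOUT_THRESHOLD = 5      # assumed policy: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed policy: how long an account stays locked
# Constructed list of vendor-default passwords the policy refuses outright.
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default"}


def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    if password.lower() in VENDOR_DEFAULTS:
        problems.append("vendor default password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AccountStore:
    """In-memory user records: salted hashes, failure counters and an audit log."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable clock so lockout expiry can be tested
        self.users = {}     # user id -> dict(salt, digest, failures, locked_until, active)
        self.audit = []     # (timestamp, user id, event) tuples for monitoring (2.f)

    def create_user(self, user_id: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt, digest = hash_password(password)
        self.users[user_id] = dict(salt=salt, digest=digest, failures=0,
                                   locked_until=0.0, active=True)

    def deactivate(self, user_id: str) -> None:
        """2.c: a terminated employee loses access immediately."""
        self.users[user_id]["active"] = False
        self.audit.append((self.clock(), user_id, "deactivated"))

    def authenticate(self, user_id: str, password: str) -> bool:
        now = self.clock()
        rec = self.users.get(user_id)
        if rec is None or not rec["active"]:
            self.audit.append((now, user_id, "denied: unknown or inactive"))
            return False
        if now < rec["locked_until"]:
            self.audit.append((now, user_id, "denied: locked out"))
            return False
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):  # constant-time compare
            rec["failures"] = 0
            self.audit.append((now, user_id, "login ok"))
            return True
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:  # 2.d: block after repeated failures
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            self.audit.append((now, user_id, "locked out"))
        else:
            self.audit.append((now, user_id, "denied: bad password"))
        return False
```

The audit list is what a monitoring process would read to spot a burst of lockouts or logins against deactivated accounts.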

C. Conducting Security Awareness Training

While technical security safeguards are important, they represent only one aspect of an effective cyber defense strategy. In addition to implementing technical controls and safeguards, an organization must also account for the human component that makes many cyberattacks possible. Clear communication and training on information security policies and practices, threats to an organization and how to spot them, and when and how to report suspicious activity are an important part of an organization’s information security plan.

The proliferation and increased sophistication of ransomware attacks underscores the importance of having both robust technical controls and employee education.32 Ransomware and other forms of malicious software are often delivered via email. Over time, as users and email systems have become more adept at recognizing problematic spam emails, criminals too have developed new and innovative ways to deliver malicious software or “malware.”33 For example, email “spoofing” is a technique to make it appear to the recipient that an email is originating from someone known to them, often a supervisor or someone else in a position of authority. Email spoofing may be used to deliver a malicious link or attachment, increasing the chance the user will access the link or attachment because it appears to be from a legitimate source. Spoofing may also be used to solicit information that can be used for another type of intrusion, such as by obtaining access credentials or other personal information that provides clues to an individual’s password. The recipient may think they are providing the information to a trusted source, like an internal IT department or system administrator, when it is actually going to a criminal. This type of social engineering to facilitate cyberattacks is becoming more common. Employees who are mindful of these risks will be in a better position to identify suspicious emails and avoid the bait.

32 FBI, Incidents of Ransomware on the Rise, Protect Yourself and Your Organization, April 29, 2016, available at https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.

33 Id.

D. Conducting Ongoing Risk Management

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.34 Risk management involves evaluating recommended security measures to combat identified threats and vulnerabilities, and prioritizing, modifying, and implementing security measures appropriate to the organization.

E. Security Incident Response and Reporting

Outlining a plan for responding to suspected cyber incidents that may compromise data security can help mitigate the effects of an attack. Security incident response planning includes identifying individuals (internally and externally where appropriate) who will be called on to respond to an incident and designating the role individuals will serve in the response. Containing and eradicating ongoing threats will be the initial priority. Preserving evidence relating to an incident is also important as it may provide insight into its cause and inform remediation steps to prevent similar future occurrences. Identifying the types of incidents that will trigger the incident response process is also important. Examples may include: a suspected or confirmed unauthorized system intrusion; lost or stolen computer assets; unauthorized software infecting a computer or computer network; unauthorized changes to security permissions, access credentials, or system configurations; and, data loss or corruption.

V. ADDITIONAL RESOURCES

California: “California Data Breach Report” (2016), https://www.oag.ca.gov/breachreport2016

Illinois: “Information Security and Security Breach Notification Guidance,” https://illinoisattorneygeneral.gov/consumers/consumer_publications.html

Massachusetts: “A Small Business Guide: Formulating a Comprehensive Written Information Security Program”

Start with Security: An FTC Guide for Businesses, https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

FTC Decisions and Consent Decrees available at Federal Trade Commission, Data Security, https://www.ftc.gov/datasecurity

Ransomware prevention and response guidance for CISOs, https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

Ransomware and Recent Variants, US-CERT Alert TA16-091A (March 31, 2016), https://www.us-cert.gov/ncas/alerts/TA16-091A

34 National Institute of Standards and Technology (NIST) Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments, https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final (last visited October 19, 2020).


APPENDIX A

1000 Maine Avenue SW, STE 500, Washington, DC 20024 | 202.872.1260 | brt.org

September 10, 2019

The Honorable Mitch McConnell, Majority Leader, U.S. Senate, Washington, DC 20510

The Honorable Nancy Pelosi, Speaker, U.S. House of Representatives, Washington, DC 20515

The Honorable Charles E. Schumer, Minority Leader, U.S. Senate, Washington, DC 20510

The Honorable Kevin McCarthy, Minority Leader, U.S. House of Representatives, Washington, DC 20515

The Honorable Roger F. Wicker, Chairman, Committee on Commerce, Science and Transportation, U.S. Senate, Washington, DC 20510

The Honorable Frank Pallone, Jr., Chairman, Committee on Energy and Commerce, U.S. House of Representatives, Washington, DC 20515

The Honorable Maria Cantwell, Ranking Member, Committee on Commerce, Science and Transportation, U.S. Senate, Washington, DC 20510

The Honorable Greg Walden, Ranking Member, Committee on Energy and Commerce, U.S. House of Representatives, Washington, DC 20515

Dear Leader McConnell, Speaker Pelosi, Leader Schumer, Leader McCarthy, Chairman Wicker, Chairman Pallone, Ranking Member Cantwell and Ranking Member Walden:

We write to urge you to pass, as soon as possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.

There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers. A federal consumer privacy law should also ensure that American companies continue to lead a globally competitive market. As Chief Executive Officers of leading companies across industries, our companies reach virtually every American consumer and rely on data and digital platforms every day to deliver and improve our products and services. Consumer trust and confidence are essential to our businesses. We are committed to protecting consumer privacy and want consumers to have confidence that companies treat their personal information responsibly.

We are also united in our belief that consumers should have meaningful rights over their personal information and that companies that access this information should be held consistently accountable under a comprehensive federal consumer data privacy law.

Consumers have grown accustomed to a breadth of resources and services made available over the internet across state borders and even globally. Consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services. Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws. Further, as the regulatory landscape becomes increasingly fragmented and more complex, U.S. innovation and global competitiveness in the digital economy are threatened.

We urgently need a comprehensive federal consumer data privacy law to strengthen consumer trust and establish a stable policy environment in which new services and technologies can flourish within a well-understood legal and regulatory framework. Innovation thrives under clearly defined and consistently applied rules.

Business Roundtable has released a Framework for Consumer Privacy Legislation (attached to this letter), which provides a detailed roadmap of issues that a federal consumer privacy law should address. As the Framework describes, a comprehensive federal consumer data privacy law should create robust protections for consumers by requiring businesses to take responsibility for the collection, use and sharing of personal information.

The United States has been a global leader in technology and data-driven innovation and now has the opportunity to lead on consumer data privacy for the benefit of all consumers, companies and commerce. We stand ready to work with you.

Sincerely,

Randall Stephenson, Chairman and Chief Executive Officer, AT&T Inc.
Julie Sweet, CEO, Accenture
Andrés R. Gluski, President & CEO, The AES Corporation

Lee Styslinger, III, Chairman & CEO, Altec, Inc.
Jeffrey P. Bezos, Founder and Chief Executive Officer, Amazon
Stephen J. Squeri, Chairman and CEO, American Express

James D. Taiclet, Chairman, President & CEO, American Tower Corporation
Brian Moynihan, Chairman and CEO, Bank of America
Giovanni Caforio, Chairman & CEO, Bristol-Myers Squibb

Evan G. Greenberg, Chairman & CEO, Chubb
Michael Corbat, CEO, Citigroup Inc.
Brian L. Roberts, Chairman & CEO, Comcast Corporation

Tom Linebarger, Chairman and CEO, Cummins Inc.
Michael Dell, Chairman and CEO, Dell Technologies
Pedro J. Pizarro, President and CEO, Edison International

Carmine Di Sibio, Chairman & CEO, EY
Frederick W. Smith, Chairman & CEO, FedEx Corporation
James P. Hackett, President and CEO, Ford Motor Company

Mary Barra, Chairman & CEO, General Motors Company
Dinesh C. Paliwal, President and Chief Executive Officer, HARMAN International
Ginni Rometty, Chairman, President and CEO, IBM Corporation


Michael I. Roth, Chairman and Chief Executive Officer, The Interpublic Group
Steve Demetriou, Chair & CEO, Jacobs
Alex Gorsky, Chairman and CEO, Johnson & Johnson

George R. Oliver, Chairman and CEO, Johnson Controls
Jamie Dimon, Chairman and CEO, JPMorgan Chase & Co.
Jeff Gennette, Chairman & Chief Executive Officer, Macy’s, Inc.

Arne M. Sorenson, President & CEO, Marriott International Inc.
Ajay S. Banga, President and CEO, Mastercard
Greg Brown, Chairman & CEO, Motorola Solutions

Ted Mathas, Chairman, President and CEO, New York Life Insurance Co.
Daniel J. Houston, Chairman, President and CEO, Principal
David S. Taylor, Chairman of the Board, President and Chief Executive Officer, The Procter & Gamble Company

Steve Mollenkopf, Chief Executive Officer, Qualcomm Incorporated
Blake Moret, Chairman & Chief Executive Officer, Rockwell Automation
Douglas Peterson, President & CEO, S&P Global


Keith Block, Co-CEO, Salesforce
Bill McDermott, CEO, SAP SE
Jim Goodnight, CEO, SAS Institute

Egon Durban, Managing Partner, Silver Lake Partners
Michael L. Tipsord, Chairman and CEO, State Farm Insurance
Kevin A. Lobo, Chairman and CEO, Stryker

Brian Cornell, Chairman & CEO, Target
LeRoy T. Carlson, Jr., CEO, Telephone & Data Systems, Inc.
M. Troy Woods, Chairman, President, TSYS

Stuart Parker, CEO, USAA
Alfred F. Kelly, Jr., Chairman and Chief Executive Officer, Visa Inc.
Curt Morgan, President & CEO, Vistra Energy

Doug McMillon, President and CEO, Walmart, Inc.
Abidali Neemuchwala, CEO and Managing Director, Wipro Limited
Anders Gustafsson, Chief Executive Officer, Zebra Technologies Corporation

C: Members of the U.S. House of Representatives; Members of the U.S. Senate

APPENDIX B

COMMONWEALTH OF MASSACHUSETTS, Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, (617) 973-8700, FAX (617) 973-8799, www.mass.gov/consumer

Charles D. Baker, Governor; Karyn E. Polito, Lieutenant Governor; Jay Ash, Secretary of Housing and Economic Development; John C. Chapman, Undersecretary

201 CMR 17.00 COMPLIANCE CHECKLIST

The Office of Consumer Affairs and Business Regulation has compiled this checklist to help small businesses in their effort to comply with 201 CMR 17.00. This Checklist is not a substitute for compliance with 201 CMR 17.00. Rather, it is designed as a useful tool to aid in the development of a written information security program for a small business or individual that handles “personal information.” Each item, presented in question form, highlights a feature of 201 CMR 17.00 that will require proactive attention in order for a plan to be compliant.

The Comprehensive Written Information Security Program (WISP)

☐ Do you have a comprehensive, written information security program (“WISP”) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts (“PI”)?

☐ Does the WISP include administrative, technical, and physical safeguards for PI protection?

☐ Have you designated one or more employees to maintain and supervise WISP implementation and performance?

☐ Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information?

☐ Have you chosen, as an alternative, to treat all your records as if they all contained PI?

☐ Have you identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI?

☐ Have you evaluated the effectiveness of current safeguards?


☐ Does the WISP include regular ongoing employee training, and procedures for monitoring employee compliance?

☐ Does the WISP include disciplinary measures for violators?

☐ Does the WISP include policies and procedures for when and how records containing PI should be kept, accessed or transported off your business premises?

☐ Does the WISP provide for immediately blocking terminated employees’ physical and electronic access to PI records (including deactivating their passwords and user names)?

☐ Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00?

☐ Have you required such third-party service provider by contract to implement and maintain such appropriate security measures?

☐ Is the amount of PI that you have collected limited to the amount reasonably necessary to accomplish your legitimate business purposes, or to comply with state or federal regulations?

☐ Is the length of time that you are storing records containing PI limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations?

☐ Is access to PI records limited to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations?

☐ In your WISP, have you specified the manner in which physical access to PI records is to be restricted?

☐ Have you stored your records and data containing PI in locked facilities, storage areas or containers?

☐ Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI, and for upgrading it as necessary?

☐ Are your security measures reviewed at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records?

☐ Do you have in place a procedure for documenting any actions taken in connection with any breach of security, and does that procedure require post-incident review of events and actions taken to improve security?


Additional Requirements for Electronic Records

☐ Do you have in place secure authentication protocols that provide for:

   - Control of user IDs and other identifiers?

   - A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)?

   - Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect?

   - Restricting access to PI to active users and active user accounts?

   - Blocking access after multiple unsuccessful attempts to gain access?

☐ Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records and files?

☐ Do you assign unique identifications plus passwords (which are not vendor-supplied default passwords) to each person with computer access, and are those IDs and passwords reasonably designed to maintain the security of those access controls?

☐ Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted across public networks, and that are to be transmitted wirelessly?

☐ Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices?

☐ Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?

☐ On any system that is connected to the Internet, do you have reasonably up-to-date firewall protection for files containing PI, and operating system security patches to maintain the integrity of the PI?

☐ Do you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions?

☐ Do you have in place training for employees on the proper use of your computer security system, and the importance of PI security?
