AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Maine Personal Information Data Privacy Notification And Encryption Laws: Title 10 §1346 - §1350

Maine, like many states in the US, has a personal data breach notification law on its books.  The law is also similar to other states' legislation in that the use of encryption software like AlertBoot provides an exception from the onerous business of having to send such notifications.

If encryption is not used (or the wrong kind of encryption is used), then a breached entity will have to go public with the data breach, as TD Bank found out recently, or face the consequences.  The consequences are not so dire, though, relatively speaking.

Penalties For Violating South Carolina's Data Privacy Law

According to Title 10 §1349 of the Notice of Risk to Personal Data Act, not complying with the law is a civil violation that will lead to one or more of the following:

  1. A maximum fine of $500 per violation that will not exceed $2,500 for each day of violation.
  2. Equitable relief.
  3. Enjoinment from further violations.

As a non-lawyer, I had to look up equitable relief.  An enjoinment is, as I noted way, way back, just a fancy way of saying "stopping someone from doing something."  What's interesting is the monetary fine.

If I understand it correctly, the daily cap for a data breach in Maine works out to five people (2,500 / 500 = 5).  Well, not really.  I guess if the fine per violation is valued at $1, technically the cap is 2,500 people.  But then, $1 is a ridiculously low amount.  The question is, is $500 too large an amount to fine?  And if so, what is an "acceptable" amount? $100 per violation?

It doesn't matter how you slice it, it appears to be small.  TD Bank's data breach, for example, affected 267,000 people -- 35,000 of them Maine residents.

The one redeeming feature is that the cap is on daily figures.  As the law states under the same penalties section, "the right and remedies available under this section are cumulative" and there doesn't appear to be a limit to how long it can go.

What Is Personal Identifying Information Under Maine Law?

Personal information is defined under the Risk to Personal Data Act as a person's first name (or initial) and last name combined with any of the following:

  • Social Security number
  • Driver's license number or state identification number
  • Financial account numbers
  • Passwords and other access codes

This is in keeping with many state laws.  And, as I pointed out in posts regarding data breach laws in other states, this technically means the loss of SSNs alone would not be considered a data breach.

Maine, however, is a bit different.  They included the following:

Any of the data elements....when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.

In other words, losing a database full of SSNs only would also be considered a data breach in Maine, as it should be.

Another novelty in Maine law?  It makes it illegal for an unauthorized person to take advantage of information that was breached.

Notification Clauses for Maine Data Breaches

In Maine, pretty much anyone who's had a data breach must notify those residents who are affected by it.  For some reason, though, the law goes to great lengths to divide them into "information brokers" and everyone else.

One disappointing aspect of the breach notification requirement is the following (my emphasis):

....determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

I may be reading more into it than there is, but the underlined parts appear to put into play what is called a "harm threshold," where the entity that was breached gets to judge whether residents are affected, and to what degree.

If that sounds to you like putting the fox in charge of the chicken coop, you're not too far off the mark.  Plenty of privacy experts have pointed out time and again that harm threshold clauses are a bad idea.

Another disappointment lies in the fact that the Maine legislature has not defined an acceptable period by which residents have to be notified.  Currently, the law states that:

The notices required...must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement...or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system.

Let's go back to TD Bank as an example.  They took 8 months to notify Maine clients affected by the breach (and it sounds like residents of other states along the east coast weren't notified any sooner).  Compare this to HIPAA/HITECH rules, where a person whose protected health information is breached must be contacted within 60 calendar days by the covered entity.  It's quite the difference.

Laws directing people to notify residents ASAP will get exactly that.  Maine is not alone in this, though.  Even Massachusetts -- which by some accounts has one of the strictest data breach prevention / data protection and notification laws in the country -- doesn't have fixed deadlines for notifications.

Other particulars to Maine's breach notification law:

  • Consumer reporting agencies must also be notified for breaches involving more than 1,000 people
  • In addition to residents, either the Department of Professional and Financial Regulation or the Attorney General must be notified as well.

Encryption Means Safe Harbor

Hey, here's an idea: use our super-easy-to-set-up encryption software to protect your data (for example, on your laptops) and forget about the intricacies of the law.  Our solution uses AES-256, which is in accordance with the definition of encryption under Maine's statutes:

Encryption.  "Encryption" means the disguising of data using generally accepted practices.

AES most certainly is that and more.


Related Articles and Sites:
http://www.mainelegislature.org/legis/statutes/10/title10ch210-Bsec0.html

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.