No organization wants to have to notify its customers that a data breach has occurred on its watch. Word of a breach can sink customer confidence and invite litigation, and it can also give the impression that the organization values its customers' information less than the hackers do.
But data breaches may not be as black and white as you might think.
California was the first state to enact a data breach notification law, in 2002. Since then nearly every other state has followed suit with its own version; as of this writing only Alabama and South Dakota have no such law. While the laws differ in their details, their foundational tenet is the same:
Companies must disclose a data breach to affected customers (state residents) without unreasonable delay, usually in writing.
But many states layer additional statutes onto their breach notification laws. Take, for example, Tennessee's law, which we wrote about nearly a year ago today. On July 1, 2016, an amendment removed the safe harbor for encrypted data: even if the stolen information was encrypted and therefore unreadable by the perpetrator, companies still had to notify customers of a breach.
The amendment caused some head-scratching in the information security community. Why should customers be notified when only encrypted data was lost? No harm, no foul, right?
Thankfully, Tennessee's legislators agreed and came to their senses. On April 4, 2017, Tennessee updated the breach notification law to state that firms do not need to disclose an event if the stolen data is "Information that has been encrypted in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2 if the encryption key has not been acquired by an unauthorized person." In essence, this provision restores the safe harbor to the Tennessee breach notification law. Note that it carries two conditions: the encryption must conform to the current FIPS 140-2 standard, and the key must not have been obtained along with the data.
Why does this matter?
- Data breach notifications are expensive, damaging to a company's brand, and alarming to the public. Companies do not want to ring the bell unless the exposed data is truly at risk. The 2017 amendment treats properly encrypted data as secure even when it falls into the wrong hands, so no notification is required unless there is reason to believe the thief also has the key needed to decrypt it. The amendment therefore lessens the impact of a breach involving encrypted data.
- It encourages companies to encrypt sensitive data. Encryption is an additional layer of defense for organizations that care about their reputation, and without this amendment they would have had far less incentive to use it, since they would still have faced the fallout of a breach notification. Two practical caveats follow from the wording of the safe harbor: FIPS 140-2 is a validation standard for cryptographic modules, so the encryption must be performed by a validated module using approved algorithms; and the safe harbor is lost if the key is acquired along with the data, so keys must be managed and stored separately from the data they protect.
- It made headlines. Although it was not as big a splash as the Apple vs. the FBI saga, lay people in Tennessee learned more about encryption. Consumers continue to become more aware, and if this trend continues, the day when consumers demand encryption of their data at all times may not be far off.
- Going forward, the burden will be on the business to prove that it meets the "no material compromise" and "no reasonable belief that information has been acquired" safe harbors if and when a breach occurs. In practice that means being able to show, from the records of the incident investigation, that the affected data was encrypted and that the key was not acquired.
With the new amendment in place, it is a good time to reassess your organization's IT Security Program Plan, conduct risk assessments, implement the controls and processes needed to reduce risk to an acceptable level, weigh the benefits of implementing encryption (if you haven't already), and put a data breach response plan in place.
As a full-service information security firm, LBMC can help you with all of this. We test, audit, and consult with your organization to keep the risk of a data breach to a minimum. The time to do this due diligence is now, before a data breach occurs.
To inquire about our IT Security Consulting Services, please contact us.