Data Breaches: A State’s Perspective

Posted by Mark Greisiger

A Q&A with Barbara Anthony, Undersecretary of Massachusetts Office of Consumer Affairs and Business Regulation
Since 2009, Massachusetts has been releasing reports on the state’s data breaches. In 2013, the state received over 1,800 notifications for breach events that had the potential to impact over 1.2 million residents. I asked Barbara Anthony about the current state of affairs in Massachusetts and the data security threats she sees on the horizon.

What factors are taken into consideration when deciding whether to fine an organization? How are the fines or penalties determined?
Under the state consumer protection law, Chapter 93A, the Attorney General of the Commonwealth can secure penalties of up to $5,000 per violation. This is true whether it’s a data breach or false advertising or any other violation of the state’s consumer protection act. I can’t speak for the AG’s office, but when I handled data breach cases for the FTC in the early 2000s, my office really looked at an organization’s existing security program and the way the company handled past data breaches. Of course, every aspect of the current breach would be investigated. You want to see a culture of security from the C-suite on down. Employee training is very key in the Massachusetts law because you’re only as strong as your weakest employee. If it’s a mom-and-pop business, they’re not going to be expected to have the same kind of sophisticated technology as a business like Target. It’s not going to be a one-size-fits-all determination.

Does Massachusetts treat all PII data elements (email address, social security number, health records, credit card numbers) equally or is there a scale of “data sensitivity” that’s used in investigations?
Under the state’s Data Security Law, Chapter 93H, personal information is defined as a resident’s first name or first initial and last name in combination with any of the following data elements: Social Security number, driver’s license number or state-issued identification card number, financial account number, or credit or debit card number. Health records are protected by the Health Insurance Portability and Accountability Act (HIPAA), which is a federal law. The FTC or the state AG can investigate and pursue breaches of other information, such as email, under theories of deception or unfairness under state or federal law.

On occasion, we’ll read about breached entities that decide to notify victims on the late side (months after the fact, for instance), if at all. Do you foresee a looming problem with notification compliance?
In some cases law enforcement such as the FBI or Secret Service might ask the company to hold off on notification for a while until they can run forensics. Sometimes organizations are afraid of legal fallout or reputational risk or financial blemishes, but the bottom line is this: You can’t keep it a secret and it will be revealed sooner or later. The companies that come through the incidents the best are the ones who cooperate with authorities and provide notification. The ones that fare the worst are the ones who try to hide the truth. In most cases, there will be a few weeks’ delay. I would encourage companies to take action as soon as possible. And remember, under Massachusetts law, the AG, my office, and consumers are supposed to be notified within a reasonable period of time.

Are there any business sectors or organizations that appear to be more prepared to deal with these imminent events?
The banking industry as a whole is more familiar and comfortable with the concept of data security as they have been held to federal law since the early 2000s. The same is true in healthcare with HIPAA. You still see breaches, of course, but these are the organizations that are taking security seriously and do a good job of reporting breaches when they happen.

We are seeing more breaches from educational institutions, and while the numbers of notifications are small, they are up 600 percent in this sector from the previous year and could potentially affect tens of thousands of residents. We think this should be a wake-up call for educational institutions because they are as vulnerable as anyone else and they are also held to the same regulations. There’s a treasure trove of data there, but there’s not the same level of vigilance.