Streamlining Data Transfers for State Data Breach Notification Law Compliance

Discusses how you can achieve compliance with US state data breach notification laws using a managed file transfer server.


Overview

Most US states now have their own data breach notification law. If your business operations involve the storage and transfer of personal information, there are a couple of things you ought to know to reduce the risks and bring down the costs of compliance.


What are Data Breach Notification Laws?

Data breach notification laws are legislation that requires businesses that suffer a data breach to notify individuals whose personal information (e.g., a name combined with an SSN, driver's license or state ID number, account numbers, etc.) may have been compromised in the incident. The main purpose of these mandates is to prevent those individuals from being victimized by identity thieves and other fraudsters.

Whenever a data breach involves a large amount of personal information, there is a good chance that information could end up in hacker forums or online marketplaces on the dark web. There, it could be bought by other cyber criminals who (depending on the kind of personal data involved) may use it to obtain credit cards, steal tax refunds, file health claims, or carry out a host of other fraudulent acts.

To prevent these fraudulent acts from succeeding, US state legislators passed these breach notification laws. By compelling companies that suffer a breach to send out breach notifications, legislators hope to give affected individuals ample time to carry out countermeasures. For example, individuals could change passwords, request fraud alerts, request credit security freezes, etc.

All good, right? Well, not for everyone.

Adverse effect on businesses

Depending on the state, breach notifications are supposed to be distributed through regular mail, email, phone calls, or publication on the Internet or in major statewide media (e.g. TV, radio, newspapers). These public disclosures can be quite costly, and we're not just talking about the cost of sending out the notifications.

The nature and magnitude of these public disclosures can cause considerable damage to a company's reputation. Companies that have had to disclose data breach incidents are known to have subsequently suffered financial losses as a result of abnormal customer churn, forced discounts, footing credit monitoring and identity protection fees, hefty lawsuits, and many other consequences.

The article "Thoughts On The Rising Cost of Data Breach And How To Reduce Risk" offers a more in-depth discussion on the additional costs companies incur following a data breach disclosure.

You can't just sweep a breach under the rug either. States typically levy hefty fines on companies that are found to have neglected their breach notification responsibilities.

Absence of a federal data breach notification law

The problem is further compounded by the absence of a unifying federal data breach notification law. Because these data breach notification laws vary from state to state, companies and other covered entities that operate in multiple states, or that transact with businesses in other states, need to pay attention to the nuances or risk violating one state's provisions despite already complying with another's. This can result in additional administrative and legal consultation costs.

Encryption as safe harbor

Fortunately, most of these state data breach notification laws provide a form of safe harbor that allows businesses to avoid those costly public disclosures. That safe harbor is encryption. Encryption renders data unreadable. Even if encrypted data is stolen (assuming the encryption is strong enough and the decryption key is kept safe), the confidentiality of whatever information it contained would still be preserved.

And so, although the specific text varies, what these laws say is this: breach disclosure and notification requirements only apply to data breaches that involve unencrypted personal data. If the personal information was encrypted, then notification is not required.

Note, however, that although the vast majority do, not all states offer this kind of exemption.

States and territories offering encryption as safe harbor for data breach notification law

As far as we know, these are the US states and insular territories that have enacted legislation for data breach notification:

Disclaimer: This chart is only for illustrative purposes. Please consult your lawyers if you need to verify its accuracy.

State / territory          Offers encryption as safe harbor
Alaska                     Yes
Arizona                    Yes
Arkansas                   Yes
California                 Yes
Colorado                   Yes
Connecticut                Yes
Delaware                   Yes
Florida                    Yes
Georgia                    Yes
Hawaii                     Yes
Idaho                      Yes
Illinois                   Yes
Indiana                    Yes
Iowa                       Yes
Kansas                     Yes
Kentucky                   Yes
Louisiana                  Yes
Maine                      Yes
Maryland                   Yes
Massachusetts              Yes
Michigan                   Yes
Minnesota                  Yes
Mississippi                Yes
Missouri                   Yes
Montana                    Yes
Nebraska                   Yes
Nevada                     Yes
New Hampshire              Yes
New Jersey                 Yes
New York                   Yes
North Carolina             Yes
North Dakota               Yes
Ohio                       Yes
Oklahoma                   Yes
Oregon                     Yes
Pennsylvania               Yes
Rhode Island               Yes
South Carolina             Yes
Tennessee                  -
Texas                      Yes
Utah                       Yes
Vermont                    Yes
Virginia                   Yes
Washington                 Yes
West Virginia              Yes
Wisconsin                  Yes
Wyoming                    Yes
District of Columbia       -
Puerto Rico                Yes
Virgin Islands             Yes

A complete list of US states and territories that have enacted breach notification laws along with links to the corresponding statutes can be found here.

As you can see, an overwhelming majority of US states and territories offer exemptions for encrypted personal information. It should therefore be safe to say that, regardless of which state you're in or which state the person or organization you're transacting with is located in, strong encryption with well-managed encryption keys can help you avoid breach notifications.

The need for end to end encryption

In today's highly connected world, personal information can be in several places. Most of the time it is at rest, in a database or filesystem. There are, however, times when it is in transit, such as when it traverses LANs or WANs while being transferred from one business unit to another or from one organization to another.

Where personal information can be either at rest or in transit, the best way to secure it is to implement end-to-end encryption. End-to-end encryption keeps data encrypted before, during, and after it crosses a network. This ensures that the data is safe from unauthorized access regardless of where it is located.

End-to-end encryption is usually achieved by combining three or more solutions. One solution for providing data-at-rest encryption, another for data-in-transit encryption, and yet another for transferring the encrypted files.

How a managed file transfer server can help in achieving compliance

A managed file transfer server is an advanced B2B solution that enables the secure, efficient, and automated transfer of data.

Recommended read: Exploring Use Cases for Managed File Transfer

A good managed file transfer server like JSCAPE MFT Server already has built-in support for secure file transfer protocols like FTPS, SFTP, WebDAVs, and HTTPS, which provide data-in-transit encryption, as well as OpenPGP, which provides data-at-rest encryption. In other words, this is a single solution that readily provides end-to-end encryption.

Using a single solution can help you reduce administrative costs as well as simplify your data breach notification law compliance initiatives.
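The safe harbor described above only applies if the personal data actually was encrypted when it left your control, so a practical control on the transfer side is a pre-send gate that blocks any outbound file that is not an OpenPGP-encrypted message. The following is an added example, not JSCAPE code and not part of the original post: it assumes a hypothetical pre-transfer hook (`gate_outbound`) that the MFT server calls with the file path, and it uses only the OpenPGP packet framing from RFC 4880 (binary or ASCII-armored) with the Python standard library. It does not decrypt or verify signatures; it only checks that the file is structured as one or more key-encryption packets followed by an encrypted-data packet, so a signed-but-unencrypted file or a plain CSV is refused. The sample blobs are constructed placeholders with correct packet headers, and the armor CRC line in the sample is a dummy that is not computed or checked.

```python
"""Pre-transfer gate: only let a file leave if it is an OpenPGP-encrypted message.

Added example for a hypothetical managed-file-transfer pre-send hook (not JSCAPE
code). Checks OpenPGP packet framing per RFC 4880 with the standard library only.
"""
import base64

# OpenPGP packet tags (RFC 4880, section 4.3)
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"


def _read_packet_header(data, pos):
    """Return (tag, body_length, body_start) for the packet starting at pos.
    body_length is None for indeterminate or partial body lengths."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("offset %d is not an OpenPGP packet header" % pos)
    if ctb & 0x40:                       # new-format header
        tag = ctb & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, b1, pos + 2
        if b1 < 224:
            return tag, ((b1 - 192) << 8) + data[pos + 2] + 192, pos + 3
        if b1 == 255:
            return tag, int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
        return tag, None, pos + 2        # partial body length; stop walking here
    tag = (ctb >> 2) & 0x0F              # old-format header
    ltype = ctb & 0x03
    if ltype == 3:
        return tag, None, pos + 1        # indeterminate length
    n = (1, 2, 4)[ltype]
    return tag, int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def packet_tags(data):
    """Walk the packet sequence and return the list of tags, in order."""
    tags, pos = [], 0
    while pos < len(data):
        tag, length, body = _read_packet_header(data, pos)
        tags.append(tag)
        if length is None:
            break
        pos = body + length
        if pos > len(data):              # truncated file: fail closed
            raise ValueError("packet at offset %d runs past end of file" % body)
    return tags


def _dearmor(data):
    """Strip ASCII armor and return the binary packets (CRC24 line is ignored)."""
    lines = data.decode("ascii").splitlines()
    start = lines.index(ARMOR_BEGIN)
    body, in_body = [], False
    for line in lines[start + 1:]:
        if not in_body:                  # skip armor headers up to the blank line
            in_body = line.strip() == ""
            continue
        if line.startswith("-----END"):
            break
        if not line.startswith("="):     # "=XXXX" is the CRC24 checksum line
            body.append(line.strip())
    return base64.b64decode("".join(body))


def is_openpgp_encrypted(data):
    """True only for: one or more PKESK/SKESK packets followed by an SED/SEIPD packet."""
    try:
        if ARMOR_BEGIN.encode() in data[:512]:
            data = _dearmor(data)
        tags = packet_tags(data)
    except (ValueError, IndexError):     # not OpenPGP, truncated, or bad armor
        return False
    return (len(tags) >= 2 and tags[-1] in (SED, SEIPD)
            and all(t in (PKESK, SKESK) for t in tags[:-1]))


def gate_outbound(path):
    """Hypothetical hook body: True allows the transfer, False blocks it."""
    with open(path, "rb") as f:
        return is_openpgp_encrypted(f.read())


def _armor(binary):
    """Wrap bytes in ASCII armor for the sample below (dummy CRC, not computed)."""
    b64 = base64.b64encode(binary).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("%s\nVersion: constructed sample\n\n%s\n=AAAA\n-----END PGP MESSAGE-----\n"
            % (ARMOR_BEGIN, body)).encode("ascii")


# Constructed samples: correct packet headers with placeholder (zero) bodies.
SAMPLE_PUBKEY_ENCRYPTED = b"\x84\x0c" + bytes(12) + b"\xd2\x14" + bytes(20)  # PKESK, SEIPD
SAMPLE_SYMMETRIC = b"\xc3\x05" + bytes(5) + b"\xa4\x0a" + bytes(10)           # SKESK, SED
SAMPLE_ARMORED = _armor(SAMPLE_PUBKEY_ENCRYPTED)
SAMPLE_SIGNED_ONLY = (b"\xc4\x0d" + bytes(13) + b"\xcb\x0a" + bytes(10)
                      + b"\xc2\x08" + bytes(8))                               # one-pass sig, literal, sig
SAMPLE_PLAINTEXT = b"name,ssn\nJane Doe,000-00-0000\n"                        # constructed, not real data

if __name__ == "__main__":
    for name, blob in [("pubkey", SAMPLE_PUBKEY_ENCRYPTED), ("symmetric", SAMPLE_SYMMETRIC),
                       ("armored", SAMPLE_ARMORED), ("signed only", SAMPLE_SIGNED_ONLY),
                       ("plaintext", SAMPLE_PLAINTEXT)]:
        print("%-12s allow=%s" % (name, is_openpgp_encrypted(blob)))
```

The gate fails closed on anything it cannot parse, including a file whose last packet claims more bytes than are present, so a truncated upload is blocked rather than waved through. It is a structural check only: it tells you the file is framed as an encrypted message, not that the key or cipher used is strong, which the safe harbor also presumes.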

Get Started

JSCAPE MFT Server comes with a free, fully-functional evaluation edition. If you'd like to give it a test run, download it now.

