Wednesday, September 22, 2010

I know what the law says. Or do I?

I recently attended an event where Scott Schafer, Chief of the Consumer Protection Division of the Massachusetts Attorney General’s office, reiterated the AG’s take on some aspects of MGL 93H, the Massachusetts data breach reporting law.  Specifically, Assistant AG Schafer put forward a very strict interpretation of the definition of breach in 93H, covering when you must report a breach.  The AG’s office has an interpretation of when you must report a breach that is substantially different than most people I have spoken with on the topic.

[Insert giant disclaimer here: I am not a lawyer, I am not your lawyer, this is not advice, legal or otherwise, except to advise you to contact your lawyer, etc.]

The issue revolves around breach notification when encrypted Personal Information (PI) is lost.  Here is 93H’s definition of breach:

““Breach of security”, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”

The key bit for me being:

“unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key…”

My reading of that (and that of most people I have spoken with) is reflected in the following with my emphasis added to the text by way of red font and bracketing:

“unauthorized acquisition or unauthorized use of [unencrypted data] or, [encrypted electronic data and the confidential process or key…]”

That is, losing unencrypted PI is a breach; as is losing both encrypted PI and the key to decrypt it.  I had interpreted losing encrypted data without losing the key as not meeting this definition of a breach, and thus not requiring notification.

An excerpt of 93H from Assistant AG Schafer’s slide deck shows the emphasis he placed on the phrase (underlining is as it was shown on his slide deck):

“Unauthorized acquisition or use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising…”

The exclusion of the “and the confidential process or key” clause from underlining is telling.

The AG’s office states that any loss of personal information is a breach and must be reported, whether encrypted or not.  The explanation is that we cannot be sure that the key has not been lost or otherwise compromised.  Two examples were given to support this position:

  1. A laptop containing PI was lost.  Although encrypted, the encryption key was taped to the laptop.
  2. An encrypted laptop containing PI was reported stolen by an employee, but the employee was actually using the laptop and using the PI for fraud.

In each case, the organization responsible for the protection of the data has a problem.  In the first case, it was unclear if the organization knew the key was on the laptop, or if there had been any user education, or even if there were policies prohibiting affixing the key to the encrypted device.  In the second case, a crime was committed, and the organization was one of the victims of the crime, but is that relevant to disclosure under 93H?

I want to make it clear that I am all in favor of strong consumer protection laws, and was one of the few people who consistently spoke out against weakening 201 CMR 17.00 at hearings as the OCABR debated the various changes to that regulation.  I am, however, opposed to vague or misleading language.

Do not look down here for answers; I think this will take some prosecutions and subsequent court decisions to set precedents and give us the guidance we need.

By the way, this discussion only applies to the idea of encryption providing “safe harbor” in the case of breach reporting.  Encryption is required for all portable devices containing PI; 201 CMR 17.00 is very clear on this (although “where technically feasible” provides wiggle room).