As of this writing, The U.S. National Data Law is working its way through the U.S. Senate. No doubt details of the bill will change before it becomes finalized. And there’s a chance the bill won’t become law, although all the bets are that it will. So why aren’t we waiting until it’s final to start talking about it? Because this law has a strict definition for “sensitive” data—and criminal penalties—for not properly dealing with it.
First: the bill. The U.S. National Data Law is also known as the Personal Data Privacy and Security Act of 2007, PDPSA, S. 495, and the Identity Theft bill. It was introduced as “A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.” The bill includes many provisions about newly required programs and processes, which we will discuss in future columns. What deserves your attention now are a pair of requirements, a consequence, and a definition.
The requirements: This bill requires data-related risk assessments. Organizations will be required to “identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information or systems containing sensitive personally identifiable information.” They’ll also be required to report security breaches.
The consequence: According to this bill, any person with knowledge of a reportable security breach who “intentionally and willfully conceals the fact of such security breach and which breach causes economic damage to one or more persons, shall be fined under this title or imprisoned not more than five years, or both.”
Yes, this means exactly what it sounds like. If a person knows that sensitive data was inappropriately accessed, but hides that information, the person could go to prison. Could this mean you? At the time of this writing, the bill doesn’t specify which roles within an organization would be subject to this “must tell” provision. I’ll keep an eye on things and provide an update when it becomes more clear.
The definition: The bill is all about protecting ‘‘sensitive personally identifiable information.’’ This is specifically defined in the bill, and you may be surprised by how strict the definition is.
The term ‘‘sensitive personally identifiable information’’ means any information or compilation of information, in electronic or digital form that includes:
- An individual’s first and last name or first initial and last name in combination with any one of the following data elements: a non-truncated Social Security number, driver’s license number, passport number, or alien registration number
- Any two of the following: home address or telephone number; mother’s maiden name, if identified as such; or month, day, and year of birth
- Unique biometric data such as a fingerprint, voiceprint, a retina or iris image, or any other unique physical representation
- A unique account identifier, electronic identification number, user name, or routing code in combination with any associated security code, access code, or password that’s required for an individual to obtain money, goods, services, or any other thing of value
- A financial account number or credit or debit card number in combination with any security code, access code, or password that’s required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.
To summarize, the legislation defines personal information as a combination of a person’s name or financial information with any additional unique identifier. So any of the following—if improperly accessed or released—would constitute a security breach:
- Name plus Social Security number
- Name plus driver’s license number
- Name plus telephone number plus birthdate
- Name plus address plus birthdate
- Financial account number plus password.
So you’d better get ready. The first thing your management team is going to ask is the location of these types of information. Do you know the answer? Does anyone? If not, the bad news is that you have some work to do. The good news is that you have a chance to get a head start on efforts to comply with your legal requirements. Z