What do businesses need to do to comply with privacy and data security laws? The first place to look is to relevant statutes. If you store or process the personal information of Massachusetts residents, then you will at least be subject to the Massachusetts Data Breach Notification Statute and related security regulations. These are important guides that require certain operational activities, such as maintaining a written information security program, or WISP, an often-overlooked requirement that demands a minimally-robust set of security practices.
But statutes and regulations only provide part of the story. In the absence of a comprehensive federal privacy law (despite repeated, and quixotic, Congressional efforts), agencies charged with enforcing against consumer protection violations have used their broad authority to protect individual personal information, especially following a breach. The most important of these agencies is the Federal Trade Commission; the FTC’s work in this regard has been so extensive that legal scholarship has been dedicated to helpfully illuminating what scholars Daniel Solove and Woodrow Hartzog have called the “common law of privacy.” This “common law” is essentially guidance, usually in the form of settlements (consent decrees) between the agency and allegedly offending companies, outlining what companies have done to harm consumers, and what they must do to remediate. These settlements will place technical, physical, organizational, and administrative security requirements on organizations, and give the FTC the power to act as a long-term monitor of an organization’s security practices.
But the FTC is not the only sheriff in town; state attorneys general also have broad consumer protection authority, as well as enforcement authority stemming from breach notification statutes. This is true in Massachusetts, where the Commonwealth’s Attorney General recently entered into a consent judgment with Equifax (under which Equifax admitted no liability and agreed to pay $18 million) following the company’s 2017 announcement of a data breach affecting approximately 147 million individuals in the U.S., 3 million of them Massachusetts residents. These state-based settlements offer guidance to businesses in the same way that FTC settlements do, and are important sources for organizations as they consider what steps they must take to comply with privacy and data security laws.
So what useful compliance and liability mitigation lessons can we draw from the Equifax consent judgment (the text of which can be found here)? At a high level, the settlement requires the following:
- Implement a comprehensive security program. The contours of what must be contained in a WISP are already defined with some specificity under Massachusetts law, and the Commonwealth’s data breach notification statute recently changed to require that, in the event of a breach, organizations must inform state agencies whether the organization had a WISP in the first place. The Equifax settlement commits the company to a program that requires a risk assessment; the appointment of an executive or officer to oversee the program, who must report to the Board of Directors; security officers for each business unit; reasonable support for the program; training for employees who have responsibility under the program; the implementation of an incident response plan; and oversight of third-party vendors who have access to the Equifax network or who hold or store personal information on Equifax’s behalf.
- Written protocols for the processing of personal information. The protocols will follow certain principles such as data minimization (only processing what is necessary); security of information (through encryption or other controls); access controls; and reduction of storage of Social Security Numbers.
- Specific technical safeguards. These include segmenting the network (to minimize data disclosure or loss in the event of a breach and minimize the risk of access); penetration testing; access control and account management; real-time file integrity monitoring; controls against the execution or installation of unauthorized applications on the network; logging and monitoring controls; controls regarding any changes to the network; an asset inventory; digital certificates; threat management; and patch management (along with dedicated employees for these protocols).
- Specific consumer relief. Relief to consumers comes in the form of extensive and gratis identity theft prevention and credit monitoring tools.
- Third party assessment. An independent third party must assess and report periodically on the comprehensive security program.
Companies should consider what the contours of this agreement mean for their day-to-day privacy and data security compliance. I suggest four takeaways from the details in the Equifax settlement:
- WISPs matter. A lot. Companies doing business in Massachusetts (and, increasingly, in other jurisdictions such as New York) must implement and regularly maintain a written information security program. Companies face real liability risks in failing to do so. But note that this is not a “paper” requirement: it is an operational requirement that must be memorialized in writing.
- Enforcement authorities are taking an increasingly detail-oriented view toward technical and organizational security. The days of complying with data security requirements simply through encryption and anti-virus software are long gone. Enforcement authorities are increasingly sophisticated in assessing security, and expect that organizations will be diligent in assessing their risks and using industry standard security measures to mitigate those risks. Note that the Massachusetts AG, aware of its own limitations, required a third party to make the assessment and provide reports.
- Security is not merely technical. The Equifax settlement spills much ink on organizational, reporting, training, and management requirements. This is consistent with Massachusetts law, but the settlement provides detail on the extent to which multiple employees and groups must manage security. Another way of thinking about this is that privacy and data security are matters of holistic risk management, involving a number of employees, and not something to be relegated to IT.
- Consumers are paramount. The Equifax settlement takes seriously the idea of making sure that consumers are protected from identity theft, and that the organization creates a robust plan to manage and respond to the next breach. Companies need to think carefully about the speed of notification in the event of a breach (since delay can increase the possibility of identity theft), and about the ways in which they will quickly offer mitigation to consumers.
The “common law” of privacy is critically important. Consumer protection authorities like the FTC and state attorneys general offer critical guidance through their settlements, and organizations would do well to pay close attention to them.