Since many organizations are collecting what many would consider personal, non-public, information, it is very important that they protect this information since it is considered sensitive. Almost every state has specific laws around what happens if that information is breached. Florida just passed a new law that outlines what is considered sensitive information and the thresholds regarding when and what to report to the state. The full bill can be found at http://laws.flrules.org/2014/189.
Personal Information according to the Florida law is described in summary below:
- First name or first initial with last name in combination with at least one of:
- Social Security Number
- Driver License Number
- Passport Number
- Military Number
- Financial Account Number (Including Credit or Debit Card) in combination with security code, access code ore password to account
- Any Medical History
- Health Insurance Policy Number or Subscriber ID
- Username or E-mail Address in combination with:
- Security Question and Answer
Data that is not covered are items made publicly available by the government or data that is protected using encryption, is secured or modified to be unusable. (Interestingly, they don’t define “is secured”.)
In the event more than 500 instances of this data are breached, the organization is required to provide notice to the state within 30 days of identifying the breach. There are also many details about what information needs to be provided in that notice within the text of the new law. One interesting thing that you can be required to provide is a copy of your policies in place regarding breaches. I don’t know if going with “We don’t have any” is going to be the right answer here. If you don’t have solid policies in place and ways to show you are performing them, this might be where you want to get started.
The law replaces the previous one and is broad in its declaration. It is imperative that businesses pay attention to the laws that exist for their area to ensure that they are meeting the requirements. It is bad enough to suffer a breach and all the reputation and monetary damage that it brings. You don’t want to add on the fines or other issues that may be involved by not properly reporting the breach when it occurs.
James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.