In Part 1: A Guide to Per State Data Breach Response we discussed the importance of understanding what classes of data you have in your control.
We stress this point because it is easy to get lost in the different numeric thresholds in each state's data breach disclosure law. What is often overlooked is that, because states define Personally Identifiable Information (PII) differently, what counts as a data breach in North Dakota might not be a data breach in Florida.
Typically “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
It is also important to remember that these data points are combinatorial. For example, emailing a spreadsheet of Social Security Numbers without the associated first and last names would, in most states, not be enough to trigger a data breach disclosure.
All of this results in the need to understand exactly what information was lost in a breach.
Common PII Definitions
Almost all states consider a mixture of:
- First Name or Last Name
- Social Security Number
- State ID (Driver’s License, Passport) – Given that these are per-state laws, they are often keenly interested in the disclosure of Driver’s License numbers, Passport information, etc.
- Financial Account Information (account code, passcode, password). Typically this is summarized as “any ability to access a financial account” and encompasses anything that might be used to access a bank, credit card, retirement, investment or savings account. The definition is broad enough to include things like cryptocurrency holdings, as they are clearly financial in nature.
With that as the baseline we can start to consider some of the outlying criteria. While these may or may not affect you today, the conventional wisdom is that a comprehensive federal data breach disclosure law will be passed in the not-too-distant future, most likely as a roll-up of the different state disclosure laws.
Given this, it is worth treating the criteria below as a roadmap of the data you need to preferentially protect, manage, secure and dispose of so that your organization stays within the law.
Usernames and Passwords
In large part, mass data breaches are dangerous because consumers often reuse credentials between accounts. It is not uncommon for someone to use the same email address and password for, say, their social network, their bank and their preferred shopping site.
This means that a breach of any one of those systems effectively compromises them all.
With that in mind, I was pleasantly surprised to find that a handful of states require notification if any kind of username/password pair is leaked from a service, since it is quite likely that those passwords would also unlock more sensitive financial or medical accounts.
These statutes are not widely known and potentially affect thousands of tiny one-off SaaS services, forums, blogs, companies and other websites.
It is a big change from the mindset of “We don’t have any valuable information, so it’s not a big deal if we’re hacked.”
Someone who runs a moderately popular WordPress blog with comments enabled is likely not thinking “I need to check Georgia’s data breach notification law” when their site gets hacked.
Biometrics
Biometrics are increasingly popular as an additional authentication factor or as a user-friendly way of securing access. Unsurprisingly, then, unauthorized access to biometric data is considered a leak of personally identifiable information.
Covered data includes fingerprints, retina or iris scans, or any other “unique physical representation” (so presumably facial recognition, palm scans, gait analysis and the like would all fall under this category).
The statutes themselves do not get into the fine detail of what constitutes biometric storage. They do not differentiate between storing a high-definition image of a thumbprint and a system that takes sample points from the thumbprint and stores only a hash of those values. Unauthorized disclosure of either would be considered a data breach.
Genetic Information
Currently, only Wisconsin considers a disclosure of your personal genetic makeup to be “Personally Identifying Information”.
Electronic Signatures
Somewhat maddeningly, the definitions of what constitutes an electronic signature are quite vague, but it would be fairly safe to assume that they include PKI keys used as a signing mechanism.
To me this is interesting because there are many cases where a web host might have thousands of vulnerable sites in standalone VPS silos. One could imagine a PHP bug that allowed their contents to be listed, which would then trigger the disclosure rules.
Medical Information
Generally defined as “any electronic or physical information about treatment, diagnosis or history”, which extends far beyond a formal medical record of the kind a hospital keeps.
Consider something like a consent form for a trampoline park (not pregnant, no history of heart issues) or a checkbox in a form that indicates that someone has a peanut allergy.
Date of Birth
Date of Birth is often used as a security question, and its inclusion as a PII indicator seems forward-thinking.
Employee ID Number
An identification number assigned to the individual by the individual’s employer, in combination with any required security code, access code, or password.
Mother’s Maiden Name
Long used as the answer to security questions, its disclosure could potentially be used in account recovery attacks.
Health Insurance Information
This is distinct from actual medical information and covers purely administrative items such as who is providing coverage and the identification number for the account.
Tax Information
I’m honestly a bit surprised that tax information isn’t more often considered a reportable data breach event, as it’s so often used as a means of identification.
We hope this underscores the importance of classifying the data on your network to better prepare for a potential data breach.
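As an added example (not code from the original post), here is a small Python rule evaluator that applies the combinatorial logic described above to the column headers of a file: the baseline “name plus one of SSN / state ID / financial account access” rule, the exclusion of lawfully public government-record data, and, in a second profile, the outlier elements (a username/password pair on its own, biometric, genetic and medical data). The jurisdiction profiles, the column-to-class mapping and the sample spreadsheets are constructed for illustration and do not transcribe any state’s statute; a real classification run should encode counsel’s reading of the laws that apply to you.

```python
"""Added example, not code from the original post: a small evaluator for the
combinatorial PII rules the post describes.

Baseline rule (as the post states it): a first or last name combined with at
least one of SSN, state ID, or financial account access data is notifiable;
lawfully public government-record data never counts.

The EXTENDED_EXAMPLE profile, COLUMN_MAP and sample spreadsheets below are
constructed for illustration and do not transcribe any real state's statute.
"""
from dataclasses import dataclass

# Data-element classes that a record, file or database dump may contain.
NAME = "name"
SSN = "ssn"
STATE_ID = "state_id"            # driver's license, passport, etc.
FINANCIAL = "financial_access"   # anything granting access to a financial account
USERNAME = "username"
PASSWORD = "password"            # cleartext or hashed; both count as leaked
CREDENTIALS = "credentials"      # derived: username and password leaked together
BIOMETRIC = "biometric"
GENETIC = "genetic"
MEDICAL = "medical"
PUBLIC = "public_record"         # lawfully available government-record data


@dataclass(frozen=True)
class JurisdictionProfile:
    """Which element classes trigger notification, and whether they need a name."""
    name: str
    name_linked: frozenset   # notifiable only when a NAME is also present
    standalone: frozenset    # notifiable on their own


# Baseline shared by almost all states, per the post.
BASELINE = JurisdictionProfile(
    name="baseline",
    name_linked=frozenset({SSN, STATE_ID, FINANCIAL}),
    standalone=frozenset(),
)

# Hypothetical profile for a jurisdiction with the outlier criteria the post
# discusses: credentials notifiable on their own, plus biometric, genetic and
# medical data linked to a name. Constructed; not any real state's law.
EXTENDED_EXAMPLE = JurisdictionProfile(
    name="extended-example",
    name_linked=frozenset({SSN, STATE_ID, FINANCIAL, BIOMETRIC, GENETIC, MEDICAL}),
    standalone=frozenset({CREDENTIALS}),
)


def notifiable_elements(leaked, profile):
    """Return the element classes that make `leaked` notifiable under `profile`.

    An empty set means the combination does not trigger a disclosure.
    """
    present = set(leaked) - {PUBLIC}           # public-record data never counts
    triggered = present & profile.standalone   # e.g. a credential-only leak
    if NAME in present:                        # name-linked elements need a name
        triggered |= present & profile.name_linked
    return triggered


def is_notifiable(leaked, profile):
    return bool(notifiable_elements(leaked, profile))


def classify_columns(columns, column_map):
    """Map spreadsheet/table column headers to element classes.

    Columns missing from `column_map` are ignored, so an unmapped column is a
    classification gap to fix in the map, not evidence of safety.
    """
    classes = {column_map[c] for c in columns if c in column_map}
    # A login credential is only a credential when both halves leak together.
    if USERNAME in classes and PASSWORD in classes:
        classes.add(CREDENTIALS)
    return classes


# Constructed column-to-class mapping for the sample spreadsheets below.
COLUMN_MAP = {
    "first_name": NAME,
    "last_name": NAME,
    "ssn": SSN,
    "drivers_license": STATE_ID,
    "card_number": FINANCIAL,
    "username": USERNAME,
    "password_hash": PASSWORD,
    "fingerprint_template": BIOMETRIC,
    "city": PUBLIC,
}


def assess_file(columns, profiles=(BASELINE, EXTENDED_EXAMPLE)):
    """Classify a file's columns and report the triggering elements per profile."""
    leaked = classify_columns(columns, COLUMN_MAP)
    return {p.name: notifiable_elements(leaked, p) for p in profiles}


if __name__ == "__main__":
    # Constructed sample files: the SSN-only spreadsheet from the post, a
    # comment-system export with logins, and an HR export with a name and SSN.
    samples = {
        "ssn_export.csv": ["ssn", "city"],
        "blog_users.csv": ["username", "password_hash"],
        "hr_export.csv": ["first_name", "last_name", "ssn", "card_number"],
    }
    for fname, cols in samples.items():
        print(fname, assess_file(cols))
```

The SSN-only spreadsheet triggers nothing under either profile, which matches the post’s point that a list of numbers without names is usually not enough; the blog’s user export triggers only under the extended profile, which is the “we have nothing valuable” case the post warns about; and the HR export triggers under the baseline on both the SSN and the card number. Separating the profile (what the law says) from the column map (what your data actually contains) is the part worth keeping: the map is the data-classification inventory, and an unmapped column is a gap to close rather than a reason to assume a file is harmless.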