Photo of Elizabeth A. Bove, CIPP/US

All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude disclosure or access of encrypted PII from the definition of “breach” requiring notice. In such states, notification is required only if the accessed or disclosed PII is unencrypted. In other states, including New York, a “breach” occurs only where there is unauthorized access of both encrypted information and the necessary encryption key. N.Y. Gen. Bus. Law § 899-aa (Westlaw through L. 2019, ch. 1 to 19) (effective Mar. 28, 2013). Unauthorized access of encrypted data alone, therefore, may not necessarily be a breach that requires notice.
Continue Reading

One of the biggest risks to data security is lack of vendor (third-party) and vendor subcontractor (fourth-party) management. Companies can mitigate ever-increasing vendor data security risk through purchasing appropriate cyber insurance and implementing a vendor risk management program that includes processes for systematically conducting due diligence and contract negotiations.

If primary vendors are not properly assessed, or controls are not placed on subcontractors (i.e., “fourth parties”) that may be used to render primary vendors’ services, numerous unknown parties with varying degrees of security controls can have access to sensitive information without the companies’ knowledge. Companies can contractually address this exposure by requiring pre-approval of fourth parties, imposing security requirements that must be met by fourth parties and/or requiring security reviews of such fourth parties. Vendor and fourth-party risk can also be managed by cyber insurance policies.
Continue Reading