During the first Laptop Safety Seminar we gave in Indianapolis on April 23, I was surprised at how many questions we got from the audience about basic wireless laptop security. Of course, when my co-presenter Kim Brand of sponsor FileEngine demonstrated how easy it is to hack a Windows computer over the type of Wi-Fi service provided by coffee houses and hotels, the questions started coming even faster.
But we'll address that next week, because the timely news is the changes in data breach laws coming in states all over the country. Since about half of all data breaches start with a lost or otherwise insecure laptop, let me quote Kevin Erdman of Baker & Daniels, the host of the event (and second largest law firm in Indiana).
“The Indiana statute amendment eliminating the laptop password exception to the data breach law liabilities goes into effect July first,” said Erdman. Believe it or not, many of the early laws drafted by states include essentially a waiver for those laptops protected by the Windows startup password. How in the world legislators talked to security experts about data breaches yet didn't learn that the Windows sign-on password is as protective as a bank vault with a screen door, I have no idea.
Good news? Using a Windows “password” no longer counts as a security measure that shows you actually tried to be secure. OK, the exception still applies until July first, but after that the bizarre loophole is closed. Erdman didn't say how many other states have a similar loophole, but since most states base their laws on existing laws in other states, I bet quite a few have this gift to hackers in place.
And why are states passing these laws? Because there is no general federal statute in place. Erdman said, “there will probably be one before long, but not right now.”
The lack of federal guidelines makes for some messy cleanup after a breach. Currently, companies must follow the process of notification about losing a customer's information based on the laws of the state where the customer resides. That means a t-shirt shop in Alaska must figure out the rules for Arkansas if a resident ordered an “I heart Anchorage” t-shirt online. So the t-shirt shop may be up to their knees in legal fees just finding out what they have to do in various states after a data breach, before they start paying to actually fix the problem.
Indiana defines “personal information” as a person's name and one or more other identifiers. Those include account number, Social Security Number (a big deal for all breaches), and even their address when included with other biographical information. For instance, Texas asks for a driver's license number when you write a check. Losing a list of names, addresses, and driver's license numbers would certainly be considered a breach.
Since a company may have to notify fifty different states, it should prepare a game plan for a data breach before something happens. Far too often, according to Erdman, “clients come asking for help about three days after the breach occurred.” Since the laws uniformly demand that individuals be notified “quickly,” getting a late start can leave your company open to even more pain.