These three states are requiring more specific disclosure in the event of a breach including the following examples:
Name and contact info of the reporting business
List of the types of personal info reasonably believed to have been the subject of the breach
Date or estimated date range of the breach
General description of the breach incident
Toll-free telephone numbers of the major credit reporting agencies
Notify persons affected in other states even if their state has no notification law (TX)
State Movements: Encryption Laws & Payment Card Laws
States like Massachusetts and Nevada have enacted encryption laws, providing a clear standard for “reasonable and adequate”
States like Washington and Minnesota have enacted payment card laws
Minnesota law states that any company that is breached and is found to have been storing "prohibited" PCI DSS (Payment Card Industry Data Security Standard) data (e.g., magnetic stripe data, CVV codes, track data, etc.) is required to reimburse banks and other entities for the costs associated with blocking and reissuing cards. This law also opens up these companies to private lawsuits
Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store or maintain “sensitive personal information” about its residents
This law "added teeth" that many security breach notification laws lack by specifically stating security requirements (i.e., encryption) that organizations must meet to ensure their security measures are "reasonable and adequate"
Management Discussion & Analysis: "Registrants should address cyber-security risks and cyber-incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition."
Description of Business: "If one or more cyber-incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's 'Description of Business.'"
Legal Proceedings: "If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber-incident, the registrant may need to disclose information regarding this litigation in its 'Legal Proceedings' disclosure."
Financial Statement Disclosures: "Cyber-security risks and cyber-incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident."
Disclosure Controls and Procedures: "Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures."
Companies "should consider" customer incentives to maintain relationships after a cyber-attack (e.g., enhanced credit monitoring; after the PlayStation Network outage*, Sony issued identity theft insurance policies in the amount of $1 million USD per user through Clear ID)
*77 million accounts were stolen
"More than 58% of U.S. mobile users worried that their data can be easily accessed by others" - Alan Chapell, Co-chair of the MMA Privacy Committee
Recent FTC actions
Class action lawsuits
Goal is to encourage self-regulation of mobile app data processing and privacy
What information is obtained
What information is automatically collected
Including real time “check in” data
Do third parties have access to the information
Does the app work with third parties to deliver targeted ads
Opt out rights
How long is information retained
Rights of children
*MMA is seeking public comment on the guidance through Nov. 18, 2011