In the wake of accusations against the Chinese military by the Obama Administration related to cyber hacking against U.S. entities, Florida Governor Rick Scott signed into law SB 1524, one of America’s most stringent cyber security state policies, which revamps the obligations Florida businesses have related to data breaches involving unauthorized access to personal information. This law has now been in effect since July 1, 2014. Previously, “breach” meant unlawful as well as unauthorized. Now, unauthorized access alone is sufficient. The statute also requires a notification to the Attorney General for breaches, which is a unique change.
Senate Bill 1524, dubbed “The Florida Information Protection Act of 2014,” dictates that all companies that store an individual’s first name or first initial and last name in conjunction with the following data elements are subject to this new law:
- Social Security Number
- Driver’s License or Identification Card Number
- Passport Number
- Military Identification Number
- Any similar number issued on a government document to verify identity
- A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
- A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account
(Legal language credit: Baker Hostetler)
The act not only requires companies that meet these criteria to take reasonable measures to protect and secure data containing personal information in electronic form, but also mandates that in the event of a data breach, the affected companies provide computer forensics reports, current incident response policies and procedures, and notification of the breach to all individuals affected. In addition, businesses may at any time be asked to provide the specific steps taken to contain and eradicate the threat actors. Companies that are unable to satisfy these obligations within a 180-day window following the breach are subject to penalties of up to $500,000, not to mention potential public backlash surrounding the disclosure of the incident.
Too often, companies suffer substantial, avoidable costs because they fail to take a proactive approach to setting up a forensics practice before an attack is underway. In these scenarios, accurate reporting to leadership is typically delayed five to seven days at a minimum. Key evidence lost during the time it takes to initialize an investigation from scratch may prolong the length of remediation efforts by weeks—or in some cases months—which can easily amount to tens of thousands of dollars in additional consulting fees toward forensics professionals.
The 2014 Verizon Data Breach Investigations Report illustrates some alarming statistics regarding trends in the cyber espionage game. Not only is the frequency of attacks up 300 percent over the previous year, but more than 62 percent of all cyber espionage attacks go undetected for months, with some even going years under the radar. Even worse is that the data supports the notion that companies are ill equipped to identify and respond to these data breaches, as only 15 percent were detected by internal resources.
It is time for Florida businesses to rethink their current detection and response strategies and capabilities related to sophisticated, remote hackers looking to infiltrate their systems. Only through continuous network and host-based forensic analysis will companies truly be able to satisfy legal obligations and actually catch malicious threat actors before financial and reputational damage can be done.
About the author: Chip Henderson joined Pondurance in November 2013 as a senior security consultant. He has eight years of experience in multiple infosec disciplines, including digital forensics/incident response, as well as enterprise pen-testing. Chip currently resides in St. Petersburg, Florida, where he works from the local Pondurance office and enjoys fishing on the bay.