In the wake of California's pioneering 2003 Database Protection Act ("the Act"), over 30 other states have now adopted laws requiring consumer notification when personal information is disclosed or jeopardized. These laws have been coincident with a startling number of security violations over the past 18 months. According to Privacy Rights Clearinghouse, over 88 million Americans have had their personal information compromised during that period. As more state laws come on line, the major fines and lawsuits that will make restitution for past security breaches - and discourage future ones - may just be beginning.
The California Law
The California Act (codified as Civil Code A 1798.82) requires companies storing unencrypted personal information to notify individuals of a security breach. Under the Act, personal information is defined as an individual's last name and first name (or first initial) combined with that person's social security number, driver's license number, or credit card, debit card, or financial account number (along with any applicable password needed to access it). The definition exempts information that can be lawfully gleaned from public records. Security breach, in turn, is defined as an "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."
The Act applies to any piece of information regarding a California resident regardless of whether the information was stored within the state. Notification is due to any California resident whose personal information was, or was reasonably believed to have been, acquired by an unauthorized person. Notification may be accomplished either in writing or electronically. In cases where notification may be especially burdensome - i.e. , the class to be notified exceeds 500,000 individuals or the cost of conventional notice exceeds $250,000 - substitute notice may be provided by e-mail, provided conspicuous notice is also placed on the organization's website and in major statewide media. All notice must be made "without unreasonable delay," although an ongoing criminal investigation may provide grounds for a reasonable delay.
Notably, the Act allows for private actions - including class actions - if companies fail to make a reasonably timely notification of a breach.
Other State Enactments
At the time of this writing, 26 states have active laws requiring security breach notification - and by January 1, 2007, at least 7 more states (Arizona, Colorado, Hawaii, Kansas, New Hampshire, Utah, and Vermont) will have laws in effect. These states join a contingent that already includes Delaware, Florida, Illinois, Nevada, New York, and Texas. Over the past year, states that have considered - and still may pass - security breach notification laws include Maryland, Massachusetts, Michigan, Missouri, Oregon, South Carolina, Virginia, and West Virginia.
Though most state statutes are modeled on the pioneer California framework, they can differ significantly. Certain states ( e.g., Georgia, Maine) only require notification for limited categories of organizations, such as data brokers, information brokers, and state agencies; some ( e.g., Arizona, Colorado) allow notification to be made by telephone; some states ( e.g., Nevada) require information to be encrypted if sent outside of a business' secure system; some ( e.g., Arkansas, Tennessee) regulate the manner of data destruction; some states ( e.g., Connecticut, New Jersey) merely require information to have been accessed to trigger notification, while others ( e.g., Ohio, Rhode Island) require a likelihood of ID theft or fraud; and though California and many states ( e.g., Delaware, Florida) allow for private rights of action, others deny them altogether ( e.g., Illinois, New York).
The definition of personal information also varies from state to state. Though most states have adopted California's construction that personal information includes account passwords only when matched with account numbers, some states ( e.g., Georgia, North Carolina) consider a breach to have occurred if nothing more than an account password is disclosed in conjunction with an individual's name - whether or not the account number or location have been similarly compromised. And while most states follow the California prototype in considering only access to unencrypted information to constitute breach, others ( e.g., New York, Pennsylvania) have begun requiring notification if encrypted information and the key to the encryption are both compromised.
Federal Security Breach Notification Legislation
Despite the abundance of state enactments, Congress has yet to pass similar legislation that bears squarely on the issue. Various federal laws touch on privacy issues, but without providing overarching legislation. For example, the 1974 federal Privacy Act restricts disclosures of personal information, but only by government agencies. More recently, the Federal Trade Commission ("FTC") released Fair Information Practice Principles that stress notice, choice, access, integrity, and enforcement; failure to comply with those principles exposes businesses to FTC penalties. Since 1999 the Gramm-Leach-Bliley ("GLB") Act has required financial institutions to develop and disseminate privacy policies, limit the transmission and usage of nonpublic personal information, and give clients the right to opt-out of certain information exchanges.
As discussed in the following section, the lack of comprehensive federal legislation on security breach notification has not prevented the FTC from increasing its activity in investigating and penalizing security breaches under existing federal law, such as the FTC Act. Congress may also provide the FTC with even more ammunition, if Hillary Clinton's recent proposal makes its way into law.1
Major Breaches In The News
If states are becoming more savvy in how and when they mandate disclosure, businesses and even government agencies have not kept pace in realizing and confronting the numerous risks of breach.
In February 2005, ChoicePoint - a publicly traded company which collects and sells data for a wide range of clients - acknowledged a breach that exposed the personal information of more than 163,000 individuals and resulted in over 800 cases of identity theft. According to the FTC, ChoicePoint jeopardized information through insufficient security procedures, allowing a theft ring to acquire personal information by posing as potential clients. The FTC charged that ChoicePoint violated the FTC Act and the Fair Credit Reporting Act. In January 2006, ChoicePoint agreed to a settlement with the FTC that included a $10 million fine (the largest in FTC history) and the establishment of a $5 million restitution fund.
Just four months after ChoicePoint initially announced its security failure, MasterCard reported that its business partner CardSystems Solutions had compromised as many as 40 million card accounts through hacked, unencrypted information. After the announcement, CardSystems foundered and was subsequently bought out in December 2005. CardSystems' successor, Pay By Touch, reached a settlement with the FTC prescribing preventative measures.
Private sector breaches, however, only comprise one piece of the larger picture. In May 2006, the Department of Veterans Affairs revealed that a laptop stolen from an employee's home compromised the records of 26.5 million veterans, including 2.2 million active-duty military personnel. A class action suit subsequently filed in D.C. District Court invokes the Administrative Procedures Act as well as the 1974 federal Privacy Act, under which it seeks $1,000 per victim - for a potential total of $26.5 billion in damages. This violation followed a February 2006 breach by the Department of Agriculture (affecting 350,000 Americans) and a May 2005 Department of Justice breach (affecting 80,000).
In an unexpected turn, the FTC announced in June 2006 that it had suffered a security breach of its own, after two laptops were stolen from a locked vehicle. Amongst numerous government files were the personal information of 110 individuals, whom the FTC promptly notified.
What You Can Do To Protect Your Company Or Organization
Encrypt your information. Many states continue to treat encryption as a panacea, requiring disclosure only of breaches involving unencrypted information. Nevertheless, few organizations fully encrypt all of their information; most leave backup and stored information unencrypted. The up-front expense of encryption can prevent exposure and litigation in the end. Also critical is protecting encryption codes or keys - particularly in those states where access to both encrypted information and an encryption key constitute breach.
Know the applicable law. It must be stressed that while most state legislation borrows heavily from California's model, not all enactments are alike. Distinctions range from the subtle to the not-so-subtle and can encompass the type of parties implicated, information included, and notification necessary. Given that so many statutes have taken or will take effect within a year, it's likely insufficient merely to look at what competitors are doing. Learn the law for yourselves - and take note where, as in California, revisions may be contemplated or enacted.
Develop and disseminate a privacy policy. The GLB Act - as well as state measures like the California Online Privacy Protection Act (codified as Cal. Bus. & Prof. Code 22575-22579) - require designing and disseminating privacy policies. Creating a successful privacy policy can be as much a matter of effective management as of compliance, though, since a thorough privacy policy that addresses security and notification may receive much-welcome deference. For example, in Nevada, if a disseminated privacy policy contains notification provisions that fit within the requirements of GLB, a company may follow those provisions and thereby satisfy all state requirements in the event of breach (though a consumer reporting agency must be notified if the breach affects more than 1,000 persons).
Comply with your privacy policy. Tailoring a policy to your organizational structure and needs also increases chances of compliance. While many organizations have hastily thrown together policies based on basic boilerplate language, not enough have made sure employees understand all the terms and the importance of compliance. Too many security breaches have been the result of a worker losing a disk or laptop that should never have been taken out of the office had the applicable privacy policy (or related company security policy) been followed.
Know and comply with document retention regulations. Destroying personal information when it is no longer necessary can lessen the risk of improper disclosure. Keep in mind, though, that Sarbanes-Oxley and various state laws impose requirements with respect to the retention, maintenance, and destruction of certain records and should be consulted prior to destruction of personal information.
Avoid handling personal information when possible. In many cases, it may be worth considering whether you can decrease potential liability by outsourcing certain functions to vendors with state-of-the-art electronic security (and who may be willing to indemnify you).
Talk to your insurance broker. Your current policies may not provide any insurance protection in the event of a security breach. If that is the case, you would be well advised to obtain applicable coverage given the ever-increasing scope of potential liabilities in this area.
Be prepared for worst case scenarios. As always, the best laid plans oft go awry. Be prepared for the possibility of a breach and have measures in place to alert those compromised should a breach occur. Be prepared to conduct an investigation and to address the root of the security failure. Nondisclosure of breach invites the most severe damage to both reputation and the bottom line.1In June 2006, Sen. Clinton introduced the most ambitious Congressional initiative yet on the topic - the PROTECT ("Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006") Act. Among the bill's far-reaching provisions are a national requirement for immediate security breach notification, the issuing of a "Privacy Bill of Rights," and the creation of a national privacy czar in the Office of Management and Budget.
Published August 1, 2006.