Entries tagged with "breach notification"
Privacy and Data Security Act of 2007

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft. The state provisions are not uniform, and are often difficult to reconcile. Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.
After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform. One proposed bill, the Personal Data Privacy and Security Act of 2007, introduced by Senators Leahy and Specter, would require entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information.
Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to face the disparate requirements of the numerous state breach notification laws. Because the penalties for non-compliance can be severe and the costs of over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

Tags: Privacy Notice breach notification data breach data privacy data security breach privacy
State Class Action Litigation Related to Privacy Breaches

Although the Privacy Act does not apply to private businesses, entities whose data has been breached, like Ernst & Young and General Electric, must ensure that they comply with the relevant state security breach notification statutes. Thirty-four states already have security breach notification laws in effect. If a company suspects that its data has been breached, it is critical for the company to determine which state breach notification laws apply to its data breach, and it must comply with the specific terms of each of those notification laws.
In addition to breach notification laws, companies that experience a data loss must also be concerned that the affected individuals will file a civil suit seeking redress for their damages. For instance, a group of plaintiffs filed a class-action lawsuit against Providence Health Systems – Oregon for negligent loss and disclosure of protected health information and for violation of Oregon’s Unlawful Trade Practices Act.
In the Providence case, a Providence employee left the office with backup tapes and disks containing more than 365,000 patient records. The employee left the media in a car, from which they were stolen. When the patients asked Providence to protect them from possible identity theft by providing credit monitoring, Providence refused and suggested that the patients take steps to protect themselves.
Because the information stolen was medical information, plaintiffs claimed that Providence violated the Oregon statute requiring protection of medical information. Plaintiffs further sought damages under the Unlawful Trade Practices Act because Providence represented that it would keep all personal information confidential when it sold medical services and products to the patients.
Tags: Privacy Notice breach notification privacy
Using Insurance Coverage to Mitigate Risks Associated with Data Breaches

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to address the risks associated with technology, including the costs of data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs of investigating a breach to determine whether state laws require notification. Additionally, the coverage will help pay the costs of meeting breach notification requirements.
The new policies include coverage for the following claims:
- Failure of network security;
- Wrongful disclosure of private or confidential information;
- Failure to protect confidential or private information; and
- Violations of federal, state, or local privacy statutes.
Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also help cover the cost of repairing damage to the company's reputation following a security breach, providing crisis management services and reimbursement for public relations expenses.
Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG's Corporate Identity Protection offers a product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions requiring the insurer to pay for an attorney to defend the company if it experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, such as credit monitoring and identity theft education, for the individuals affected by the security breach.
Tags: Security Breach breach notification data breach data breach notification data security breach
More Food for Thought on Data Breach Notification Laws

A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report (available here) is helpfully summarized in its title: "Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown." The GAO found a distressingly high number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies from 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006. However, despite such figures, the number of known cases of identity theft resulting from a data breach has been relatively low. As an example, the report states:
“…our review of the 24 largest breaches that appeared in the news media from January 2000 through June 2005 found that 3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination.”
However, the report also reminds its audience of the challenge involved in measuring the effects of data breach on victims, since those victims often are unaware that the security of their personally-identifiable information has been compromised and since many criminally-inclined recipients of lost or stolen data often wait for a year or more before attempting to make any use of the information.
The report makes no official recommendations, though it does emphasize the need for Congress, in considering the various potential federal data breach notification bills before it, to weigh the benefit of any such legislation against the cost of compliance, both in terms of the financial impact to business as well as the risk that consumers might begin to disregard breach notices if they become too numerous.
None of this should sound terribly shocking to anyone who follows this issue, although the release of the GAO report likely will make lawmakers feel more justified in taking even more time to make a decision with regard to a federal data breach law. That may be a good thing, to the extent that further deliberations might help Congress to formulate a risk-based approach that is not unnecessarily onerous for the businesses that would have to comply with the statute. However, the longer the issue is left unresolved, the longer those same businesses will be left scratching their heads trying to follow the patchwork quilt of state data breach laws or risking their necks being early adopters of umbrella rules or perceived trends in best practices.
Tags: data breach data breach notification
State Data Breach Notification Legislative Update

In the past year, five states (Alaska, Iowa, South Carolina, Virginia, and West Virginia) have enacted data breach notification laws, bringing the total to 44 states, or 45 U.S. jurisdictions counting Washington, D.C. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.
For the most part, all of the new laws follow what is now a fairly familiar pattern for data breach notification requirements. All require that notice of a breach be provided without “unreasonable delay,” but notice may be delayed to accommodate any pending law enforcement investigations. Notice also is not required under any of the new laws when the data that was accessed was encrypted. All of the laws provide for civil penalties for failure to comply.
However, there are a couple of noteworthy differences. West Virginia and Iowa join a minority of states with laws that do not allow for private causes of action for failure to comply with the notification requirements. In addition, the South Carolina, Virginia and West Virginia enactments contain no express exemption for immaterial breaches, though breaches requiring notice generally are defined to include only those where there is a reasonable risk of harm to the person whose data was accessed.
As always, businesses handling personal information should remain vigilant regarding any new or revised provisions in the data breach notification laws of the jurisdictions in which they conduct business. There have been no major new developments regarding the enactment of a national data breach notification law, and, at this point, with so many state laws on the books, it is possible that a federal law either will, if passed, provide only supplementary requirements in addition to the state laws or will fail to pass altogether. The longer the state regimes remain in place, the less likely complete federal preemption on the issue becomes.
Therefore, for the foreseeable future, businesses will need to maintain up-to-date notification procedures that comply with the laws of each state where they operate. It remains advisable to consult with counsel in developing procedures that are consistent with business goals and objectives.

Tags: breach notification data breach