Entries tagged with "data security"
Privacy and Data Security Act of 2007

By Julie Machal-Fulks

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft. The state provisions are not uniform, and are often difficult to reconcile. Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.

After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform.  One proposed bill, the Personal Data Privacy and Security Act of 2007, proposed by Senators Leahy and Specter, requires entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information. 

Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws.  Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

Tags: Privacy Notice breach notification data breach data privacy data security breach privacy
Using Insurance Coverage to Mitigate Risks Associated with Data Breaches

By Julie Machal-Fulks

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to assist with the new risks associated with technology, including costs associated with data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs associated with investigating the breach to determine whether state laws require notification of the breach. Additionally, the insurance coverage will provide assistance to pay for the costs associated with breach notification requirements.

The new policies include coverage for the following claims:
  • Failure of network security;
  • Wrongful disclosure of private or confidential information;
  • Failure to protect confidential or private information; and
  • Violations of federal, state, or local privacy statutes.

Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also assist with the costs associated with defraying damage to the company’s reputation following a security breach. The insurance coverage will provide crisis management and reimbursement for public relations expenses.

Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG’s Corporate Identity Protection offers a unique product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions requiring the insurance company to pay for an attorney to defend the company in the unfortunate event that the company experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, like credit monitoring and identity theft education, for the individuals affected by the security breach.

Tags: Security Breach breach notification data breach data breach notification data security breach
Recent Federal Government Data Breaches

By Julie Machal-Fulks

Private businesses are not the only victims of theft relating to confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy and took a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975. Burglars stole the laptop from the employee’s home. The information stolen included names, Social Security numbers, disability ratings, spouses, and dates of birth. In June, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.

The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records.  The TSA purchased credit monitoring services for employees whose data was involved in the breach.

On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk. The FTC attorneys were working on a case, and were authorized to have the laptops. The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth for persons the FTC had investigated. The laptops did not contain any information about FTC employees or government officials. Ironically, the laptops contained sensitive personal information for defendants that had been investigated for stealing other people’s identities. The FTC offered free credit monitoring for 110 people as a result of the theft.

Tags: data breach data privacy data security breach privacy
The New Standard of Care: Data Encryption on Portable Devices

By Julie Machal-Fulks

Approximately 60 percent of PDAs and 59 percent of laptops contain unprotected sensitive or confidential information. Almost half of businesses surveyed by the Ponemon Institute indicated that they would never be able to determine the actual information that they lost. There are a number of precautions businesses and their employees should take to ensure that they have met the minimum standard of care related to protecting sensitive data contained on laptops or other mobile devices. These security measures include:

  • Protect information stored on the laptop with a secure password. It should consist of a combination of numbers and upper and lower-case letters.
  • Implement advanced security measures such as remote laptop security and laptop encryption.
  • Be sure that all important data contained on the laptop is backed up.
  • Make use of physical security measures like locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.
  • When leaving a laptop in the office, make sure it is hidden and secured.
  • Keep your laptop in an inconspicuous case. Flashy cases expose your computer by attracting thieves’ attention. A simple padded messenger bag can suffice as a protective container.
  • When using a laptop for meetings or conferences, always keep it in your sight. Do not leave the room without taking the laptop with you.

The Ernst & Young laptop theft in Miami could have been prevented if employees had followed these simple instructions. Furthermore, the companies whose data was stolen could have easily identified the compromised data if the companies regularly backed up the information contained on the laptops. Finally, all of the information could have been protected if it was encrypted. Only 65 percent of the Ponemon survey respondents claimed that their organizations utilize encryption to protect information.

Tags: data security
Accenture Sued for Negligence by the State of Connecticut

By Christopher Barnett

Many companies have started to experience the consequences of non-existent, insufficient or poorly implemented data security plans in the form of enforcement lawsuits filed by state attorneys general for violations of state data privacy and data security laws. However, in an interesting twist on this usual variety of state-initiated litigation arising out of poor data breach planning, the State of Connecticut is suing IT consultant Accenture for alleged negligence in losing electronic files containing information on bank accounts for almost all Connecticut state agencies as well as several hundred state purchasing cards and a handful of Connecticut taxpayers. Connecticut’s lawsuit also alleges unauthorized use of state information and breach of contract.

Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though similar project for the State of Ohio. (The tape also contained personal information on about 1.3 million Ohio residents.) The intern apparently had been using the Connecticut program as a template for the Ohio project. You can read more about the incident and subsequent lawsuit here and here.

The Accenture case underscores the business necessity of having a thorough data security program that employees actually follow, because breaches can be very costly and weak links in the security chain are prevalent. An effective plan should provide for contingencies affecting sensitive data, especially financial or health information. Plans should also ensure either that all of the business’s employees are aware of the data security policies and procedures, or, better yet, provide for physical, electronic, or procedural barriers to prevent data from being used for any unnecessary or non-business-critical purposes. Companies implementing security plans should consider reducing the risks identified in the Accenture matter by prohibiting interns from having access to sensitive information and restricting the presence of sensitive information on portable devices.

With the increasing number of lawsuits focused on data breach and security incidents, it is crucial that all businesses take steps to develop comprehensive security policies and also to ensure that their assets will be protected in the event that those policies fail.

Tags: data security
New Potential Liability for Internet Service Providers

By Christopher Barnett

The U.S. District Court in New Hampshire recently issued a written opinion that undoubtedly will give some Internet service providers reason to re-think their policies with regard to some anonymous user accounts. In Doe v. Friendfinder Network, Inc., the plaintiff discovered prior to filing suit that an unnamed individual had created a number of profiles using information about the plaintiff’s identity on various social networking websites operated by the defendants and oriented toward people seeking sexual relationships with others. The plaintiff sued defendants on various state-law claims arising out of the allegedly false and unauthorized personal advertisements. In its opinion, the court addressed the defendants’ motion to dismiss, which asserted that the plaintiff’s claims were barred by the Communications Decency Act of 1996. That Act provides, in part, that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” which the Act further defines as “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.”

The court held that the Act did work to bar all of the plaintiff’s state-law claims, except for one: invasion of privacy, to the extent that the plaintiff’s claim was based on the right of publicity. The court specifically looked to an exception in the Act, which provides: “[n]othing in this section shall be construed to limit or expand any law pertaining to intellectual property.” The court stated that a state-law right of publicity claim arises from a “law pertaining to intellectual property,” and it further held that state-law intellectual property claims are within the scope of the Act’s exception. In so holding, the court expressly disapproved the 9th Circuit’s opinion in Perfect 10, Inc. v. CCBill, LLC, where it held last year that the exception only extended to claims based on violations of federal laws pertaining to intellectual property.

The Friendfinder case may be one to watch for at least two reasons. First, it has the potential to set up a conflict between two federal circuits, which may help lead to or hasten review by the Supreme Court. (A petition for certiorari was denied following the 9th Circuit’s ruling in the CCBill case.) Second, if the trial court’s opinion in Friendfinder prevails, then Internet service providers – especially those operating social networking sites (which now include heavy-hitters such as Facebook and Second Life) – may face the daunting prospect of having to verify the validity of information entered in users’ personal profiles in order to avoid exposure from state-law claims based on violation of a third party’s right of publicity. Such a precedent could mean significant changes to the way such sites operate today.
Tags: data security
State Data Encryption Laws Ready to Take Effect

By Christopher Barnett

By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data. While contingency planning in light of these laws (now present in 44 states and the District of Columbia) usually entails some up-front costs in the form of diverted resources and attorney’s fees, the overall cost of implementation has been relatively low. It may be fitting, then, that the perceived benefit of these laws has been similarly minimal, with some estimating only a 2% reduction in identity theft in recent years that can be attributed to data breach notification legislation.

It is perhaps as a result of such low estimated return that some states now are starting to implement tougher standards describing the steps that businesses must take in order to prevent such breaches from occurring in the first place. Nevada’s law is the first and went into effect on October 1, 2008. Massachusetts is set to follow with a more detailed set of regulations in January, with Michigan and Washington State in the process of considering similar measures.

The Nevada provision is succinct:

A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

“Encryption” and “personal information” are defined by reference to other statutes and have meanings similar to those typically used in the notification laws. (See NRS 597.970.)

The effect of the Nevada law is to give a victim of identity theft resulting from a data breach a statutory standard of care to enforce against the business that, as a result of negligent (or other) non-compliance with the law, experienced the breach that led to the identity theft in question. Other questions pertaining to the practical implementation of the standard remain, including how to show a causal link between the breach and the ID theft and whether some injury short of ID theft – such as the cost of signing up for credit monitoring – would support a damages claim sufficient to allow a case to proceed to trial. However, it is clear that companies doing business in Nevada now have a tangible interest in deploying encryption technology to protect the data of customers living in that state.

In Massachusetts, the stakes could be even higher. There, the state’s Office of Consumer Affairs & Business Regulation has adopted regulations, to become effective on January 1, 2009, that provide detailed definitions of the standards businesses must meet in order to bring their data handling technology and protocols into compliance. (See 201 CMR 17.00.) While the Massachusetts regulations’ enabling statute does not create a private cause of action for failure to comply, it does give the state attorney general the authority to file a lawsuit for injunctive relief and, in some cases, civil penalties up to $5,000.00 per violation.

As with the notification laws, there is no unified, federal standard for data handling to pre-empt what may become another medley of state laws for businesses to navigate. If these laws become more commonplace (and it appears that they very well may), it will become even more critical for companies conducting interstate transactions to work closely with counsel in order to ensure their compliance with all applicable data handling standards and safeguards.

Tags: data breach data security
Businesses Fail to Guard Against and Respond to Data Security Breaches at their Peril

By Julie Machal-Fulks

A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.

Pharmacy benefits manager Express Scripts is facing a class-action lawsuit filed by an Express Scripts member who alleges that the company failed to use effective measures to protect the secrecy of its members’ confidential information and that it also failed to give reasonable notice of a security breach potentially affecting millions of those members. The complaint alleges that Express Scripts received an extortion demand in October 2008 indicating that an unauthorized third party had gained access to members’ personal data and that some individual members also had received similar threats. The complaint further alleges that Express Scripts failed, in the months following the breach, to send any notifications to its members other than vague statements posted on its website in November.

Currently, businesses with nation-wide operations face a patchwork quilt of federal and state laws regarding both steps required to safeguard personal data as well as steps to be taken in the event of a breach. With regard specifically to post-breach notifications, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands all have enacted their own legislation requiring notification of security breaches involving personal information. Therefore, for large enterprises such as Express Scripts, which is also subject to complex federal rules such as HIPAA, data security planning can be a daunting undertaking.

However, businesses choosing or needing to retain potentially sensitive customer information nevertheless must make appropriate plans. The alternative, as Express Scripts may learn, entails negative publicity as a result of the initial breach, compounded by negative publicity as a result of an inadequate response. That kind of reputational damage can be difficult and costly to repair, especially if or when attorney’s fees and civil damages enter the equation.

All businesses, large and small, that handle confidential customer information must consult with knowledgeable counsel to ensure that they are protecting against and prepared for data security breaches.

Tags: data breach data security breach
Cloud Computing Vendors Attempt to Avoid Liability

By Andrew Martin

Both state and federal governments are seeking ways to ensure citizens’ personal information is secure and remains private, but the laws vary wildly and are sometimes frustratingly complex. For businesses, it is not always clear which laws, if any, the business is subject to. Once applicability of the law to a business is determined, the process of evaluating compliance of IT systems and policies can be time-consuming.

Now imagine you are the vendor of software products that could potentially store statutorily protected data for your customers. You potentially have just inherited compliance evaluation projects for every one of your customers.

For many vendors, such compliance demands are too burdensome, and a quick review of their cloud computing agreements shows that their methods for handling these requirements often consist of avoiding the subject altogether or expressly absolving themselves of the responsibility. Many vendors attempt to avoid liability by including provisions in their contracts disclaiming any liability for data breaches or compliance with data security regulations. Cloud customers that do not carefully evaluate cloud agreements can find themselves holding the bag for data breaches that may have been caused by their cloud vendors.

Some statutes, such as the recently revised HIPAA rules, have addressed such contractual liability avoidance by specifying that business associates of companies covered by the statutes are also liable for data breaches. As the cloud computing industry matures, vendors will learn that they have to comply with statutory security requirements. During this maturation, new and possibly standardized methods to share responsibility for the security of customer information will emerge. For now, customers should seek the advice of experienced counsel before entering into any cloud computing agreement, both to mitigate or eliminate vendor avoidance and to ensure the vendor will adequately protect the personal information covered by those statutes.

Tags: cloud computing data security