Ernst & Young and General Electric, must ensure that they comply with the relevant state security breach notification statutes. Twenty-nine states already have security breach notification laws in effect and four additional states have enacted laws that will become effective on January 1, 2007. If a company suspects that its data has been breached, it is critical for the company to determine which state breach notification laws apply to its data breach, and it must comply with the specific terms of each of the notification laws.

In addition to breach notification laws, companies that experience a data loss must also be concerned that the affected individuals will file a civil suit seeking redress for their damages. For instance, a group of plaintiffs filed a class-action lawsuit against Providence Health Systems – Oregon for negligent loss and disclosure of protected health information and for violation of Oregon’s Unlawful Trade Practices Act.25

In the Providence case, a Providence employee left the office with tape backups and disks containing more than 365,000 patient records.26 The employee left the media in a car, from which they were stolen. When the patients asked Providence to protect them from possible identity theft by providing credit monitoring, Providence refused and suggested that the patients take steps to protect themselves.

Because the information stolen was medical information, plaintiffs claimed that Providence violated the Oregon statute requiring protection of medical information. Plaintiffs further sought damages under the Unlawful Trade Practices Act because Providence represented that it would keep all personal information confidential when it sold medical services and products to the patients.27

c. Regulatory Action
Several companies were recently fined by the Federal Trade Commission for security breaches that resulted in personal information disclosures. Although these security breaches were not directly related to lost hardware such as laptops, there is no indication that the FTC would treat a company more leniently because it lost consumer information in a theft while an employee was transporting the data on a portable device.

The FTC has investigated and pursued companies in a variety of industries for breaches of security. The industries include a data collector for credit card companies, a wholesale warehouse retailer, a mortgage company, a national pet store chain, an internet service provider, and a national shoe retailer.28 In the cases based on breach of security or information, the FTC based its allegations on the following:

  • Unfair practices;
  • Violations of the Fair Credit Reporting Act;
  • Failure to maintain adequate security;
  • Failure to protect financial data; and
  • Failure to disclose security breaches.

In January 2006, ChoicePoint paid the FTC $10 million in civil penalties and $5 million in consumer redress after ChoicePoint disclosed personal information of approximately 163,000 consumers. At least 800 distinct cases of identity theft resulted from the ChoicePoint disclosure. The FTC claimed that ChoicePoint failed to take reasonable measures to protect company data. Additionally, the FTC alleged that ChoicePoint misrepresented its privacy policies to consumers.

In May 2006, the FTC settled a matter against Nations Title Agency, Inc. Nations Title is a real estate services company operating in 44 states. It routinely collects personal and sensitive information related to home mortgages. The FTC alleged that Nations Title violated the GLBA standards for safeguarding information and the Fair and Accurate Credit Transactions Act requirements for disposal of customer information. The FTC found evidence that Nations Title had thrown customers’ confidential information into a dumpster. To compound matters, hackers accessed Nations Title’s computers and stole sensitive personal and financial information. As in the ChoicePoint case, the FTC also alleged that Nations Title made misrepresentations regarding the security of its data.

On September 19, 2006, the FTC outlined several measures recommended by the Identity Theft Task Force to help address the increasing problem of identity theft.29 The Task Force recommends that the government adopt standards regarding “whether and how to give notice to affected individuals in the event of a government agency data breach, and the factors that should be considered in deciding whether to offer services such as free credit monitoring. Such guidance is the first comprehensive road map of the steps that agencies should take to respond to a breach and to mitigate the risk of identity theft.”30 The Task Force also recommended that agencies reduce access to personal and confidential information and implement policies to increase data security.

IV. The New Standard of Care: Data Encryption on Portable Devices
Approximately 60 percent of PDAs and 59 percent of laptops contain unprotected sensitive or confidential information.31 Almost half of the businesses surveyed by the Ponemon Institute indicated that they would never be able to determine the actual information that they lost.32 There are a number of precautions businesses and their employees