BREACHES OF INFORMATION SECURITY: A U.S. COMPANY'S OBLIGATIONS

Hypothetical: Your U.S. branch office has a laptop stolen from one of its on-site service providers. The laptop contains files in which the names and social security numbers of American employees and job applicants were stored.

Issue: What are your obligations with regard to the potential loss of sensitive personal information? Does U.S. federal or state law require you to take specific steps to minimize the potential negative impact?

This update reviews the current state of the various state laws and sets out a standard set of steps that we should take in the event of an information systems breach involving sensitive data.

California was the first state to pass a breach notification law (in September 2002), and recently many other states have followed suit. Following a widely publicized series of security breaches in early 2005 and 2006 (at ChoicePoint, Bank of America, Motorola, the Veterans Administration and many others), at least 40 states considered legislation on breach notification and computer security, according to a report by the National Conference of State Legislatures. These notification laws are generally modeled on the California law, but each state's law has its own particular requirements and specifications, which creates a potential compliance burden for a company operating in several states.

Federal legislation

There is currently no federal law on breach notification, but five major bills on this topic were pending in Congress in 2006. These bills all address the following key issues:

To what extent should federal law preempt state laws on breach notification? Many large companies argue that they need to operate under a single set of rules rather than a patchwork of inconsistent state laws, and are therefore pushing for federal legislation that completely preempts state laws in this area. Three of the five bills clearly provide such preemption.
How serious must a breach be for the notification requirement to apply? One bill would require notification whenever there is a breach of sensitive personally identifiable information. Another would require notice only when the breach results in a reasonable risk of harm. Two bills set the standard at a significant risk of harm, and the final bill refers to substantial harm or inconvenience. Many businesses are pushing for one of the heightened standards because they are concerned about compliance costs and negative publicity.

Who is responsible for providing notice? Three of the bills would impose notice requirements only on companies that own or license the personal data. A fourth would also impose such requirements on third-party service providers. The fifth makes the entity that suffers the breach primarily responsible for providing notice, unless an agreement between that entity and its third-party service providers provides otherwise.

How should notice be given? Many businesses are concerned about impractical dictates; they would like any federal law to permit a wide range of notification methods (e-mail, telephone), but the bills impose various restrictions and conditions on notification. Businesses would also like a safe harbor that protects a company from liability if it follows its own breach notification procedures, adopted under its own information security policies. Only one of the five bills provides such a safe harbor.

If the federal law is violated, who has the authority to sue the offender? Businesses are adamant that any federal legislation should not be the basis for individual or class action lawsuits; instead, the U.S. Attorney General, the Federal Trade Commission and the state attorneys general should have exclusive authority to enforce the federal statute. Four of the five bills preclude private rights of action.

It remains to be seen whether, and in what form, federal breach notification legislation will be enacted.
For one thing, the prospects for settling on a final bill are complicated by the fact that multiple committees are involved -- the House and Senate Commerce Committees and the House Financial Services Committee, along with the Senate Judiciary Committee. Moreover, the second session of a Congress is always shorter, which makes it easier to delay and stop legislation. On the other hand, 2006 is an election year, and members of Congress may not want to admit that they were unable to pass legislation addressing voters' concerns about identity theft and financial loss.

What Steps Should You Take?

When you receive information about a data breach, Toyota must be prepared to act quickly.

Consider notifying law enforcement. The first step to consider is notifying the appropriate law enforcement agencies. While notifying these agencies is not strictly required in every state, police can help in recovering the stolen property and identifying the thief. Before notifying law enforcement, consult the company's legal division and security team. Also record when and how the breach was discovered: the express statutory deadlines discussed below generally run from the date the breach is discovered, so that date will matter.
Notify At-Risk Individuals. Most state laws require companies like Toyota to notify the individuals whose personal information was contained in the lost or stolen data. It is important to alert them that the security of their personal data may have been compromised. Notification must occur promptly, as soon as practicable; the one obvious exception is where law enforcement asks you to delay because notification would jeopardize the capture of the thief.

Consider additional help for individuals. Some companies have chosen to go the extra mile and offer additional help to potentially affected individuals. For example, a company could offer affected individuals assistance with documentation, or free credit reports and credit monitoring services, to guard against identity theft. Such actions are important steps toward maintaining goodwill.

Establish or improve your policies and procedures. We must always guard against data breaches. Toyota has an excellent policy and procedure for securing electronic data and handling any data breach. You should take time to familiarize yourself with our existing administrative, physical and technical safeguards for protecting personal information. Questions you should ask yourself include:

Does the company have an information security policy?
What authentication measures are required to access a system (e.g., mandatory password characteristics or a dynamic password logon system)?
Are policies in place that prohibit employees from storing user IDs and passwords on portable computers?
How burdensome would it be for the company to encrypt data, or at least the more sensitive data fields on the customer information template?

The last question deserves particular attention. Most of the state statutes, California's included, apply only to unencrypted personal information, so encrypting the personal data held on laptops and other portable devices can prevent a lost or stolen device from triggering a notification obligation at all. As a practical matter, that protection is only meaningful if the key needed to decrypt the data is not stored on the same device.

Review third-party contracts. Take a look at the company's standard contracts with third-party service providers to make sure that these agreements contain appropriate provisions concerning data security.
If sensitive data will be shared with third-party suppliers, consider whether the contract's provisions should allocate the risk of a vendor's failure of electronic or physical security; indicate who is responsible for the costs of notification; and specify who will pay the costs of defending third-party claims in the event of a data breach caused by the vendor. In the hypothetical above, the laptop was in the custody of an on-site service provider, so terms of this kind would determine who bears the cost of notifying the affected employees and applicants.

The State Statutes

Currently, thirty-four (34) states have laws regarding data breaches. A 35th state (Oklahoma) also has a data breach notification law, but currently it applies only to state agencies. New data breach laws are set to come into effect in July in Wyoming and the District of Columbia. Most of the other states have legislation pending to adopt notification laws, and a number of states have bills pending to modify their existing statutes. Federal legislation is also pending. Because this legal landscape is still evolving, these statutes should be consulted when a breach occurs, to ensure compliance with the law as it exists at the time of the breach.

In general, the state statutes follow a similar scheme, centered on prompt notice to affected individuals of any breach of the security of a system containing personal information. However, the similarities can be deceptive. Although most of the statutes are built on a common model, each state has refined the model to suit its own purposes and concerns, so it is important to review the statutes carefully to pick up on the nuances. For example, while most states require notice to affected residents of the state, a few have drafted their statutes more broadly: Arizona and New Hampshire require notification to all individuals affected by the breach, not just to residents of those states. Because a single breach will often involve residents of several states, the response must be keyed to each affected individual's state of residence, not to the state where the breach occurred. In addition to requiring notice to the affected individuals, a number of states require notice to consumer reporting agencies under particular circumstances (typically when more than a certain number of state residents are affected by the breach). Some states also require notification to the state attorney general's office and/or other state offices.

While most states require that notice be given in the most expedient time possible and without unreasonable delay, some have put express time limits on notification, both to the affected individuals (45 days in Florida and Ohio) and to the consumer reporting agencies (48 hours in Minnesota). Penalties for failure to comply with these requirements vary from state to state. Enforcement is often through the attorney general's office, and sanctions can include fines (including, in Florida, a per-day fine for failing to comply with the 45-day notification requirement). Private causes of action are also possible in some states.
In addition to the data breach notification laws, many states have adopted or are adopting laws on the protection and destruction of retained personal information (restricting, for example, how long information may be retained and how it must be disposed of). While not directly related to breach notification, these laws are important for companies that retain personal information and should also be reviewed. In the United States, we expect additional states will continue to enact data breach laws unless and until a federal law preempts them -- and offers greater clarity.
Being Prepared

The hypothetical scenario at the beginning of this update may sound unpleasantly familiar if something similar has already occurred at your company. If it has not happened yet, it is reasonable to expect that it may happen one day. In light of the pending bills and the new statutes, it is prudent to reflect on your need to strengthen security and toughen contracts with vendors. It is also wise to take the time to train your company's personnel so that they better understand the requirements of conducting business in light of the new data breach and identity theft risks. Being prepared with a quick, effective and compliant response to a data breach is one of the best ways to reduce the chance that a breach occurs -- and to ensure that if one does, you are able to protect the identities of those affected and the company's reputation.

A state-by-state comparison covering the various U.S. jurisdictions accompanies this update.

For more information on this issue and on strategies for addressing data breaches, see:
http://www.ftc.gov/opa/2006/01/choicepoint.shtm
http://www.consumersunion.org/campaigns/breach_laws_may05.pdf
http://www.pirg.org/consumer/credit/statelaws.htm
http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf
http://www.bbb.org/securityandprivacy/