BREACHES OF INFORMATION SECURITY: A U.S. COMPANY'S OBLIGATIONS

Hypothetical: Your U.S. branch office has a laptop stolen from one of its on-site service providers. The laptop contains files on which the names and social security numbers corresponding to American employees and job applicants were stored.

Issue: What are your obligations with regard to the potential loss of sensitive personal information? Does U.S. or state law create an obligation to take specific steps to minimize the potential negative impact?

This update reviews the current state of affairs with regard to the various state laws and sets out a standard set of steps that we should take in the event of an information systems breach involving sensitive data.

California was the first state to pass a breach notification law (in September 2002), and recently many others have followed suit. Following a widely publicized series of cyber-security breaches in early 2005 and 2006 (at ChoicePoint, Bank of America, Motorola, the Veterans Administration and many others), at least 40 states considered legislation involving breach notification and computer security, according to a report by the National Conference of State Legislatures. These notification laws are generally similar to the California law, but each state law has its own particular requirements and specifications, leading to potential compliance burdens.

Federal legislation

There is currently no federal law on breach notification, but five major bills on this topic were pending in Congress in 2006. These bills all address the following key issues:

To what extent should federal law preempt state laws on breach notification? Many large companies argue that they need to operate pursuant to a single set of rules, rather than a patchwork of inconsistent state laws. Therefore they are pushing for federal legislation that completely preempts state laws in this area. Three of the five bills clearly provide such preemption.

How serious must a breach be for the notification requirement to apply? One bill would require notification whenever there is a breach of sensitive personally identifiable information. Another bill would require notice only when the breach results in a reasonable risk of harm. Two bills set the standard at a significant risk of harm. The final bill refers to substantial harm or inconvenience. Many businesses are pushing for one of the heightened standards, because they are concerned about compliance costs and negative publicity.

Who is responsible for providing notice? Three of the bills would impose notice requirements only on companies that own or license private data. The fourth bill would also impose such requirements on third-party service providers. The fifth makes the entity suffering the data breach primarily responsible for providing notice, unless there is an agreement between an entity and its third-party service providers to the contrary.

How should notice be given? Many businesses are concerned about impractical dictates; they would like any federal law to permit a wide range of notification methods (email, phone). But the bills impose various restrictions and conditions on notification. Businesses also would like a safe harbor that protects companies from liability if they follow their own breach notification procedures, adopted pursuant to their own information security policies. Only one of the five bills provides such a safe harbor.

If the federal law is violated, who has the authority to sue the offender? Businesses are adamant that any federal legislation should not be the basis for individual or class action lawsuits. Instead, the U.S. Attorney General, the Federal Trade Commission, and the state Attorneys General should have exclusive authority to enforce the federal statute. Four of the five bills preclude private rights of action.

It remains to be seen whether, and in what form, federal breach notification legislation will be enacted. For one thing, the prospects for settling on a final bill are complicated by the fact that multiple committees are involved: the House and Senate Commerce Committees and the House Financial Services Committee, along with the Senate Judiciary Committee. Moreover, the second session of Congress is always shorter, and it becomes easier to delay and stop legislation. On the other hand, 2006 is an election year, and members of Congress may not want to admit they were unable to pass legislation to address voters' concerns about identity theft and financial loss.

What Steps Should You Take?

When you receive information regarding a data breach, Toyota must be prepared to act quickly.

Consider notifying law enforcement. First, we should consider notifying appropriate law enforcement agencies. While notifying these agencies is not absolutely required in some states, police can help in recovering the stolen property and identifying the thief. Before notifying law enforcement, the company's legal division and security team should be consulted.

Notify at-risk individuals. Most state laws require companies like Toyota to notify the individuals to whom the lost or stolen data corresponds. It is important to alert them that the security of their personal data may have been compromised. Notification must occur promptly, as soon as practicable; an obvious exception would be if law enforcement asks you not to do so because they believe it would jeopardize the capture of the thief.

Consider additional help for individuals. Some companies have felt the need to go the extra mile and offer additional help to potentially affected individuals. For example, a company could offer affected individuals documentation assistance, or offer them free credit reports and monitoring services to guard against identity theft. Taking such actions is an important step towards maintaining goodwill.

Establish or improve your policies and procedures. We must always guard against data breaches. Toyota has an excellent policy and procedure for securing electronic data and handling any data breaches. You should take time to familiarize yourself with our existing administrative, physical, and technical safeguards for protecting personal information. Questions you should ask yourself include: Does the company have an information security policy? What authentication measures are required to access a system (e.g., certain mandatory password characteristics or a dynamic password logon system)? Are policies in place that prohibit employees from storing user IDs and passwords on portable computers? How burdensome would it be for the company to encrypt data, or at least the more sensitive data fields on the customer information template?

Review third-party contracts. Take a look at the company's standard contracts with third-party service providers to make sure that these agreements contain appropriate provisions concerning data security. If sensitive data will be shared with third-party suppliers, you might want to consider whether or not the contract's provisions should allocate the risk of a third-party vendor's failure of electronic or physical security; indicate who is responsible for the costs of notification; and specify who will pay the costs of defending third-party claims in the event of a data breach caused by the vendor.

The State Statutes

Currently, thirty-four (34) states have laws regarding data breaches. A 35th state (Oklahoma) also has a data breach notification law, but currently it applies only to state agencies. New data breach laws are set to come into effect in July in Wyoming and the District of Columbia. Most of the other states have legislation pending to adopt notification laws, and a number of states have pending bills to modify the existing statutes. Federal legislation is also pending. Because this legal landscape is still evolving, these statutes should be consulted should a breach occur, to ensure compliance with the law as it exists at the time of the breach.

In general, the state statutes follow a similar scheme, centered around prompt notice to affected individuals of any breach of the security of a system containing personal information. However, the similarities can be deceptive. Despite the fact that most of the statutes seem to be built off a common model, each state has refined the model to suit its own purposes and concerns. Hence, it is important to review the statutes carefully to pick up on the nuances. For example, while most states require notice to affected residents of the state, a few have drafted their statutes more broadly. States such as Arizona and New Hampshire require notification to all individuals affected by the breach, not just to residents of those states. In addition to requiring notice to the affected individuals, a number of states require notice to consumer reporting agencies under particular circumstances (typically when a certain number of state residents are affected by the breach). Some states also require notification to the state attorney general's office and/or other state offices. While most of the states require that notice be made in the most expedient time possible, without unreasonable delay, some states have put express time limits on the notifications, both to the affected individuals (45 days in Florida and Ohio) and to the consumer reporting agencies (48 hours in Minnesota). Penalties for failure to comply with these requirements vary from state to state. Enforcement is often through the attorney general's office, and sanctions can include fines (including, in Florida, a per-day fine for failing to comply with the 45-day notification requirement). Private causes of action are also possible in some states.

In addition to the data breach notification laws, many states have adopted or are adopting laws related to the protection and destruction of retained personal information (restricting, for example, how long information may be retained and how it may be disposed of). These laws, while not directly related to notification of data breaches, are important for companies that retain personal information and should also be reviewed. In the United States, we expect additional states will continue to enact data breach laws unless and until a federal law preempts them and offers greater clarity.

Being Prepared

The hypothetical fact scenario at the beginning of this update may sound unpleasantly familiar to you because something similar has already occurred at your company. If it has not happened yet, it is reasonable to expect that it may happen one day in the future. In light of the pending bills and the new statutes, it is prudent to reflect upon your need to strengthen security and toughen contracts with vendors. It is also wise to take the time to train your company's personnel so that they better understand some of the requirements of conducting business in light of the new data breach and identity theft risks. Being prepared with a quick, effective, and compliant response to a data breach is one of your best ways to ensure that it won't happen, and that if it does, you are prepared to protect your and others' identities and the company's reputation.

See the accompanying state-by-state comparison that applies to the various jurisdictions in the U.S. For more information on this issue and strategies designed to address data breaches, visit:

http://www.ftc.gov/opa/2006/01/choicepoint.shtm
http://www.consumersunion.org/campaigns/breach_laws_may05.pdf
http://www.pirg.org/consumer/credit/statelaws.htm
http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf
http://www.bbb.org/securityandprivacy/