Telecommunications
Alert - February 27, 2006

In this Issue...
ChoicePoint Settlement and State Data Breach Notification Laws Provide Privacy Wake-Up Call for Businesses

February 27, 2006

Roz Allen - Washington

Responding to growing public concern about identity theft, policy-makers approved mandatory data breach notification statutes in 22 states during 2005.[1] This trend emerged following widely publicized data losses at financial institutions, universities, state agencies and corporations that many observers believe would have gone unreported but for the nation's first data breach notification law, implemented by California in July 2003. During 2005 alone, the mandatory notifications required by California law revealed that the personal information of over 50 million Americans had been compromised.[2]

One of the most significant data losses disclosed last year under the California law came from ChoicePoint Inc., a major data mining company headquartered in Georgia. ChoicePoint's failure to properly protect sensitive consumer data culminated on January 26, 2006, in a $15 million settlement with the Federal Trade Commission (FTC) based on violations of the Fair Credit Reporting Act (FCRA) and the Federal Trade Commission Act (FTC Act).

The ChoicePoint settlement is notable not only for its large civil penalty and long-term auditing and reporting requirements, but also for the legal basis on which it is predicated. In addition to charging the company with violating the FCRA, a law with somewhat limited reach, the government alleged that the company violated the "unfairness prong" of Section 5 of the FTC Act. The latter charge, used only twice before, means that virtually every company handling consumer information in interstate commerce may be subject to FTC action.

The new, more aggressive approach embodied by the FTC’s “unfairness” strategy, coupled with the explosion of state data breach notification statutes, puts all companies on notice to take a more thoughtful and systematic approach to protecting the security, confidentiality and integrity of sensitive customer information, including implementing proper data breach notification practices and procedures.

The 23 states with data breach notification laws require companies, state agencies and other entities to notify state residents whose personally identifiable information is acquired, or reasonably believed to have been acquired, by unauthorized persons. In some states, third parties storing personal data on behalf of other businesses are also required to promptly notify such businesses of unauthorized access or reasonable belief that unauthorized access has occurred.

Most of the state laws do not require disclosure of a breach if the affected data was stored in encrypted form and the encryption key was not compromised. Data holders should nonetheless consider whether risk management obligations under other laws call for notification whenever an actual or potential breach occurs, and should not treat the encryption safe harbor as self-executing: an attacker who has gone to the trouble of extracting a database of personal information may also have reached the key stored alongside it, or may be able to break an outdated or poorly implemented encryption scheme. The safe harbor is therefore only as good as the strength of the encryption actually used and the separation of the key from the data it protects.

In light of this trend, the highest priority for all entities that collect and store information about individuals should be to ensure that the personal information identified by the various state statutes as a notification trigger is stored in encrypted form, with the encryption key managed separately from the data. An analysis of the state breach notification laws indicates that the following types of personal information, when associated with a first name or initial and a last name, trigger notification and should be encrypted: social security number; driver's license number; state identification card number; and financial account information (e.g., bank account numbers or debit or credit card numbers). Covered entities may also choose to store triggering personal information in a format that strips out the associated name and keeps the different types of personal information in separate stores, so that no single store contains a name alongside a triggering identifier. In addition, covered entities should review their information security practices to ensure that their enterprise-wide privacy policies include data breach notification procedures that are triggered when personal information appears likely to have fallen into unauthorized hands.
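As an added illustration, not part of the original alert and not a statement of any particular state's statute, the following Python sketch models the two practices recommended above: keeping names and triggering identifiers in separate stores joined only by a random token, and testing whether a given breach actually combines a name with a usable triggering identifier (with the encryption safe harbor from the preceding paragraph modelled as a per-element flag that is defeated when the key is also taken). The field names, the two-table layout, the "encrypted" flag standing in for real field encryption, and the sample records are all assumptions made for this example.

```python
"""Added example (not from the original alert): a toy model of the
storage split and the notification-trigger test described in the text.

Assumptions made for this example: the field names, the two-table layout,
a per-element "encrypted" flag standing in for real field encryption, and
the constructed sample records.  The rule encoded is the one summarised
above: notify when a first name (or initial) and last name were exposed
together with at least one triggering identifier, where an element exposed
only as ciphertext does not count unless the key was also compromised.
"""
import secrets
from dataclasses import dataclass

# Identifiers that, combined with a name, trigger notification (per the text).
TRIGGERING_FIELDS = {"ssn", "drivers_license", "state_id", "account_number"}
# first_name holds either the full first name or an initial.
NAME_FIELDS = {"first_name", "last_name"}


@dataclass(frozen=True)
class ExposedElement:
    """One data element the attacker obtained for a single individual."""
    field: str
    encrypted: bool = False  # True if only ciphertext was taken


def notification_required(exposed, key_compromised):
    """Apply the trigger rule to the elements exposed for one individual."""
    usable = {e.field for e in exposed if not e.encrypted or key_compromised}
    has_name = NAME_FIELDS <= usable
    return has_name and bool(usable & TRIGGERING_FIELDS)


class SplitStore:
    """Names and triggering identifiers live in separate tables, joined only
    by a random token, so a dump of either table alone never places a name
    next to a triggering identifier."""

    def __init__(self):
        self.profiles = {}     # token -> non-triggering fields (name, email)
        self.identifiers = {}  # token -> triggering fields only

    def add(self, record):
        token = secrets.token_hex(16)  # opaque join key, not derived from data
        self.profiles[token] = {k: v for k, v in record.items()
                                if k not in TRIGGERING_FIELDS}
        self.identifiers[token] = {k: v for k, v in record.items()
                                   if k in TRIGGERING_FIELDS}
        return token

    def exposed_elements(self, token, breached_tables, identifiers_encrypted):
        """Elements an attacker holds for `token` given which tables leaked."""
        out = []
        if "profiles" in breached_tables:
            out += [ExposedElement(f) for f in self.profiles[token]]
        if "identifiers" in breached_tables:
            out += [ExposedElement(f, encrypted=identifiers_encrypted)
                    for f in self.identifiers[token]]
        return out


def triage(store, breached_tables, identifiers_encrypted, key_compromised):
    """Return the tokens of every individual who must be notified."""
    return [t for t in store.profiles
            if notification_required(
                store.exposed_elements(t, breached_tables, identifiers_encrypted),
                key_compromised)]


def build_sample_store():
    """Constructed sample data (not real people); returns (store, tokens)."""
    store = SplitStore()
    tokens = [
        store.add({"first_name": "A.", "last_name": "Example",
                   "email": "a@example.invalid",
                   "ssn": "000-00-0000", "account_number": "0000"}),
        # No triggering identifier at all: never a notification case.
        store.add({"first_name": "B", "last_name": "Example",
                   "email": "b@example.invalid"}),
    ]
    return store, tokens


if __name__ == "__main__":
    store, (t1, _) = build_sample_store()
    both = {"profiles", "identifiers"}
    print("profiles only:", triage(store, {"profiles"}, True, False))
    print("both, encrypted, key safe:", triage(store, both, True, False))
    print("both, encrypted, key taken:", triage(store, both, True, True) == [t1])
```

The point of the split is visible in the triage results: a dump of the profiles table alone, or of the identifiers table alone, never combines a name with a triggering identifier, so neither leak is a notification event under the modelled rule; only a breach that reaches both tables and either plaintext identifiers or the key is. In a real deployment the identifiers table would be encrypted with a key held outside the database (an HSM or a separate key service), so that a database compromise does not by itself satisfy the key_compromised branch.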

To date, there have been no prosecutions under state data breach laws, including California’s 2003 law – the first such law and the model for all state data breach legislation. The lack of case law in this area leaves covered entities with few nonstatutory resources to interpret who must be notified, when they must be notified and how they are to be notified in the event a data breach occurs. Minimal governmental guidance is available because most state agencies have had little time to implement, interpret or enforce their state’s data breach notification statutes (only the California law has existed for more than 12 months). Several state and federal data security cases are pending, but a review of pending state litigation revealed no decisions or ongoing prosecutions involving covered entities for failing to comply with any of the existing mandatory notification laws.

Covered entities should also be aware that federal involvement in this area is likely. At least four mandatory notification bills were introduced in the House and Senate during 2005. One bill, S.1408, was approved by the Senate Commerce Committee during the last week of July 2005, and the Senate Judiciary Committee approved a separate measure in November 2005. Other competing or complementary notification bills are expected to be considered during 2006 by the Senate Banking Committee, House Financial Services Committee and the House Judiciary Committee. Most observers expect some form of federal notification statute to be approved because of growing public concern about identity theft and the business community’s uneasiness about the substantial burden associated with satisfying a plethora of similar but nuanced state privacy laws, which would be preempted by the federal bills introduced thus far.

For more information, e-mail Roz Allen or Reg Leichty at rosalind.allen@hklaw.com or reg.leichty@hklaw.com, respectively, or call toll free, 1-888-688-8500.

[1] Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana (applies to state agencies only), Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas and Washington.

[2] See the Privacy Rights Clearinghouse Data Breach Chronology: http://www.privacyrights.org/ar/ChronDataBreaches.htm (Web site last visited February 21, 2006).