Identity Theft and Data Security Laws: Protect Your Customers, Protect Your Business
*Originally published in Volume 25, June 2006 issue of Banking & Financial Services Policy Report
Reports of identity theft and security breaches are escalating. Recent statistics show that more than 52 million individuals' personal data was compromised in 2005 alone. The resulting liability exposure is daunting for companies, not only from actions by the private sector but also by state attorneys general and the Federal Trade Commission (FTC). States also are responding to the increase in identity theft by imposing greater responsibilities on businesses that collect and maintain personal information. At least 28 states have enacted security breach notification laws that require prompt notification of any data breach to potentially affected customers. Various identity theft and notification bills also are pending in Congress, which may preempt some or all of the new state legislation. This article will review some noteworthy data breach cases, provide an overview of the various breach notification laws, and also offer practical tips for businesses on how to prevent, manage, and mitigate damages from security breaches.
Case Studies: Consumers' Personal Data Must Be Protected
FTC enforcement actions and private litigation by employees and customers underscore both the enormous liability exposure facing companies today as a result of data breaches and the importance of securing personal data.
In the past several years, the FTC has brought enforcement proceedings against several major corporations for privacy-related conduct that the FTC has determined to be an "unfair or deceptive act or practice." In one of the largest known compromises of financial data to date, the FTC charged CardSystems Solutions, Inc., and its successor, Solidus Networks, Inc. (d/b/a Pay by Touch Systems), with an unfair act or practice by failing to protect the private information of tens of millions of consumers. CardSystems settled with the FTC and must implement a comprehensive data security program and obtain audits by an independent third-party professional every other year for 20 years. CardSystems also faces potential liability from banks and credit unions seeking the return of millions of dollars from fraudulent purchases.
Similarly, in January 2006, consumer data broker ChoicePoint Inc. entered into a significant settlement with the FTC for $10 million dollars in civil penalties and $5 million in consumer redress arising from the compromise of records of more than 163,000 consumers in its database, resulting in at least 800 cases of identity theft. According to the FTC, ChoicePoint did not employ reasonable procedures to screen prospective subscribers and made false and misleading statements about its privacy policies. Last year, the FTC reached significant settlements with BJ's Wholesale Club and DSW Inc., a shoe retailer, arising from these companies' respective failures to take appropriate security measures to protect the personal data and credit card information of their customers.
Employees and customers also are suing companies under, inter alia, common law negligence and invasion of privacy theories where there has been a security breach or unauthorized disclosure of their personal data. Last year, a Michigan appeals court upheld a collective award of $275,000 in mental anguish damages against a union for not safeguarding the confidential data of 13 union members. The union allowed its treasurer to bring home confidential documents containing social security and drivers' license numbers. The treasurer's daughter reviewed the information and used it in an identity theft scheme. The appeals court rejected the union's argument that it was not responsible for the unforeseeable criminal acts of a third party, holding that in today's world companies have a duty to secure sensitive information since "the possibility of identity theft is all too commonplace."
The opposite result was reached in a federal action in which a laptop computer containing unencrypted personal information was stolen from an employee's home office. Because the employer, a nonprofit student loan company, could not determine with any certainty which individual customers' personal information may have been compromised, the company decided to send written notice of the breach to all of its approximately 550,000 customers.
In response to the notice, plaintiff ordered copies of his credit reports, but found no indication that his personal information had been accessed. Plaintiff nonetheless sued the company for negligence, claiming that the company owed him a duty under the Gramm-Leach-Bliley Act (GLB Act) to secure his private personal information. The court granted summary judgment for the company and dismissed the action, concluding that the plaintiff did not present sufficient evidence that defendant had violated the GLB Act or failed to maintain proper safeguards for its customers' personal information.
Companies also must be careful with sharing employee data within the company and with third parties. For example, in Minnesota, employees sued their employer for disseminating approximately 200 employees' social security numbers to various terminal managers in six states. The Minnesota Supreme Court, however, found that this dissemination of personal information did not constitute the requisite "publicity" under Minnesota law to support a claim for publication of private facts and invasion of privacy.
Airline passengers also have sued several domestic air carriers for allegedly violating the airlines' respective privacy policies when, in response to post-September 11 requests by federal agencies, they disclosed passenger information to government contractors studying security-related issues. The airlines, for the most part, have successfully defended the lawsuits. For example, in class action litigation brought against JetBlue Airways, the federal court in New York dismissed all of plaintiffs' claims, including those alleging deceptive trade practices and breach of contract.  Significantly, the court determined that plaintiffs could not establish any damages and that contract law, in particular, does not permit recovery of damages for non-economic losses, such as "loss of privacy."
The foregoing cases demonstrate how cautious companies must be when maintaining personal information and sharing or disclosing data within the company as well as with other entities, such as governmental entities and outside vendors or contractors. Although a number of the cases have been dismissed, adverse publicity and significant defense costs may result from the filing and prosecution of such actions.
Relevant State and Federal Legislation
As a result of the dramatic increase in data breaches, at least 28 states have enacted security breach notification laws that require companies to notify affected residents and sometimes state law enforcement authorities of any breach of unencrypted personal information. Security breach legislation also is under consideration in more than 10 states.
California, the pioneer of this legislation, broadly defines a "security breach" as the "unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business." Most states have adopted this description, while a few have modified it by stating that the breach must materially compromise the security, confidentiality, or integrity of the information.
Information Covered: The definition of "personal information" varies among states. For example, the New York State statute defines private information as personal identification data (e.g., name) in combination with any of the following: social security number; driver's license or non-driver identification; or financial account number, such as a credit or debit card with the access code or PIN number. Some state statutes have a much broader definition of personal information that includes medical records and employer or taxpayer identification numbers.
Entities Covered: The California law covers "[a]ny person or business that conducts business in California, and that owns or licenses computerized data." While many states employ similar language, Georgia's notification statute applies only to information brokers. Indiana recently amended its statute to cover not only state and local agencies but also companies doing business in the state. Many states exempt or consider compliant financial institutions that already are subject to federal consumer notification rules.
Notification Required: Under the California statute, both businesses and government entities must notify any California residents "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The notice must be delivered "in the most expedient time possible and without unreasonable delay." Most state statutes adopt similar language, but like California, permit some delay to meet the needs of law enforcement  or to determine the scope of the breach and restore integrity to the company's data system. Florida and Wisconsin actually include a specific notice period in their respective statutes. Several states also require notification to nationwide consumer reporting agencies.
Method of Notice: Most states follow the California statute and provide for notice in writing or electronically or in accordance with the business's own internal information security policy. Some states permit notice by telephone, and Utah recently passed legislation permitting publication of notice in a newspaper of general circulation. Almost all states provide for substitute notification under specific circumstances. For example, under New York State law, when personal notices would cost over $250,000 or if the number of persons affected is greater than 500,000, then the company may provide notice by email, conspicuous posting on a company's Web site, and notification to major statewide media. California, and many other states, also allow businesses to bypass the statutory notification methods if the company's internal notification procedures are "otherwise consistent with the timing requirements" of the statute.
Exemptions from Notification: Some states permit an exemption from the notification rules when it is unlikely that the breach would result in harm to customers. These states differ, however, on whether the business may independently make this determination or must consult with law enforcement agencies before doing so. Indiana also excludes from the notice requirements the unauthorized acquisition of a "portable electronic device" on which personal information is stored so long as the device is password protected and the password has not been stolen. This is an unusual exemption since one of the most common data security breaches arises from stolen or lost laptop computers.
Possible Penalties: Most state statutes provide some mechanism for state enforcement of the notification laws, usually through the state's attorney general. Civil penalties may be imposed and can be significant. Florida, for instance, permits an administrative fine of up to $500,000 if notification is not made within 180 days. In addition, several states have followed California's lead and expressly authorized private causes of action under their notification statute.
Destruction of Personal Information: Some states, like New Jersey and North Carolina, impose an affirmative duty on businesses to implement and maintain procedures to destroy, or arrange for the destruction of, records containing personal information.
Congress also is considering several bills this year in which security breach notices would be mandated nationwide. The Personal Data Privacy and Security Act (S.1789), also referred to as the Specter-Leahy bill, has broad bipartisan support and would regulate businesses collecting, accessing, using, transmitting, storing or disposing of personally identifiable information. Under this bill, businesses must develop and publish a data privacy and security program that includes technical safeguards, such as encryption. The bill also requires businesses to submit to audits of their security policies. The Specter-Leahy bill would preempt state law in many areas, including definitions of security breach, methods and content of notice, and risk assessment and fraud prevention exemptions.
Another bill that has been introduced, the Identity Theft Protection Act (S.1408), covers commercial entities and any charitable, educational or nonprofit organizations that acquire, maintain, or use sensitive personal information. The bill strengthens physical and technological safeguards against security breaches and requires customer notification. Those failing to comply with the notification provisions may face fines up to $11 million. It also includes a security freeze provision that would allow consumers to request a security freeze on their credit report.
The foregoing measures are in addition to various other laws that the government already has enacted to combat identity theft and enhance data security, such as the Gramm-Leach-Bliley Act of 1999, which regulates the financial industry and aims to prevent the unauthorized disclosure of consumer financial information.
Other Congressional measures include the Fair and Accurate Credit Transactions Act of 2003, which amends the Fair Credit Reporting Act to address identity theft and related consumer issues, and the Health Insurance Portability & Accountability Act (HIPAA) of 1996, which requires, inter alia, a patient's consent to disclose individually identifiable health information.
Best Practices: Protecting Data Security Must Be a Priority
Based on the burgeoning number of FTC actions, lawsuits, and legislative initiatives, it is imperative that businesses act proactively, evaluate their data systems, and implement greater security measures to protect sensitive data. The Chairman of the FTC explicitly warned in the CardSystems case that “[a]ny company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner.”
The following list provides several recommended best practices for any business that stores, handles, and manages personal data.
- Become familiar with state laws in each state in which you do business or have customers and employees to ensure compliance with all applicable security breach and notification laws.
- Make privacy and data security an enterprise-wide priority. Apart from being necessary risk management, privacy lawsuits may detract from or company initiatives may contribute to customer goodwill and commercial reputation.
- Have a plan of action in place in the event of an actual or potential data breach.
- Only collect and store personally identifiable information that is necessary for actual business needs. Develop a policy for destruction of information once the business need has passed.
- Develop a written, comprehensive data security program that includes encryption, "strong" passwords, restriction of access, regular vulnerability assessments and defense updates, and detection measures for unauthorized access.
- Educate employees on the impact of a data breach and the need for diligence in safeguarding personal data and adhering to company security policies and procedures.
- Investigate the availability of insurance for cyber risks.
- Retain professionals to conduct security audits and advise on the adequacy of the company's policies and programs.
1 See Privacy Rights Clearinghouse, Chronology of Data Breaches Reported Since the ChoicePoint Incident, https://www.privacyrights.org/data-breaches. A survey of identity theft found that identity theft costs to businesses and consumers reached almost $50 billion dollars in 2003. Federal Trade Commission, Identity Theft Survey Report (Sept. 2003).
2 States that have enacted security breach notification laws include: Arkansas, California, Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Washington, and Wisconsin. See http://www.ncsl.org/programs/lis/cip/priv/breach.htm.
3 15 U.S.C. § 45. Section 5(a) of the FTC Act prohibits unfair methods of competition and unfair or deceptive acts or practices affecting commerce.
5 Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to pay $10 million in Civil Penalties, $5 Million for Consumer Redress, January 26, 2006, http://www.ftc.gov/opa/2006/01/choicepoint.htm.
6 Data aggregators, like ChoicePoint, also face claims under the Fair Credit Reporting Act (FCRA), which applies to entities that report information to credit bureaus and prohibits use of credit card information for other purposes.
7 Federal Trade Commission, BJ's Wholesale Club, Inc., No. C-4148, 2005 WL 2395788 (F.T.C. Sept. 20, 2005). Under the terms of the settlement with the FTC, BJ's agreed to implement a comprehensive information security program and submit to security audits every other year for the next 20 years.
8 Federal Trade Commission, DSW Inc. Settles FTC Charges, December 1, 2005, http://www.ftc.gov/opa/2005/12/dsw.htm. DSW's data-security failure allowed hackers to gain access to more than 1.4 million customers' sensitive data, including credit and debit card numbers. The matter was settled by consent order, with the retailer admitting no violation.
9 Bell v. Michigan Council 25 of the Am. Fed'n of State, County, & Mun. Employees, AFL-CIO, Local 123, No. 246684, 2005 WL 356306, *1 (Mich. Ct. App. Feb. 15, 2005).
10 Guin v. Brazos Higher Educ. Serv. Corp., No. 05-668, 2006 WL288483 (D. Minn. Feb. 7, 2006).
11 The GLB Act requires financial institutions to have a security plan in place to protect the confidentiality and integrity of personal consumer information. For purposes of the motion, defendant agreed that the Act establishes such a duty.
12 Bodah v. Lakeville Motor Express, Inc., 666 N.W.2d 550 (Minn. 2003).
13 In re JetBlue Airways Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005). The court held that the claims brought under state consumer protection laws were preempted by the Airline Deregulation Act (ADA).
14 While a breach of encrypted data generally does not trigger the notice requirements, notice may still be required when the encryption keys also are compromised. See, e.g., N.Y. Gen. Bus. Law § 899-aa (1)(b).
15 National Conference of State Legislators, 2006 Breach of Information Legislation, http://www.ncsl.org/programs/lis/cip/priv/breach.htm (last updated Apr. 19, 2006).
16 Cal. Civ. Code §1798.82(d).
17 See, e.g., Fla. Stat. Ann. § 817.5681(4); Mont. Code Ann. § 30-14-1704(4)(a).
18 N.Y. Gen. Bus. Laws § 899-aa (1)(b).
19 See, e.g., Ark. Code Ann. § 4-110-103(5)(medical information); Tenn. Code Ann. § 47-18-2102 (5)&(8) (includes drivers' licenses, Social Security information, taxpayer identification numbers, Medicaid or Medicare numbers, passports and passport numbers, birth and marriage certificates, medical insurance numbers, credit cards, bank accounts, and immigration documents).
20 Cal. Civ. Code §1798.82(a).
21 See, e.g., Fla. Stat. Ann. § 817.5681(1)(a); Mont. Code Ann. § 30-14-1704(1).
22 Ga. Code Ann. § 10-1-911(1)&(2).
23 Ind. Code § 4-1-11-2(a) (state and local agencies); Ind. H.B. 1101 (taking effect July 1, 2006) (subjecting businesses to notification laws).
24 These states include Arkansas, Connecticut, Delaware, Florida, Idaho, Indiana, Kansas, Louisiana, Minnesota, Nebraska, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas and Wisconsin.
25 Cal. Civ. Code §1798.82(a).
26 See, e.g., Cal. Civ. Code §1798.82 (c); Conn. Gen. Stat. § 36a-701b(d); but see 815 Ill. Comp. Stat. 530/10(a) (no delay to address needs of law enforcement agencies).
27 See, e.g., Ga. Code Ann. § 10-1-912 (a); Wash. Rev. Code Ann. § 42.17.31922 (1)(a)&(3).
28 See Fla. Stat. Ann. § 817.5681 (1)(a) (notification must be made no later than 45 days following breach); Wis. Stat. Ann. § 895.507(3) (requiring notification within 45 business days).
29 These states include Florida, Georgia, Indiana, Kansas, Maine, Minnesota, Nevada, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Tennessee, Texas and Wisconsin. This obligation arises when the breach impacts a specific number of residents, usually more than 1,000.
30 Utah Code Ann. § 13-42-202(5)(a) (written, electronic, telephonic or newspaper notice) (taking effect January 1, 2007).
31 N.Y. Gen. Bus. Law § 899-aa (5)(d).
32 See, e.g., 815 Ill. Comp. Stat. 530/10(d).
33 See, e.g., Ark. Code Ann. § 4-110-105(d) (notification not required "if after reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers"); N.J. Stat. Ann. 56:8-163(a) (disclosure is not required "if the business or public entity establishes that misuse of the information is not reasonably possible").
34 See, e.g., Fla. Stat. Ann. § 817.5681 (10)(a) (no notice required "if, after an appropriate investigation or after consultation with relevant…law enforcement [agencies], the person reasonably determines that the breach has not and will not likely result in harm"; this determination must be made in writing and maintained for five years); Conn. Gen. Stat. § 36a-701b (b) (requiring investigation and consultation with relevant law enforcement authorities).
35 Ind. H.B. 1101 (taking effect July 1, 2006).
36 States empowering their state attorney generals to enforce the laws include Arkansas, Connecticut, Delaware, Indiana, Kansas, Minnesota, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Texas and Utah.
37 Fla. Stat. Ann. § 817.5681 (1)(b)(2).
38 See, e.g., La. Rev. Stat. Ann. § 51:3075; N.C. Gen. Stat. § 75-65(i); Tenn. Code. Ann. § 47-18-2104; Wash. Rev. Code Ann. §42.17.31922 (10)(a).
39 See, e.g., N.J. Stat. Ann. § 56:8-162; N.C. Gen. Stat. § 75-64.
40 15 U.S.C. § 6801. Pursuant to § 501(b) of the Act, the federal banking agencies jointly issued interpretive guidelines, the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736 (Mar. 29, 2005).
41 15 U.S.C. § 1681 et seq.
42 42 U.S.C. § 1320.