DATA SECURITY REGULATION, IDENTITY THEFT, AND PROTECTION OF PERSONAL INFORMATION

Business Law Institute, Augusta, Maine

September 25, 2009

Molly Callaghan, Alistair Raymond, Verrill Dana, LLP


I. History and Background

Identity theft and data breach statistics

• EU Directive (October 24, 1995)
• Gramm-Leach-Bliley Act (Pub. L. 106-102; November 12, 1999)
• HIPAA “Security Rule” (health care; 45 CFR 164; February 20, 2003)
• FISMA (federal government agencies; 44 USC 3541, 2002)
• Sarbanes-Oxley (publicly traded companies; ’34 Act Rule 13a-15)
• FTC and State AG Enforcement Actions

II. Current Federal and State Regulation: Protection of Personal Information

FTC Red Flags Rule. 16 CFR 681

• Requirements. Any “Financial Institution” or “Creditor” that offers or maintains “Covered Accounts” is required to develop written identity theft prevention and detection programs to identify, detect, prevent, and respond appropriately to identity theft “Red Flags.” Compliance Deadline = November 1, 2009


“Creditor” = a person who “regularly extends, renews, or continues credit,” including the right to purchase property or services and defer payment.


“Covered Account” = “(1) [a]n account . . . primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions . . .”


“Covered Account” = “. . . or (2) [a]ny other account . . . for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”


“Identity Theft” = “a fraud committed or attempted using the identifying information of another person without authority.”

“Identifying Information” = “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person . . .” 16 C.F.R. § 603.2


“Red Flags” = a pattern, practice, or specific activity that indicates the possible existence of identity theft.

What is a Red Flag?

• Red Flags should be identified from (at least) the following sources:
  • Prior incidents of identity theft
  • Methods of identity theft identified generally
  • Applicable supervisory and regulatory guidance

What is a Red Flag?

• Requires a case-by-case analysis
  • Presentation of suspicious documents
  • Suspicious account activity
  • Complaints from customers regarding bills for services they never received
  • Personal information presented by a customer does not match prior records
  • Fraud alert or suspicious activity on a consumer report

FTC Red Flags Rule

• Program with reasonable policies and procedures for the following:
  • Identifying Red Flags relevant to your business
  • Detecting Red Flags
  • Responding appropriately to Red Flags to prevent and mitigate identity theft
  • Periodically update your program

FTC Red Flags Rule (cont.)

• What written procedures are appropriate when a Red Flag is detected?
  • Monitor the account
  • Request supporting documentation
  • Notify law enforcement
  • Close an account
  • Limit account access
  • CALL THE CUSTOMER!

FTC Red Flags Rule (cont.)

1) Are you a Financial Institution or Creditor?
   a) If yes, you must periodically determine whether you offer or maintain Covered Accounts

2) Do you offer or maintain Covered Accounts?
   a) If yes, you must have a “written identity theft prevention program”

FTC Red Flags Rule (cont.)

• Can you delegate to IT? NO!
  • The Rule is risk-focused, not technology-focused
  • The initial program must be approved by the board of directors
  • Senior management must be involved in oversight, development, implementation and administration
• Training
• Oversight of third party service providers

FTC Red Flags Rule (cont.)

• Hot Issue: What is a creditor?

• Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5) and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

• Credit - the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.

• Creditor - any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

FTC Red Flags Rule (cont.)

Hot Issue: What is a creditor?

• 11 Million Businesses Affected
• Not impacted by the collection of personal information
• Health Providers
• Attorneys

FTC Enforcement

• If you are a Creditor, the Rule applies to all Covered Accounts, not just those involving credit

• FTC is unlikely to (but may) enforce the rule against:
  • Businesses that know their customers personally
  • Industries with a low incidence of identity theft

• Unfair Trade Practice
  • Premier Capital Lending, Inc. (Dec. 10, 2008)
  • You don’t have to be BJ’s

• Third Party Service Providers

Massachusetts Data Security Regulations 201 CMR 17.00 (Regulations promulgated by the Office of Consumer Affairs and Business Regulation)

• Compliance Deadline = March 1, 2010

• Applies to = every person that owns or licenses personal information about a Massachusetts resident

• Requirement = develop, implement, and maintain a comprehensive, written information security program (WISP) applicable to any records containing personal information about a MA resident

Massachusetts Regulations

• Top cause of ID theft in Massachusetts = lost and stolen laptops

• Of 368 reported incidents of security breaches in Massachusetts,
  – 220 (60%) resulted from criminal/unauthorized acts (high incidence of stolen or lost laptops)
  – 77 involved data that had been password-protected
  – 11 involved encrypted data

• Every person that owns or licenses personal information about a Massachusetts resident must develop, implement, and maintain a comprehensive, written information security program (WISP) applicable to any records containing such information. “Personal information” = MA resident’s first name and last name, or first initial and last name, in combination with any one or more of the following that relate to such resident:

• SSN

• Driver’s license number or state ID number

• Financial account number, credit or debit card number

DOES NOT INCLUDE: information that is lawfully obtained from publicly available sources, or from federal, state, or local records lawfully made available to general public

Massachusetts Regulations

The WISP

• establishes minimum standards for safeguarding electronic and written records containing personal information

• administrative, technical, and physical safeguards

• tailored

Massachusetts (cont.)

The WISP must include at least:

a) Designate one or more employees to maintain WISP

b) Identify and assess reasonably foreseeable internal and external risks to records containing personal information

c) Develop security policies for employees relating to storage, access, and transportation of records containing personal information

d) Impose disciplinary measures for violation of WISP rule

e) Prevent access by terminated or unauthorized employees

Massachusetts (cont.)

The WISP must include at least:

f) Reasonable restrictions on physical access to records containing personal information

g) Regular monitoring

h) Reviewing the scope of security measures at least annually or whenever there is a material change in business practices

i) Documenting responsive actions taken in connection with a security breach

Massachusetts (cont.)

The WISP must include at least:

*** Oversee Third Party “Service Providers”

1) Take reasonable steps to select and retain Third Party Service Providers “that are capable of maintaining appropriate security measures” to protect personal information

2) Require Third Party Service Providers by contract to implement and maintain such measures

Massachusetts (cont.)

Computer system requirements in WISP:

1) Access control
   a) Restrict access to those who need it for performance
   b) Assign unique, non-vendor supplied IDs and passwords

2) Encryption
   a) Laptops/USB drives
   b) Blackberries/cell phones

3) User authentication
   a) Control use of IDs and passwords
   b) Block access after multiple unsuccessful attempts

4) Firewalls, malware protection, etc.

5) Education and training of employees

Massachusetts Regulations: Points to Consider

• Human element (errors, sloppy handling – not just hackers)

• Enforcement outside Massachusetts

• Currently no audit program

Nevada. S.B. 227 (amends NRS Chapter 603A; effective January 1, 2010).

Requirements. “Data collectors” doing business in Nevada must:

1. comply with Payment Card Industry Data Security Standards (PCI DSS) in any transaction where the business accepts a credit or other payment card for the sale of goods and services, AND

2. encrypt any personal information the business
   a. transfers, through an electronic, nonvoice transmission (other than fax), outside the business’ secure system, or
   b. moves, in any storage device, beyond the logical or physical controls of the business (or that of its data storage contractor).

Safe Harbor. No liability for damages in the event of a breach if the data collector is in compliance with the statute, and the breach is not caused by gross negligence or intentional misconduct of the data collector, its officers, employees, or agents.

III. Breach Notification: Obligations after a Suspected Breach

• Purpose: to alert affected persons (who may wish to take steps in protecting themselves from identity theft)

• Currently 45 states (including Maine) have security breach notification laws
• Financial Institutions

• Sarbanes-Oxley

• HIPAA

Breach Notification

• Generally speaking, these laws require any business in possession of protected personal information to disclose a breach of security to affected persons.

• Protected information is usually defined to include a person’s first name or initial plus last name AND SSN, driver’s license number, financial account or credit card number, DOB, other types of personal information susceptible to identity theft.

Breach Notification

Maine
• Title 10, Chapter 210-B
• 10 M.R.S.A. § 1348:

• If a person maintaining computerized data that includes personal information becomes aware of a breach of the security of the system, that person must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused AND must give notice of the breach following discovery or notification to State Resident if:

• Information Broker: personal information is reasonably believed to have been acquired by an unauthorized person

• Any other person: misuse of the personal information has occurred or it is reasonably possible that misuse will occur

• Personal information does not include (i) encrypted/redacted information or (ii) lawfully public information through government records, media, or third party insurance claims databases

• Unauthorized acquisition of computerized data compromising the security, confidentiality or integrity of personal information. Exception for good faith access by employees if not used for or subject to unauthorized disclosure.

Breach Notification

Maine
• Title 10, Chapter 210-B
• 10 M.R.S.A. § 1348: Notice

• Written

• Electronic Notice (pursuant to 15 USC §7001, requiring consent and specific disclosures)

• Substitute Notice: permitted if (i) notice will cost more than $5,000, (ii) more than 1,000 people are affected, or (iii) there is insufficient contact information; substitute notice is given by email AND website posting AND statewide media

Breach Notification

• Notice must be as expedient as possible and without unreasonable delay
  • delays permitted for law enforcement, to determine scope of breach, and to restore the reasonable integrity of the system

• Must notify (i) the Attorney General or (ii) the Department of Professional and Financial Regulation

• If more than 1,000 people affected, consumer reporting agencies must be notified

• Safe harbor for compliance with other Maine or federal laws, regulations, procedures or guidelines if notification requirements are as protective
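An added example, not part of the presentation: the Maine notice rules on the slides above encoded as a small Python triage routine that an incident responder could run against a breach record. The Breach record, its field names and the constructed sample breach are assumptions; which regulator to notify is kept as a single yes/no flag because the slides only say Attorney General or Department of Professional and Financial Regulation.

```python
from dataclasses import dataclass

# Thresholds as stated on the Maine slides (10 M.R.S.A. § 1348)
SUBSTITUTE_NOTICE_COST = 5_000     # substitute notice allowed if notice costs more than this
SUBSTITUTE_NOTICE_PEOPLE = 1_000   # ... or if more than this many people are affected
CRA_NOTICE_PEOPLE = 1_000          # consumer reporting agencies notified above this count


@dataclass
class Breach:
    """Constructed breach record; the field names are assumptions for this example."""
    affected_residents: int
    encrypted: bool                   # encrypted/redacted data is not "personal information"
    information_broker: bool          # information broker vs. "any other person" standard
    acquired_by_unauthorized: bool    # reasonably believed acquired by an unauthorized person
    misuse_reasonably_possible: bool  # misuse has occurred or is reasonably possible
    estimated_notice_cost: float
    have_contact_info: bool


def notice_required(b: Breach) -> bool:
    """Does the slides' trigger for notice to Maine residents apply?"""
    if b.encrypted:                   # outside the definition of personal information
        return False
    if b.information_broker:          # broker standard: unauthorized acquisition is enough
        return b.acquired_by_unauthorized
    return b.misuse_reasonably_possible   # everyone else: misuse occurred or reasonably possible


def notice_plan(b: Breach) -> dict:
    """Build the set of notices the slides call for; an empty plan if no notice is required."""
    plan = {"residents": notice_required(b), "channels": [], "regulator": False, "cra": False}
    if not plan["residents"]:
        return plan
    substitute_allowed = (
        b.estimated_notice_cost > SUBSTITUTE_NOTICE_COST
        or b.affected_residents > SUBSTITUTE_NOTICE_PEOPLE
        or not b.have_contact_info
    )
    if substitute_allowed:
        # Substitute notice is all three channels together, not any one of them
        plan["channels"] = ["email", "website posting", "statewide media"]
    else:
        # Written notice; electronic notice is also possible with 15 USC § 7001 consent
        plan["channels"] = ["written"]
    # Attorney General or Department of Professional and Financial Regulation
    plan["regulator"] = True
    plan["cra"] = b.affected_residents > CRA_NOTICE_PEOPLE
    return plan


# Constructed sample: a lost unencrypted laptop with 2,500 affected residents
SAMPLE_BREACH = Breach(affected_residents=2_500, encrypted=False, information_broker=False,
                       acquired_by_unauthorized=True, misuse_reasonably_possible=True,
                       estimated_notice_cost=12_000.0, have_contact_info=True)

if __name__ == "__main__":
    print(notice_plan(SAMPLE_BREACH))
```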

Breach Notification

Massachusetts
• Applies to any written, drawn, spoken, visual, or electromagnetic information, regardless of form or characteristics

• Substitute Notice: If (i) notice will cost more than $250,000, (ii) notice affects more than 500,000 residents, or (iii) there is insufficient contact information, then substitute notice is permitted through email, a conspicuous website posting, and statewide media

Breach Notification (Massachusetts)

• Notice to State Agencies:
  • Must include the nature of the breach, number of residents affected, steps that have been or will be taken

• Notice to residents:
  • Must include information on the right to a police report, the information required for a security freeze, and the fees that must be paid to a consumer reporting agency
  • Must NOT include the nature of the breach or number of residents affected

Breach Notification

States have inconsistent requirements
• Major issue if a business services customers in multiple states
  • Ex. New Hampshire: Notice must include a general description of the breach, the date of the breach, the type of information obtained, and a contact number

• Some issues to consider:
  • Types of information protected
  • Time limits on ability to delay notification
  • Penalties for failure to notify and private cause of action (CA)
  • Electronic v. paper records
  • Judgments as to whether there is a risk of identity theft
  • Exceptions for encrypted data
  • Form of notice
  • Jurisdiction
  • Safe harbors

IV. Enforcement and Litigation

FTC Enforcement after data breaches: Unfair Trade Practices

• Violation of Privacy Policies
  • In re Guess, Inc. & Guess.com, Inc. (June 18, 2003)

• Failure to Protect Information
  • In re DSW Inc. (Dec. 1, 2005)
  • In re BJ’s Wholesale Club, Inc. (June 16, 2005)

• Failure to Recognize Obvious Signs of Identity Theft
  • United States v. ChoicePoint, Inc. (N.D. Ga. Jan. 26, 2006)

Litigation

• Private Litigation

• Duty to protect is apparent; the Standard of Care is evolving
  • Wolfe v. MBNA America Bank, 485 F.Supp.2d 874 (W.D. Tenn. 2007)
  • Guin v. Brazos Higher Educ. Serv., 2006 WL 288483 (D. Minn. 2006)

• The biggest stumbling block: showing a compensable injury
  • Loss of information, threat of future loss, emotional distress, and prophylactic measures have been rejected as compensable injuries
  • A resulting, direct financial loss from identity theft appears to be required (at a minimum)
  • Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007)

Litigation

• Causes of Action Surviving 12(b)(6)

• Breach of implied contract
• Negligence
• Negligent Misrepresentation
• State Unfair Trade Practice Acts (FTC Consent Decrees have been deemed relevant)

Enforcement

• State Enforcement
  • In re Providence Health System (Ore. Sept. 26, 2006)
    • Theft of unencrypted backup tapes and discs
    • Three weeks before notification to OR AG

Enforcement

• Professional Obligations
  • N.J. Advisory Committee on Professional Ethics, Opinion 701 (2006)
  • Duty to take “reasonable affirmative steps” to prevent unauthorized access to client information

• Best Practices
  – Inventory your data, destroy what you don’t need
  – Involve senior management
  – Due diligence service providers
  – Be prepared for the inevitable breach
  – Remember that data security is a process

• Worst Practices
  – Don’t use or permit easy-to-guess User IDs & passwords
  – Don’t over-promise in your data security policy
  – Don’t act like you have something to hide
  – Don’t treat data security solely as an IT issue

THANK YOU

Any Questions?

Molly Callaghan, Verrill Dana, [email protected]

Alistair Raymond, Verrill Dana, [email protected]

(207) 774-4000