Action Guide for Data Security Breaches

July 2005

In recent months, frequent reports of data security breaches involving personal information of individuals in the United States have made headlines.  Beginning with news reports in February 2005 of the disclosure of a massive data loss at ChoicePoint, one of the largest US data brokers, reports of similar data security breaches continued through the spring months involving Bank of America, Household Bank, DSW Shoe Warehouse, and LexisNexis.  Most recently, MasterCard and VISA reported a data security breach involving a third-party processor that affected thousands of cardholders.  While it is logical to deduce from these reports that the security measures being used to protect Americans’ personal information are deficient, in fact the recent news reports and the massive publicity surrounding such breaches can be attributed to a California law that was passed in 2002 and became effective July 1, 2003.  This law requires that companies that do business in California must notify affected consumers if personal information maintained in computerized data files has been compromised by unauthorized access.  According to Beth Givens, Director of the Privacy Rights Clearinghouse: "In the past, companies usually did not notify their customers when their electronic data had been compromised, subsequently leaving them at risk for identity theft or financial fraud. Now individuals can take the appropriate proactive steps to safeguard their financial health when they learn that their information may have been accessed by hackers or unauthorized employees."

The California law applies to companies doing business in California, and its scope is quite broad.  Since there is no definition of what constitutes “doing business,” and California case law on the issue is not definitive, most companies have taken a conservative approach and have decided to notify if they have California residents as customers, even if they have no physical presence in the state.  “Personal information” is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:  (1) Social Security number,  (2) Driver's license number or California Identification Card number,  (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.  Notification must be sent in written form to the consumer, either by U.S. mail or electronically, unless the cost of such notice is too great, in which case the statute permits certain substitute notice procedures, including publication of notice in statewide media and conspicuous posting on the company’s web site.  Additional “best practices” guidance is available from the California Office of Privacy Protection (http://www.privacy.ca.gov/). 

Notifying only California residents of a data security breach may be a consideration, but given the publicity that often follows such a notification, good business sense dictates notification of all affected consumers, no matter what their state of residence.  Further, while California has been at the forefront in enacting consumer privacy protection measures, other states have begun to enact such measures as well.  In recent months Georgia, Minnesota, Montana, and North Dakota have enacted laws requiring both businesses and government agencies to report a breach of computer security to those individuals affected.  These laws have become effective or will be effective within the next six months.  Further, pending legislation in many other states would require such notification measures to be taken.

Additionally, numerous bills have been introduced during this session of the US Congress that would address the problem of unauthorized disclosure of consumer information, and attempt to provide further protections against identity theft.  Some impose restrictions on the disclosure and use of Social Security numbers; others would regulate information brokers and protect individual rights with respect to personally identifiable information; still others would either prohibit or regulate the distribution of personal information outside the United States without the individual’s prior consent.   Most notable is the Notification of Risk to Personal Data Act (S751), introduced by Senator Dianne Feinstein, which is patterned after the California law and would require notification to consumers of a security breach.  It is a good bet that one or more of these bills will be passed this year.

The federal banking regulators have also been proactive on the issue of notification of consumers of a security breach involving regulated financial institutions.  An Interpretative Guidance (the “Guidance”) recently issued by the banking regulatory agencies is instructive as to the appropriate response by an organization when faced with an unauthorized disclosure of its customers’ information.  Pursuant to Section 501(b) of the Gramm-Leach-Bliley Act, the federal banking regulators previously issued the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines,” formerly known as the “Interagency Guidelines Establishing Safeguards for Customer Information”).  These Security Guidelines direct every financial institution to develop an information security program, which shall include an assessment of risks to its information security.  In furtherance of the Security Guidelines, the Guidance was issued to assist financial institutions in developing their security programs.  The Guidance states that a financial institution has an affirmative duty to protect its customers’ information against unauthorized access, and that notifying its customers of unauthorized access to or use of the customer’s information is a key part of that duty.  To that end, as part of its security program, the financial institution must design a response program, including customer notification procedures, which a financial institution can follow in the event of unauthorized access to or use of nonpublic customer information.  The Guidance uses a two-part test:  1) Is the information “sensitive customer information”? and 2) Is misuse of the information reasonably possible?

With the goal of preventing substantial harm or inconvenience to customers, the Guidance places the following types of information within the definition of “sensitive customer information”:  a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account.  The definition also includes any combination of the aforementioned components of customer information that would allow someone to access the customer’s account.  This definition is notably similar to the definition of “personal information” in the California notification law, the unauthorized disclosure of which requires notification.

The Guidance permits the institution to assess the potential impact of the unauthorized disclosure or access in deciding its course of action.  It states that if the institution can determine that the misuse of the information is reasonably possible, it should notify all customers in the group.  However, if the institution can reasonably determine that the potential for misuse of the disclosed information is limited to a particular subgroup of the affected customers, it may limit its disclosure to those specific customers.  In contrast, the California law speaks in terms of a “breach of the security system,” and describes this as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.”  The California standard would appear to provide less latitude, since it bases the requirement for notification on the actual compromise or “breach” of the security, without allowing for the further analysis of whether there is a potential for misuse of the information.

The Guidance also requires that the notice be given in a clear and conspicuous manner, that it describe the incident generally and the type of customer information that was disclosed, and include an explanation as to what the institution has done to protect the customers’ information from further unauthorized access.  The telephone number of a contact at the institution should be included as well in the event the customer may desire further assistance.  Finally, the notice should remind customers of the need to remain vigilant over the next twelve to twenty-four months and to report any incidents of suspected identity theft to the institution.

Other points that the Guidance suggests may be addressed in the notice include:

Finally, the Guidance recommends that the notice be delivered in a timely manner, and by any means designed to ensure receipt, whether by telephone, email (if the institution has a valid email address and the customer has agreed to receive notice electronically), or regular U.S. Mail.  As noted above, the California law also provides for notice by U.S. or electronic mail, but provides for other alternatives if the cost is prohibitive.

Dealing with an unauthorized disclosure of consumer information can be a tumultuous experience for a business, particularly where the business believes it has been vigilant as to its security program and the preventive measures it has adopted to buttress that security.  But, as many businesses have learned and continue to learn, no security program is airtight.  A response program should always be a part of a business’s security program, and is in fact required of any financial institution subject to the Gramm-Leach-Bliley Act.  In the event of an unauthorized disclosure, a response program can provide structure and guidance that will facilitate a prompt and appropriate reaction, including notification where warranted.  While the Guidance discussed above is binding only upon financial institutions subject to regulation by the Office of the Comptroller of the Currency, the Federal Reserve, the Federal Deposit Insurance Corporation, or the Office of Thrift Supervision, it nevertheless provides a template for other types of businesses in structuring their own response programs.  Additionally, a business needs to review where its customers reside, in the event other state laws may be applicable.

Prompt and appropriate action in the wake of an unauthorized disclosure makes good business sense – it may reduce a business’s legal risk, and it is important to remember that every communication with a customer presents an opportunity.
