Legislative Update – Federal Data Breach Notification Bills Move Forward

July 30, 2007

After several years of fits and starts (and more than a few misfires), Congress appears to finally be making some headway towards enacting a federal data protection law that includes breach notification requirements.  Since 2005, following the highly publicized data security breaches at DSW Warehouse, ChoicePoint and LEXIS-NEXIS, various members of Congress have attempted to enact federal legislation that would protect personally identifiable information (PII).  Additionally, several of the bills would have been a welcome relief to businesses faced with data security breaches, which currently must comply with up to 36 state data breach notification laws, as well as numerous other related laws dealing with security freezes, data protection, and data retention and destruction.  Several of the current bills have actually been approved by the Judiciary Committee or by the Commerce Committee in the past two months, and are poised for consideration by the full Senate. 

On May 3, 2007, the Senate Judiciary Committee approved two bills and the Senate Commerce Committee approved one bill, each of which would impose notification obligations on businesses and federal agencies when PII maintained by such organizations has been breached or compromised, among other protections.  While this is the furthest point to which any of the previously introduced bills have advanced, whether the bills actually are passed remains to be seen, since various groups, including the National Association of Attorneys General, have raised significant concerns. 

S. 495, the “Personal Data Privacy and Security Act of 2007,” is sponsored by Senators Leahy and Specter.  It requires notice of a security breach without unreasonable delay, although those entities covered by the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) are excluded.  It also gives individuals the right to review their data broker files for a reasonable fee, plus the right to correct inaccuracies.  It requires that businesses that hold information on more than 10,000 U.S. persons establish administrative, technical and physical standards for safeguarding PII, and develop and implement those standards.  It does not go as far as some of the state legislation, which in some cases requires that periodic free credit reports be provided to individuals whose information was breached, nor does it address security freezes, a process whereby an individual can require a credit reporting agency to freeze any activity on the individual’s credit file where identity theft is suspected.  It displaces state laws related to notification of a security breach, individual access to and correction of personal electronic records held by data brokers, and administrative, technical and physical safeguards for PII.  It does, however, preserve state laws that provide for additional victim protection assistance.  Finally, it provides the state attorneys general with enforcement authority.  S. 495 provides for fines of $1,000 per day per individual, up to $1,000,000 per violation, and makes it a crime to “intentionally or willfully” conceal a security breach involving PII. 

S. 1178, the “Identity Theft Prevention Act,” is sponsored by Senators Inouye and Stevens.  This bill also requires notice of a security breach, but only where the breached entity determines that the breach creates a reasonable risk of identity theft, based upon whether the information can be accessed and is or could be usable.  Like S. 495, S. 1178 does not require that free credit reports be provided to individuals, nor does it address information maintained by data brokers.  However, it does require the development, implementation and enforcement of security protection plans.  And it goes further than S. 495 by including several other significant provisions.  For example, it allows all individuals to place a security freeze on their credit files for a fee, unless the individual is a victim of identity theft who requests the freeze in writing, is a senior citizen, or is a member of, or a spouse of a member of, the armed forces.  It also imposes restrictions on the solicitation and use of a Social Security number, except that the restrictions do not apply to government entities.  Just as with S. 495, S. 1178 displaces state laws regarding notification of security breaches, development and implementation of safeguards for protection of PII, state laws relating to collection and use of Social Security numbers, and those relating to security freezes, to the extent they are inconsistent with federal law.  This bill also provides for enforcement by the state attorneys general. 

S. 239 is sponsored by Senator Feinstein, and is called the “Notification of Risk to Personal Data Act of 2007.”  Like the other two bills, it provides for notification of individuals whose PII has been subjected to a security breach, and its breach notification requirements are substantially similar to those found in S. 495.  If more than 5,000 persons must be notified, the agency or company would need to coordinate with credit reporting agencies.  The bill would also require notice to the U.S. Secret Service if the breach involves the federal government, national security or law enforcement. 

All of the bills attempt to cover a lot of ground, and for that reason may run into roadblocks.  Additionally, given the Senate’s continued attention to Attorney General Gonzales and the Iraq war, it is too soon to say whether a privacy bill will pass Congress this session.  However, Senator Feinstein’s S. 239 likely has the best chance of being passed, since it limits itself to security breach notification alone.

Litigation Update – Federal Court Clarifies Requirements for Liability for Security Breach 

A recent federal court decision has provided some clarification to the murky area of claims for damages against the holder of the breached information.  In May 2007, the U.S. District Court for the Southern District of Ohio held that the cost incurred by the plaintiff to enroll in a credit protection program as a result of a data security breach by a mortgage loan service provider was not enough to support a claim for negligence against the service provider.  

When the defendant discovered that six unmarked hard drives had been stolen, four of which included personal information of former customers, including that of the plaintiff, it waited four weeks to send notice to the persons whose information was on the hard drives.  In the notice, it explained the type of information contained on the stolen hard drives, provided information about the FTC web site as a source for preventive measures against identity theft, and provided a toll-free telephone number for any questions.  The notice also recommended that the individuals place a fraud alert on their credit reports and provided the phone numbers for the three major credit reporting agencies. 

The plaintiff alleged that the defendant was negligent in its failure to adequately protect the nonpublic personal information of its customers and former customers, by failing to provide sufficient security for the facility where the hard drives were stored. The defendant challenged the allegations, describing the security measures it had in place, including limited access and password protection.

The plaintiff did not place a fraud alert on her credit report, as recommended; however, she experienced no unauthorized use of her personal information following the theft of the hard drives.  Prior to the theft of the hard drives, the plaintiff had enrolled in a “Wallet Protection Program” through her bank; following the theft of the hard drives, she added an additional service of credit report monitoring at a cost of $12.99 per month.  

In analyzing the plaintiff’s negligence claim, the court found that a threat of future harm was not a sufficient injury to support the “injury” element of a negligence claim.  The court cited other federal district court cases to support its ruling that in the identity theft context, courts have consistently held that “an alleged increase in risk of future injury is not an ‘actual or imminent’ injury.”  The plaintiff must show a present injury or reasonably certain future injury to sustain a claim.  Kahle v. Litton Loan Servicing, LP, 2007 WL 1461790 (S.D. Ohio May 16, 2007). 

State Regulatory Update – State Attorneys General Flex Their Muscle

Two developments from state attorneys general offices reveal that these elected officials have discovered that the security breach notification laws of their states provide an opportunity to raise their offices’ profiles. 

New York Attorney General Andrew Cuomo has recently utilized the powers of his office to enforce New York’s Information Security Breach and Notification Law against a Chicago-based claims management company (the “Company”), in the wake of a security breach that affected 540,000 New Yorkers.  Unfortunately for the Company, the requirement to give notification applied even though the FBI had determined that the computer had been stolen by a cleaning company employee, had been recovered, and that no data on the stolen computer had been accessed. 

The security breach arose out of a missing computer that contained the names and addresses of workers’ compensation benefits claimants.  Despite the fact that the breach occurred in early May of 2006, the Company did not send notice to the owner of the missing information and the FBI until six weeks thereafter.  At the request of the FBI, to prevent impeding its investigation, the Company delayed sending notification to affected persons, but notified several New York state agencies at that time, including the Attorney General’s office, as required by the New York law.  Two weeks thereafter, with the permission of the FBI, the Company sent notices of the security breach to the New Yorkers potentially affected by the theft, even though there was absolutely no risk of harm to those consumers.  This is consistent with New York law, which does not condition the notification requirement on there being a reasonable cause to believe there is a risk of identity theft or other fraud, as in some states.  Attorney General Andrew Cuomo imposed a fine on the company, stating that the company was in violation of the law for failing to promptly notify the individuals affected, since at the time they discovered the theft, the Company had sufficient cause to believe the information in the missing computer had been acquired by unauthorized persons.  

In the matter of the much publicized ChoicePoint security breach, the Connecticut Attorney General recently announced a settlement with ChoicePoint that was joined by 43 other states’ attorneys general.  ChoicePoint is in the business of collecting and maintaining personally identifiable information on consumers.  Under the settlement agreement, ChoicePoint agreed to adopt significantly stronger security measures, including obtaining written certification from its clients as to their security procedures.  In some cases ChoicePoint is required to make on-site visits to verify the legitimacy of its client companies before it permits access to the information.  Additionally, ChoicePoint is required to conduct periodic audits to ensure that its client companies are using the information for legitimate purposes.  Finally, ChoicePoint will pay $500,000 to the states in fines, substantially less than the $10 million in civil penalties and $5 million in consumer redress imposed on ChoicePoint by the FTC.  

The settlement by ChoicePoint with the attorneys general has raised the standard for information companies by requiring protections for such information that had previously only been required of companies for financial information.