
DATA SECURITY REGULATION, IDENTITY THEFT, AND PROTECTION OF PERSONAL INFORMATION


Presentation Transcript


  1. DATA SECURITY REGULATION, IDENTITY THEFT, AND PROTECTION OF PERSONAL INFORMATION Business Law Institute Augusta, Maine September 25, 2009 Molly Callaghan Alistair Raymond Verrill Dana, LLP

  2. I. History and Background

  3. Identity theft and data breach statistics
  • EU Directive (October 24, 1995)
  • Gramm-Leach-Bliley Act (Pub. L. 106-102; November 12, 1999)
  • HIPAA “Security Rule” (health care; 45 CFR 164; February 20, 2003)
  • FISMA (federal government agencies; 44 USC 3541, 2002)
  • Sarbanes-Oxley (publicly traded companies; ’34 Act Rule 13a-15)
  • FTC and State AG Enforcement Actions

  4. II. Current Federal and State Regulation: Protection of Personal Information

  5. FTC Red Flags Rule. 16 CFR 681
  • Requirements. Any “Financial Institution” or “Creditor” that offers or maintains “Covered Accounts” is required to develop written identity theft prevention and detection programs to identify, detect, prevent, and respond appropriately to identity theft “Red Flags.”
  • Compliance Deadline = November 1, 2009

  6. FTC Red Flags Rule. 16 CFR 681 (cont.)
  • “Creditor” = a person who “regularly extends, renews, or continues credit,” including the right to purchase property or services and defer payment.

  7. FTC Red Flags Rule. 16 CFR 681 (cont.)
  • “Covered Account” = “(1) [a]n account . . . primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions . . .”

  8. FTC Red Flags Rule. 16 CFR 681 (cont.)
  • “Covered Account” = “. . . or (2) [a]ny other account . . . for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

  9. FTC Red Flags Rule. 16 CFR 681 (cont.)
  • “Identity Theft” = “a fraud committed or attempted using the identifying information of another person without authority.”
  • “Identifying Information” = “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person . . .” 16 C.F.R. § 603.2

  10. FTC Red Flags Rule. 16 CFR 681 (cont.)
  • “Red Flags” = a pattern, practice, or specific activity that indicates the possible existence of identity theft.

  11. What is a Red Flag?
  • Red Flags should be identified from (at least) the following sources:
    • Prior incidents of identity theft
    • Methods of identity theft identified generally
    • Applicable supervisory and regulatory guidance

  12. What is a Red Flag?
  • Requires a case-by-case analysis
  • Presentation of suspicious documents
  • Suspicious account activity
  • Complaints from customers regarding bills for services they never received
  • Personal information presented by a customer does not match prior records
  • Fraud alert or suspicious activity on a consumer report

  13. FTC Red Flags Rule
  • Program with reasonable policies and procedures for the following:
    • Identifying Red Flags relevant to your business
    • Detecting Red Flags
    • Responding appropriately to Red Flags to prevent and mitigate identity theft
    • Periodically updating your program

  14. FTC Red Flags Rule (cont.)
  • What written procedures are appropriate when a Red Flag is detected?
    • Monitor the account
    • Request supporting documentation
    • Notify law enforcement
    • Close an account
    • Limit account access
    • CALL THE CUSTOMER!

  15. FTC Red Flags Rule (cont.)
  • Are you a Financial Institution or Creditor?
    • If yes, you must periodically determine whether you offer or maintain Covered Accounts
  • Do you offer or maintain Covered Accounts?
    • If yes, you must have a “written identity theft prevention program”

  16. FTC Red Flags Rule (cont.)
  • Can you delegate to IT? NO!
  • The Rule is risk-focused, not technology-focused
  • The initial program must be approved by the board of directors
  • Senior management must be involved in oversight, development, implementation and administration
  • Training
  • Oversight of third party service providers

  17. FTC Red Flags Rule (cont.)
  • Hot Issue: What is a creditor?
  • Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5) and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
  • Credit - the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.
  • Creditor - any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

  18. FTC Red Flags Rule (cont.)
  • Hot Issue: What is a creditor?
  • 11 Million Businesses Affected
  • Not impacted by the collection of personal information
  • Health Providers
  • Attorneys

  19. FTC Enforcement
  • If you are a Creditor, the Rule applies to all Covered Accounts, not just those involving credit
  • FTC is unlikely to (but may) enforce the rule against:
    • Businesses that know their customers personally
    • Industries with a low incidence of identity theft
  • Unfair Trade Practice
    • Premier Capital Lending, Inc. (Dec. 10, 2008)
    • You don’t have to be BJ’s
  • Third Party Service Providers

  20. Massachusetts Data Security Regulations, 201 CMR 17.00 (Regulations promulgated by the Office of Consumer Affairs and Business Regulation)
  • Compliance Deadline = March 1, 2010
  • Applies to = every person that owns or licenses personal information about a Massachusetts resident
  • Requirement = develop, implement, and maintain a comprehensive, written information security program (WISP) applicable to any records containing personal information about a MA resident

  21. Massachusetts Regulations
  • Top cause of ID theft in Massachusetts = lost and stolen laptops
  • Of 368 reported incidents of security breaches in Massachusetts:
    • 220 (60%) resulted from criminal/unauthorized acts (high incidence of stolen or lost laptops)
    • 77 involved data that had been password-protected
    • 11 involved encrypted data

  22. Every person that owns or licenses personal information about a Massachusetts resident must develop, implement, and maintain a comprehensive, written information security program (WISP) applicable to any records containing such information.
  • “Personal information” = MA resident’s first name and last name, or first initial and last name, in combination with any one or more of the following that relate to such resident:
    • SSN
    • Driver’s license number or state ID number
    • Financial account number, credit or debit card number
  • DOES NOT INCLUDE: information that is lawfully obtained from publicly available sources, or from federal, state, or local records lawfully made available to the general public

  23. Massachusetts Regulations: The WISP
  • establishes minimum standards for safeguarding electronic and written records containing personal information
  • administrative, technical, and physical safeguards
  • tailored

  24. Massachusetts (cont.) The WISP must include at least:
  • Designate one or more employees to maintain the WISP
  • Identify and assess reasonably foreseeable internal and external risks to records containing personal information
  • Develop security policies for employees relating to storage, access, and transportation of records containing personal information
  • Impose disciplinary measures for violation of WISP rules
  • Prevent access by terminated or unauthorized employees

  25. Massachusetts (cont.) The WISP must include at least:
  • Reasonable restrictions on physical access to records containing personal information
  • Regular monitoring
  • Reviewing the scope of security measures at least annually or whenever there is a material change in business practices
  • Documenting responsive actions taken in connection with a security breach

  26. Massachusetts (cont.) The WISP must include at least:
  *** Oversee Third Party “Service Providers”
  • Take reasonable steps to select and retain Third Party Service Providers “that are capable of maintaining appropriate security measures” to protect personal information
  • Require Third Party Service Providers by contract to implement and maintain such measures

  27. Massachusetts (cont.) Computer system requirements in WISP:
  • Access control
    • Restrict access to those who need it for performance
    • Assign unique, non-vendor supplied IDs and passwords
  • Encryption
    • Laptops/USB drives
    • Blackberries/cell phones
  • User authentication
    • Control use of IDs and passwords
    • Block access after multiple unsuccessful attempts
  • Firewalls, malware protection, etc.
  • Education and training of employees

  28. Massachusetts Regulations: Points to Consider
  • Human element (errors, sloppy handling – not just hackers)
  • Enforcement outside Massachusetts
  • Currently no audit program

  29. Nevada. S.B. 227 (amends NRS Chapter 603A; effective January 1, 2010).
  • Requirements. “Data collectors” doing business in Nevada must:
    • Comply with the Payment Card Industry Data Security Standard (PCI DSS) in any transaction where the business accepts a credit or other payment card for the sale of goods and services, AND
    • Encrypt any personal information the business transfers, through an electronic, nonvoice transmission (other than fax), outside the business’ secure system, or moves, in any storage device, beyond the logical or physical controls of the business (or that of its data storage contractor).
  • Safe Harbor. No liability for damages in the event of a breach if the data collector is in compliance with the statute, and the breach is not caused by gross negligence or intentional misconduct of the data collector, its officers, employees, or agents.

  30. III. Breach Notification: Obligations after a Suspected Breach

  31. Purpose: to alert affected persons (who may wish to take steps to protect themselves from identity theft)
  • Currently 45 states (including Maine) have security breach notification laws
  • Financial Institutions
  • Sarbanes-Oxley
  • HIPAA

  32. Breach Notification
  • Generally speaking, these laws require any business in possession of protected personal information to disclose a breach of security to affected persons.
  • Protected information is usually defined to include a person’s first name or initial plus last name AND SSN, driver’s license number, financial account or credit card number, DOB, or other types of personal information susceptible to identity theft.

  33. Breach Notification: Maine
  • Title 10, Chapter 210-B
  • 10 M.R.S.A. § 1348:
  • If a person maintaining computerized data that includes personal information becomes aware of a breach of the security of the system, that person must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused AND must give notice of the breach following discovery or notification to a State Resident if:
    • Information Broker: personal information is reasonably believed to have been acquired by an unauthorized person
    • Any other person: misuse of the personal information has occurred or it is reasonably possible that misuse will occur

  34. Breach Notification: Maine (cont.)
  • Personal information does not include (i) encrypted/redacted information or (ii) information lawfully made public through government records, media, or third party insurance claims databases

  35. Breach Notification: Maine (cont.)
  • “Breach of the security of the system” = unauthorized acquisition of computerized data compromising the security, confidentiality or integrity of personal information.
  • Exception for good faith access by employees if not used for or subject to unauthorized disclosure.

  36. Breach Notification: Maine (cont.) Notice
  • Written
  • Electronic Notice (pursuant to 15 USC § 7001, requiring consent and specific disclosures)
  • Substitute Notice: permitted if (i) notice will cost more than $5,000, (ii) more than 1,000 people are affected, or (iii) there is insufficient contact information; substitute notice is given by email AND website posting AND statewide media

  37. Breach Notification
  • Notice must be as expedient as possible and without unreasonable delay
    • delays permitted for law enforcement, to determine the scope of the breach, and to restore the reasonable integrity of the system
  • Must notify (i) the Attorney General or (ii) the Department of Professional and Financial Regulation
  • If more than 1,000 people are affected, consumer reporting agencies must be notified
  • Safe harbor for compliance with other Maine or federal laws, regulations, procedures or guidelines if notification requirements are as protective

  38. Breach Notification: Massachusetts
  • Applies to any written, drawn, spoken, visual, or electromagnetic information, regardless of form or characteristics
  • Substitute Notice: If (i) notice will cost more than $250,000, (ii) notice affects more than 500,000 residents, or (iii) there is insufficient contact information, then substitute notice is permitted through email, a conspicuous website posting, and statewide media

  39. Breach Notification (Massachusetts)
  • Notice to State Agencies:
    • Must include the nature of the breach, number of residents affected, and steps that have been or will be taken
  • Notice to residents:
    • Must include information on the right to a police report, the information required for a security freeze, and the fees that must be paid to a consumer reporting agency
    • Must NOT include the nature of the breach or number of residents affected

  40. Breach Notification: States have inconsistent requirements
  • Major issue if a business services customers in multiple states
  • Ex. New Hampshire: Notice must include a general description of the breach, the date of the breach, the type of information obtained, and a contact number
  • Some issues to consider:
    • Types of information protected
    • Time limits on ability to delay notification
    • Penalties for failure to notify and private cause of action (CA)
    • Electronic v. paper records
    • Judgments as to whether there is a risk of identity theft
    • Exceptions for encrypted data
    • Form of notice
    • Jurisdiction
    • Safe harbors

  41. IV. Enforcement and Litigation

  42. FTC Enforcement after data breaches: Unfair Trade Practices
  • Violation of Privacy Policies
    • In re Guess, Inc. & Guess.com, Inc. (June 18, 2003)
  • Failure to Protect Information
    • In re DSW Inc. (Dec. 1, 2005)
    • In re BJ’s Wholesale Club, Inc. (June 16, 2005)
  • Failure to Recognize Obvious Signs of Identity Theft
    • United States v. ChoicePoint, Inc. (N.D. Ga. Jan. 26, 2006)

  43. Litigation
  • Private Litigation
  • Duty to protect is apparent; the Standard of Care is evolving
    • Wolfe v. MBNA America Bank, 485 F.Supp.2d 874 (W.D. Tenn. 2007)
    • Guin v. Brazos Higher Educ. Serv., 2006 WL 288483 (D. Minn. 2006)
  • The biggest stumbling block: showing a compensable injury
    • Loss of information, threat of future loss, emotional distress, and prophylactic measures have been rejected as compensable injuries
    • A resulting, direct financial loss from identity theft appears to be required (at a minimum)
    • Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007)

  44. Litigation
  • Causes of Action Surviving 12(b)(6)
    • Breach of implied contract
    • Negligence
    • Negligent Misrepresentation
    • State Unfair Trade Practice Acts (FTC Consent Decrees have been deemed relevant)

  45. Enforcement
  • State Enforcement
    • In re Providence Health System (Ore. Sept. 26, 2006)
      • Theft of unencrypted backup tapes and discs
      • Three weeks before notification to OR AG

  46. Enforcement
  • Professional Obligations
    • N.J. Advisory Committee on Professional Ethics, Opinion 701 (2006)
    • Duty to take “reasonable affirmative steps” to prevent unauthorized access to client information

  47. Best Practices
  • Inventory your data, destroy what you don’t need
  • Involve senior management
  • Due diligence on service providers
  • Be prepared for the inevitable breach
  • Remember that data security is a process
  Worst Practices
  • Don’t use or permit easy-to-guess User IDs & passwords
  • Don’t over-promise in your data security policy
  • Don’t act like you have something to hide
  • Don’t treat data security solely as an IT issue

  48. THANK YOU. Any Questions? Molly Callaghan, Verrill Dana, LLP, mcallaghan@verrilldana.com; Alistair Raymond, Verrill Dana, LLP, araymond@verrilldana.com; (207) 774-4000
