January 27, 2012


Data Breach Legislation for 2012

By Ellen O’Laughlin

In anticipation of Data Privacy Day on January 28, 2012, KFP provides these highlights on the federal effort to enact a uniform standard for data breach notification, updates on newly enacted state laws, and information on the Privacy Rights Clearinghouse's new online complaint center.

Introduction


Data breaches continue to occur and have the potential to affect the personal information of a large number of individuals. The Privacy Rights Clearinghouse estimates that at least 500 million sensitive records have been compromised nationwide since 2005. Many sensitive records were compromised in 2011 alone, including multiple breaches of Sony servers (among them its PlayStation Network) and various third-party organizations hit by random attackers.

Just recently, Zappos, an online retailer, experienced a breach where hackers accessed the personal information of potentially 24 million of its customers. The personal information included names, addresses, phone numbers and email addresses. Scrambled passwords and the last four digits of customers’ credit cards were also exposed.  In another high-profile data security breach, a computer hacker penetrated the databases of the online marketing firm Epsilon, compromising name and email address information about the customers of scores of major U.S. businesses, including Target, Citigroup, and Walgreens, and affecting the privacy of millions of U.S. consumers.


Given the concerns over identity theft and misuse of an individual's personal information, it is more important than ever that individuals be notified, in the event of a data breach, that their personal information may have been compromised.

Forty-seven states have already enacted data breach notification laws. And because a recent amendment to the Texas data breach notification law reaches beyond Texas' borders and requires notice wherever an affected individual lives, businesses will likely be required to provide notification of a data breach to all affected individuals, wherever they may live.

Efforts to Pass a Federal Law


Many have called for a federal law that would provide uniform standards and procedures when providing notice of data breaches and also preempt state laws.  The Obama administration proposed legislation in May 2011 intended to simplify and standardize the existing patchwork of 47 state laws that contain data breach reporting requirements.  


Four bills now pending in the U.S. Senate would require notification to individuals in the event of a data breach and would provide a uniform standard across the country. Three bills passed out of the Judiciary Committee in September of 2011 and one is still pending in the Commerce Committee. The three bills that cleared the Senate Judiciary Committee were proposed by Chairman Leahy, S.1151, Senator Blumenthal, S.1535, and Senator Feinstein, S.1408. The fourth bill proposed by Senators Pryor and Rockefeller, S.1207, is still pending in the Commerce Committee.  All bills would replace existing state data breach notification laws with a uniform federal rule requiring most businesses and government agencies to notify individuals of a breach.


The three bills that passed through the Judiciary Committee did so strictly along party lines, with no Republicans voting in favor of them. There is no indication when or if these bills will be voted upon or consolidated, or whether any activity will occur at all in 2012. Several bills are also pending in the House, but the full committee has not acted upon them. Given the controversy and the party-line split, it seems unlikely that much consideration will be given to these data breach notification bills during this election year.

The bills would require firms to safeguard personal data collected from consumers and would establish a national data breach notification law. Businesses that maintain personally identifiable information on 10,000 or more Americans must develop a personal data privacy and security program to regularly assess, manage and control risks, train employees, test regularly for vulnerabilities, require overseas outsourcing partners to secure the data, and periodically assess the program's effectiveness. Victims must be notified of a breach within 60 days by telephone or e-mail unless the organization can show that the breach did not pose a significant risk of harm or that disclosure would threaten a criminal investigation. Businesses must also post a media notice and alert credit reporting agencies if the breach involves 5,000 or more individuals.

All three bills include provisions that would relieve businesses and agencies from breach notification if they conduct a risk assessment and conclude that the breach poses no significant risk of identity theft, economic loss or physical harm to individuals. If businesses and agencies conclude there is no significant risk of harm arising from the breach, they must share the results of the risk assessment with the Federal Trade Commission (FTC), a critical safeguard against companies conducting slipshod risk assessments. This "notification as default" or "notify unless there is no harm" approach is thought superior to a "notify only if there is harm" model of breach notification.

Senator Blumenthal’s bill, the Personal Data Protection and Breach Accountability Act of 2011, would also set up a process to help companies establish appropriate minimum security standards to safeguard sensitive consumer information and require companies to notify individuals promptly after a data breach.  It also includes health information, using language that resembles California state law.  The Leahy and Feinstein bills do not include health information. The Blumenthal bill also gives the FTC authority to modify certain definitions to keep pace with technology, but the Leahy and Feinstein bills do not.


An amendment to Senator Leahy’s data breach bill included a “data minimization” provision, requiring businesses to establish a plan to minimize the amount of personal information the business retains and to delete what is no longer needed to fulfill a (unspecified) business purpose or legal obligation.  Eliminating unnecessary data, as part of a comprehensive data security plan, lowers the risk of breaches happening in the first place and reduces the severity of breaches when they occur.


Senator Leahy's bill also includes amendments to the Computer Fraud and Abuse Act and increases the penalties for computer crimes. A provision was also included to ensure that the law is not used against people who merely violate website terms of service; it would prevent everyday activities from being prosecuted as felonies, such as a father logging onto his son's Facebook account to check up on him, or a 17-year-old clicking through a screen requiring him to be 18 years old in order to shop for clothes online.

Senator Feinstein's Data Breach Notification Act would require federal agencies and businesses that "engage in interstate commerce" who possess data containing sensitive personally identifiable information to disclose any breaches.


Senator Leahy had introduced similar measures in 2005, 2007 and 2009 which had gone through the Judiciary Committee but failed to get enough votes in the full Senate to become law. Leahy noted that in past years, privacy legislation received bipartisan support. If the Republicans continue to object to the bills, it’s possible the cyber-security bill will fail in the Senate. Sen. Chuck Grassley (R-Iowa) warned that the bills could result in "over-notification" that would desensitize consumers to the dangers of identity theft. The bills also would be a burden on small businesses, according to Grassley. "Under this bill, we may end up with more burdensome regulations, small businesses forced into bankruptcy, jobs lost and consumers still going unprotected because the over-notifications will be ignored," Grassley said in a statement referencing Feinstein's bill.


Congress has considered data breach legislation several times before, so the chances that any of the current bills will be enacted are unclear. Data breach and computer crimes issues could be wrapped into cybersecurity legislation that Senate leadership is prioritizing, but cybersecurity legislation itself faces significant hurdles to enactment.


The problems of data breach and lax information security are only growing more prevalent but the chances of a uniform standard being implemented for 2012 are unclear.


States Strengthen Data Breach Notification Requirements


Meanwhile, as efforts to enact a federal law have stalled, states continue to enact and modify their own data breach notification requirements.

California, which enacted the nation’s first data breach notification law in 2002, recently passed its own legislation strengthening and clarifying requirements for notifying individuals when personal information has been compromised.


The law, which took effect on January 1, 2012, updates California's current data breach notification law by requiring organizations to include in the breach notification letters the specifics of the security incident and advice on steps customers should take. The bill also includes provisions mandating that if the security breach affected 500 or more people, the organization must submit a copy of the letter to the state attorney general's office.


The breach notification letters must include information such as the type of personal information exposed, a description of what happened, time of the breach, and toll-free telephone numbers and addresses of major credit reporting agencies in California, according to the new law. The original law did not specify what information had to be included in the letters. The new law also requires the letters to be sent "in the most expedient time possible and without unreasonable delay."


Even though the law applies only to California residents affected by the breach, it will have an impact across state lines. Organizations are not likely to issue two sets of letters, one for California residents and one for other states, after a data breach. Organizations will have to adjust their data breach notification policies to make sure they are including the information required under California law for future incidents.


Texas expanded its data breach protection to all individuals, not just Texas residents, and now requires that notification be made to all affected individuals regardless of where they live. Effective September 1, 2012, any person who "conducts business" in the state of Texas and owns or licenses computerized data that includes sensitive personal information is required to give notice to any "individual" (changed from "resident of this state") whose personal information may have been acquired through an unauthorized acquisition of that computerized data. This notice must be given to all affected individuals whether or not the individual's own state requires it.

By broadening its law, Texas has now protected the privacy information of individuals who reside in states that may not require notification following a breach of security of computerized data.  Texas requires notification upon the discovery of a data breach regardless of whether any harm stems from the breach. (This requirement differs from the bills pending in the Senate.)


This law is worded broadly enough to potentially affect a large number of businesses that deal with or conduct business in the state of Texas. If a company sells its products in Texas and other states, that company may be required to properly notify all customers of a breach or face a lawsuit by the Texas Attorney General. (An issue that may arise is whether Texas has the authority to penalize a business for not providing notice to a resident of another state, but until that issue is litigated or otherwise challenged, this law stands.)

Illinois amended its data breach notification law effective January 1, 2012; the amendments are designed to increase protections for Illinois residents.

The amendments detail exactly what must be included in a notice to Illinois residents affected by the breach of security. The notice must set forth: toll-free numbers, addresses, and website addresses for consumer reporting agencies and the Federal Trade Commission; and a statement that the affected Illinois resident can obtain information from these sources regarding fraud alerts and security freezes.  The notification, however, shall not include the number of Illinois residents affected by the breach.


The Act continues to require notification to the affected Illinois residents within the most expedient time possible unless law enforcement agencies determine that timely notification will interfere with a criminal investigation.  In that case State or local governments can delay notification. Finally, the Act requires proper disposal of paper documents and electronic media containing personal information. Paper documents must be redacted, burned, pulverized or shredded and electronic media must be destroyed or erased. Violations of the Act with respect to improper disposal of information containing personal information may result in civil penalties of up to $50,000.


Other states are more than likely to follow California's path and increase notification requirements unless a national cybersecurity law is enacted by the United States Congress.

The Privacy Rights Clearinghouse Has Launched Its Online Complaint Center


The Privacy Rights Clearinghouse, a nonprofit consumer organization based in California that advocates for and helps consumers protect their private information, announced the launch of its new online complaint center. The Privacy Rights Clearinghouse ("PRC") builds on its history of troubleshooting and responding to consumers' complaints and questions regarding a wide variety of privacy issues, including background checks, debt collection, data breaches, financial information, and online data brokers.

The PRC found, through research from the University of California, that consumers are concerned about data collection and want greater control over their personal information but don't know to whom to complain. Consequently, the PRC created the online complaint center to serve as a clearinghouse for consumer privacy complaints. Through this online complaint center, PRC staff will provide personalized information to consumers, review and respond to every complaint, and offer information and strategies to the consumer as well as the opportunity to escalate the complaint to attorneys, public authorities and the media. The PRC will also be able to identify trends and report on privacy-related issues and policy. More information, and the submission of actual complaints, can be found at its website, privacyrights.org.

For more information on this topic, please contact Ellen O’Laughlin,

eolaughlin@kfplegal.com
