DATA SECURITY REGULATION, IDENTITY THEFT, AND PROTECTION OF PERSONAL INFORMATION Business Law Institute Augusta, Maine September 25, 2009 Molly Callaghan.
1 DATA SECURITY REGULATION, IDENTITY THEFT, AND PROTECTION OF PERSONAL INFORMATION
Business Law Institute, Augusta, Maine, September 25, 2009
Molly Callaghan, Alistair Raymond, Verrill Dana, LLP

2 I. History and Background

3 Identity theft and data breach statistics
EU Directive (October 24, 1995)
Gramm-Leach-Bliley Act (Pub. L ; November 12, 1999)
HIPAA “Security Rule” (health care; 45 CFR 164; February 20, 2003)
FISMA (federal government agencies; 44 USC 3541, 2002)
Sarbanes-Oxley (publicly traded companies; ’34 Act Rule 13a-15)
FTC and State AG Enforcement Actions

4 II. Current Federal and State Regulation: Protection of Personal Information

5 FTC Red Flags Rule. 16 CFR 681 Requirements.
Any “Financial Institution” or “Creditor” that offers or maintains “Covered Accounts” is required to develop written identity theft prevention and detection programs to identify, detect, prevent, and respond appropriately to identity theft “Red Flags.”
Compliance Deadline = November 1, 2009

6 FTC Red Flags Rule. 16 CFR 681 Requirements. (cont.)
“Creditor” = a person who “regularly extends, renews, or continues credit,” including the right to purchase property or services and defer payment.

7 FTC Red Flags Rule. 16 CFR 681 Requirements. (cont.)
“Covered Account” = “(1) [a]n account... primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions...”

8 FTC Red Flags Rule. 16 CFR 681 Requirements. (cont.)
“Covered Account” = “... or (2) [a]ny other account... for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

9 FTC Red Flags Rule. 16 CFR 681 Requirements. (cont.)
“Identity Theft” = “a fraud committed or attempted using the identifying information of another person without authority.”
“Identifying Information” = “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person...” 16 C.F.R. § 603.2

10 FTC Red Flags Rule. 16 CFR 681 Requirements. (cont.)
“Red Flags” = a pattern, practice, or specific activity that indicates the possible existence of identity theft.

11 What is a Red Flag?
Red Flags should be identified from (at least) the following sources:
Prior incidents of identity theft
Methods of identity theft identified generally
Applicable supervisory and regulatory guidance

12 What is a Red Flag?
Requires a case-by-case analysis
Presentation of suspicious documents
Suspicious account activity
Complaints from customers regarding bills for services they never received
Personal information presented by a customer does not match prior records
Fraud alert or suspicious activity on a consumer report

13 FTC Red Flags Rule
Program with reasonable policies and procedures for the following:
Identifying Red Flags relevant to your business
Detecting Red Flags
Responding appropriately to Red Flags to prevent and mitigate identity theft
Periodically update your program

14 FTC Red Flags Rule (cont.)
What written procedures are appropriate when a Red Flag is detected?
Monitor the account
Request supporting documentation
Notify law enforcement
Close an account
Limit account access
CALL THE CUSTOMER!

15 FTC Red Flags Rule (cont.)
1) Are you a Financial Institution or Creditor?
a) If yes, you must periodically determine whether you offer or maintain Covered Accounts
2) Do you offer or maintain Covered Accounts?
a) If yes, you must have a “written identity theft prevention program”

16 FTC Red Flags Rule (cont.)
Can you delegate to IT? NO! The Rule is risk-focused, not technology-focused
The initial program must be approved by the board of directors
Senior management must be involved in oversight, development, implementation and administration
Training
Oversight of third party service providers

17 FTC Red Flags Rule (cont.)
Hot Issue: What is a creditor?
Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5) and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
Credit - the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.
Creditor - any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

18 FTC Red Flags Rule (cont.)
Hot Issue: What is a creditor?
11 Million Businesses Affected
Not impacted by the collection of personal information
Health Providers
Attorneys

19 FTC Enforcement
If you are a Creditor, the Rule applies to all Covered Accounts, not just those involving credit
FTC is unlikely to (but may) enforce the rule against:
Businesses that know their customers personally
Industries with a low incidence of identity theft
Unfair Trade Practice
Premier Capital Lending, Inc. (Dec. 10, 2008)
You don’t have to be BJ’s
Third Party Service Providers

20 Massachusetts Data Security Regulations 201 CMR (Regulations promulgated by the Office of Consumer Affairs and Business Regulation)
Compliance Deadline = March 1, 2010
Applies to = every person that owns or licenses personal information about a Massachusetts resident
Requirement = develop, implement, and maintain a comprehensive, written information security program (WISP) applicable to any records containing personal information about a MA resident

21 Massachusetts Regulations
Top cause of ID theft in Massachusetts = lost and stolen laptops
Of 368 reported incidents of security breaches in Massachusetts,
–220 (60%) resulted from criminal/unauthorized acts (high incidence of stolen or lost laptops)
–77 involved data that had been password-protected
–11 involved encrypted data

22 Every person that owns or licenses personal information about a Massachusetts resident must develop, implement, and maintain a comprehensive, written information security program (WISP) applicable to any records containing such information.
“Personal information” = MA resident’s first name and last name, or first initial and last name, in combination with any one or more of the following that relate to such resident:
SSN
Driver’s license number or state ID number
Financial account number, credit or debit card number
DOES NOT INCLUDE: information that is lawfully obtained from publicly available sources, or from federal, state, or local records lawfully made available to general public

23 Massachusetts Regulations
The WISP establishes minimum standards for safeguarding electronic and written records containing personal information
administrative, technical, and physical safeguards tailored

24 Massachusetts (cont.)
The WISP must include at least:
a) Designate one or more employees to maintain WISP
b) Identify and assess reasonably foreseeable internal and external risks to records containing personal information
c) Develop security policies for employees relating to storage, access, and transportation of records containing personal information
d) Impose disciplinary measures for violation of WISP rule
e) Prevent access by terminated or unauthorized employees

25 Massachusetts (cont.)
The WISP must include at least:
f) Reasonable restrictions on physical access to records containing personal information
g) Regular monitoring
h) Reviewing the scope of security measures at least annually or whenever there is a material change in business practices
i) Documenting responsive actions taken in connection with a security breach

26 Massachusetts (cont.)
The WISP must include at least:
*** Oversee Third Party “Service Providers”
1) Take reasonable steps to select and retain Third Party Service Providers “that are capable of maintaining appropriate security measures” to protect personal information
2) Require Third Party Service Providers by contract to implement and maintain such measures

27 Massachusetts (cont.)
Computer system requirements in WISP:
1) Access control
a) Restrict access to those who need it for performance
b) Assign unique, non-vendor supplied IDs and passwords
2) Encryption
a) Laptops/USB drives
b) Blackberries/cell phones
3) User authentication
a) Control use of IDs and passwords
b) Block access after multiple unsuccessful attempts
4) Firewalls, malware protection, etc.
5) Education and training of employees

28 Massachusetts Regulations: Points to Consider
Human element (errors, sloppy handling – not just hackers)
Enforcement outside Massachusetts
Currently no audit program

29 Nevada. S.B. 227 (amends NRS Chapter 603A; effective January 1, 2010).
Requirements. “Data collectors” doing business in Nevada must:
1. Comply with Payment Card Industry Data Security Standards (PCI DSS) in any transaction where the business accepts a credit or other payment card for the sale of goods and services, AND
2. Encrypt any personal information the business
a. transfers, through an electronic, nonvoice transmission (other than fax), outside the business’ secure system, or
b. moves, in any storage device, beyond the logical or physical controls of the business (or that of its data storage contractor).
Safe Harbor. No liability for damages in the event of a breach if the data collector is in compliance with the statute, and the breach is not caused by gross negligence or intentional misconduct of the data collector, its officers, employees, or agents.

30 III. Breach Notification: Obligations after a Suspected Breach

31 Purpose: to alert affected persons (who may wish to take steps in protecting themselves from identity theft)
Currently 45 states (including Maine) have security breach notification laws
Financial Institutions
Sarbanes-Oxley
HIPAA

32 Breach Notification
Generally speaking, these laws require any business in possession of protected personal information to disclose a breach of security to affected persons.
Protected information is usually defined to include a person’s first name or initial plus last name AND SSN, driver’s license number, financial account or credit card number, DOB, or other types of personal information susceptible to identity theft.

33 Breach Notification Maine Title 10, Chapter 210-B 10 M.R.S.A. § 1348:
If a person maintaining computerized data that includes personal information becomes aware of a breach of the security of the system, that person must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused AND must give notice of the breach following discovery or notification to State Resident if:
Information Broker: personal information is reasonably believed to have been acquired by an unauthorized person
Any other person: misuse of the personal information has occurred or it is reasonably possible that misuse will occur

34 Breach Notification Maine Title 10, Chapter 210-B 10 M.R.S.A. § 1348 (cont.)
Personal information does not include (i) encrypted/redacted information or (ii) lawfully public information through government records, media, or third party insurance claims databases

35 Breach Notification Maine Title 10, Chapter 210-B 10 M.R.S.A. § 1348 (cont.)
Unauthorized acquisition of computerized data compromising the security, confidentiality or integrity of personal information.
Exception for good faith access by employees if not used for or subject to unauthorized disclosure.

36 Breach Notification Maine Title 10, Chapter 210-B 10 M.R.S.A. § 1348: Notice
Written
Electronic Notice (pursuant to 15 USC §7001, requiring consent and specific disclosures)
Substitute Notice: permitted if (i) will cost greater than $5,000, (ii) more than 1,000 people affected, or (iii) insufficient contact information, then notice permitted by AND website posting AND statewide media

37 Breach Notification
Notice must be as expedient as possible and without unreasonable delay; delays permitted for law enforcement, to determine scope of breach, and to restore the reasonable integrity of the system
Must notify (i) the Attorney General or (ii) the Department of Professional and Financial Regulation
If more than 1,000 people affected, consumer reporting agencies must be notified
Safe harbor for compliance with other Maine or federal laws, regulations, procedures or guidelines if notification requirements are as protective

38 Breach Notification Massachusetts
Applies to any written, drawn, spoken, visual, or electromagnetic information, regardless of form or characteristics
Substitute Notice: If (i) notice will cost more than $250,000, (ii) notice affects more than 500,000 residents, or (iii) there is insufficient contact information, then substitute notice is permitted through , a conspicuous website posting, and statewide media

39 Breach Notification (Massachusetts)
Notice to State Agencies: Must include the nature of the breach, number of residents affected, steps that have been or will be taken
Notice to residents: Must include information on the right to a police report, the information required for a security freeze, and the fees that must be paid to a consumer reporting agency; Must NOT include the nature of the breach or number of residents affected

40 Breach Notification
States have inconsistent requirements
Major issue if a business services customers in multiple states
Ex. New Hampshire: Notice must include a general description of the breach, the date of the breach, the type of information obtained, and a contact number
Some issues to consider:
Types of information protected
Time limits on ability to delay notification
Penalties for failure to notify and private cause of action (CA)
Electronic v. paper records
Judgments as to whether there is a risk of identity theft
Exceptions for encrypted data
Form of notice
Jurisdiction
Safe harbors

41 IV. Enforcement and Litigation

42 FTC Enforcement after data breaches
Unfair Trade Practices
Violation of Privacy Policies: In re Guess, Inc. & Guess.com, Inc. (June 18, 2003)
Failure to Protect Information: In re DSW Inc. (Dec. 1, 2005); In re BJ’s Wholesale Club, Inc. (June 16, 2005)
Failure to Recognize Obvious Signs of Identity Theft: United States v. ChoicePoint, Inc. (N.D. Ga. Jan. 26, 2006)

43 Litigation
Private Litigation
Duty to protect is apparent; the Standard of Care is evolving
Wolfe v. MBNA America Bank, 485 F.Supp.2d 874 (W.D. Tenn. 2007)
Guin v. Brazos Higher Educ. Serv., 2006 WL (D. Minn. 2006)
The biggest stumbling block: showing a compensable injury
Loss of information, threat of future loss, emotional distress, and prophylactic measures have been rejected as compensable injuries
A resulting, direct financial loss from identity theft appears to be required (at a minimum)
Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007)

44 Litigation
Causes of Action Surviving 12(b)(6)
Breach of implied contract
Negligence
Negligent Misrepresentation
State Unfair Trade Practice Acts (FTC Consent Decrees have been deemed relevant)

45 Enforcement
State Enforcement
In re Providence Health System (Ore. Sept. 26, 2006)
Theft of unencrypted backup tapes and discs
Three weeks before notification to OR AG

46 Enforcement
Professional Obligations
N.J. Advisory Committee on Professional Ethics, Opinion 701 (2006)
Duty to take “reasonable affirmative steps” to prevent unauthorized access to client information

47 Best Practices
–Inventory your data, destroy what you don’t need
–Involve senior management
–Due diligence service providers
–Be prepared for the inevitable breach
–Remember that data security is a process
Worst Practices
–Don’t use or permit easy-to-guess User IDs & passwords
–Don’t over-promise in your data security policy
–Don’t act like you have something to hide
–Don’t treat data security solely as an IT issue

48 THANK YOU
Any Questions?
Molly Callaghan, Verrill Dana, LLP
Alistair Raymond, Verrill Dana, LLP
(207)