
Page 1: Data Security Breaches: The Growing Liability Threat (media.straffordpub.com/products/data-security...)

Data Security Breaches: The Growing Liability Threat

Crafting and Implementing Policies to Prevent and Respond to Inadvertent Disclosures

presents

A Live 90-Minute Teleconference/Webinar with Interactive Q&A

Today's panel features:

Jonathan T. Rubens, Of Counsel, Bullivant Houser Bailey, San Francisco

Catherine D. Meyer, Counsel, Pillsbury Winthrop Shaw Pittman, Los Angeles

Aaron P. Simpson, Hunton & Williams, New York

Thursday, February 11, 2010

The conference begins at: 1 pm Eastern, 12 pm Central, 11 am Mountain, 10 am Pacific

CLICK ON EACH FILE IN THE LEFT HAND COLUMN TO SEE INDIVIDUAL PRESENTATIONS.

You can access the audio portion of the conference on the telephone or by using your computer's speakers. Please refer to the dial-in/log-in instructions emailed to registrants.

If no column is present: click Bookmarks or Pages on the left side of the window.

If no icons are present: Click View, select Navigational Panels, and choose either Bookmarks or Pages.

If you need assistance or to register for the audio portion, please call Strafford customer service at 800-926-7926 ext. 10


Reproduced with permission from Privacy & Security Law Report, Vol. 6, No. 14, 04/02/2007, pp. 559-562. Copyright © 2007 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

Since 2005, there have been reports of over 500 U.S. security breaches. Proactive incident response planning can help minimize the impact when and if a breach occurs. The authors provide advice on responding to and managing a data breach, including information on state law variations, relevant stakeholders, and tips on actual notification.

A How-To Guide to Information Security Breaches

BY LISA J. SOTTO AND AARON P. SIMPSON

Contrary to what the headlines suggest, information security breaches are not a new phenomenon. What is new is that we are hearing about them in record numbers. While consumers are newly focused on information security due to the emergence of e-commerce, the reason security breaches now seem ubiquitous is a result of the development of a body of state laws requiring companies to notify affected individuals in the event of a breach. The differing requirements of over 35 state security breach notification laws make legal compliance a challenge for organizations operating on a national level.

Background

Since 2005, there have been reports of over 500 security breaches, many of which have involved the most respected organizations in the United States.[1] In fact, the number of reported incidents does not begin to define the actual number of breaches that have occurred in the United States during the past two years. From universities to government agencies to Fortune 500 companies, no industry sector has been spared. These breaches have run the gamut from lost backup tapes and laptops, to hacking incidents, to organized crime. The reported breaches are estimated to have exposed personal information contained in over 100 million records. Consequently, a significant percentage of the American public has received notification that the security of their personal information has been breached. Indeed, it seems that hardly a day goes by without a new press report of a significant security breach.

[1] See Privacy Rights Clearinghouse, “A Chronology of Data Breaches,” available at http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited March 27, 2007).

Lisa Sotto heads the Privacy and Information Management Practice at Hunton & Williams LLP and is a partner in the New York office. She is also vice chairperson of the DHS Data Privacy and Integrity Advisory Committee. Sotto may be contacted at [email protected]. Aaron P. Simpson is an associate in the Privacy and Information Management Practice at Hunton & Williams, New York. He may be contacted at [email protected].

PRIVACY & SECURITY LAW REPORT, A BNA, INC. PUBLICATION. COPYRIGHT © 2007 BY THE BUREAU OF NATIONAL AFFAIRS, INC., WASHINGTON, D.C. 20037 ISSN 1538-3423


State Security Breach Notification Laws

Public awareness was not focused in earnest on security breaches until 2005, fully two years after California enacted a law requiring organizations to notify affected Californians of a security breach.[2] At the time of enactment, few understood the enormous implications of that law. Since 2005, 35 other states, as well as New York City, Washington, D.C. and Puerto Rico, have jumped on the bandwagon and enacted breach notification laws of their own. In addition, numerous federal security breach bills have been proposed. With no clear frontrunner, it is hard to predict when a federal law might be passed, though a federal preemptive law appears likely.

At the state level, the duty to notify individuals affected by a breach generally arises when there is a reasonable belief that unencrypted, computerized sensitive personal information has been acquired or accessed by an unauthorized person. Typically, the state laws define “personal information” to include an individual’s first name or first initial and last name, combined with one of the three following data elements:

• Social Security number;

• driver’s license or state identification card number, or

• financial account, credit or debit card number, along with a required password or access code.

Unfortunately, entities struggling with a potential breach must look beyond the language of the “typical” state law in the event of a national, or even multi-state, incident. The variations among state breach notification laws greatly complicate the legal analysis as to whether the breach laws are triggered with respect to a particular event. Because most breaches impact individuals in multiple jurisdictions, companies often must take a “highest common denominator” approach to achieve legal compliance.

Key areas of variation among state breach notification laws include:

• Affected Media: Under most state breach laws, notification is required only if “computerized” data has been accessed or acquired by an unauthorized individual. In some states, however, including North Carolina, Hawaii, Indiana and Wisconsin, organizations that suffer breaches involving paper records are required to notify affected individuals.

• Definition of “Personal Information”: Breach notification laws in some states expand the definition of personal information to include data elements such as medical information (Arkansas, Puerto Rico), biometric data (Nebraska, North Carolina, Wisconsin), digital signatures (North Carolina, North Dakota), date of birth (North Dakota), employee identification number (North Dakota), mother’s maiden name (North Dakota), and tribal identification card numbers (Wyoming).

• Notification to State Agencies: Many states require entities that have suffered a breach to notify state agencies. Currently, the states that require such notification include Hawaii, Maine, New Hampshire, New Jersey, New York, North Carolina and Puerto Rico. In Puerto Rico, organizations must notify the state government within ten days of detecting a breach. In New Jersey, the breach notification law requires entities to notify the state police prior to notifying affected individuals.

• Notification to Credit Reporting Agencies: While the threshold for notification differs among the state laws, many states require organizations that suffer a breach to notify the three national consumer reporting agencies (Equifax, Experian and Transunion). Among the states with this requirement, the state with the lowest threshold requires notification to the credit reporting agencies in the event 500 state residents must be notified in accordance with the notification requirement.

• Timing of Notification to Affected Individuals: Most state notification laws require notification to affected individuals within “the most expedient time possible and without unreasonable delay.” Some states, such as Ohio, Florida and Wisconsin, require notification within 45 days of discovering the breach.

• Harm Threshold: Some states (e.g., Indiana, Michigan, Ohio, Rhode Island, Utah and Wisconsin) require notification of affected individuals only if there is a reasonable possibility of identity theft. Other states (e.g., Colorado, Idaho, Kansas, Maine, New Hampshire, New Jersey and Vermont) do not require notification unless it has been determined that misuse of the information has occurred or is reasonably likely to occur. And in other states (e.g., Arkansas, Florida, Hawaii and Louisiana) notification is not required unless there is a reasonable likelihood of harm to customers. For organizations that suffer multi-state security breaches, any harm threshold is irrelevant as a practical matter because many state breach notification laws do not contain such a threshold.

Federal Enforcement

In addition to the compliance maze at the state level, the Federal Trade Commission (FTC) has enforcement authority in the privacy arena pursuant to Section 5 of the FTC Act.[3] Section 5 of the FTC Act prohibits unfair or deceptive trade practices. The FTC recently has brought a number of enforcement actions pursuant to Section 5 stemming from security breaches. In fact, most of the enforcement actions brought by the FTC in the privacy arena have resulted from security issues. Some of the more noteworthy FTC enforcement actions stemming from security breaches have included those against BJ’s Wholesale Club, CardSystems, ChoicePoint and DSW.

The CardSystems case highlights the significant reputational risk associated with privacy events generally, and security breaches in particular. In this case, over 40 million credit and debit card holders’ information was accessed by hackers leading to millions of dollars in fraudulent purchases. In its enforcement action, the FTC alleged that the company’s failure to take appropriate action to protect personal information about millions of consumers was tantamount to an unfair trade practice. As part of its settlement with the FTC, CardSystems agreed to implement a comprehensive information security program and conduct audits of the program biennially for 20 years. The real punishment, however, was the reputational damage the company suffered in the wake of the breach. Both Visa and Discover severed their relationship with CardSystems and the company ultimately was sold to an electronic payment company in Silicon Valley.

[2] Cal. Civ. Code § 1798.82 (2006).

[3] 15 U.S.C. § 45 (2005).

As our society becomes increasingly information-dependent, it is likely that there will be an increase in FTC enforcement associated with security breaches. In fact, in response to heightened consumer concern and an increased need for regulatory oversight in this arena, the FTC recently established a new division of Privacy and Identity Protection. This signals a new FTC focus on data privacy and security, along with what will likely be a concomitant increase in enforcement.

Managing a Data Breach

If a possible breach occurs, it is critical to determine as quickly as possible whether the event triggers a requirement to notify affected individuals. To make this determination, organizations must be able to answer the following questions:

1. What information was involved? Does the compromised information meet the definition of “personal information” under any of the state breach notification laws? As discussed above, certain states have adopted expansive definitions of “personal information” for purposes of their breach notification laws. These broader definitions must be considered in analyzing the information involved in the event.

2. Was the information computerized? In most states, only incidents involving computerized information require individual notification. But special attention should be paid to the laws in those states in which notification is required for incidents involving personal information in any form, including paper.

3. Was the information encrypted? Encryption is available as a safe harbor under every extant state security breach notification law. Importantly, all of the relevant laws are technology-neutral, meaning they do not prescribe specific encryption technology. If the information is maintained in an unreadable format, then it may be considered encrypted for purposes of the state breach laws. Encryption does not, however, include password-protection on equipment such as desktop computers, laptop computers and portable storage devices. As a result, many organizations have been required to notify affected individuals when laptop computers subject to password-protection have been lost or stolen.

4. Is there a reasonable belief that personal information was accessed or acquired by an unauthorized person? If an entity has a reasonable belief that the information was compromised by an unauthorized person, notification is required. Note that a number of state breach notification laws contain a harm threshold whereby notification is not required unless there is reasonable possibility of harm, misuse or identity theft (see above). Organizations should be wary of relying on harm thresholds, however, because they are not included in many state breach laws and thus may not be available in the event of a multi-state breach.

Because breaches come in all shapes and sizes, many of them require significant technical analysis to answer these questions. Organizations often must enlist the assistance of highly skilled forensic investigators to assist with the evaluation of their systems.

Recognize the Stakeholders

Once an organization has determined that the breach notification laws have been triggered, it is important to understand the panoply of stakeholders throughout the breach process. Depending on the type of organization involved, the potential universe of stakeholders is extensive and may include:

• Affected individuals: Individuals affected by a security breach are the primary focus for every organization during the notification process. Although the breach may not have occurred as a result of any misdeeds by the organization suffering the breach, in the eyes of consumers, employees and other affected individuals, the organization is responsible for the data it collects and maintains. As a result, regardless of the circumstances, an organization suffering a security breach should be appropriately helpful and respectful to individuals whose data may have been compromised.

• Board of Directors/Senior Management: Information security is no longer an area of a company that is relegated to the dusty basement. Front-page headlines and stock drops stemming from early security breaches made sure of that. It is often advisable to involve the Board of Directors (or its equivalent) and senior management soon after learning of a security breach affecting the organization.

• Law Enforcement: Depending on the nature of the event, it may be important to report the security breach to law enforcement authorities for purposes of conducting an investigation. The state security breach laws allow organizations to delay notifying affected individuals pending a law enforcement investigation. New Jersey’s breach notification law makes it a legal requirement to notify law enforcement prior to notifying affected individuals.

• State and Federal Regulators: In addition to the laws’ requirements to notify state regulators, organizations should give serious consideration to notifying the FTC in the event of a significant security breach. Proactively notifying the FTC, while not a legal requirement, provides an organization with the opportunity to frame the circumstances of the breach and provide appropriate context. Because the FTC will undoubtedly learn about every significant security breach, organizations are well-advised to tell the story themselves rather than have the FTC learn about the breach from unfavorable media reports.

• Financial Markets: For publicly-traded companies, some security breaches rise to the level of reportable events. In these cases, it may be necessary to notify the Securities and Exchange Commission and the relevant exchange of the breach.

• Payment Card Issuers: To the extent payment cards are involved, it is often essential to consult the card issuers as early as possible in the process. Organizations should review their contractual obligations with the card issuers because there are likely to be provisions relevant to a security breach. In addition, the card issuers may require organizations suffering breaches to file formal incident reports. Depending on the scope of the breach, the card issuers also may require that an independent audit be conducted by their own auditors.

• Employees: In some cases, employees of the organization should be notified of an incident affecting customers. Many employees care deeply about the entity for which they work. To the extent the organization’s reputation may be tarnished by the event, employees will not want to be left in the dark about the incident.

• Shareholders: Public companies that suffer breaches must consider their shareholders in the aftermath of a breach. The investor relations department should be mobilized in the event of a significant breach to respond to investors’ concerns.

• Auditors: In some cases, security breaches may need to be reported to a company’s auditors.

• Public: Security breaches often ignite the passions of the public at-large. In managing the process of notification, organizations should give careful consideration to the anticipated public response to the incident. In many cases, it is helpful to work with experienced public relations consultants. The risk to an organization’s reputation stemming from a security breach far exceeds the risk associated with legal compliance. Thus, it is imperative in responding to a security breach to consider measures that will mitigate the harm to an organization’s reputation.

Timing of Notification

Once the extent and scope of the incident have been defined and it is determined that notification is required, the next step is to notify affected individuals. Most state security breach laws require organizations that suffer a breach to notify affected individuals “in the most expedient time possible and without unreasonable delay.” In several states, notification is required within 45 days of the date the incident was discovered. Under both timeframes, the date of actual notification may be delayed by the exceptions available in most states for law enforcement investigations and restoring system security.

Pursuant to the law enforcement exception, notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Thus, if law enforcement has requested such a delay, the clock does not start ticking on notification until after the agency determines that notification will not compromise the investigation.

As to the exception for restoring system security, notification to affected individuals may be delayed to provide the affected organization time to take any security measures that are necessary to determine the scope of the breach and to restore the “reasonable integrity of the system.” Organizations should not take this exception lightly—notification to consumers of a system vulnerability may tip off copycat fraudsters to a system weakness they can exploit. Thus, prior to notifying affected individuals, it is essential for organizations suffering security breaches to restore the integrity of their systems.

Entities that rely on either the law enforcement or system security exception should document such reliance. In Hawaii, such documentation is a legal requirement.

Notification to Individuals

Letters to individuals notifying them of a possible compromise of their personal information should be simple, free of jargon and written in plain English. Entities would be well-advised to avoid legalistic phrases and any attempt to pin blame elsewhere. Organizations that have been most favorably reviewed by individuals following a breach are those that have accepted responsibility and provided useful information to recipients. (A breach notification letter is not the place for marketing!)

Organizations should keep in mind that, in addition to impacted individuals, the notification letter will likely be scrutinized by numerous interested parties, including regulators, plaintiffs’ lawyers and the media. As a result, it is essential to strike the appropriate tone while at the same time providing a meaningful amount of substance.

There is a growing de facto standard, depending on the information breached, for the types of “offerings” companies are making to affected individuals in their notice letters. These offerings typically include:

• Credit Monitoring: In the event a Social Security number or some other form of identification that may contain a Social Security number (such as a driver’s license number or a military identification card number) has been compromised, it has become standard to offer affected individuals one year of credit monitoring services. Depending on the size of the breach, this can be a significant cost for companies.

• Free Credit Report: Separate and apart from credit monitoring, organizations should inform affected U.S. individuals that they are entitled to one free credit report annually from each of the three national credit reporting agencies.

• Fraud Alert: Organizations also may want to recommend that affected individuals place a fraud alert on their credit file for additional protection. There is no charge for this service. Because fraud alerts can have a significant impact on a consumer’s day-to-day purchase habits, most organizations simply suggest to consumers that this is an option rather than insist they take such action.

In addition to the standard offerings, the letter should describe the details of the security breach. For obvious reasons, these details should never include the specific affected payment card or Social Security numbers impacted by the breach. Instead of providing this detail, it is most effective to explain what happened and what the organization is doing to help individuals affected by the breach. In many cases, this means providing the individual with information about credit monitoring and other information about how they may protect themselves. Also, it may be necessary to establish a call center (with trained agents) to handle consumer response to the incident.

As a general rule, if an organization is required to notify in a few jurisdictions, it is recommended that it notify in all jurisdictions (often this includes foreign countries). With few exceptions, this has become standard in the privacy realm. A few companies that suffered early security breaches after California passed its law were torched by the media and subjected to severe criticism by irate state attorneys general for notifying affected Californians but not affected residents of other states without breach notification laws. The collective experience of these companies highlights an important, but often misunderstood, concept: technical compliance with law is necessary but not sufficient in the privacy arena. Privacy events are hot button social issues that often transcend mere legal compliance. Indeed, the risk to an organization’s reputation and revenues often far exceeds the risk associated with non-compliance with breach laws. As a result, organizations responding to a breach should focus on doing the right thing as opposed to doing only those things that are required by law.

Lessons Learned

Security breach notification laws have brought information security issues into the spotlight. While no information security is perfect, proactive incident response planning can help minimize the impact when and if a breach occurs. Such planning includes inventorying the entity’s databases that contain sensitive personal information, understanding how sensitive personal information flows through the organization, conducting ongoing risk assessments for internal and external risk to the data and responding to reasonably foreseeable risks, maintaining a comprehensive written information security program, and developing a breach response procedure. Given that a recent survey of 31 breaches ranging in size from 2,500 records to 263,000 records conducted by the Ponemon Institute found that the average cost of responding to a security breach was $182 per lost customer record with an average total cost of $4.8 million, the stakes are higher than ever for companies to focus on their information security programs.[4]

Most importantly, concern and respect for information security should be integrated into the organization’s core values. A breach response plan alone, without demonstrable organizational concern for information security generally, exposes the organization to significant risk. With the stakes as high as they are, all organizations should be taking a closer look at their information security practices.

[4] See Ponemon Institute, “2006 Annual Study: Cost of a Data Breach” (October 2006).


Thursday, September 18, 2008

FOR METRO AREA IN-HOUSE COUNSEL

New York

Surviving an FTC Investigation After a Data Breach

By Lisa J. Sotto and Aaron P. Simpson

Most large companies have likely experienced numerous information security incidents in the recent past. Given the high number of state security breach notification laws, incidents requiring notification have become relatively commonplace. These incidents range from the most innocuous to the most malicious—from a simple theft of an employee’s laptop or a vendor’s loss of backup tapes to a rogue employee stealing customer credit card data, a phishing attempt or a large-scale system intrusion.

Companies that have experienced information security breaches are required to notify not only the individuals whose personal information was impacted but also numerous state regulators. Rather than end the process there, however, in an increasing number of cases, breach notification triggers a new process: an investigation of the company’s privacy and information security practices by the U.S. Federal Trade Commission (FTC).

When a company notifies affected individuals of a security breach, the information quickly becomes public. Security breaches garner not only the attention of the media, but also the attention of the consumer advocacy community. Since 2005, the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, has maintained a publicly available Web site containing a chronology of reported security breaches. See http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Aug. 19, 2008).

The chronology currently provides details on more than 1,000 breaches impacting more than 236 million records containing sensitive personal information. Given the publicity, it should come as no surprise that a byproduct of the notification requirement is increased awareness by regulators at both the state and federal levels. Most prominently, this has resulted in increased investigatory activity by the FTC.

FTC Authority

Since 1999, the FTC has asserted its jurisdiction in the privacy and information security arena pursuant to §5 of the FTC Act. See 15 USC §45 (2007). Section 5 states that the FTC is empowered to “prevent persons, partnerships, or corporations…from using…unfair or deceptive acts or practices in or affecting commerce.” Id. at §45(a)(2). The FTC investigates and enforces data privacy and security incidents under both the “deceptiveness” prong and the “unfairness” prong of §5.

The ‘Deceptiveness’ Prong. Between 1999 and 2005, FTC enforcement in the privacy and information security arena focused primarily on the “deceptiveness” prong of §5. A “deceptive” trade practice in the privacy context typically involves inaccurate or untrue representations to the public regarding a company’s information practices. In practice, these representations are made in Web site privacy notices, which California law requires many companies to post. See Calif. Bus. & Prof. Code §§22575-22579 (2005). The FTC has brought a number of enforcement actions against companies for failing to honor representations made in their Web site privacy notices, including enforcement actions against GeoCities, ToySmart.com, Eli Lilly, Microsoft and Gateway Learning Corporation (“Gateway”).

The FTC’s enforcement action against Gateway typifies this line of cases. In Gateway, the company’s Web site privacy notice originally indicated that the company did not sell, rent or loan personal information about its customers to any third party without explicit consent. After collecting personal information from customers under this privacy notice, Gateway changed its policy to indicate that it would share the information with third parties without notifying customers or obtaining their consent. The new policy offered customers the opportunity to opt out of Gateway’s disclosure of personal information to third parties.

The FTC charged Gateway with violating §5 of the FTC Act by making false claims in its privacy statement and deceptively changing its policy without notifying consumers. The FTC required, among other things, that Gateway obtain opt-in consent from customers prior to disclosing personal information to third parties and to disgorge the money it had earned from renting consumer information without explicit consent under the revised policy. See Gateway Learning Corp., FTC Decision and Order, Docket No. C-4120, at http://www.ftc.gov/os/caselist/0423047/040917do0423047.pdf (last visited Aug. 18, 2008).

The ‘Unfairness’ Prong. Starting in 2005, the FTC began to expand its jurisdiction in the privacy and information security context by focusing on information security breaches using the “unfairness” prong of §5. The timing of the FTC’s enhanced scrutiny was perhaps not coincidental; it commenced soon after the vast majority of states passed breach notification laws in 2005. Rather than using companies’ Web site privacy statements as its sole enforcement hook, the FTC’s use of the “unfairness” principle provided the agency with a way to significantly expand its consumer protection powers, resulting in its highest-profile data security cases to date, including those against BJ’s, ChoicePoint, CardSystems, DSW, TJX and Reed Elsevier. These cases undoubtedly were prompted by the publicity generated as a result of the state breach notification laws.

Lisa J. Sotto is a partner and head of the privacy and information management practice at Hunton & Williams in the New York office. She is also vice chair of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. Aaron P. Simpson is an associate with the firm in the New York office in the privacy and information management practice.

FTC Enforcement Actions

From beginning to end, an FTC investigation and enforcement action against a company as a result of a data security incident can take over two years and cost the target company millions of dollars in legal and consulting fees. Once the initial process is complete, the FTC often imposes obligations on target companies that last decades into the future.

An FTC enforcement action generally begins with an investigation. Following a data breach, the agency typically sends an access letter to the target company, inquiring into the company’s information security practices. The access letter consists of numerous questions and requests, including inquiries concerning:

• the personal information the company processes on behalf of consumers;
• the steps the company has taken to secure personal information it processes; and
• information related to the incident that led to the investigation, including the production of all documents relating to the incident.

Based on the information it receives in response to the access letter and any follow-up inquiries, the FTC will decide whether to bring a formal enforcement action. If the FTC chooses to bring an action, it provides to the target company, after a series of discussions, a Draft Complaint and Proposed Consent Order. These documents do not become part of the public record unless and until they are accepted by a vote of the five FTC commissioners. This vote typically takes place 30 days after the Draft Complaint and Proposed Consent Order are provided to the target company. Assuming the FTC commissioners accept the Proposed Consent Order, it is subject to public comment for 30 more days, after which the FTC commissioners decide whether to make the Proposed Consent Order final. If they decide to make it final, the FTC formally issues its Complaint and enters its Decision and Order, which typically occurs approximately two months after the end of the public comment period.

Complying With an FTC Order

When the Order becomes final, about four to six months after the Draft Complaint and Proposed Consent Order are provided to the target company, the company’s substantive obligations officially begin. The FTC typically requires target companies to establish and implement, no later than the date the Order is issued, a comprehensive information security program to protect consumer personal information. “Personal information” typically is defined broadly to include data such as name and address. The FTC requires that this information security program, which must be fully documented in writing, contain specific administrative, technical and physical safeguards.

Administrative safeguards include (i) privacy and information security policies and procedures, (ii) information security and awareness training, and (iii) the implementation of reasonable steps to select and retain service providers that will have access to personal information. Technical safeguards are security measures that dictate how technology within the company should be used to protect personal information, including implementing (i) mechanisms to control internal and external risks to the security, confidentiality and integrity of personal information and (ii) security measures to prevent unauthorized access to personal information transmitted over electronic communications networks. Physical safeguards are security measures designed to protect information systems from unauthorized intrusions, including limiting physical access to information systems and the facilities where they are housed.

Given how ubiquitous this requirement to implement administrative, technical and physical safeguards has become in FTC orders, it is imperative that companies subject to an FTC investigation get a head start on this process, as it can take far longer than the four to six months allotted by the FTC to develop such a program. Establishing or enhancing an information security program presents unique challenges. The development of a solid program requires an in-depth understanding of the flow of personal information throughout the organization, from its collection or creation to its ultimate disposition. This information about data flow forms the foundation of any successful information security program.

Developing and implementing an information security program are only the beginning of the target company’s substantive obligations under an FTC Order. Within six months after service of the Order, the FTC requires the target company to file a formal written report setting forth the manner and form in which it has complied with the Order. For most companies that have experienced an FTC enforcement action, this means months of drafting and consultation with the many relevant stakeholders within the organization.

In addition to requiring the target company to submit its own written report on compliance, the FTC also requires the company to obtain a third-party assessment within two months after filing the company’s report. This assessment must be conducted by a qualified, objective, independent third-party professional and it must (i) set forth the administrative, technical and physical safeguards implemented and maintained by the target company during the first six months after service of the Order; (ii) explain how such safeguards are appropriate to the target company’s size and complexity, the nature and scope of the company’s activities, and the sensitivity of the personal information collected from or about consumers; (iii) explain how the safeguards that have been implemented meet or exceed the protections required by the FTC Order; and (iv) certify that the target company’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality and integrity of personal information is protected.

The target company must provide this assessment, as well as all plans, reports, studies, reviews, audits, audit trails, policies, training manuals and assessments, whether prepared by or on behalf of the target company, to the FTC within 10 days after the independent assessment has been prepared.

Continuing Obligations

While the independent assessment marks the end of the immediate obligations imposed on the target company, the FTC typically imposes continuing obligations on companies subject to an Order. These obligations include:

• Conducting third-party assessments biennially for 20 years and retaining the written assessments and all materials relating to the assessments until the Order is terminated.
• Maintaining, and making available to the FTC for five years, a copy of each document relating to compliance with the terms and provisions of the Order.
• Delivering for 10 or more years a copy of the Order to all future principals, officers, directors and managers of the company, and to all future employees and other representatives having supervisory responsibilities with respect to the subject matter of the Order.

In most cases, the FTC Order terminates 20 years from the date of its issuance, or 20 years from the most recent date the FTC files a complaint in federal court alleging any violation of the Order, whichever comes later. The continuing obligations required by an FTC Consent Order mean that the target company is beholden to the FTC in nearly all aspects of its operations for decades after the Order is issued. The toll on employees responsible for compliance with the Order and the financial burden associated with compliance cannot be underestimated.

Conclusion

The sharp uptick in FTC enforcement activity (along with a concurrent increase in state enforcement activity) sends a strong message: in today’s digital economy, the privacy and security of personal information must be assured. This new focus on personal data as a company asset to be carefully safeguarded requires focus at the highest levels of management. Given the ubiquity of customer and employee personal information, and the FTC’s broad jurisdiction to enforce against companies that fail to take serious steps to protect the data entrusted to them, the message to secure data is one every U.S. company should heed.

Reprinted with permission from the September 18, 2008 edition of the GC New York © 2008 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited. For information, contact 877.257.3382 or [email protected]. ALM is now Incisive Media, www.incisivemedia.com. # 070099-09-08-0002

Sounding the Alert On Data Breaches

Panoply of state laws on individual notification puts companies in a difficult position.

BY LISA J. SOTTO AND AARON P. SIMPSON

GC New York, For Metro Area In-House Counsel, July 17, 2006

DURING THE PAST YEAR, news headlines announced a steady stream of information security breaches. During this time, roughly 170 breach incidents have been subject to public scrutiny; countless other incidents have gone unreported. It is estimated that more than 81 million individuals have been impacted by the publicized security breaches alone, including 26.5 million individuals whose personal information was contained on a laptop computer lost by an employee of the Department of Veterans Affairs in late May. While security breach incidents certainly occurred prior to 2005, a little-known California law passed in 2002 brought about the sudden surge in news coverage of such incidents. This law, known as the California Computer Security Breach Notification Act (SB 1386), requires businesses to notify California residents whose personal information has been the subject of a security breach.

Not to be outdone, 29 other states have jumped on the California bandwagon and passed breach notification laws of their own after witnessing the broad impact of the California law. With no federal law imminent, businesses that suffer security breaches are finding themselves in the unenviable position of having to comply with 30 state laws that require notification to affected individuals. Making matters more complex, many of these 30 state laws differ substantially, upping the ante on the need for a thorough understanding of the legal landscape in this ever-evolving area.

Lisa J. Sotto, a partner in the New York office of Hunton & Williams, heads the firm’s privacy and information management practice. She also serves as vice chairperson of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. Aaron P. Simpson is an associate in Hunton & Williams’ New York office.

California and Other States

Under California’s SB 1386, businesses are required to notify individuals if personal information about them maintained in computerized form was, or is reasonably believed to have been, acquired by an unauthorized person. “Personal information” means an individual’s name in combination with a (i) Social Security number, (ii) driver’s license or state identification card number, or (iii) account, credit or debit card number in combination with any required security code. The law provides a safe harbor for encrypted personal information such that notification is not required in the event of unauthorized acquisition.

If notification is required, businesses may satisfy the law’s requirement by providing (i) written notice, (ii) electronic notice under limited circumstances, or (iii) substitute notice (consisting of e-mail notice, conspicuous posting on the business’ Web site, and notification to major statewide media) if notifying customers will cost more than $250,000 or if more than 500,000 customers are impacted.

In the initial months following the effective date of SB 1386 on July 1, 2003, companies that suffered security breaches complied by providing notice to impacted individuals in California. If the breach impacted people outside of California, many companies chose not to notify these non-California residents, reasoning that the legal notification obligation was limited to residents of California. While this approach is correct from a strict legal perspective, companies that took this approach suffered significant reputational harm in the media firestorm that ensued following discovery of the breach. This media frenzy resulted in the passage of state security breach notification laws in a handful of other states in which state legislators feared businesses would continue to suffer breaches and not notify their state residents. This handful, which did not begin passing breach notification laws until 2005, quickly became 30 states by the beginning of 2006.

The panoply of security breach notification laws at the state level has made compliance challenging for companies that have suffered national breaches in the past year. While the state laws are similar in many ways, they differ in four crucial ways, all of which bear on a company’s notification obligations. First, the laws address different media. While most states follow California’s approach and regulate breaches that involve “computerized” data, others (like North Carolina and Wisconsin) require notification if there has been unauthorized access to and acquisition of personal information in any form, whether computerized, paper or otherwise.

A second area of conflict arises in how states define “personal information.” A significant percentage of states follow California’s approach and define personal information to include name plus Social Security number, driver’s license or state identification card number, or financial account number. Other states, however, use a more expansive definition of personal information. For example, personal information includes medical information in Arkansas, date of birth and mother’s maiden name in North Dakota, and DNA profile in Wisconsin.

A third key difference among the state laws turns on whether the law contains a harm threshold that triggers notification. In California, no such harm threshold exists—all California residents whose personal information has been acquired, or is reasonably believed to have been acquired, must be notified. That is not true in several states, where notification is required only if there is a reasonable likelihood that information acquired by an unauthorized person will result in harm. In addition, the state laws have different requirements about who should be notified by businesses that suffer security breaches. In California, businesses are required to notify only those individuals affected by the breach. In other states, state regulators and consumer reporting agencies must be notified. For example, in New York and North Carolina, businesses that suffer security breaches must notify the Attorney General’s office, while in New Jersey the state police must be notified.

These substantive differences highlight the need for businesses that suffer a breach to understand all 30 state laws. This understanding is particularly important in light of the reputational risk associated with notifying only in those states that require notification. Given this reputational risk, a business’ decision to notify all individuals impacted by a breach (a number that often reaches into the hundreds of thousands and sometimes millions) can turn on a faraway state’s notification requirement. Thus, from both a compliance perspective and a bottom line perspective, it is imperative that businesses fully understand, and prepare to address, each of the 30 state laws governing breach notification.

How to Respond

The first, and most critical, step any company that learns of a possible security breach must take is to determine whether personal information is reasonably believed to have been acquired or accessed by an unauthorized person. In making this determination, companies should look to several indicators, including whether the information (i) is in the physical possession or control of an unauthorized person (e.g., a stolen computer), (ii) has been downloaded or copied, or (iii) was used by an unauthorized person, such as having fraudulent accounts opened or reported instances of identity theft. Making this determination is often easier said than done. Depending on the complexity of the circumstances, determining whether a breach has even occurred could require working with a forensic investigator, at significant expense, to recreate activity on the database.

Once there is a reasonable belief that a security breach has occurred, the next step involves going to law enforcement (if necessary) and taking any internal measures necessary to restore the integrity of the affected system. As part of the report to law enforcement, companies should explain that they intend to provide notice of the breach to affected individuals in the most expedient time possible and without unreasonable delay. In certain situations, law enforcement authorities will ask companies to delay notification so as not to impede their investigation. Most of the state breach notification laws provide a safe harbor for these circumstances, but companies in this situation should make sure to ask law enforcement when it would be appropriate to send the notification and be prepared to send the notices as soon as reasonably practicable after getting the go-ahead from law enforcement.

Once given the go-ahead to notify, companies should provide written notice to affected individuals in the most expedient time possible. In some states, such as Florida and Ohio, there is a time limit of 45 days after discovering the breach or receiving the go-ahead from law enforcement. Depending on the sensitivity of the circumstances, drafting breach notices can be an arduous task that requires significant assistance from counsel and public relations resources. At the very least, a breach notice should include (i) a general description of what happened, (ii) the nature of the personal information involved, (iii) a description of the steps taken by the company to protect personal information from further unauthorized acquisition or access, (iv) a description of how the company will assist affected individuals (e.g., by providing credit monitoring for the affected individuals), (v) information on how individuals can protect themselves from identity theft, including contact information for the three credit reporting agencies, and (vi) contact information for the Federal Trade Commission.

In addition to affected individuals, companies that suffer security breaches may be required to notify other stakeholders, including state and federal regulators, credit reporting agencies and credit card issuers. New York, New Jersey, North Carolina and Maine all require some form of notification to state regulators, typically the state Attorney General’s office. New Jersey is unique in that it requires companies that suffer a security breach to notify the state police, and this notification must take place prior to notifying affected individuals.

The notification to state regulators should provide information as to (i) the nature and circumstances of the breach, (ii) the timing, content and distribution of the notices, and (iii) the approximate number of affected individuals. Because the credit reporting agencies will likely be inundated with calls from individuals affected by the breach who wish to sign up for credit monitoring or obtain a credit report, it is also a good idea, and a legal requirement in several states, to notify the credit bureaus. In Minnesota, this notification is required to occur within 48 hours of notifying affected individuals. Finally, if the breach involves personal information associated with a credit card, the company is likely contractually required to notify affected credit card issuers.
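As an added illustration, not part of the article, the following Python turns the four axes of state-law variation described above (medium, definition of personal information, harm threshold, and who must be notified) and the response steps under ‘How to Respond’ into a triage helper, encoding only the state differences this July 2006 article names. The `StateRule` and `Incident` types, the state code `ZZ`, and the choice to apply the encryption safe harbor (which the article states for California) to every modelled state are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Elements that, combined with a name, are "personal information" under the
# California definition the article describes.
CA_ELEMENTS = frozenset({"ssn", "drivers_license", "state_id", "financial_account"})


@dataclass(frozen=True)
class StateRule:
    any_medium: bool = False                 # paper counts too (NC, WI)
    extra_elements: frozenset = frozenset()  # elements beyond the CA list
    harm_threshold: bool = False             # notify only if harm is likely
    regulator: Optional[str] = None          # state body that must also be told
    regulator_first: bool = False            # NJ: state police before individuals
    deadline_days: Optional[int] = None      # FL, OH: 45 days
    bureau_hours: Optional[int] = None       # MN: credit bureaus within 48 hours


# Only the differences the article names (July 2006); every other field defaults
# to the California model. "ZZ" is a constructed placeholder: the article says
# several states have a harm threshold but does not name them.
RULES = {
    "CA": StateRule(),
    "NC": StateRule(any_medium=True, regulator="Attorney General"),
    "WI": StateRule(any_medium=True, extra_elements=frozenset({"dna_profile"})),
    "AR": StateRule(extra_elements=frozenset({"medical"})),
    "ND": StateRule(extra_elements=frozenset({"date_of_birth", "mothers_maiden_name"})),
    "NY": StateRule(regulator="Attorney General"),
    "NJ": StateRule(regulator="State Police", regulator_first=True),
    "ME": StateRule(regulator="state regulator"),
    "FL": StateRule(deadline_days=45),
    "OH": StateRule(deadline_days=45),
    "MN": StateRule(bureau_hours=48),
    "ZZ": StateRule(harm_threshold=True),
}


@dataclass
class Incident:
    """Facts established in the first (determination) step; constructed input."""
    state: str                  # state of residence of the affected individual
    elements: frozenset         # data elements exposed together with the name
    computerized: bool = True
    encrypted: bool = False
    acquired: bool = True       # reasonably believed acquired by an unauthorized person
    harm_likely: bool = True    # only matters where a harm threshold exists
    card_data: bool = False     # payment card involved (contractual issuer notice)


def notification_plan(inc: Incident) -> dict:
    """Decide whether individual notice is required and who else must be told."""
    rule = RULES.get(inc.state)
    if rule is None:
        return {"notify": None, "reason": f"{inc.state}: not modelled, analyze separately"}
    if not inc.acquired:
        return {"notify": False, "reason": "no reasonable belief of unauthorized acquisition"}
    if not inc.computerized and not rule.any_medium:
        return {"notify": False, "reason": "law covers computerized data only"}
    if inc.encrypted:  # stated for CA; assumed here to apply in every modelled state
        return {"notify": False, "reason": "encryption safe harbor"}
    if not (inc.elements & (CA_ELEMENTS | rule.extra_elements)):
        return {"notify": False, "reason": "no covered personal information"}
    if rule.harm_threshold and not inc.harm_likely:
        return {"notify": False, "reason": "harm threshold not met"}
    steps = []
    if rule.regulator:  # NJ must tell the state police before anyone else
        when = "before individuals" if rule.regulator_first else "with the notices"
        steps.append(("regulator", rule.regulator, when))
    when = f"within {rule.deadline_days} days" if rule.deadline_days else "without unreasonable delay"
    steps.append(("individuals", "written notice", when))
    if rule.bureau_hours:
        steps.append(("credit bureaus", "notice", f"within {rule.bureau_hours} hours of individual notice"))
    if inc.card_data:
        steps.append(("card issuers", "contractual notice", "per card agreements"))
    return {"notify": True, "reason": "covered personal information acquired", "steps": steps}
```

Running `notification_plan` once per affected state of residence shows why a single national breach can produce a different answer, and a different notification order, in each state.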

Planning Is Key

Given the panoply of state breach notification laws and their varying requirements, it is only a matter of time before Congress passes a federal security breach notification law. There are currently more than a dozen security breach notification bills that have been introduced in Congress. Most commentators agree that a law will not be passed by the end of this fall’s congressional session. From a business perspective, the most important feature of any federal breach notification law is that it pre-empt state law. Because data often flows beyond state boundaries, a federal law that pre-empts state breach notification laws would ensure that affected residents of every state are notified of a data breach while at the same time easing the ability of companies to provide such notification by allowing them to adhere to a single standard.

Until a federal law is passed, companies that suffer security breaches across state lines find themselves in the difficult position of analyzing the law in 30 or more states to understand their compliance obligations. Given the reputational risks associated with security breaches, in addition to legal compliance exposure, it is imperative that companies not only understand these issues, but also have a plan in place to manage the notification process in the event they suffer a security breach.

This article is reprinted with permission from the July 17, 2006 edition of the GC NEW YORK. © 2006 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited. For information, contact ALM Reprint Department at 800-888-8300 x6111 or visit almreprints.com. #099-07-06-0003