Roundup of Legal Developments in Cybersecurity & Privacy Law

Adler InfoSec & Privacy Group LLC

Roundup of Legal Developments in Cybersecurity & Privacy Law

M. Peter Adler JD, LLM, CISSP, CIPP
Adler InfoSec & Privacy Group LLC
Interim Director of Privacy and Cybersecurity, Montgomery College, Rockville, MD

Educause Security Professionals Conference 2007


Transcript of Roundup of Legal Developments in Cybersecurity & Privacy Law

Page 1: Roundup of Legal Developments in Cybersecurity & Privacy Law

Adler InfoSec & Privacy Group LLC

Roundup of Legal Developments in Cybersecurity & Privacy Law

M. Peter Adler JD, LLM, CISSP, CIPP
Adler InfoSec & Privacy Group LLC

Interim Director of Privacy and Cybersecurity, Montgomery College, Rockville, MD

Educause Security Professionals Conference 2007

Page 2

Agenda

Overview of Federal Security and Privacy Legislation Relating to Privacy and Security

Developments in security and privacy laws and regulations over the past year

Key agency actions and litigation

Page 3

Overview of Federal Security and Privacy Legislation Relevant to Higher Education

Page 4

Key Laws and Regulations, Privacy Federal – HIPAA, GLBA, COPPA

GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801, 6805

Page 5

GLBA - Reach

The Securities and Exchange Commission ("SEC"); 65 Fed. Reg. 40362, codified at 17 C.F.R. § 248.30 (SEC)

The National Credit Union Administration ("NCUA"); 12 C.F.R. Parts 716 (privacy) and 748 (security)

Federal Banking Agencies: Interagency Guidelines Establishing Standards for Safeguarding Customer Information; 66 Fed. Reg. 8616, codified as follows:

The Office of the Comptroller of the Currency ("OCC"), 12 C.F.R. Part 30 (Treasury)

The Board of Governors of the Federal Reserve System, 12 C.F.R. Parts 208, 211, 225 and 263

The Federal Deposit Insurance Corp. ("FDIC"), 12 C.F.R. Parts 408 and 364

The Office of Thrift Supervision ("OTS"); codified at 12 C.F.R. Parts 568 and 570 (security) and 573 (privacy)

Page 6

GLBA and Higher Education

Most higher education is pulled under GLBA for processing of student loans

GLBA Privacy provisions are met if the institution complies with FERPA

The Security Regulations Do Apply

Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 ("GLBA Safeguards")

Page 7

Additional GLBA Provisions

In addition to the imposition of safeguards, these regulations also provide for:

Record Disposal: FCRA (as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACTA)), 15 USC §1681 (record disposal)

Breach Notification Rule

Page 8

Family Educational Rights & Privacy Act (FERPA)

Leading federal privacy law for educational institutions.

Imposes confidentiality requirements over student educational records.

Prohibits institutions from disclosing "personally identifiable education information" such as grades or financial aid information without the student's written permission.

Provides students with the right to request and review their educational records and to make corrections to those records.

Law applies with equal force to electronic and hardcopy records.

Page 9

Federal Information Security Act of 2002 (FISMA)

FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq.

Requires compliance with a set of standards for federal government information security: Federal Information Processing Standards (FIPS) and NIST Standards

Applies to Federal information systems: an information system used or operated by an executive agency, or by another organization on behalf of an executive agency

May be applicable to higher education: through government contracts. Also, some federal agencies (labor) are beginning to hold fund recipients to these standards. Department of Education, National Science Foundation and National Institutes of Health may do the same: see ECAR Report Page 93.

Page 10

HIPAA

HIPAA: Health Insurance Portability and Accountability Act, 42 U.S.C. §§ 1320d-2 and 1320d-4; 45 C.F.R. Parts 160 and 164

Applies to health care providers, plans and clearinghouses

In higher education will apply to student health services

Page 11

Sarbanes Oxley

Sarbanes Oxley Act, 15 U.S.C. §§7241 and 7267 (SOX)

Not really relevant to Higher Education, but some institutions desire to become "SOX Compliant"

Page 12

SOX and Security

Sarbanes Oxley Act, 15 U.S.C. §§7241 and 7267

COBIT Standard

SOX is "basically silent" on information security; however, Information Security is implicit:

Certification of effectiveness of controls (404)

Annual assessment and report on effectiveness of the controls (302)

The SEC final rules require management to certify that two types of controls have been established and their effectiveness has been assessed:

Access Security

Internal Controls

Page 13

SOX Standards: COSO and COBIT

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance

Integrity and Ethical Values

Commitment to Competence

Board of Directors or Audit Committee

Management Philosophy and Operating Style

Organizational Structure

Assignment of Authority and Responsibility

Human Resource Policies and Procedures

COBIT (Control Objectives for Information and related Technology)

COBIT Security Baseline: Security Policy; Security Standards; Access and Authentication; User Account Management; Network Security; Monitoring; Segregation of Duties; Physical Security

Page 14

Emerging Issues

Page 15

Communications Assistance for Law Enforcement Act (CALEA)

Aug. 5, 2005: The FCC adopted a final order providing that certain wireline broadband and interconnected Voice over Internet Protocol (VoIP) services be prepared to accommodate law enforcement wiretaps pursuant to CALEA (as a hybrid between traditional telecommunications carriers and information services)

Privacy groups challenged the commission's ruling in court

June 9, 2006: The U.S. Court of Appeals for the D.C. Circuit ruled that the expansion of a federal law enforcement telecommunications wiretapping law to certain broadband Internet service and VoIP providers is legal (American Council on Educ. v. FCC, D.C. Cir., No. 05-1404, petition denied 6/9/06)

Page 16

Applicability of CALEA to Private Networks

The FCC's Order recognized that "private broadband networks or intranets that enable members to communicate with one another and/or to receive information from shared data libraries not available to the general public . . . appear to be private networks for purposes of CALEA," and thus exempt.

At the same time, however, the Order suggested that the exemption could be lost if such private networks connect to the Internet, as virtually all higher education networks do. The Order stated: "To the extent that . . . private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to the public network are subject to CALEA under the SRP."

In subsequent meetings and press statements, the FCC declined to elaborate on the meaning of this statement.

Page 17

Does the Campus Network "Support" the Connection to the Internet?

While the language in the FCC Order is cryptic, the FCC's court brief sets forth a more workable test: colleges and universities that "provide their own connection to the Internet" are subject to CALEA (at least with respect to those Internet connection facilities), while institutions that rely on a third party for this connection are exempt.

Page 18

Does the Campus Network "Support" the Connection to the Internet?

This still leaves some gray areas, but the FCC most likely would conclude that an institution provides its own Internet connection when it constructs, purchases, leases, or otherwise operates fiber optic or other transmission facilities and associated switching equipment that link the campus network to an ISP's point of presence.

Page 19

Communications Assistance for Law Enforcement Act (CALEA) - exempt

In contrast, the FCC most likely would conclude that an institution is exempt if it obtains access to the Internet by (1) contracting with an ISP or regional network to pick up Internet traffic from a campus border router, (2) purchasing a private line or other transmission service from a telecommunications carrier on a contractual or tariffed basis (as opposed to leasing dark fiber or other facilities), or (3) relying on some combination of these approaches.

If a campus network is closed (i.e., does not connect to the Internet), it is clearly exempt from CALEA under the private network exemption.

Interconnected networks that support their own Internet connection appear to enjoy a limited exemption if they otherwise qualify as "private." Specifically, only the gateway equipment itself is subject to CALEA – the Internet portions of a private network remain exempt.

Page 20

Communications Assistance for Law Enforcement Act (CALEA) deadlines

The CALEA compliance deadline remains May 14, 2007, and applies equally to all facilities-based broadband access providers and interconnected VoIP service providers, with restricted availability of compliance extensions.

Carriers are permitted to meet their CALEA obligations through the services of "Trusted Third Parties (TTP)" including processing requests for intercepts, conducting electronic surveillance, and delivering information to LEAs. However, carriers remain responsible for ensuring the timely delivery of information to the LEA and protecting subscriber privacy, as required by CALEA.

Page 21

Discovery Rules

The Federal Rules of Civil Procedure (and most state law) provide the following discovery tools:

Depositions Upon Oral or Written Questions (Rules 30, 31 and 32)

Written Interrogatories (Rule 33)

Production of Documents or Things (Rule 34)

Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34)

Physical and Mental Examinations (Rule 35)

Requests for Admission (Rule 36)

Tools to Ensure or Excuse Discovery:

Motion to Compel (Rule 37(a))

Sanctions (Rule 37(b), (c) & (d))

Protective Orders (Rule 26(c))

"The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party's preparation for trial." - Black's Law Dictionary

Page 22

E-Discovery: 12/2006

New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) are expected by December of this year.

These Rules are broken into the following categories:

Early attention to electronic discovery issues: Rules 16 and 26(f)

Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2)

New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5)

Interrogatories and Requests for Production of ESI: Rules 33 and 34

Application of sanctions rules pertaining to ESI: Rule 37

Page 23

Real ID Act

Real ID Act (H.R. 1268) – Part of a supplemental bill funding wars in Iraq and Afghanistan (Signed May 2005)

Will tighten requirements for identification cards acceptable to the federal government, require proof that an applicant is legally in the country, and require state participation in a national driver's license data sharing program

Tasked the DHS with proposing regulations to implement minimum standards for identification cards acceptable for federal government purposes, such as boarding a domestic airline flight

Requires data exchange between the states and between individual states and the Federal government.

Commercial airline passengers would have to provide the new card or a passport to board a U.S. plane

Amounts to the first step toward creation of a national identification card, which raises concerns about ensuring the privacy and security of information being shared

Page 24

New Laws

"Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421). Requires the VA to adopt rules for notifying veterans in the case of breach of their personal data. Signed December 22, 2006.

"Undertaking Spam, Spyware, and Fraud Enforcement Beyond Borders Act" (S. 1608). Known as the US SAFE WEB Act (S. 1608), authorizes the FTC to share information with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue. Signed December 22, 2006.

Telephone Records and Privacy Protection Act of 2006 (HB 4709). Anti-pretexting law. Signed by the President January 12, 2007.

Page 25

Pending Federal Notice of Breach Legislation

Page 26

Federal Efforts – Notice of Security Breach, Senate

Senate: S. 495, "Personal Data Privacy and Security Act of 2007" (PDPSA), Leahy-Specter Bill.

S. 239, "Notification of Risk to Personal Data Act of 2007"

Both would preempt state law

Differ in terms of safe harbor, exemptions, penalties, notice procedures

Page 27

Federal Notice of Breach Law Status

The Personal Data Privacy and Security Act of 2007 would, among other things, require organizations to notify consumers of security breaches and mandate the adoption of internal policies to protect personal data.

Page 28

Leahy-Specter 2007 Security Program

Requires companies that have databases with personal information on more than 10,000 Americans to:

establish and implement data privacy and security programs, and

vet third-party contractors hired to process data.

There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.

Page 29

Leahy-Specter 2007

Personal Data Privacy and Security Act of 2007 would:

Make it a crime to intentionally or willfully hide a security breach;

Provide consumer access and correction rights to information held by commercial data brokers;

Require companies to notify authorities of breaches;

Require government agencies to adopt privacy protection rules when agencies use information from commercial data brokers; and

Require audits of government contracts with commercial data brokers.

Page 30

Leahy-Specter 2007 Required Notices

Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised.

The trigger for notice is tied to significant risk of harm with appropriate checks-and-balances to prevent over-notification as well as underreporting.

There are exemptions for national security and law enforcement needs, credit card companies using fraud-prevention techniques, or where a breach does not result in a significant risk of harm.

Page 31

Federal Efforts – Notice of Security Breach, House

The "Data Security Act of 2007" (H.R. 1685), sponsored by second-term Rep. Tom Price (R-GA), would require businesses and federal government agencies to notify individuals if their sensitive personal or financial information is compromised through a data security breach.

The "Cyber-Security Enhancement and Consumer Data Protection Act of 2007" (H.R. 836), introduced Feb. 6 by Rep. Lamar Smith (R-TX), ranking member of the Judiciary Committee, and eight other GOP cosponsors, would require notification of federal law enforcement officials of certain data breaches and provide criminal and civil penalties for knowingly concealing such breaches.

The "Data Accountability and Trust Act" (H.R. 958), introduced by Reps. Bobby Rush (D-Ill.) and Cliff Stearns (R-FL). The bill's goal is to curb identity theft. It would require companies to implement data security programs and to notify individuals affected by a data security breach.

It would require businesses to notify individuals if their personal information is compromised in a data breach incident. In addition, businesses would be required to notify the FTC of the breach.

Page 32: Federal Breaches

Staff report of the Committee on Government Reform, dated October 13, 2006

Data breach incidents in federal agencies since January 2003 have been more widespread and numerous than previously disclosed

Report found:

All 19 Departments and agencies reported at least one loss of Personal Information ("PI") since 1/1/03

Agencies do not always know what has been lost

Physical security of data is essential

Contractors are responsible for many of the reported breaches

"Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421). Requires the VA to adopt rules for notifying veterans in the case of breach of their personal data

Signed December 22, 2006

Page 33: State Notice of Breach Legislation

Page 34: 1st Law on Notice of Security Breach - SB 1386

Applies to all companies in California or that do business in California

Companies must disclose any security breaches to each affected California customer whose PI has been compromised.

Personal information (notice-triggering information) is an individual's first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number; (2) driver's license number or California Identification Card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account.

Failure to comply may result in lawsuits and damages.

Page 35: Since Then…State Breach Notice Laws Proliferate

Arizona (Ariz. Rev. Stat. § 44-7501)

Arkansas (Ark. Code § 4-110-101 et seq.)

California (Cal. Civ. Code § 1798.82)

Colorado (Col. Rev. Stat. § 6-1-716)

Connecticut (Conn. Gen. Stat. 36A-701(b))

Delaware (De. Code tit. 6, § 12B-101 et seq.)

Florida (Fla. Stat. § 817.5681)

Georgia (Ga. Code § 10-1-910 et seq.)

Hawaii (Hawaii Rev. Stat. § 487N-2)

Idaho (Id. Code §§ 28-51-104 to 28-51-107)

Illinois (815 Ill. Comp. Stat. 530/1 et seq.)

Indiana (Ind. Code § 24-4.9)

Kansas (Kansas Stat. 50-7a01, 50-7a02 (2006 S.B. 196, Chapter 149))

Louisiana (La. Rev. Stat. § 51:3071 et seq.)

Maine (Me. Rev. Stat. tit. 10 §§ 1347 et seq.)

Page 36: …and Proliferate!

Michigan (2006 S.B. 309, Public Act 566)

Minnesota (Minn. Stat. § 325E.61, § 609.891)

Montana (Mont. Code § 30-14-1701 et seq.)

Nebraska (Neb. Rev. Stat. 87-801 et seq.)

Nevada (Nev. Rev. Stat. 603A.010 et seq.)

New Hampshire (N.H. RS 359-C:19 et seq.)

New Jersey (N.J. Stat. 56:8-163)

New York (N.Y. Bus. Law § 899-aa)

North Carolina (N.C. Gen. Stat. § 75-65)

North Dakota (N.D. Cent. Code § 51-30-01 et seq.)

Ohio (Ohio Rev. Code § 1349.19, § 1347 et seq.)

Oklahoma (Okla. Stat. § 74-3113.1)

Pennsylvania (73 Pa. Cons. Stat. § 2303)

Rhode Island (R.I. Gen. Laws § 11-49.2-1 et seq.)

Tennessee (Tenn. Code § 47-18-2107)

Texas (Tex. Bus. & Com. Code § 48.001 et seq.)

Utah (Utah Code § 13-44-101 et seq.)

Vermont (Vt. Stat. Tit. 9 § 2430 et seq.)

Washington (Wash. Rev. Code § 19.255.010)

Wisconsin (Wis. Stat. § 895.507)

Wyoming (SF 53)

Page 37: 2007 Notice of Breach Proposed Legislation

Alaska (H.B. 31, S.B. 21)

Arizona (S.B. 1042)

District of Columbia (B16-810)

Illinois (H.B. 3743, H.B. 4198, S.B. 209, S.B. 1479, S.B. 1798, S.B. 1899, S.B. 3040)

Kentucky (HB 7)

Massachusetts (H.B. 4775)

Maryland (HB 208, S 194)

Mississippi (S.B. 2089)

Montana (S.B. 33)

New Jersey (A.B. 259, A.B. 2104, A.R. 190, S.R. 51)

Oregon (SB 583)

South Carolina (H.B. 3035, S.B. 8, SB 453)

Page 38: State Breach Notification Laws

Most of the laws require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises personal data has occurred

Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual

Some state laws may require certain security standards, e.g., California, but there may be others.

Page 39: State Breach Notice Laws

Generally, the State Data Breach laws were modeled on California's S.B. 1386. The laws:

apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered;

at a minimum, define "personal information" -- as a name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code -- the breach of which triggers the need to notify consumers;

give the state's Attorney General enforcement authority;

allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois;

allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 -- Rhode Island, Delaware, Nebraska, Ohio set lower thresholds; and

some provide a "safe harbor" for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.

Page 40: 2006 Higher Education Security Breaches

Virginia Commonwealth University, 2100 affected

"Human error caused the names, Social Security numbers and e-mail addresses of about 2,100 current and former Virginia Commonwealth University students to be available online for eight months, the school says. VCU announced yesterday that it is contacting affected students, but there is no indication that their information has been viewed or used. According to VCU, the personal information of freshmen and graduate engineering students from the fall semester of 1998 through 2005 was unintentionally placed in a folder available on the Internet. VCU said the problem was discovered Tuesday by a student who Googled her name and found personal information. The data became exposed in January when files on a School of Engineering server were moved to an insecure folder." (Timesdispatch.com, September 1, 2006)

Page 41: 2006 Higher Education Security Breaches

Vermont State Colleges, 20,000 affected

"Two unions representing workers in the Vermont State College system want the administration to pay the costs of protecting workers' personal information lost when a laptop computer was stolen. Many employees are worried about what the loss of information such as Social Security numbers, birth dates, home addresses and bank account numbers could mean for them. . . . The laptop was stolen Feb. 28 in Montreal from the car of a Lyndon State College information technology employee. It contained six years worth of personal and financial information of an estimated 20,000 present and former employees and students at all five state colleges." (Associated Press Newswires, April 9, 2006)

Page 42: 2006 Higher Education Security Breaches

Georgetown University, 41,000 affected

"A cyber attack on a Georgetown University computer server that exposed personal information on 41,000 elderly District residents was discovered almost three weeks ago during a routine, internal inspection, a university spokesman said yesterday. . . . The invaded server was used by a researcher to monitor services provided to the elderly for the D.C. Office on Aging. The personal information, including names, birthdates and Social Security numbers, was supplied by about 20 groups that contract with the Office on Aging to serve the elderly." (The Washington Post, March 5, 2006)

Page 43: 2006 Higher Education Security Breaches

University of South Carolina, 1400 affected

"University of South Carolina officials are advising students to watch their credit reports after the Social Security numbers of as many as 1,400 students were mistakenly e-mailed to classmates. A department chairwoman distributing information about summer classes accidentally attached a database file to an e-mail she sent Sunday. The database included students' Social Security numbers." (Associated Press Newswires, April 14, 2006)

Page 44: 2006 Higher Education Security Breaches

University of Texas Austin, 106,000 affected

"Whoever hacked into the computer system at the University of Texas at Austin's business school obtained the names and Social Security numbers of 106,000 people, including all faculty and staff, most students and about half the alumni, a UT official said Monday. . . . [Dan] Updegrove said student academic information, alumni personal financial information and credit card information was not exposed." (Associated Press Newswires, April 24, 2006)

Page 45: 2007 Higher Education Security Breaches

University of Idaho, 331,000 affected

Three desktop computers disappeared from the University of Idaho's Advancement Services office containing personal data of alumni, donors, employees and students. While an internal investigation shows that as many as 70,000 SSNs, names and addresses may have been on the hard drive, the school is notifying 331,000 people who may have been exposed. The computers "went missing" over Thanksgiving. Police asked the school to delay notice for investigative purposes.

Page 46: 2007 Higher Education Security Breaches

University of Missouri, 2500 affected

A hacker broke into the University of Missouri's Research Board Grant Application System and gained access to the SSNs of at least 1,220 researchers. The passwords for more than 2,500 people may well have been compromised, according to a college spokesperson, which could lead to exposure of information.

Page 47: 2007 Higher Education Security Breaches

Georgia Tech University, 3000 affected

Unauthorized access to a Georgia Tech computer may have compromised the personal information of about 3,000 current and former employees. The stolen information includes names, addresses, SSNs, and other sensitive information, including about 400 state purchasing card numbers.

Page 48: Cost of Security Breaches

From 2005 to 2006 there was a 30% increase in the average cost of data breach incidents, to $183 per lost customer record, comprised of:

Average Direct Costs - $54 per lost record (8% increase)

Lost Productivity - $30 per lost record (100% increase)

Costs of Keeping Existing and Getting New Clients - $99 per lost record (31% increase).

The average total cost of a breach to each company was $4.8 million.

The reported costs of each breach ranged from $226,000 to $22 million.

Total reported costs for all of the breaches were $148 million.

Ponemon Institute Survey - 31 companies that faced data breach incidents in 2006, ranging from loss of 2,500 records to 263,000 records, resulting in a total loss of 815,000 compromised customer records

Page 49: Security Breach Survey

Other Findings from the Ponemon Survey:

Nearly 30% of the reported breaches involved data lost by contractors, consultants, or other external partners.

Over 90% of the breaches involved the loss of electronic data rather than paper documents.

35% of the total breach incidents reported lost or stolen laptop computers.

Only 10% of the reporting companies had an expert, such as a privacy, security or compliance officer, in place to handle breach recovery efforts

"2006 Annual Study: Cost of a Data Breach" is available from the Ponemon Institute at [email protected]

Page 50: Federal Spyware Legislation

Page 51: Proposed Federal Spyware Legislation

H.R. 964 ("Securely Protect Yourself Against Cyber Trespass Act") (Spy Act), Rep. Mary Bono (formerly H.R. 2929; formerly H.R. 29)

Status: Passed House, May 23, 2005. Reintroduced, February 8, 2007.

Prohibits certain specific practices except with user authorization. Requires notice, consent, and uninstall capability for certain information collection and advertising programs. Leaves many key details to the Federal Trade Commission. Grants enforcement power only to the FTC. Preempts existing state laws about spyware.

Page 52: State Spyware and SSN Legislation

Page 53: Spyware – State Laws

Alaska: S. 140 (Pop-Up Ads)

Arizona: HB 2414

Arkansas: SB 2904

California: SB 1436, SB 92

Georgia: SB 127

Iowa: HF 614

Louisiana: HB 690

New Hampshire: Chapter 238

New York: A. 891F

Rhode Island: HB 6811

Tennessee: SB 2069

Texas: SB 327

Utah: HB 104, amending HB 323

Virginia: HB 2471

Washington: HB 1012

Page 54: Spyware – Proposed 2007

Illinois (SB 1199, SB 1495) – Proposed (Civil Penalties)

Maine (LD 1029) – Proposed

Massachusetts (SD 1800, HD 460)

Michigan (SB 145) – Proposed (allows private causes of action)

Missouri (HB 993) – Proposed (Criminalizing)

Mississippi (SB 2261) – Proposed

New York (S 3655, S 1459, A 340) – Proposed

Pennsylvania (HB 755) – Proposed

Page 55: 2006 State Social Security Laws

Over the last two years the number of states with some sort of SSN restriction law has grown from eight to 25. The following are those that passed over the last year:

Pennsylvania - Social Security Number Privacy Act (H.B. 2134), 11/29/06

New York, S. 6909C, 9/26/06

Hawaii, Social Security number protection bill (Act 137), 5/25/06

Minnesota, S.F. 3132, 5/25/06

Tennessee, P.A. 06-555, 4/24/06

Colorado, H.B. 1156, 3/31/06

Wisconsin, A.B. 536, 3/16/06

Page 56: Typical SSN Use Prohibitions

The Social Security Laws vary widely from state to state. Some prohibitions on SSN uses that are common are as follows:

public posting of SSN information;

use of SSNs on registration and service cards;

requiring SSNs for access to Web sites;

transmitting SSN data over the Internet;

sending mail with visible SSNs;

putting SSNs on faxes;

using SSNs as an employee ID number;

using SSNs as customer account numbers;

printing SSNs on pay stubs; and

selling SSNs.

Page 57: Agency Actions and Litigation

Page 58: FTC Authority

Section 5 of the FTC Act ("FTCA") permits the FTC to bring an action to address any unfair or deceptive trade practice that occurs in the course of commercial activities

Deceptive trade practice is any commercial conduct that includes false or misleading claims or claims that omit material facts

Unfair trade practices are commercial conduct that causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid

While this is not relevant to higher education, understanding how these cases are enforced helps to prepare for GLBA enforcement

Page 59: FTC Authority to Investigate

FTC has broad authority to investigate and bring actions

May work with company to resolve the matter

Where a pattern of non-compliance or egregious behaviors are involved, FTC will bring an enforcement action

These actions usually result in settlements through consent decrees that include an FTC-mandated privacy and security program

Enforcement/Consent Orders - FTCA

Section 5 "Unfair and Deceptive Trade Practices" Violations for Erroneous Representations in Posted Privacy Practices – Consent Orders:

Eli Lilly (1/18/02): Information about Prozac users

Microsoft (8/8/02): Technology not as secure as claimed, but no security breach uncovered

Tower Records (4/21/04): Security flaw in the company's web site exposing customers' personal information

Guess? (6/18/03): Failed to use reasonable and appropriate measures to protect customers' personal information

Petco Animal Supplies (11/11/04): Failed to use reasonable and appropriate measures to protect customers' personal information

Vision I Properties, LLC (3/10/05)

FTC Enforcement - Security

Practices that "threaten data security" under the FTC Act's unfair practices prong:

In the Matter of BJ's Wholesale Club, FTC No. 042-3160, 6/16/2005

In the Matter of DSW, Inc., FTC, No. 053-3096, 12/1/05

In re CardSystems Solutions Inc., FTC, File No. 052 3148, consent order 9/5/06

Limitation of FTC Authority

FTC:

cannot regulate industries that are otherwise regulated (e.g., financial industries, common carriers)

does not apply to non-profits

may nevertheless work closely with these other industries

may share enforcement authority with other agencies/authorities (e.g., DOJ)

GLBA Safeguards Enforcement

Violations of GLBA Safeguards Rule (FTC):

In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04

In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104, 4/15/05

In re Superior Mortgage Corp., FTC, File No. 052 3136, 9/28/05

FTC Privacy and Security Programs in Consent Decrees

Originally, FTC would bring these actions due to a misrepresentation of privacy and security protections contained in a company's privacy notice or other document.

Consent order includes a requirement to establish and maintain a security and privacy program, including:

Training and proper oversight of employees and agents

Identification of reasonably foreseeable risks

Design and implementation of reasonable and appropriate safeguards

Regular evaluation of the program

FTC Privacy and Security Programs in Consent Decrees (cont.)

An obligation to have the privacy and security program reviewed annually by an independent qualified third party (i.e., CISSP or other qualified party)

A requirement to provide certain documents related to the representations made about the company's programs and compliance upon request by the FTC

An obligation to notify the FTC of any change which may affect the company's compliance

A final written report of compliance upon request by the FTC

SB 1386 Litigation

Parke v. CardSystems Solutions Inc., Cal. Super. Ct., No. CGC-05-442624.

Class action continues in 2006, despite settlement with FTC.

Status Conference February 3

Status Conference March 7

Basis of Claim:

Defendants negligent in permitting CardSystems to process credit card transactions when they knew or should have known that the company failed to comply with Credit Card Industry Data Security Standards (PCI DSS).

Separate VISA and MasterCard data security standards formed the basis for that common set of data protection standards.

Civil Suits for Security/Privacy Breaches

Lambert v. Hartmann, No. 1:04cv837 (S.D. Ohio Dec. 29, 2006)

Plaintiff claimed a constitutional right of privacy when her SSN was published on the Web.

The court held SSNs are not constitutionally protected against publication on the Web.

The plaintiff's claimed damages are merely financial, and the constitutional right of privacy is not implicated.

Civil Suits for Security/Privacy Breaches

Guin v. Brazos Higher Educ. Serv. Corp. Inc., No. 05-668 (D. Minn. Feb. 2, 2006)

Loan company lost Plaintiff's laptop that included his financial data in unencrypted form.

The court held:

that heightened risk of identity theft was insufficient to win a negligence action

that there was no duty to encrypt data under the Gramm-Leach-Bliley Act, so there was no negligence when an employee took unencrypted data home on a laptop.

The court determined that the employer had a data protection policy in place, and that it followed it even though the data was lost.

Civil Suits for Security/Privacy Breaches

Key v. DSW Inc., 454 F. Supp. 2d 684 (D. Ohio 2006); Bell v. Acxiom Corp., No. 4:06CV00458-WRW (E.D. Ark. Oct. 3, 2006)

In both, the court cited Guin for the proposition that a mere fear of identity theft is not a sufficient injury to support a negligence action or to create standing to sue in federal court.

Civil Suits for Security/Privacy Breaches

CollegeNET Inc. v. XAP Corp., 442 F. Supp. 2d 1070 (D. Ore. 2006)

In a dispute between competing online marketers, the court held that the defendant was engaged in unfair competition when it collected names of prospects through the use of a deceptive opt-in/opt-out policy, and instructed the jury that it is possible to put a monetary value on personal information.

A jury later concluded that the plaintiff's damages were $4.5 million.

Contact Information

M. Peter Adler
Adler InfoSec & Privacy Group LLC
2103 Windsor Road, Alexandria, VA 22307

Telephone: (202) 251-7600
Facsimile: (703) 997-5633
Email: [email protected]