A recent wave of high-profile data security breaches involving unauthorized access to personal data highlights the increasing problem of identity theft and other information-related crimes. These personal data security breaches and the proposed state and federal legislation triggered by such security failures mean that companies' data security practices will be subject to increased scrutiny. Failing to take appropriate measures to prevent a data security breach might result in potential enforcement action from federal and state governmental authorities (and possibly also from foreign authorities), private lawsuits, and negative publicity.
Companies, particularly any entities that realize that they have become complacent about adhering to data security requirements, should reevaluate their data security practices for any inadequacies in light of applicable data protection laws and the representations made in their privacy policies.
This article discusses recent instances involving the breach of data security; it also informs companies of certain governmental enforcement actions, relevant legislation and federal agency guidance involving data security issues, and describes certain actions that companies should take when reevaluating their data security practices. Finally, this article discusses briefly data security issues in the context of global outsourcing.
I. Recent Breach Of Data Security Occurrences
The most notable instance in the recent string of data security breaches involves ChoicePoint, one of the largest consumer data warehousers in the U.S. ChoicePoint allowed criminals posing as legitimate businesses to have access to the personal data of approximately 145,000 individuals. ChoicePoint notified consumers whose personal data was stolen that such data might have been compromised as a result of the security breach. The notification was prompted in large part by a California law requiring such disclosure (discussed in more detail below). Other recent occurrences include LexisNexis (a compiler of legal and other information), which initially admitted that hackers had gained access to the personal data of 32,000 individuals, but then revised that number to approximately 310,000 affected individuals, and DSW (a nationwide shoe retailer), which informed the public that credit card information had been stolen from more than 100 of its stores. Furthermore, data security breaches have occurred abroad. Japan's Mizuho Bank, for example, has acknowledged losing the personal data of 270,000 customers.
More recently, a security breach at CardSystems Solutions ("CardSystems"), an Atlanta-based payments processor, exposed more than 40 million account numbers to thieves. CardSystems is the largest security breach yet reported in the recent string of similar reports.
In addition to companies, universities have had significant data security problems due to "hacker" incidents or lost laptops. Boston College, for example, recently warned over 100,000 alumni that their identities could be compromised as a result of a data security breach. At the University of California, Berkeley, a thief stole a laptop computer that reportedly contained the personal data of approximately 100,000 students, former students and applicants. Hackers also gained access to a computer system of the University of California, San Diego, compromising the personal data of 380,000 individuals.
II. State And Federal Reaction
A. Enforcement Actions and Authority
In an 8-K filing with the Securities and Exchange Commission ("SEC") earlier this year, ChoicePoint states that "the SEC is conducting an informal inquiry into the circumstances surrounding any possible recent identity theft, recent trading in ChoicePoint stock by [certain ChoicePoint officers] and related matters." In the same filing, ChoicePoint further states that the Federal Trade Commission ("FTC") "is conducting an inquiry into [ChoicePoint's] compliance with federal laws governing consumer information security and related issues." In addition, it has been reported that the ChoicePoint incident is being investigated by a number of states, including North Carolina, Louisiana, Pennsylvania, California, Massachusetts, Connecticut and Texas.
Generally, federal agencies may bring enforcement actions under several federal laws that address the protection of personal data, including without limitation the Gramm-Leach-Bliley Act ("GLBA") (protects personal data collected by financial institutions and nonaffiliated third parties); the Health Insurance Portability and Accountability Act (protects personal data collected by covered entities, such as health plans, healthcare clearinghouses and healthcare providers); the Children's Online Privacy Protection Act (protects personal data collected from children under the age of 13); and the Fair Credit Reporting Act (protects consumer privacy, enhances the accuracy of credit report information, and helps prevent identity theft).
From an international perspective, U.S. companies could also face enforcement action from foreign governmental authorities in the event there are data security breaches that involve the personal data of foreign customers.
B. Proposed Laws, Congressional Hearings and Federal Guidance
What prompted ChoicePoint and perhaps others to disclose the fact that there was a breach in data security is a California law (S.B. 1386) that requires companies to provide notification to consumers when there is a data security breach involving their personal data. Other states, including Georgia, Connecticut, Arkansas, Montana, North Dakota and Washington, have already enacted legislation similar to the California law; similar legislation is pending in other states.
There are dozens of privacy-related bills pending in Congress. Senator Dianne Feinstein has called for additional federal protection against identity theft, and has introduced legislation setting federal standards for consumer notification of data security breaches (S. 115). In addition, there are bills pending in the House and Senate, H.R. 1080 and S. 500, respectively, that would give the FTC additional authority to oversee entities that collect and sell personal data. More recently, Senator Arlen Specter, Chairman of the Senate Judiciary Committee, and Senator Patrick Leahy, the committee's ranking member, introduced S. 1332, the Personal Data Privacy and Security Act of 2005, a comprehensive privacy bill that would impose stringent compliance requirements and create new penalties, including jail time, for intentionally and willfully concealing the fact of, or information related to, a security breach.
At a recent Senate hearing (June 2005), the FTC recommended that Congress consider broadening data security protections for sensitive consumer data and require all companies, not just financial companies, that possess such data to inform consumers when there is a security breach that could result in identity theft. Specifically, the FTC "recommends that Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety. Such a requirement could extend the FTC's existing GLBA Safeguards Rule to companies that are not financial institutions. Further, the [FTC] recommends that Congress consider requiring companies to notify consumers when the security of this information has been breached in a manner that creates a significant risk of identity theft."
In March 2005, the Office of Thrift Supervision, the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation jointly issued "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice."1 This final guidance interprets these agencies' customer information security standards under the GLBA and states that financial institutions should implement a response program addressing data security breaches involving customer information. The guidance document describes the appropriate elements of a response program, including customer notification procedures. Additionally, under the final guidance, an institution should notify its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of certain "sensitive customer information."
In addition, the FTC similarly has published a guidance document on how to comply with the "Safeguards Rule" of the GLBA, which includes a discussion on managing system failures for financial institutions subject to FTC jurisdiction.2 For example, this document suggests that customers should be notified promptly if their personal data is subject to loss, damage or unauthorized access. The FTC also offers a separate guidance document on information compromise and the risk of identity theft.3 This second document provides guidance on when it would be appropriate to notify law enforcement, affected businesses and consumers in the event of a security breach.
III. Data Security Practices
A company that collects personal data should reevaluate its data security practices and ensure that:
(1) one or more employees have been designated to coordinate such practices;
(2) procedures are in place to regularly monitor and test such practices;
(3) firewall, encryption and other data security software is in place and up to date;
(4) customers are properly verified before they are allowed access to their personal data;
(5) third parties receiving personal data are verified as legitimate businesses;
(7) for employees who have access to personal data, there are employee background checks, employees sign nondisclosure agreements and employees are properly and adequately trained regarding data security measures;
(8) unusual employee access (and timing) to personal data is monitored;
(9) clear and effective security management procedures are in place to address issues raised by an actual breach in data security;
(10) paper shredders or similar devices are used to properly dispose of offline data;
(11) hard drives and backup devices are properly wiped and destroyed before being discarded;
(12) access to data servers and other storage devices is restricted, and physical measures are used to protect such devices;
(13) large-scale downloads and transfers of personal data are monitored and restricted; and
(14) reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for personal data, and such service providers should be required by contract to implement and maintain such safeguards, among other measures (e.g., requiring such service providers to notify the company in the event there is a breach of data security).4
The security measures discussed herein should be adopted and implemented in harmony with data protection laws applicable to a company's business practices, as well as industry security standards applicable to such practices. For example, most companies that work with credit card companies must meet a set of standards required by a group of credit card companies, including American Express, Mastercard International and Visa International, for securing cardholder information. Data security procedures should be flexible enough to keep pace with evolving data protection laws and applicable security standards, as well as sophisticated cyber threats, and companies should continue to monitor such laws and standards in light of their business practices. It is important to note that, although computer hackers cause data security breaches by circumventing firewalls and stealing personal data, there are other situations that involve stolen laptops or similar portable devices that store personal data. Thus, companies should simply avoid storing personal data on such devices if it is not necessary to do so. In addition, companies should reduce the amount of personal data on their systems by removing, and no longer collecting, data that they do not actually need (in accordance with applicable laws).
IV. Global Outsourcing And Data Security
In the FTC's view, a company subject to privacy obligations under U.S. laws may not avoid such obligations by outsourcing its data processing activities to offshore service providers. Specifically, the FTC stated that "[a] company that is subject to U.S. laws is responsible for the use and maintenance of consumer information in accordance with those laws. Simply because a company chooses to outsource some of its data processing to a domestic or offshore service provider does not allow that company to escape liability for any failure to safeguard the information adequately." In those cases, the FTC "would look to whether the company that outsourced the data processing employed sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information."5
Thus, it is imperative that companies engaging in global outsourcing arrangements understand the significant legal implications that arise when personal data is involved in such arrangements. Of particular concern is that many countries to which personal data is outsourced do not have data protection laws. Before entering into an outsourcing relationship with a foreign service provider, a company should take appropriate due diligence measures with respect to the service provider (e.g., ensure that the provider has procedures in place to accommodate certain standards imposed by the company). The foreign service provider should be obligated by contract to take appropriate measures to safeguard the personal data that is collected, used or disclosed on behalf of the company, in accordance with the company's data protection standards. Companies should be particularly wary of "confidential" contract form language in these arrangements.
The trend toward greater data protection and security is likely to continue through legislative efforts at both the state and federal levels. Companies should pay close attention to the flurry of privacy-related legislation that is currently being considered in state and federal legislatures, in addition to similar recently enacted legislation. Companies that collect personal data from foreign consumers should also be aware of the potential applicability of foreign data protection laws.
Many data security breach instances involve a failure in the security process, rather than the security technology. Thus, employees and vendors must be properly screened and trained to handle personal data. It is imperative that every single link in the company's chain, including vendors that handle outsourced information, is taken into account when data security policies are created.
4 Existing contracts with service providers should also be amended to provide for the security of personal data.
5 Letter from Timothy J. Muris, Chairman, Federal Trade Commission, to the Honorable Edward J. Markey, U.S. House of Representatives (May 7, 2004).
Timothy McTaggart, a Partner in the Corporate and Financial Services Department, and Demetrios Eleftheriou, an Associate in the Telecommunications Department, are with Willkie Farr & Gallagher LLP in the firm's Washington, D.C. office.