Archive for the ‘Data Breach Notification Law’ Category
The Federal Trade Commission’s (FTC) Red Flag Rules have been revised to exclude certain professionals prior to the latest enforcement deadline of December 31, 2010. Specifically, President Obama signed into law on December 18, 2010, the Red Flag Program Clarification Act of 2010 (Clarification Act), which clarifies the scope of the FTC’s Red Flags Rule. Under the amendment, professionals such as doctors, lawyers, and accountants are excluded from the Red Flags Rule. For a full copy of the Act, click here.
The Red Flags Rule was enacted to protect consumers from identity theft by requiring “creditors” covered under the Rule to establish written policies and procedures to identify risks of identity theft to their customers. Under the plain language of the Red Flags Rule, a business becomes a “creditor” when it provides products or services in advance and requires payment from the customer at a later time. Further, under prior FTC interpretations, “creditor” was broadly interpreted to cover lawyers, doctors, accountants, and others because they bill for services after the services have been performed.
Under the Clarification Act, however, the meaning of the term “creditor” now includes only those who (1) regularly and in the ordinary course of business obtain or use consumer reports in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds. The Clarification Act does not specifically exclude doctors, lawyers, and accountants. But Senator Christopher Dodd (D.-Conn.) and Senator Mark Begich (D.-Alaska) make clear that the Clarification Act does not extend to these professionals and other small businesses as creditors covered under the Red Flags Rule simply because they provide services and bill clients, patients, and customers for payment at a later time, except to the extent that they furnish information to consumer reporting agencies in connection with a credit transaction. Finally, the Clarification Act allows the FTC to determine in the future whether the scope of the Rule should be expanded to include other types of creditors that offer or maintain accounts subject to a reasonably foreseeable risk of identity theft.
From a practical standpoint, even those professionals and businesses specifically exempted from the Red Flags Rule should establish an identity theft prevention program: It is a good business practice to eliminate or, at least, minimize the chance of a data breach and to minimize the subsequent fallout with your customers. Additionally, other applicable regulations may require certain protection programs. For example, doctors must have HIPAA security programs in place and there is a patchwork of state statutes that cover data security and reporting requirements for breaches.
For questions about Red Flags Rule Compliance, establishing an information security program, or improving your organization’s current policies and procedures for preventing losses, contact E-Business Counsel, PLC.
Mr. Locke explained that the motivation for this initiative is “[b]ecause of the vital role the Internet plays in driving innovation throughout the economy, the Department has made it a top priority to ensure that the Internet remains open for innovation while promoting an environment respectful of individual privacy expectations.”
Further, the Commerce Department is seeking public comment from all Internet stakeholders through a Notice of Inquiry (NOI) published in the Federal Register. One question the Department seeks to answer is “whether current privacy laws serve consumer interests and fundamental democratic values.”
Please contact me about offering insight on this topic or joining in the submission of a comment pursuant to the NOI. Your suggestions would be greatly appreciated. Thanks.
BusinessWeek’s CEO Guide To Technology reported that – based on data from the security firm Symantec – about 66% of all identities exposed in 2008 were from the theft or loss of laptops, USB keys, and other backup devices. Against this backdrop, BusinessWeek presented an interesting podcast about data breaches based on Rachael King’s interview with the Ponemon Institute’s founder Larry Ponemon. The Ponemon Institute is a pre-eminent research center dedicated to privacy, data protection and information security policy. Click here for a link to the podcast and here to download BusinessWeek’s podcast. Definitely worth a listen.
Employers find they are walking a tightrope when it comes to balancing employee privacy, information protection, and not creating ammunition for retaliation claims
It is increasingly common for companies to require employees to use “web-based” company portals to access company information, such as HR policies, training materials, wage information, 401K accounts, and processing applications. This is in addition to personal information, e.g., social security numbers, contact information, driver’s license numbers, etc., that companies maintain in company databases. The use of such measures provides numerous benefits, including cost savings and convenient employee access to such information. But employers increasingly find they are walking a tightrope when it comes to balancing employee privacy concerns, complying with information protection laws, and avoiding providing ammunition to prospective retaliation claims by current or former employees.
In regard to retaliation claims, at least in Michigan, they follow a basic fact pattern: (1) The plaintiff claims he or she was engaged in a “protected activity”; (2) The plaintiff was discharged or otherwise discriminated against regarding the employee’s compensation, terms, conditions, location, or privileges of employment; and (3) There was a “causal connection” between the protected activity and the discharge. Under Michigan law, “protected activity” may include reporting to a public body a violation of a law, regulation, or rule; being about to report such a violation to a public body; or being asked by a public body to participate in an investigation.
A recent decision, Zungoli v United Parcel Service (New Jersey, 2009), provides a new twist on this basic retaliation fact pattern and potentially expands the universe of “protected activity” that employers will have to manage.
In Zungoli, a former United Parcel Service (UPS) employee claimed that he was retaliated against for refusing to use UPS’s web-based employee portal. This portal provided access to UPS information related to HR, payroll, and training materials. Plaintiff also refused to use UPS’s employee management database that debuted in May 2006. In August 2006, Plaintiff received a less than satisfactory performance rating that was expressly based in part upon his refusal to register and use the UPS portals.
In response, Plaintiff filed suit alleging that he believed (this belief has important implications discussed below) UPS was violating public policy because UPSers.com and the UPSnetwork were not secure and could expose personal confidential employee information. In support of his claim, Plaintiff pointed to: (1) the fact that the terms and conditions of UPSers.com specifically informed employees that they had no reasonable expectation of privacy when using UPS portals; (2) the fact that for most users, UPSers.com did not have a user authentication system to protect its users’ confidential information; and (3) that UPSers.com allowed another individual to be contemporaneously logged on with the same username and password without notifying the user.
UPS brought a motion to dismiss the claim and thereby avoid further litigation, which the Court rejected. In reaching this decision, the Court noted that “there is a substantial causal nexus between the complained of conduct by UPS and a law, rule or mandate of public policy.” In this regard, the Court pointed to New Jersey’s Identity Theft Protection Act, (N.J.S.A. 56:11-44), which is a legislative recognition that it is necessary to restrict access to citizens’ social security numbers “in order to detect and prevent identity theft and to enact certain other protections and remedies related thereto and thereby further the public safety.”
The Zungoli decision is significant for employers on two fronts: First, for employers that have established similar web-based portals for their employees or that maintain confidential employee information on databases:
- As a best practice – and in light of the Zungoli decision and data breach laws – employers should assess their existing security measures protecting personal employee and customer information (as well as information critical to business success), have in place a written security policy for such information and a written breach response procedure, evaluate whether only necessary employee information is collected by the employer, and educate employees about data security. Companies should also review and update data security and privacy practices on a regular basis.
- Evaluate what employee information is collected and how such information is maintained. Michigan, like many other states, has laws pertaining to the use, display, and handling of social security numbers and other “personal information.” In addition, the majority of states have adopted data breach notification laws, which require companies to notify individuals whose personal information has been breached.
- Employers should consider allowing employees in states with identity protection and privacy protection laws to opt out without fear of discipline or other adverse employment action if an employee expresses concern that the employer failed to implement appropriate security protections. This opt-out consideration may not be practical, however, if significant cost savings would be lost if employees broadly opted out. Refusing an opt-out procedure must be carefully assessed against the backdrop that – at least in Michigan – a whistle blower generally does not have to be correct in making his or her claim. Instead, the complaining employee must only have a “reasonable belief” that the complained-of activity is illegal or a violation. Thus, an employee may erroneously assert that a given employee database lacked adequate security, but still be entitled to whistle blower protection and damages if the employee can show he or she was retaliated against by the employer. Further, it is not uncommon for an employer to obtain a favorable judgment as to a whistle blower claim, but still lose as to retaliation. See Weishuhn v Catholic Diocese of Lansing (Mich App, 2008) (trial court granted dispositive motion with respect to the Whistleblowers’ Protection Act claim, but it denied the motion with respect to the retaliation claim; the Court of Appeals vacated the trial court’s decision on other grounds).
- If opting out is not practical, is it possible to limit the company web portal to information specific to the company as opposed to the individual employee? For example, company training materials or HR information could be made available through a web portal, accessible upon the creation of a basic user profile that did not depend upon the disclosure of personally identifiable employee information.
- Any disclaimer language companies use should be carefully evaluated in light of privacy, security, and employee expectation. For example, the disclaimers used by the UPS portals advised users that they have no reasonable expectation of privacy with respect to their personal information, yet the plaintiff was still required to use the portal. While no system can guarantee security and privacy, reasonable and appropriate technical, administrative and physical security measures should be instituted to safeguard employee (and customer) information. Otherwise, as in Zungoli, companies may unintentionally invite whistle blower and privacy lawsuits by employees.
The second important consideration for companies is that while Zungoli involved a retaliation claim based on information security measures for an employee web portal, it is not difficult to envision a former employee/plaintiff making similar allegations as to information security measures for customer information. In that regard, the New Jersey ID Theft Protection Statute referenced in Zungoli is one of over 40 state data breach laws that could form the “causal connection” necessary to assert a retaliation claim. And in that scenario, a company would not only be required to respond to the employment litigation, but also to potential downstream issues of public relations with its customers, new litigation filed by customers, or applicable regulatory investigation into a plaintiff’s allegations. These are certainly “worst case scenarios,” but scenarios that can quickly develop into an expensive reality.
Feel free to contact me for a copy of the Zungoli opinion or with any questions or concerns about this post. Thanks.
Three men have been arrested in Tallahassee, Fla., in connection with the Heartland Payment Systems data breach. Click here for the full story reported in SC Magazine by Chuck Miller. The nonprofit Open Security Foundation (a data breach clearinghouse) reported over a hundred banks have been affected by the Heartland breach, which has required these institutions to reissue cards to customers. The Heartland breach is a textbook example for making the business case for addressing information security. For information about proactive steps companies can take to minimize the chance of becoming the next Heartland, click here.
In the preceding post, Preventing Data Breaches – On the Cheap, the cost of responding to data breaches was briefly referenced as a reason for companies to invest resources to prevent such breaches. The article, Watch out! Privacy litigation damages becoming more viable, reports that as more data breaches find their way into courts, these costs will rise. For example, one case cited in this article, Department of Veterans Affairs Data Theft Litigation, (D. D.C. Jan. 27, 2009), saw the Department of Veterans Affairs agree to pay $20 million to set up a fund to pay the expenses of anyone directly affected by the breach, which includes credit-monitoring expenses and mental health costs for those who may have suffered extreme emotional distress as a result of the breach. Click here for Information Week’s article, Cost Of Data Breaches Keeps Going Up, for more (bad) news regarding increasing costs for responding to data breaches.
In a prior post, Warren Buffett’s Fighting Stance, the principles of a good martial arts fighting stance were applied to protecting competitive, proprietary information. The value of a good “information protection fighting stance” was also highlighted in the wake of the recent data breach (also as noted in an earlier post) where Heartland Payment Systems disclosed it was subject to a massive data breach, which potentially exposed the personal information of 600 million cardholders. Now, a week after this disclosure, Heartland will have to defend class action litigation arising from this breach: A lawsuit was filed on January 27, 2009 in U.S. District Court in Trenton, N.J., which alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud. Click here for a copy of the Complaint.
This massive data breach is likely to galvanize support for federal legislation. In this regard, Senator Dianne Feinstein (D-Calif.) re-introduced two bills concerning consumer privacy protection earlier this month. Additionally, immediately after taking the oath (the first time), President Obama outlined his plan to enhance the nation’s cyber-security.
While it is premature to weigh in on the merits of federal data protection legislation, companies may actually welcome such steps. For example, President Obama’s plan and federal legislation would likely alleviate a company’s burden in complying with the existing patchwork of state data protection and security breach notification laws. Further, federal legislation would also bring additional resources and enforcement power of the federal government to an area that generally crosses state and international lines.
In the meantime, however, companies have a number of low-cost options for improving their own information security fighting stance. And the significance of taking such steps is underscored by two points:
First, a 2008 Data Breach Investigations Report by Verizon concluded that of more than 500 data breaches that were investigated, more than half required no or only a low degree of skill to perpetrate. Further, the report found that basic security tools and precautions would have prevented the breaches.
Second, a 2008 survey by the Computer Security Institute of 144 respondents identified the average loss arising from a data related breach to be $288,618.00 per respondent. Survey results may be downloaded here.
So with this in mind, companies should consider incorporating these points into their information protection fighting stance:
- Identify the information to be protected: Satisfying a company’s obligation to protect information begins by understanding what information the company has and where it is located. Private personal customer data, like sensitive company information such as transaction data, R&D results, and corporate financial records, are often stored (or duplicated) in widely dispersed locations. The company cannot protect information until it knows that it exists, where it is located, and how it is used and stored.
- Control Access: Once a company identifies the information to be protected, it needs to take steps to restrict access to protected information — paper and electronic files — to those with a legitimate business need to access such information. Companies also need to continually evaluate their access controls to make sure terminated employees’ access rights are terminated or reassessed as job responsibilities change. This point may generate a sarcastic mental inquiry of “yah’ think so Einstein” but this oversight happens … a lot. See Former Fannie IT Contractor Indicted for Planting Malware (The IT contractor was terminated, but his server privileges were not).
- Employee Education: Training and education for employees is a critical component of any security program. Without it, it is analogous to installing heavy duty doors with state of the art locks but leaving the doors wide open or forgetting to lock the doors so that anyone may pass through. Simply put, security measures are of little value if employees do not understand their roles and responsibilities.
- Control what and how information leaves the office: Companies should have a written policy for when employees may remove personal information from the company facility and under what circumstances. This is especially important because portable devices and laptops are the most likely sources for a data breach. For example, a June 2008 study conducted by the Ponemon Institute on behalf of Dell found that more than 12,000 laptops are lost by users each week as they pass through airports. Click here for the study. Additionally, companies may find themselves on the hook for the negligence of their employees with respect to mishandling data. See Bell v. Michigan Council 25 of American Federation of State, County, Municipal Employees, AFL-CIO, Local 1023 2005 (Mich. App. 2005), where plaintiffs – victims of identity theft – asserted that the Union they were members of was liable for not safeguarding their personnel information and that this negligence facilitated the identity theft perpetrated by a third party. On appeal, the Court found the Union did owe plaintiffs a duty and the question of negligence was properly submitted to the jury.
- Encrypting Private Data: There are a number of commercial encryption solutions available to protect digital information. Also, small businesses or business professionals could consider open source solutions like TrueCrypt (www.truecrypt.org), which is free, open source, on-the-fly encryption software that can encrypt a dedicated space on your hard drive, a partition or the whole disk, as well as removable storage devices. Encrypting or redacting data may also eliminate the need in some states to provide notifications of a data breach.
- Don’t Forget Third Parties: Attention should be given to third party vendors with access to protected information. This includes evaluating information security, background checks, and addressing data security in contractual agreements. It is a good practice to spell out in an agreement between the company and the third-party vendor the vendor’s responsibilities in protecting the data and for reporting breaches. You may also want to consider reserving the right to conduct periodic audits of the vendor’s security measures or to pass risks of exposure onto the vendor.
- Properly Destroy Personal Information: Properly disposing of personal/confidential information is a must. For an egregious example of “why” data needs to be properly destroyed (and monitored) see Thrift shop MP3 player contained U.S. military documents. For paper, this means shredding. For all storage devices containing personal information, deleting or reformatting is not sufficient. Instead, destruction should be pursuant to a recognized security standard, e.g., U.S. Department of Defense Standard DoD 5220.22-M, to ensure that old data cannot be recovered.
- Prepare for the Worst — ahead of time: If a breach occurs, how will the company respond? A number of issues need to be addressed, including technical, legal, and public relations issues. This plan should ensure that appropriate persons within the organization are promptly notified of security breaches, and that prompt action is taken to respond to the breach (to stop further information compromises and to work with law enforcement), to notify regulators and people who may be potentially injured, and to deal with the press. Such a plan should clearly address how the company will comply with the requirements of the applicable security breach notification laws. Certainly no business professional wants to be put in a position to address these decisions, let alone make these difficult decisions on the fly.
In addition to preventing costly data breaches, these no-cost steps also highlight to your customers and employees that you are taking extra precautions to protect their data, which, unfortunately, may separate you from your competitors.
Jason Shinn works with companies to address best practices for information protection, including complying with state and federal laws. Feel free to contact him with any questions or concerns about this topic and the issues raised in this post.