Posted on June 19, 2009 by Brendon Tavelli

What Happens in Vegas Really Does Stay in Vegas (Unless It Is Encrypted)

A new Nevada law, S.B. 227, will require entities doing business in that state to beef up their protections of personal information. Previously, we wrote about Nevada’s personal information encryption law. See our blog post here. The current law requires encryption of any personal information transmitted electronically (other than by facsimile). But S.B. 227, which becomes effective on January 1, 2010, will require encryption of all personal information leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device.”

Here are some key points regarding the new version of Nevada’s encryption law:

What is a “Data Storage Device?”  Included in the definition are: “computers, cellular phones, magnetic tape, electronic computer drives, optical computer drives and the medium itself.”  This is not an exclusive list.

 

What type of Encryption?  Under the old law, any sort of encryption satisfied the encryption requirement, the law did not specify a threshold for compliance.  S.B. 227, however, requires (1)  the use of “encryption technology that has been adopted by an established standards setting body . . . which renders such data indecipherable in the absence of associated cryptographic keys” and (2) “[a]ppropriate management and safeguards of cryptographic keys . . . using standards promulgated by an established standards setting body.”

 

Immunity from damages – If a data collector loses personal information, it is not liable, as long as it complied with the law and the loss did not result from gross negligence or intentional misconduct.  So the new law provides a safe harbor to businesses that follow the more stringent rules.  However, as we noted with respect to the old law, it is not entirely clear who may sue to enforce the law’s provisions.

 

Payment Card Exemption – If personal information is transmitted for use in a payment card transaction then “with respect to those transactions” the data collector need only comply with the Payment Card Industry Data Security Standard (“PCI DSS”).  PCI DSS Requirement 4 requires encryption when the data is being transmitted on an open, public network.  The exact scope of “those transactions” is still unclear, but it is clear that the exemption will not encompass transmissions of personal information that are unrelated to payment card transactions. Payment cards are defined broadly to include almost any card that is issued to an authorized card user and that allows that user to obtain, purchase or receive anything of value.  See NRS 205.602.

 

Telecommunications Provider Exemption – Another interesting addition to the final draft of the law was an exemption for telecom companies that act “solely in the role of conveying the communications of other persons” because these providers are not responsible for the content transmitted using their systems.  This exemption is broad, and applies without regard to the mode of conveyance used, including wireless, voice over Internet protocol (“VOIP”) and other digital transmission technologies.

 

Remaining Questions – Unfortunately, S.B. 227 fails to answer some of our questions about the original law. Specifically, it remains to be seen, among other things, (a) who can enforce this law, (b) whether there is a private right to sue, and (c) what it means for a company to be “doing

business in this State.”

 

Stay tuned!

 

Proskauer summer associate Gary Silber contributed to this post.
Tags: , , , , , , , ,
Posted on May 12, 2009 by Jennifer Roche

Third Time's a Charm for "Data Accountability and Trust"? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

H.R. 2221 provides for notification following discovery of a breach of security of a system maintained by any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information. The bill would require notification to each individual whose personal information was acquired by an unauthorized person as a result of such a breach of security, and to the Federal Trade Commission. The bill includes special notification requirements for third party agents, telecommunications carriers, cable operators, information services, and interactive services, and for a breach involving health information.

Personal information, as defined in the bill, is an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following: the individual’s social security number, driver’s license number or other State identification number, or a financial account number or credit card number and any security or access code needed to access the account. Breach notification would be exempted, however, where the person that owns or possesses the data determines that there is “no reasonable risk of identity theft, fraud or unlawful conduct” from the unauthorized data access. Breaches of encrypted data would presumptively be exempt.

Importantly, the bill expressly preempts state laws regarding data breach notification. Preemption of state laws, such as those in California that contain different “trigger” language governing when notification is required, was one reason the bill struggled when initially introduced in 2005.

Where notification is required, the bill specifies methods for and required content of notification. Written, or in some circumstances, email, notification is required; the notice must include a description of the information acquired, notice of the right to receive free consumer credit reports, and certain relevant telephone contact numbers. Substitute notification, allowing notification to be posted on the entity’s website and in print and broadcast media, is allowed for those persons owning or possessing the data of fewer than 1,000 individuals.

Other provisions in the bill call for regulations to be promulgated governing the establishment of policies and procedures regarding practices to protect data containing personal information by those who own or possess such information. State laws regarding information security practices on the treatment of such data also would again be subject to preemption. Additionally, the bill contains specific provisions covering information brokers – requiring that brokers supply their security policies to the FTC either in conjunction with a breach notification or upon the Commission’s request. Under the proposed Act, information brokers would be required to allow each individual whose personal information it maintains to review his or her own data for accuracy.

Rep. Boucher (D-Va), who is planning to introduce a bill addressing how information collected online is stored and used, and Rep. Rush are planning to hold a hearing this summer to discuss how their bills “intersect.”

Stay tuned.
Tags: , , , , , , , , ,
Posted on February 13, 2009 by Brendon Tavelli

Massachusetts Regulators Postpone Compliance Deadline and Issue Revised ID Theft Regulations

On Thursday, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) revised and postponed -- for the second time -- its comprehensive data security regulations. The new deadline for all covered entities to achieve full compliance with the Massachusetts regulations is January 1, 2010. This fixed deadline replaces a tiered-compliance schedule established by OCABR in November 2008 that would have given covered entities until May 1, 2009 to install certain data security safeguards, including encrypting personal information on laptops, and until January 1, 2010 to implement more aggressive security measures. (See our prior post here.)

Responding to the concerns of the regulated community, the OCABR’s revised regulations, 201 CMR 17.00, do not require covered entities to obtain written certification of compliance with the regulations from third party service providers handling personal information on their behalf. Instead, covered entities need only take steps to verify that third party service providers are able to, and do, employ the kind of personal information security measures required by 201 CMR 17.00. The revised regulations are otherwise nearly identical to the OCABR’s earlier version, which is described here.

In the OCABR’s Thursday press release, Undersecretary Daniel Crane expressed the importance of the new regulations to Massachusetts consumers and the need for businesses to take steps toward compliance. As to the revised compliance timeframe, Crane said “[w]e understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”
Tags: , , , , , , ,
Posted on July 7, 2008 by Joseph K. Wright

New Connecticut Law Threatens $500,000 Penalty for Privacy Violations

On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008. 

The new law penalizes any individual or business that intentionally fails to protect personal information.  “Personal information” includes Social Security numbers, driver’s license numbers, and account numbers for insurance policies, credit card numbers and bank accounts. Individuals and businesses are subject to civil penalties of $500 per violation, up to $500,000 for any single event. The law imposes the same penalty for intentional failure to “destroy, erase or make unreadable” personal information during disposal of records. It does not, however, impose fines on negligent or unintentional violators, nor does it apply to public entities.        

The law also requires businesses that collect Social Security numbers to create a privacy protection policy. The policy must protect the confidentiality of Social Security numbers, prohibit unlawful disclosure and limit access to them.

Unlike its counterpart in California, the Connecticut law only applies to willful violations. California also protects more categories of information. However, the Connecticut law creates a duty to safeguard personal information, whereas the California laws require only “reasonable steps” to protect or destroy personal information. 

This law is part of a broader effort in Connecticut to protect Social Security numbers; in the last two months, Connecticut has enacted three separate bills to protect Social Security numbers. The other two bills affect the use of Social Security numbers on birth certificates.

Whereas California Civil Code § 1798.84 authorizes a private right of action for California consumers injured by violations of its data security law, the new Connecticut law does not appear to create a private right of action. Instead, civil penalties are paid to the state, and the Department of Consumer Protection and other business licensing agencies share enforcement duties. 

Leslie Buoncristiani, a summer associate in Proskauer’s Los Angeles office, contributed to this post.
Tags: , , , , , ,
Posted on April 15, 2008 by Brendon Tavelli

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

In the FTC’s action against TJX, the Commission alleged that TJX failed to prevent unauthorized access to personal information on its computer networks. These failures allowed a hacker to exploit vulnerabilities and obtain tens of millions of credit and debit payment cards used at the retailer’s stores along with personal information about approximately 455,000 consumers that returned merchandise without receipts. The FTC alleged that TJX:

  • Created an unnecessary risk to personal information by storing it on and transmitting it between various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require the use of strong passwords or different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software. 

The FTC’s settlement with TJX requires the retailer to implement and maintain a comprehensive information security program that is designed to protect the security, confidentiality and integrity of personal information collected from or about consumers. The program must include certain administrative, technical and physical safeguards that are appropriate to the company’s size, the nature of its activities, and the sensitivity of the personal information it collects. In particular, TJX must:

  • Designate an employee or employees to coordinate the information security program;
  • Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
  • Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
  • Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and
  • Evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs.

In addition, TJX must retain an independent, third party security auditor to assess the sufficiency of its information security program at least once every two years for the next 20 years. This security auditor will be required to certify that the company’s security program satisfies the requirements of the consent agreement and is operating with sufficient effectiveness to provide reasonable assurance that consumers’ personal information is being protected. The FTC is not seeking any financial penalty to resolve the charges.

The proposed agreement is subject to public comment until April 28, 2008, after which the FTC will decide whether to make it final.
Tags: , , , , , , ,
Posted on October 14, 2007 by Tanya Forsheit

Governor Schwarzenegger Says No to California A.B. 779

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.
Tags: , , , , , , , , , , , , ,
Posted on August 16, 2007 by Tanya Forsheit

Massachusetts Is 39th State to Mandate Breach Notification

Massachusetts is now the 39th state to enact a personal data breach notification law. On August 2, Governor Deval Patrick signed the law, requiring that businesses and government agencies notify residents of data breaches in certain situations. The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." Notice also must be provided to consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.

Unlike the majority of state breach notification laws, Massachusetts defines a "breach of security" to include hard copy, as well as electronic data. A breach is defined as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth." The only other states that currently require notification in the event of a breach involving hard copy data are Hawaii, Indiana, North Carolina, and Wisconsin.

The law defines "personal information" as a resident's first name and last name or first initial and last name in combination with any one or more of the following: 1) Social Security number, 2) driver's license number or state-issued identification card number, or 3)  financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

The new law can be found here.

Tags: , , , ,
Posted on August 3, 2007 by Tanya Forsheit

Breach Law Data

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included).  We also provide links, or uploaded copies, where available.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h)

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (S.B. 2290, Act 135)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 4-1-11 et seq.)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Michigan (S.B. 309)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-42-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Washington (WASH. REV. CODE § 19.255.010)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

For a helpful compilation of state laws addressing credit freezes and Social Security numbers, and proposal federal legislation addressing identity theft, see Congressional Research Service Report for Congress, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, June 1, 2007.
Tags: , , , , ,
Posted on July 31, 2007 by Tanya Forsheit

Oregon Becomes 38th State to Adopt Breach Notification Law

On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.

The bill defines "breach of security" as the "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person" (emphasis added), and requires businesses to notify state residents if their computerized personal information is compromised unless, "after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach."

For purposes of the bill, "personal information" is defined as a consumer’s first name or first initial and last name in combination with their 1) social security number, 2) driver’s license or state identification card number, 3) passport or other United States issued ID number or 4) financial account information along with password or security code information. An individual’s name need not be directly connected to the other data elements to trigger the notice requirements; notice is required if the compromised data "would be sufficient to permit a person to commit identity theft."

Under the new law, businesses and government agencies also must meet certain data security and disposal requirements. Specifically, they must "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including disposal of the data." An entity will be deemed to be in compliance if it implements an information security program that includes certain enumerated administrative, technical and physical safeguards.

Violations of the new law can result in civil penalties of not more than $1,000 for each violation. In the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.

The full text of S.B. 583 is available here.
Tags: , , , ,