French Data Protection Agency Issues Guidelines to Help Companies Strengthen the Security of their Data Processing

To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL’s recommendations in these areas. 

According to article 34 of the French Data Protection Act of January 6, 1978 (as later amended, the “Act”), data controllers must take all useful precautions, depending on the nature of the data and the risks involved in processing it, to preserve the security of the data and, in particular, to prevent its alteration and damage, or access by non-authorized third parties.

Failure to do so is punishable by five years' imprisonment and a fine of €300,000.

This duty to ensure the security of data continues throughout all stages of data processing, i.e. from the data’s creation, to its use, back-up, filing and through to its eventual destruction.

In its recently issued guidelines, the CNIL particularly recommends that companies:

1.  Manage/Restrict access to data:

  • Give a user ID to each person who processes data and authenticate that user by means of a password, smartcard, digital fingerprint or similar; where a password is used, make sure it is changed every 3 months. The CNIL also recommends that companies remind their employees never to give their passwords to anyone, never to use the same password for different accesses, and not to configure their software so that passwords are stored;
  • Implement a permission management system to determine which category of employees may have access to each database. The CNIL considers that each user should only have access to the data s/he needs for carrying out his/her duties. In order to have an effective permission management system, it is, for instance, advised to delete users’ access permissions as soon as they are no longer authorized to have such access or processing rights, as well as when their employment is terminated.

2.  Log/Register the actions made by users on the system during a defined period of time:

  • According to Article 6 of the Act, processing may only be performed on personal data that meets the following conditions: the data shall be obtained and processed fairly and lawfully; it shall be obtained for specified, explicit and legitimate purposes; and it shall not subsequently be processed in a manner that is incompatible with those purposes.
  • The CNIL recommends that any logs of user data should be stored for a maximum of 6 months.
  • The data components to be stored are: the user number, the log-in date and time, and the log-out date and time.

3.  Guarantee the integrity of the data:

  • Article 6 of the Act provides that data shall be accurate, complete and, where necessary, kept up-to-date;
  • The CNIL recommends implementing measures to prevent viruses and fraudulent intrusions into company computers, and to secure remote access via the Internet. To this end, the following protective measures may be introduced: limiting the number of log-in attempts, implementing firewalls and automatic session locking, and using up-to-date antivirus programs.

4.  Implement processes enabling the deletion, archiving or anonymization of the data:

  • Article 6 of the Act also provides that data shall be stored in a form that allows the identification of data subjects for a period no longer than is necessary for the purposes for which such data was obtained and processed.
  • Two types of anonymization exist. The first is irreversible, i.e., there is no ability to make the data identifiable to an individual again. The second is reversible and allows the anonymized data to be converted back into a format in which the personal data is maintained. Regarding reversible anonymization, the CNIL specifies that the re-identification process must be very secure.
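As an added illustration of point 2 above (not part of the CNIL guidelines or the original post), the following Python sketch keeps only the three log components the CNIL lists and purges entries older than the recommended 6-month maximum; the log line format and the 183-day window are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Assumed approximation of the CNIL's "maximum of 6 months" retention.
RETENTION = timedelta(days=183)


@dataclass(frozen=True)
class SessionLogEntry:
    """Only the three components the CNIL lists: user number, log-in time, log-out time."""
    user_id: str
    login_at: datetime
    logout_at: Optional[datetime]  # None while the session is still open


def parse_entry(line: str) -> SessionLogEntry:
    """Parse a constructed 'user;login;logout' line (ISO 8601 with offset); '-' means still logged in."""
    user_id, login, logout = line.strip().split(";")
    return SessionLogEntry(
        user_id=user_id,
        login_at=datetime.fromisoformat(login),
        logout_at=None if logout == "-" else datetime.fromisoformat(logout),
    )


def purge_expired(entries: Iterable[SessionLogEntry], now: datetime) -> List[SessionLogEntry]:
    """Keep an entry only if its last activity (log-out, or log-in if still open) is within RETENTION."""
    cutoff = now - RETENTION
    return [e for e in entries if (e.logout_at or e.login_at) >= cutoff]


def retained_user_ids(raw_log: str, now_iso: str) -> List[str]:
    """Parse a raw log, apply the retention rule at time `now_iso`, and return the surviving user numbers."""
    entries = [parse_entry(line) for line in raw_log.splitlines() if line.strip()]
    return [e.user_id for e in purge_expired(entries, datetime.fromisoformat(now_iso))]


# Constructed sample log: one entry well past 6 months, one open session, one recent session.
SAMPLE_LOG = """\
u1001;2008-12-20T08:12:00+00:00;2008-12-20T17:40:00+00:00
u1002;2009-06-20T09:00:00+00:00;-
u1003;2009-07-01T10:05:00+00:00;2009-07-01T18:30:00+00:00
"""

if __name__ == "__main__":
    # Evaluated on 2009-07-07: u1001 is purged, u1002 and u1003 are retained.
    print(retained_user_ids(SAMPLE_LOG, "2009-07-07T00:00:00+00:00"))
```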

In order to guide companies to self-assess the level of security of their data processing, the CNIL has issued a questionnaire that focuses on the following points:

  • Analysis of the risks;
  • Authentication of the users;
  • Permissions management;
  • Work stations security;
  • Mobile IT security;
  • Back-ups;
  • Maintenance security;
  • Log files access security;
  • Protection of the premises;
  • Protection of the internal IT network;
  • Servers and applications security;
  • Managing subcontracting;
  • Archiving; and
  • Security of data exchanges with other companies.

To continue to strengthen companies’ security with regard to data processing, the CNIL has announced that a more elaborated document is being prepared.

Special Radio Report No. 2: Newman Dishes on Cloud Computing

Cloud computing is already revolutionizing the way companies operate their businesses, in particular in the way they store and process information. But before you jump into the cloud, you may want to pause to consider your options. The many benefits of cloud computing should be weighed against the risks inherent in outsourcing the storage and processing of sensitive data and other property of your company (including intellectual property that may be moved "into the clouds"). Moreover, you should be mindful of the ways in which you can mitigate these risks, including, for example, through careful selection of a cloud computing vendor, by negotiating contractual provisions to heighten the privacy and security of your data and property, and by allocating legal responsibilities in the event of a security failure.

Click here to listen to Proskauer associate Natalie Newman talk about cloud computing with Mari Frank, the host of KUCI's Privacy Piracy radio show.

State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

In Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009), the plaintiff sued J.P. Morgan Chase, N.A. (“Chase”) after Chase issued a press release announcing that the personal information of approximately 2.6 million current and former holders of a Chase-Circuit City credit card had been mistakenly identified as trash and thrown out. The plaintiff brought eight causes of action against Chase on behalf of himself and all persons whose personal information was thrown out. These causes of action included both willful and negligent violations of the FCRA, negligence and negligence per se, breach of implied contract, breach of contract, violation of the DTPA and breach of bailment. Chase filed a motion to dismiss under Fed. R. Civ. P. 12(b)(6) for failure to state a claim.

With respect to the plaintiff’s FCRA claims, the Court held that the plaintiff’s complaint fell well short under pleading standards articulated in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009), because the plaintiff failed to “make factual allegations with enough specificity to plausibly allege that Chase violated OCC regulations.” Accordingly, the Court dismissed these claims as formulaic recitations of the elements of the plaintiff’s cause of action. The Court also noted that even if the plaintiff could amend his complaint to satisfactorily plead these causes of action, they would be barred by the FCRA’s statute of limitations.


With respect to the plaintiff’s state law claims, the Court found that the FCRA preempts the claims. Specifically, the Court noted that Chase was regulated by the Office of the Comptroller of the Currency (“OCC”) and that the OCC’s Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to FCRA, touch on precisely the conduct about which the plaintiff was complaining. The Court stated that “Willey’s . . . claims boil down to a rephrasing of the allegation that Chase failed to follow the OCC Guidelines in violation of the FCRA.” As such, the Court ruled that the FCRA preempted all of the plaintiff's state law claims. In addition, relying on Pisciotta v. Old National Bancorp (see our blog post here), Shafran v. Harley Davidson and Caudle v. Towers, Perrin, Forster & Crosby, Inc., the Court found that the plaintiff failed to show any actual damages sufficient to support his claims. Consequently, the Court granted Chase’s motion to dismiss in its entirety.

What Happens in Vegas Really Does Stay in Vegas (Unless It Is Encrypted)

A new Nevada law, S.B. 227, will require entities doing business in that state to beef up their protections of personal information. Previously, we wrote about Nevada’s personal information encryption law. See our blog post here. The current law requires encryption of any personal information transmitted electronically (other than by facsimile). But S.B. 227, which becomes effective on January 1, 2010, will require encryption of all personal information leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device.”

Here are some key points regarding the new version of Nevada’s encryption law:

What is a “Data Storage Device?”  Included in the definition are: “computers, cellular phones, magnetic tape, electronic computer drives, optical computer drives and the medium itself.”  This is not an exclusive list.


What type of Encryption?  Under the old law, any sort of encryption satisfied the encryption requirement; the law did not specify a threshold for compliance.  S.B. 227, however, requires (1) the use of “encryption technology that has been adopted by an established standards setting body . . . which renders such data indecipherable in the absence of associated cryptographic keys” and (2) “[a]ppropriate management and safeguards of cryptographic keys . . . using standards promulgated by an established standards setting body.”


Immunity from damages – If a data collector loses personal information, it is not liable, as long as it complied with the law and the loss did not result from gross negligence or intentional misconduct.  So the new law provides a safe harbor to businesses that follow the more stringent rules.  However, as we noted with respect to the old law, it is not entirely clear who may sue to enforce the law’s provisions.


Payment Card Exemption – If personal information is transmitted for use in a payment card transaction then “with respect to those transactions” the data collector need only comply with the Payment Card Industry Data Security Standard (“PCI DSS”).  PCI DSS Requirement 4 requires encryption when the data is being transmitted on an open, public network.  The exact scope of “those transactions” is still unclear, but it is clear that the exemption will not encompass transmissions of personal information that are unrelated to payment card transactions. Payment cards are defined broadly to include almost any card that is issued to an authorized card user and that allows that user to obtain, purchase or receive anything of value.  See NRS 205.602.


Telecommunications Provider Exemption – Another interesting addition to the final draft of the law was an exemption for telecom companies that act “solely in the role of conveying the communications of other persons” because these providers are not responsible for the content transmitted using their systems.  This exemption is broad, and applies without regard to the mode of conveyance used, including wireless, voice over Internet protocol (“VOIP”) and other digital transmission technologies.


Remaining Questions – Unfortunately, S.B. 227 fails to answer some of our questions about the original law. Specifically, it remains to be seen, among other things, (a) who can enforce this law, (b) whether there is a private right to sue, and (c) what it means for a company to be “doing business in this State.”


Stay tuned!


Proskauer summer associate Gary Silber contributed to this post.

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

http://www.csoonline.com/article/217027/CSO_Disclosure_Series_What_s_Next_with_Disclosure_Legislation_


Governor Schwarzenegger Says No to California A.B. 779

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.