Illinois Attorney General Issues Information Security and Security Breach Notification Guidance

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides tools to assist entities in preventing, preparing for and responding to data security breaches. The guidance suggests that entities assess the amount of personal information on file, reduce the amount of personal information available within the entity, protect the information accordingly and train employees to properly manage the information. In order to respond quickly and efficiently to a data security breach, the guidance encourages entities to create and implement an incident response plan that includes the PIPA notice requirements.


"Illinois-ed" About the Lack of Useful Information in Breach Notices? Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation

On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.

A handful of U.S. states currently dictate what content, at a minimum, must be included in notices to individuals regarding a compromise of their personal information. In many instances, such information is included in order to help recipients evaluate what actions to take in response to a breach of personal information. At present, Illinois is not one of these “select” states. It soon will be. As of January 1, 2012, security breach notices to Illinois residents must include contact information for credit reporting agencies and the Federal Trade Commission, along with a “statement that the individual can obtain information from these sources about fraud alerts and security freezes.”

HB3025 also expands the reach of the state’s breach notice law to include service providers who maintain or store, but don’t own or license personal information. It then requires such service providers to cooperate with the data owner or licensor with respect to breaches of personal information in the service provider’s care. Such cooperation must include “(i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach.” But the service provider is not required to disclose its own confidential business information or trade secrets or notify Illinois residents of the breach (that obligation remains with the data owner or licensor). With these amendments, Illinois joins seven other states in mandating cooperation between data owners and service providers.

In addition to amending the state’s breach notice law, HB3025 also establishes standards for disposing of materials containing personal information. Under the new law, a “person must dispose of [any] materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable.” Appropriate methods of disposal include, for example, redacting, burning, pulverizing, or shredding hard copy records and destroying or erasing electronic media so that personal information cannot practicably be read or reconstructed. If you don’t want to, or can’t, do these things yourself, the law allows you to contract with a third party who will do them for you so long as appropriate monitoring policies and procedures are implemented to ensure that the third party will properly carry out its duties and protect the security of personal information. Once again, Illinois is not alone in requiring proper disposal of records containing personal information. In fact, Illinois’ new records disposal provisions closely track those already in existence in several other states.

If you operate nationwide, HB3025 won’t add much to your breach response plan, since other state breach notification laws have already included similar requirements. If not, HB3025 and the wave of recent amendments to state information security breach notice laws only further complicates an already difficult compliance landscape. So exactly when, you ask, will we get some federal relief from the burden of tracking and complying with almost fifty different breach notification laws? Good question.

No job? Bad credit? No problem! (In Illinois.)

Illinois recently enacted legislation that broadly restricts a private employer from using credit reports regarding job applicants or current employees. Subject to certain exceptions, an employer may not inquire about, order, or obtain a job applicant’s credit report, or fail or refuse to hire or recruit an individual based on the individual’s credit report or history. With respect to current employees, an employer may not discharge or otherwise discriminate against an employee because of the employee’s credit history or credit report. The law also prevents an employer from requiring an applicant or employee to waive any rights under the new law and prohibits retaliatory and discriminatory acts by the employer. Importantly, the law creates a private right of action for an individual to seek injunctive relief and damages and provides for prevailing-party attorneys’ fees.

The newly enacted law becomes effective January 1, 2011. Notably, there are a number of exceptions. For example, banks, credit unions, insurance companies, debt collectors, and a variety of other finance-related entities are exempted from the rule. Law enforcement officers and other state or local government agencies are also exempted. The law also does not apply in a variety of other situations—when:

  • State or federal law requires bonding or other security covering an individual holding the position.
  • The duties of the position include custody of or unsupervised access to cash or marketable assets valued at $2,500 or more.
  • The duties of the position include signatory power over business assets of $100 or more per transaction.
  • The position is a managerial position which involves setting the direction or control of the business.
  • The position involves access to personal or confidential information, financial information, trade secrets, or State or national security information.
  • The position meets criteria in administrative rules, if any, that the U.S. Department of Labor or the Illinois Department of Labor has promulgated to establish the circumstances in which a credit history is a bona fide occupational requirement.
  • The employee’s or applicant’s credit history is otherwise required by or exempt under federal or State law.

The new Illinois law appears to be aimed at protecting individuals whose credit scores have suffered as a result of the financial downturn. The new law would protect an individual who, for example, lost his or her job and was unable to pay some of his or her bills during the period of unemployment. Although an employer could currently request access to the job applicant’s credit report, see the delinquent accounts, and refuse to hire the individual based on this information, as of January 1, 2011, the employer would be prohibited from even requesting the individual’s credit report—unless one of the many statutory exceptions applies. The legislature’s creation of a private right of action and attorneys’ fees provisions signifies the importance of an employer’s compliance with this new law.

Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.B. 453)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (S.B. 307)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (S.B. 340)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Minnesota’s New Law

The Minnesota law, H.F. 1758, amends Minnesota’s data breach notification law and contains security and liability components. The security requirements take effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.” Such companies are prohibited from retaining the following card data after authorization of a transaction:

  • “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV – a unique authentication code embedded on the magnetic stripe);
  • the three- to four-digit security code on the back of the card by the signature block (also known as CVV2); and
  • any PIN verification code number. If a debit card with a PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction.

The liability provision of H.F. 1758 applies to data breaches occurring after August 1, 2008. It requires companies to reimburse card-issuing financial institutions for the “costs of reasonable actions” taken both to protect their cardholders’ information and to continue to provide services to their cardholders after a breach. The reimbursement would cover costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts and stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover the costs of damages it pays to cardholders as a result of a breach.

The Five Pending Bills

The April 27, 2007 blog entry posted here discussed in detail California’s A.B. 779 as introduced. Since that posting, A.B. 779 has been amended in various California Assembly Committees and now resides with the Appropriations Committee. The amended bill extended its scope beyond just retailers to all persons or businesses conducting business in California that own or license computerized data containing personal information. The 90-day record destruction requirement in the original bill has been deleted, but the amended bill now has a host of other restrictions on storing payment card data. Among other things, the bill requires:

  • that account numbers retained by businesses be “indecipherable” to unauthorized persons;
  • that payment-related data sent across a network be encrypted; and
  • that companies have role-based restrictions on employee access to such data.

The bill also adds a provision that is broader than Minnesota’s financial institution reimbursement provision, requiring vendors that maintain, but do not own or license, breached personal information to reimburse data owners and licensees for the “reasonable and actual costs” of providing data breach notification.

In the Texas legislature, the House passed H.B. 3222, which would require companies that accept, process or maintain credit cards, debit cards and other financial institution-issued cards to follow the Payment Card Industry Data Security Standard (“PCI DSS”). The PCI DSS is an extensive set of industry security standards, designed to prevent identity theft, that the major credit card issuers impose on merchants that store, process or transmit cardholder data. While H.B. 3222 excludes financial institutions from the security standards, it empowers them, subject to certain conditions, with a right of action for actual damages against other companies they believe have violated the provision.

The other pending bills, Connecticut S.B. 1089, Illinois S.B. 1675 and Massachusetts H. 213 all contain provisions similar to Minnesota’s liability provision making companies liable to banks or financial institutions that incur costs arising from a breach. It should be noted that the liability provisions of Massachusetts’ H. 213 were not included in omnibus versions of data breach notification, credit freeze and data security and disposal bills that have recently passed the Massachusetts House and Senate, and which await action by conference committee to resolve differences between the two versions.