Protecting Personal Data

During the past seven years, 45 states have enacted laws mandating consumer notification when personal data that thieves can use to perpetrate identity theft is stolen from company computers.  The Federal Trade Commission (FTC) has also brought enforcement actions against companies for not properly protecting sensitive personal data.  The challenge, of course, is how to comply with 38 state laws and to avoid an FTC determination that a failure to protect personal data amounts to an unfair business practice in violation of 15 U.S.C. 45(a).  This article will provide an overview of these various state laws and the FTC regulation and suggest the proactive measures a company can implement before and after a data breach to minimize its potential liability under this new regulatory scheme.
California was the first state to legislate a response to identity theft in 2003 by enacting Calif. Civ. Code § 1798.82 et seq., requiring any business or person “that maintains computerized data that includes personal information that the person or business does not own…[to] notify the owner or licensee of the information of any breach of the security of the data, immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”  Id. at § 1798.29(a).  The statutory purpose is to provide sufficient notice to individuals whose personal information has been stolen so they can take steps to prevent thieves from using it to empty their bank accounts or use their credit cards.
There are some variations among the state statutes
Forty-four states have followed California’s lead by enacting similar consumer notification laws, with legislation currently pending in 10 state legislatures.  The requirements of these 44 statutes, while strikingly similar to the California statute, are not uniform, and the remedies and penalties for failing to provide proper notice vary.  Some states, such as California, permit civil actions by consumers, including class actions and the recovery of attorney fees.  Id. at § 1798.84.  New York vests enforcement in its state attorney general with the potential for fines up to $150,000.  N.Y. Gen. Bus. Law § 899-aa6(a).  Fines in Florida can range up to $500,000.  Fla. Stat. Ann. § 817.5681(1)(b)(2).
On the federal level, the FTC has taken the lead.  Two enforcement actions stand out.  In June 2005, the FTC entered into a settlement agreement with BJ Wholesale Club for not properly protecting the personal information of thousands of its customers.  The FTC required BJ to implement a comprehensive information security program that it was required to audit for the next 20 years.  In January 2006, the FTC settled with ChoicePoint Inc., a consumer data broker that had compromised more than 163,000 consumer financial records, for a similar 20-year stipulated judgment in addition to $10 million in penalties and $5 million in consumer redress.
The primary goal of this regulatory scheme, both the FTC enforcement actions and the state statutes, is to encourage companies to protect personal data.  The state laws define personal information to include nonpublic information such as Social Security numbers, driver’s licenses or state identification cards and an “[a]ccount number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”  815 Ill. Comp. Stat. 530/5.  This past October, California amended its law to include health and medical insurance data.  Calif. Civ. Code § 1798.29(e)(4)(5).  Many of the statutes encourage companies to protect personal data by maintaining them in encrypted or redacted form; these laws provide that encrypted or redacted data are automatically exempted from the notification requirement.  The FTC in the BJ enforcement action, however, focused on BJ’s failure to employ a whole variety of proper security measures beyond encryption to protect the personal data.
The state notification statutes, unlike the FTC regulation, are principally designed to require companies to notify individuals when their personal data have been compromised through a data breach.  Even if a company that is the subject of a data breach is not located in one of the 45 states where notification laws exist, notification is required if the company conducts business in such a state and an individual whose data were compromised resides there.  See, e.g., id. at § 1798.82(a).  Each of the 45 state statutes sets forth various ways this notification may be accomplished and includes the options of direct mailing, emailing, telephonic and public notices.  Many states provide for substitute notice, such as posting notice of the breach on a public Web site, when the cost of providing notice would exceed a specified amount or when the company does not have sufficient contact information to provide the notification.
The timing of the notice is obviously critical.  The California statute, like most of the others, requires the notice to “be made in the most expedient time possible and without unreasonable delay.”  Calif. Civ. Code § 1789.29(a).  Wisconsin defines a reasonable time as one “not to exceed 45 days after the entity learns of the acquisition of personal information.”  Wis. Stat. § 895.507(3).  Texas requires notification “as quickly as possible.”  Texas Bus. & Comm. Code § 48.103(b).  Also, most of the statutes permit notifications in accordance with “an information security policy” so long as its “procedures are otherwise consistent with the timing requirements” of the statute.  See, e.g., Del. Code Ann. tit. 6 § 12B-103.
The standard exception to the timing of the notification is that it can be delayed “if a law enforcement agency determines that the notification will impede a criminal investigation.”  Calif. Civ. Code § 1798.29(c).  Oregon requires law enforcement to be notified.  2007 Laws of Oregon Ch. 759.  North Carolina (N.C. Gen. Stat. § 75-65(c)) and Vermont (Vt. Stat. Ann. tit. 9 § 2435(b)(3)) require this determination to be in writing.  Once “the law enforcement agency determines that the notification will not compromise the investigation,” notification must be made.  Calif. Civ. Code § 1798.29(c).  Other states also permit notification to be delayed “[t]o determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system.”  Md. Code Ann. 14-3504(D)(1)(ii).
The key practical issue as to notification arises in the ambiguous circumstance when there may not be sufficient evidence to conclude that personal information “is reasonably believed to have been acquired by an unauthorized person.”  Calif. Civ. Code § 1798.29(a).  For most businesses this is a critical issue, since the fact of notification does not send a positive message to customers, who will likely blame the business for mishandling their personal data.  For example, if two customers who use their credit cards on a Web site report to the Web site owner that there has been a fraudulent use of their credit cards, that does not necessarily mean that there has been a data breach of all of the Web site’s credit card information.  Whether the fraudulent use of these two credit cards is coincidental or is the result of a security breach can only be resolved by a thorough investigation.
Many states, such as Utah, require notification to be given only after the owner or licensee of the data “conduct[s] in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes.”  Utah Code § 13-44-202(1)(a)(b).  Connecticut adds the requirement that even “after an appropriate investigation,” there must be “consultation with relevant federal, state and local agencies responsible for law enforcement” before there can be a reasonable determination “that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.”  Conn. Gen. Stat. 36A-701(b).  Maryland mandates that if the investigation “determines that notification… is not required,” records reflecting that determination must be maintained for three years.  Md. Code Ann. 14-3504(B)(4).
Common themes offer companies some guidance
From this patchwork of state laws and FTC regulations, common themes emerge that provide guidance for a company:
* It is critical in the first instance to protect personal data in the company computers through encryption, redaction and other security measures.  The protection of personal information should be a prime focus of any corporate compliance program.  For that reason, the New York Stock Exchange requires its members to establish a compliance program that includes the protection of “all non-public information that might be…harmful to…its customers, if disclosed.”  NYSE’s Listed Company Manual, § 303A, ¶ 10.
* The company must be prepared to conduct an immediate investigation whenever facts emerge that suggest a breach of personal data.  A plan should be in place to deal with data breaches so that an informed decision can be made immediately whether notice needs to be provided to law enforcement or consumers or whether the company should employ self-help by filing an immediate court action to retrieve the stolen data.
* If it is determined that a security breach occurred, the appropriate law enforcement agency should be notified.
* Accurate and complete documentation should be maintained whenever the possibility of a data breach is raised: the facts known about the alleged breach, the steps taken to determine whether a breach occurred and all communications with law enforcement.  It is critical to create a contemporaneous record that may later be viewed by government regulators or private litigants, particularly if the decision is made not to notify consumers or law enforcement, to show that the company acted expeditiously and responsibly in its response to the data breach.

Intellectual Property: The PRO-IP Act

By Nick Akerman and Lile Deinard
In October, the federal government, with strong bipartisan support, reorganized its strategy and expanded the resources available to protect the nation’s intellectual property with the enactment of the Prioritizing Resources and Organization for Intellectual Property Act, known as the PRO-IP Act, 15 U.S.C. 8101.  The legislation was formulated in response to the “billions of dollars in lost revenue for United States companies each year [caused by the theft of intellectual property] and even greater losses to the United States economy in terms of reduced job growth, exports, and competitiveness” and the concern that organized crime and terrorist groups “utilize piracy, counterfeiting, and infringement to fund some of their activities.”  P.L. 110-403, § 503.  This article will describe the major innovations created in the act and discuss its implications for businesses with valuable IP assets.
The PRO-IP Act accomplishes three congressional goals.  First, it coordinates the federal government’s resources to protect copyrights, patents, trademarks, trade secrets and computer data through the newly created position of intellectual property enforcement coordinator (IPEC), to be appointed by the president and confirmed by the Senate.  Second, it provides increased funding to the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI) and local law enforcement to investigate and prosecute IP thieves.  And third, it significantly increases civil and criminal penalties for stealing IP.
IP enforcement coordinator is crucial to the act
The IPEC, the IP czar, is the centerpiece of the act.  This federal official has two responsibilities: to “chair the interagency intellectual property enforcement advisory committee established” by this act; and to coordinate the development, and assist in the implementation, of the Joint Strategic Plan against counterfeiting and piracy by the advisory committee.  15 U.S.C. 8111(b)(1).  The advisory committee is to “develop the Joint Strategic Plan.”  15 U.S.C. 8111(b)(3)(B).
The Joint Strategic Plan must address specified issues, including the reduction and disruption of “counterfeit and infringing goods in the domestic and international supply chain”; the identification of the impediments to effective enforcement; improvements to the efficient and legal sharing of information among law enforcement agencies; and the strengthening and coordinating of efforts of foreign countries to protect IP.  The plan must prioritize objectives and decide how to achieve those objectives by coordinating the efforts of federal agencies.  15 U.S.C. 8113(a), 8113(e).
Members of the advisory committee are to consist of “Senate-confirmed representatives of” various federal agencies, some of which are obvious, such as DOJ, the FBI, the U.S. Patent and Trademark office and the Department of Commerce, but others of which are not so obvious, such as the Office of Management and Budget, the State Department, the Department of Homeland Security, the Food and Drug Administration and the Department of Agriculture.  The committee may also include “any such other agencies as the President determines to be substantially involved in the effort of the Federal Government to combat counterfeiting and infringement.”  15 U.S.C. 8111(b)(3).
The IPEC is to assist “in the implementation of the Joint Strategic Plan” and provide “guidance to departments and agencies on basic issues of policy and interpretation, to the extent necessary to assure the coordination of intellectual property enforcement policy and consistency with other law.”  15 U.S.C. 8111(b).  The act also mandates that the plan strengthen “the capacity of other countries to protect and enforce intellectual property rights” and reduce the “number of countries that fail to enforce laws preventing the financing, production, trafficking, and sale of counterfeit and infringing goods.”  15 U.S.C. 8113(a)(5).
While the act expressly provides that the IPEC “may not control or direct any law enforcement agency…in the exercise of its investigative or prosecutorial function,” 15 U.S.C. 8111(b)(2), it does strengthen the enforcement efforts and the resources of DOJ.  It directs the attorney general, subject to appropriations, to create a task force to develop and “implement a comprehensive, long-range plan to investigate and prosecute international organized crime syndicates engaging in…crimes relating to the theft of intellectual property,” 42 U.S.C. 3713B(a)(4)(B); and to “ensure that all Computer Hacking and Intellectual Property Crime Units located” at an office of a U.S. attorney are assigned to at least two assistant U.S. attorneys “responsible for investigating and prosecuting computer hacking or [IP] crimes.”  42 U.S.C. 3713B(a)(2).
The PRO-IP Act also requires the FBI to create an operational unit of at least 10 additional agents to work with DOJ’s Computer Crime and Intellectual Property section on the investigation and coordination of complex IP crimes, and to implement a comprehensive IP crime program.  42 U.S.C. 3713B(a)(1), 3713(b).  The act also emphasizes and encourages cooperation among the FBI and state and local law enforcement agencies.  42 U.S.C. 3713(a), (b).  To facilitate that cooperation, the act provides for $25 million in annual grants to local law enforcement during the next five years “for training, prevention, enforcement and prosecution of [IP] theft and infringement crimes.”  42 U.S.C. 3713a.  The act also expands the federal criminal law.  The transshipment of infringing works through or exported from the United States is now a violation of § 42 of the Trademark Act of 1946 and subjects violators to criminal prosecution.  18 U.S.C. 2320.
The civil and criminal forfeiture rules under the Copyright Act increase sentencing penalties in the event bodily harm or death occurs during the seizure and impounding of counterfeit goods.  The act provides for the forfeiture of property used to commit or facilitate trademark or copyright infringement (e.g., vehicles) and makes offenders subject to provisions comparable to those of the Comprehensive Drug Abuse Prevention and Control Act of 1970.  18 U.S.C. 2323.  The act abolishes the requirement that the copyrights which are the subject of criminal prosecution be registered with the register of copyrights.  17 U.S.C. 109.  Civil enforcement for private litigants is also enhanced.  The act provides that a certificate of copyright registration, if only harmlessly inaccurate, and the register of copyrights so confirms, shall be deemed to satisfy the requirements of the Copyright Act for the commencement of a civil copyright infringement action.  17 U.S.C. 411.  The act facilitates the court’s authority to order the seizure of allegedly infringing materials and related business records documenting the manufacture, sale or receipt of the infringing works and permits the court to take into custody such seized materials.  17 U.S.C. 503.
It is now mandatory in a case involving a counterfeit mark that the court award judgment for three times the profits or damages, whichever is greater, plus attorney fees, in the event that the defendant is found to have intentionally used the mark, knowing it to be counterfeit.  Also, the court may award prejudgment interest on the amount of damages or profits.  15 U.S.C. 1117.  Statutory damages in trademark counterfeiting cases under the Trademark Act are now doubled, from $500 to $1,000 minimum and from $100,000 to $200,000 maximum per product.  And an award of statutory damages is available in the maximum amount of $2 million per counterfeit mark for willful use.  Id.

The act should benefit businesses dependent on IP
All businesses dependent on IP to compete should benefit from the PRO-IP Act.  The focused criminal prosecutions envisioned by the act with increased penalties, additional investigative and prosecutorial resources, improved coordination of federal and local law enforcement agencies, and with real cooperation from key foreign countries could potentially have a significant impact in reducing the theft of IP.  The heightened measures enacted to protect IP and the new role of the U.S. government in the enforcement of IP civil and criminal laws are perceived as primarily intended to facilitate the investigation and prosecution of international crime syndicates that commit IP crimes, especially trademark counterfeiting of luxury goods, to support their terrorist and organized crime activities.  These enhanced civil and criminal enforcement powers will surely benefit U.S. businesses whose IP is their premium asset.
This does not mean that companies should sit back and assume the federal government will now be the protector of their IP.  Rather, the act invites companies to be proactive.  The act encourages companies to take advantage of the enhanced civil penalties and expressly provides that the IPEC “may consult with private sector experts in [IP] enforcement in furtherance of providing assistance to the members of the advisory committee.”  18 U.S.C. 8113(c)(2).  Businesses that are the victims of IP theft, the group which this act is intended to protect, should not be passive.  Most of these businesses have security experts and others who have been dealing with this problem on the front line for many years and are likely in the best position to advise the IP czar on how best to attack this problem on a global basis.  Thus, it is critical that companies not be shy in pressing their views in the formulation of the strategic plan mandated by the act.