During the past seven years, 45 states have enacted laws mandating consumer notifications if there is a theft of personal data from the company computers that can be used by thieves to perpetrate identity theft. The Federal Trade Commission (FTC) has also brought enforcement actions against companies for not properly protecting sensitive personal data. The challenge, of course, is how to comply with 38 state laws and to avoid an FTC determination that a failure to protect personal data amounts to an unfair business practice in violation of 15 U.S.C. 45(a). This article will provide an overview of these various state laws and the FTC regulation and suggest the proactive measures a company can implement before and after a data breach to minimize its potential liability under this new regulatory scheme.
California was the first state to legislate a response to identity theft in 2003 by enacting Calif. Civ. Code § 1798.82, et seq., requiring any business or person “that maintains computerized data that includes personal information that the person or business does not own…[to] notify the owner or licensee of the information of any breach of the security of the data, immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Id. at § 1798.29(a). The statutory purpose is to provide sufficient notice to individuals whose personal information has been stolen so they can take steps to prevent thieves from using it to empty their bank accounts or use their credit cards.
There are some variations among the state statutes
Forty-four states have followed California’s lead by enacting similar consumer notification laws, with legislation currently pending in 10 state legislatures. The requirements of these 44 statutes, while strikingly similar to the California statute, are not uniform, and the remedies and penalties for failing to provide proper notice vary. Some states, such as California, permit civil actions by consumers, including class actions and the recovery of attorney fees. Id. at § 1798.84. New York vests enforcement in its state attorney general with the potential for fines up to $150,000. N.Y. Gen. Bus. Law § 899-aa6(a). Fines in Florida can range up to $500,000. Fla. Stat. Ann. § 817.5681(1)(b)(2).
On the federal level, the FTC has taken the lead. Two enforcement actions stand out. In June 2005, the FTC entered into a settlement agreement with BJ Wholesale Club for not properly protecting the personal information of thousands of its customers. The FTC required BJ to implement a comprehensive information security program that it was required to audit for the next 20 years. In January 2006, the FTC settled with ChoicePoint Inc., a consumer data broker that had compromised more than 163,000 consumer financial records, for a similar 20-year stipulated judgment in addition to $10 million in penalties and $5 million in consumer redress.
The primary goal of this regulatory scheme, both the FTC enforcement and the state statutes, is to encourage companies to protect personal data. The state laws define personal information to include nonpublic information such as Social Security numbers, driver’s licenses or state identification cards and an “[a]ccount number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” 815 Ill. Comp. Stat. 530/5. This past October, California amended its law to include health and medical insurance data. Calif. Civ. Code § 1798.29(e)(4)(5). Many of the statutes encourage companies to protect personal data by maintaining them in encrypted or redacted form; these laws provide that encrypted or redacted data are automatically exempted from the notification requirement. The FTC in the BJ enforcement action, however, focused on BJ’s failure to employ a whole variety of proper security measures beyond encryption to protect the personal data.
The state notification statutes, unlike the FTC regulation, are principally designed to require companies to notify individuals when their personal data have been compromised through a data breach. Even if a company that is the subject of a data breach is not located in one of the 45 states where notification laws exist, notification is required if the company conducts business in such a state and an individual whose data were compromised resides there. See, e.g., id. at § 1798.82(a). Each of the 45 state statutes sets forth various ways this notification may be accomplished and includes the options of direct mailing, emailing, telephonic and public notices. Many states provide for substitute notice, such as posting notice of the breach on a public Web site, when the cost of providing notice would exceed a specified amount or when the company does not have sufficient contact information to provide the notification.
The timing of the notice is obviously critical. The California statute, like most of the others, requires the notice to “be made in the most expedient time possible and without unreasonable delay.” Calif. Civ. Code § 1789.29(a). Wisconsin defines a reasonable time “not to exceed 45 days after the entity learns of the acquisition of personal information.” Wis. Stat. § 895.507(3). Texas requires notification “as quickly as possible.” Texas Bus. & Comm. Code § 48.103(b). Also, most of the statutes permit notifications in accordance with “an information security policy” so long as its “procedures are otherwise consistent with the timing requirements” of the statute. See, e.g., Del. Code Ann. tit. 6 § 12B-103.
The standard exception to the timing of the notification is that it can be delayed “if a law enforcement agency determines that the notification will impede a criminal investigation.” Calif. Civ. Code § 1798.29(c). Oregon requires law enforcement to be notified. 2007 Laws of Oregon Ch. 759. North Carolina (N.C. Gen. Stat. § 75-65(c)) and Vermont (Vt. Stat. Ann. tit. 9 § 2435(b)(3)) require this determination to be in writing. Once “the law enforcement agency determines that the notification will not compromise the investigation,” notification must be made. Calif. Civ. Code § 1798.29(c). Other states also permit notification to be delayed “[t]o determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system.” Md. Code Ann. 14-3504(D)(1)(ii).
The key practical issue as to notification arises in the ambiguous circumstance when there may not be sufficient evidence to conclude that personal information “is reasonably believed to have been acquired by an unauthorized person.” Calif. Civ. Code § 1798.29(a). For most businesses this is a critical issue, since the fact of notification does not send a positive message to customers, who will likely blame the business for mishandling their personal data. For example, if two customers who use their credit cards on a Web site report to the Web site owner that there has been a fraudulent use of their credit cards, that does not necessarily mean that there has been a data breach of all of the Web site’s credit card information. Whether the fraudulent use of these two credit cards is coincidental or is the result of a security breach can only be resolved by a thorough investigation.
Many states, such as Utah, require notification to be given only after the owner or licensee of the data “conduct[s] in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes.” Utah Code § 13-44-202(1)(a)(b). Connecticut adds the requirement that even “after an appropriate investigation,” there must be “consultation with relevant federal, state and local agencies responsible for law enforcement” before there can be a reasonable determination “that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.” Conn. Gen. Stat. 36A-701(b). Maryland mandates that if the investigation “determines that notification… is not required,” records reflecting that determination must be maintained for three years. Md. Code Ann. 14-3504(B)(4).
Common themes offer companies some guidance
From this patchwork of state laws and FTC regulations, common themes emerge that provide guidance for a company:
* It is critical in the first instance to protect personal data in the company computers through encryption, redaction and other security measures. The protection of personal information should be a prime focus of any corporate compliance program. For that reason, the New York Stock Exchange requires its members to establish a compliance program that includes the protection of “all non-public information that might be…harmful to…its customers, if disclosed.” NYSE’s Listed Company Manual, § 303A, ¶ 10.
* The company must be prepared to conduct an immediate investigation whenever facts emerge that suggest a breach of personal data. A plan should be in place to deal with data breaches so that an informed decision can be made immediately whether notice needs to be provided to law enforcement or consumers or whether the company should employ self-help by filing an immediate court action to retrieve the stolen data.
* If it is determined that a security breach occurred, the appropriate law enforcement agency should be notified.
* Accurate and complete documentation should be maintained whenever the possibility of a data breach is raised: the facts known about the alleged breach, the steps taken to determine whether a breach occurred and all communications with law enforcement. It is critical to create a contemporaneous record that may later be viewed by government regulators or private litigants, particularly if the decision is made not to notify consumers or law enforcement, to show that the company acted expeditiously and responsibly in its response to the data breach.