Many high-profile data security breaches have cropped up over the last couple of years. Since 2005, organizations such as ChoicePoint, Inc., BJ’s Wholesale Club, The Boston Globe, DSW and the Veterans Administration have reported losing consumers’ personal information because of significant breaches.
Most recently, the TJX Companies in Framingham, Mass. reported it had lost more than 45 million credit and debit card numbers belonging to its customers.
Data breaches create substantial reputational and legal risks for companies. For example, in January 2006, ChoicePoint, Inc. paid $10 million in civil penalties and $5 million for consumer redress related to a claim pursued by the Federal Trade Commission. The FTC claimed ChoicePoint’s security procedures violated consumers’ privacy rights and federal laws.
And in April 2007, three banking trade associations from Massachusetts, Connecticut and Maine filed a class action against TJX seeking millions in damages due to the company’s credit and debit card data breach.
Legal requirements
Generally speaking, companies have a duty to protect non-public personal information in their possession and control, including an individual’s name, combined with one or more identifying data elements such as a social security number, driver’s license, date of birth, financial account number, and credit or debit card number.
Certain industries are subject to specific federal requirements regarding privacy, such as those outlined in the Gramm-Leach-Bliley Act of 1999 for financial services institutions. Most other companies are subject to the FTC’s enforcement authority under Section 5 of the FTC Act.
In addition to federal laws, 39 states and the District of Columbia have enacted data breach notification laws, including Massachusetts, which passed its new law in August.
The Massachusetts law, which goes into effect Feb. 3, 2008, differs from other state laws in several aspects.
First, the law gives Massachusetts residents the right to put a freeze on their credit report. Once a consumer’s credit report is frozen, a consumer reporting agency is prohibited from releasing the report or any related information without the express authorization of the consumer. Only a consumer can lift this security freeze.
Second, it establishes standards for the destruction of written and electronic records containing personal information of Massachusetts residents. These records must be destroyed so they no longer can be practicably read or reconstructed. Third, the law applies to breaches involving both paper and electronic data (most other state laws focus on electronic data).
Similar to other state laws, the Massachusetts statute requires companies to provide notice to state residents whose personally identifiable information has been compromised. Under the law, a breach must create a “substantial risk” of identity theft before notice has to be provided.
If a company determines consumer notice is required, the notice must be provided to consumers “as soon as practical and without unreasonable delay.” The notice may be sent via written or electronic means (if consistent with electronic transaction laws). Posting it on a website is not sufficient unless certain criteria are met.
Complying with the new Massachusetts law and the numerous other state laws, each with its own separate requirements, is challenging when a company loses data containing records for individuals in multiple states. Things are further complicated if the compromised information relates to individuals outside the United States, since foreign data security laws, especially those in the European Union, are stricter than U.S. laws.
Several bills are pending in Congress that may alleviate some of the burden by creating a uniform national standard for data breach notification in the U.S. In the meantime, requirements must be met in every state where the information was compromised.
Best practices
How does a company deal with myriad legal requirements and other risks? More companies are dedicating substantial resources to data security – including significant dollars spent on technology – to prevent breaches from occurring.
Information security programs include an inventory of non-public personal data across the company and risk assessments to determine the controls needed to protect data.
In most instances, access to this information is restricted to a “need to know” basis. Additional controls are placed on information that is more vulnerable, such as data stored on laptops and PDAs.
Even with the best systems and controls, breaches can still occur. Recent cases have demonstrated that how a breach is handled once it is discovered is as important as creating a program to prevent the breach from occurring in the first place.
The following steps should be taken in the event of a breach:
1. Report the breach internally to the appropriate person(s) responsible for handling the investigation.
2. Assess the nature and scope of an incident, and identify what systems and types of customer information have been accessed or misused. Under most laws, notifications are required when a risk exists that the information may be subject to possible identity theft.
3. Take appropriate steps to contain and control the incident, such as monitoring, freezing, or closing affected accounts while preserving records and other evidence.
4. Notify the appropriate regulator or law enforcement agency as soon as possible after becoming aware of the incident involving unauthorized access to sensitive customer information.
5. Notify customers as required by the law. Federal and state laws provide detailed requirements on when this notice must be provided, as well as the form and content of these notices. Legal counsel and compliance departments should maintain a matrix of the various federal and state requirements.
6. Conduct a thorough internal investigation. Results should be properly documented and corrective action established to prevent further occurrences.
In order to minimize the risks associated with data breaches, the steps above should be part of a formal risk incident response program. Employees should be trained on its elements, and the policy should be audited and updated at least annually.
John A. Beccia III is senior vice president and assistant general counsel for Boston Private Financial Holdings, Inc. He serves as the company’s privacy officer. Mr. Beccia is also co-chairperson of the Boston Bar Association’s Corporate Counsel Committee.