Security & Surveillance Data Breach Notification and - - PDF document
Security & Surveillance Data Breach Notification and Cybersecurity Standards in the U.S. and E.U. Jonathan P . Armstrong, Eversheds LLP , Leeds and Bruce A. Heiman, Preston Gates Ellis & Rouvelas Meeds LLP , Washington D.C.
Jonathan P . Armstrong, Eversheds LLP , Leeds and Bruce A. Heiman, Preston Gates Ellis & Rouvelas Meeds LLP , Washington D.C.
Reprinted from the December 2005 issue of BNA International’s World Internet Law Report
By Jonathan P . Armstrong, an Associate in the Leeds
with Preston Gates Ellis & Rouvelas Meeds LLP , Washington D.C. The authors may be contacted at tel. (+44) (0)113 200 4658, jonathanarmstrong@ eversheds.com; and tel. (+1) 202 662 8435, bruceh@ prestongates.com, respectively.
The issues surrounding security breach have been prominent in both the United States and the European Union during the latter half of 2005 and already, there are signs that 2006 may become “the year of the security breach”. There is a contrasting approach to regulation in this area on each side of the Atlantic. In the United States, a significant number of states have, or are proposing legislation, mandating the reporting of security breaches following the model of legislation first enacted in California. There also are a number of pending federal bills. A survey by Eversheds LLP this year of more than 25 European jurisdictions, revealed that in Europe there are as yet no direct equivalents of the Californian legislation either at an E.U. level or a domestic level. This article shows the current position in the United States and the contrasting approach in Europe.
Legal Requirements in the United States
California’s Breach Notification Law: S.B. 1386
In April 2002, a California state government data centre processing payroll information suffered a security breach, resulting in the disclosure of confidential information including names, social security numbers, and payroll information of over 250,000 state employees. Prompted by
passed, and then Governor Davis signed, S.B. 1386.1 The law was the first of its kind in the country, and took effect
The new law required anyone conducting business in California to promptly notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, disclosed to an unauthorised person as a result of a breach of their computer system. The law covers all sizes and types of businesses with no exemptions for small businesses or non-profit
“conducting business in California”, not just California corporations or other entities registered with the state. It is possible that activity as minimal as having a few employees in the state could subject a company to its requirements. In addition, on its face the law applies to a company doing business in California even if the personal information is stored on data servers in other states. The law applies to those who “own or license” electronic personal information, defined as an individual’s first name,
more of the following:
■ social security number; ■ drivers licence number or California Identification Card
number; or
■ account number, credit card or debit card number in
combination with any password that would permit access to an individual’s financial account. Notification must occur quickly using one of a variety of specified means. The content of the notice is not specified. Injured customers may bring a civil suit for damages and a business may be enjoined. Some key points about S.B. 1386 are set out below.
What Triggers the Notice Requirement?
Notice is required whenever there is a cybersecurity breach and the knowledge or reasonable belief that unencrypted personal information was in fact disclosed to an authorised
is confident that no information was disclosed, then no notification is necessary. Also, the bill specifically states that: “Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure”.
When Must Notification be Made?
After learning of an incident (“following discovery or notification”), notification is supposed to occur as quickly as possible consistent with determining the scope of the breach, stopping further disclosures, and cooperating with any law enforcement agency investigation.
How Must Notification be Provided?
The statute states that notice may be provided either by written notice or by electronic notice, if the electronic notice is consistent with the federal Electronic Signatures in Global and National Commerce Act of 2000 (known as “E-SIGN”). Alternatively, the business may opt to provide “substitute notice” if it can show that the cost of providing notice in
the affected class of subject persons to be notified exceeds 500,000, or that insufficient contact information is available. Substitute notice requires that the business notify its customers by doing all of the following:
■ e-mailing notice when it has an e-mail address for affected
persons;
■ conspicuously posting the notice on its website (if it
maintains one); and
■ notifying major statewide media.
Security & Surveillance
2
What Must the Notice Say?
On this key point the law is silent.2 It would appear that the notice must at least state that computerised unencrypted personal information of the individual was, or is reasonably believed to have been, acquired by an unauthorised
people on notice and allow them to take protective actions if they believe it necessary to do so, it would also seem that the notice should state what personal information was
Exceptions
There are three notable exceptions to the statute’s
“unencrypted personal information” – specifically, where neither the individual’s name nor a data element is encrypted.3 Second, the statute specifically provides that businesses that maintain notification procedures as part of their own information security policies may follow those procedures if they are consistent with the timing requirements of the new law. Third, service providers who maintain another company’s data and suffer a breach are
its customers).
California’s Data Security Law
The California law required companies to promptly notify residents of security breaches, but was silent about the duties of companies (or state agencies) to protect the information in the first place. The omission did not go unnoticed for long. In 2004, the California legislature passed a new law to impose a requirement for the protection of computerised personal information. This law was the first in the United States to establish an explicit, general, cybersecurity requirement. California Law A.B. 19504 went into effect on January 1, 2005 and requires businesses that own or license personal information about California residents to: “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure” [emphasis added]. It also states that a business that discloses personal information about a California resident pursuant to a contract with a non-affiliated third party, require by contract that the third party implement and maintain reasonable security procedures and practices. The statute explains that “it is the intent of the Legislature to ensure that personal information about California residents is protected” and to “encourage” (although the statute is mandatory) businesses to provide “reasonable security” for personal information (although the statute does not define reasonable security).5 Violation of A.B. 1950 is also subject to a civil suit for damages as well as an injunction.6 The law retains the broad definition of “personal information” found in the breach notification law, with the addition of medical information. The statute also defines the phrase “owns or licenses” broadly as: “intended to include, but is not limited to, personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates”. The law is intended as a minimum, broadly applicable, baseline standard for the treatment of personal information by entities which are not covered by specific privacy
business that is regulated by a state or federal law providing greater protection to personal information than that provided by this law (e.g., medical and financial entities under HIPAA and GLBA).
Other States React to a Flood of Breach Notifications
Although the California Breach Notification law became effective on July 1, 2003 there was scant press attention paid to any notifications of cybersecurity breaches which may have occurred during the next 18 months. That changed suddenly in February 2005 when ChoicePoint, a corporation that collects and compiles personal and financial information on millions of consumers, disclosed that it had been the victim of a security breach by selling the personal information of almost 145,000 people to a criminal enterprise intent on ID theft. The company first disclosed the breach only to California residents – approximately eight months after the breach had occurred! It subsequently disclosed that residents of other states may also have been affected by the breach of security. Since that time, each week seems to reveal yet another
According to one such list, in 2005, personal information on
included leading American companies such as Bank of America, Lexis Nexis, Motorola, as well as public institutions including universities, departments of motor vehicles, and departments of health services. The type of breaches varied. In some cases computers were stolen, in
insiders, stolen passwords or outsiders successfully hacking into systems. One incident alone potentially compromised 40 million credit card accounts as a result of hackers attacking payments processor CardSysems Solutions Inc. As a result of these breach notifications, the National Conference of State Legislatures reported that in the first six months of 2005, legislation involving breach notification and computer security was considered in at least 32 states. By the end of November, laws had been enacted in 22 states! In general, they all include breach notification requirements and procedures that are similar to the California law. However, each state law has its own particular requirements and specifications leading to potential compliance burdens. In addition, Arkansas, Rhode Island and Texas also affirmatively require reasonable security procedures and practices.8
Federal Legislation
State legislatures are not the only ones to become active in response to proliferating reports of security breaches. Consumers (voters) are also clamouring for the Federal Government to “do something!” American industry is also
3
Security & Surveillance
supportive of federal legislation under certain conditions. The growing number of state laws, each with their idiosyncrasies and possibly conflicting requirements, has led many businesses to be receptive to the idea of a single national standard. The result is that mid-way through the 109th Congress, three Senate and three House committees have each been working on solutions to the perceived problems. In part, each committee’s response is guided by that committee’s particular jurisdiction. The commerce committees would increase the authority of the Federal Trade Commission. The judiciary committees emphasise enforcement and enhanced penalties. Banking/financial services committees focus on credit reports (a subject beyond the scope of this article). Nevertheless, there are a number of key issues that repeatedly surface in the commerce and judiciary committee bills including:
■ Federal pre-emption.
Companies operate nationally and argue forcibly that they need to be able to operate pursuant to a single set of
simply sets a “floor” rather than a “ceiling” does not solve the problem.
■ No private right of action.
Companies are adamant that federal legislation should not be the basis for an individual or class action lawsuit. Instead, the U.S. Attorney General, the Federal Trade Commission, and perhaps State Attorneys General should have exclusive authority to enforce the federal statute.
■ Notification only in cases where the disclosure of
unencrypted personal information could result in a “significant risk” of harm from identity theft or financial fraud. Businesses worry about compliance costs and negative
“over-notification” could lead individuals to ignore notices (as many say is true for privacy notices required to be sent
■ Responsibility for notification.
Some argue that a company should be responsible for notifying its customers – even if the breach occurs at a third party service provider.
■ Workable requirements.
Companies believe they should be allowed a reasonable period of time to investigate and take corrective action before notification. Companies are concerned about impractical dictates and also seek a safe harbour for their
information security policy. This would be consistent with the California law.
■ All efficient methods of notification should be permitted –
companies seek flexibility to mail, telephone, e-mail, post notification online or utilise any other major media. A major issue receiving lots of attention is what, if any, substantive cybersecurity requirements should be imposed by any federal legislation. There are already specific requirements for particular sectors. GLBA and HIPAA require an information security programme for financial and health information that includes administrative, technical and physical safeguards that:
■ are appropriate to the size and nature of the company, the
activities and sensitivity of the information; and
■ protect against anticipated threats and hazards,
unauthorised access, use or disclosure. As discussed above, California law AB 1950 was the first generalised cybersecurity statute and required companies to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information…”.9 But some in industry argue that any general federal legislation should impose an even more flexible cybersecurity requirement. Many companies believe they should only be required to implement and maintain security procedures and practices of their choosing and limit the government to enforcing those commitments a company does make. Another possibility would be to require businesses to take protective measures that follow recognised “best practices” in industry. At a minimum, industry is in widespread agreement that legislation should not dictate particular cybersecurity measures. Neither Congress nor the FTC have the expertise to dictate specific technology requirements or specify particular hardware or software. The U.S. Senate Commerce Committee acted first this year, adopting breach notification legislation as part of the “Identity Theft Protection Act” (S.1408) in July. The bill requires companies to notify individuals of breaches of security affecting sensitive personal information (kept on and off-line) if after investigation there is a “reasonable risk
create a private right of action, and gives primacy to federal
party providers or safe harbours for those who have their
are also left to the FTC rulemaking. Importantly, the bill also empowers the FTC to set substantive cybersecurity standards by:
■ requiring companies to have and use an information
security programme including “administrative, technical and physical safeguards”;
■ deeming a company to be in full compliance with the
statute if it complies with the FTC’s rules on Standards for Safeguarding Customer Information and Disposal of Consumer Report Information and Records;
■ requiring the FTC to establish regulations requiring
procedures for authenticating credentials; and
■ requiring the FTC to establish with industry an Information
Security Working Group to develop best practices and report to Congress. The Senate Judiciary Committee acted next by favourably reporting two – in many respects conflicting – bills. First was a bill sponsored by Senator Jeff Sessions (S.1326) that required companies to notify individuals of breaches of security affecting sensitive personal information if there is a “significant risk of identity theft… ”. Like the
Security & Surveillance
4
Commerce Committee bill, this legislation also preempts state law, precludes a private right of action, and gives primacy to federal enforcement. Unlike the Commerce Committee bill, it also requires notification only by those who own or license data (not third party contractors) and provides a safe harbour for companies’ own breach notification procedures. Rather than empowering the FTC to set an affirmative cybersecurity obligation, the Sessions bill statutorily requires companies to: “implement and maintain reasonable security and notification procedures and practices appropriate to the size and nature
The Judiciary Committee then reported a broader and more complex bill dealing with ID theft sponsored by Chairman Specter and Ranking Member Leahy (S.1789).10 This bill is tougher on business than either Senator Sessions or the Commerce Committee bills. This bill requires notification (by those who own or license data) whenever sensitive personally identifiable information (defined broadly and including even encrypted information) is subject to a security breach – there is no “significant risk” threshold. Preemption of state law is weaker, there is only partial preclusion of a private right of action, and no “safe harbour” for a company’s own breach identification procedures. There is primacy of federal enforcement. The bill requires companies to implement comprehensive data security programmes that include: “administrative, technical and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities”. Businesses are required to comply with those safeguards as well as any others identified by the FTC in a rule making. Most recently, in November the House Commerce Committee’s Consumer Protection Subcommittee, approved an amended version of H.R. 4127, The Data Accountability and Trust Act (“DATA”), which had been introduced by the Committee leadership. The bill requires notification (by those who own or license data) where there is a “significant risk” of identity theft or fraud or other unlawful conduct. The use of robust encryption with appropriate key safeguards creates a rebuttable presumption that there is no reasonable basis to conclude that there is such a significant
right of action, but there is no safe harbour for a company’s
promulgate regulations to require companies engaged in interstate commerce that own or possess data in electronic form containing personal information to: “establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information …”. The FTC’s requirements are to be consistent with the size, nature, scope, complexity of activities; the “current state of the art in administrative, technical, and physical safeguards for protecting such information;” and the costs of implementing such safeguards. Note, however, that as reported the bill also specifically prohibits the FTC from mandating the use of particular technology mandates. It remains to be seen whether, and in what form, federal breach notification and cybersecurity legislation will emerge from Congress. On the one hand, the multiple committees involved can seriously complicate prospects for settling on a single final bill. The second Session of Congress is also always shorter and it becomes easier to delay and stop
not be a viable strategy in this area. After all, 2006 is an election year and as Members of Congress get closer to the time when they have to face their constituents for re-election, will they really want to tell the voters that they did not pass legislation to address their concerns about identity theft and financial loss?
Legal Requirements in Europe
As already stated at the start of this article, a survey by Eversheds LLP has revealed that as yet, there are no direct equivalents of the Californian legislation either at E.U. level
been looking at the increasing number of security breaches, in the main the response has been to use existing privacy legislation to take action.
The Legislative Background in Europe
Currently around 33 different European jurisdictions (including the 25 within the European Union) have some form of privacy or data protection law in place. Broadly speaking, these laws protect the personal data (i.e., any data from which a living individual can be identified, whether from the data itself, or from the data and other information in the possession of the person handling the data) of data subjects. Data subjects are similarly broadly defined – whilst data subjects in most countries are living individuals this is not always the case. The starting point in looking at a security breach which touches on Europe should be the data protection legislation in the country concerned – in the United Kingdom for example, the Data Protection Act 1998 includes the seventh data protection principle: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of,
The definition of the word “processing” is a wide one and it will include obtaining, recording, destroying, altering or holding the data. Section 4 of the U.K. Act makes it a duty of a data controller to comply with the data protection principles in relation to all personal data which he controls. There are obvious similarities with the equivalent legislation in other European countries for example, with the equivalent Austrian legislation Article 14, para 1: “Measures to ensure data security shall be taken by all
processor [Dienstleister] that use data. Depending on the kind of data used as well as the extent and purpose of the use and considering the state of technical possibilities and economic justifiability it shall be ensured that the data are protected against accidental or intentional destruction or
5
Security & Surveillance
loss, that they are properly used and are not accessible to unauthorised persons”. Some countries in Europe have additional domestic provisions dealing with security. There are some parallels here with the security obligation imposed in California – in Italy for example, under sections 31 and 32 of the Italian Privacy Code the obligation is that: “personal data shall be processed and controlled, taking into account its nature, the specific features of the processing as well as the technological innovations in security measures and devices in such a way as to minimise the risk of destruction or loss of data, whether by accident or not, as well as of any unauthorized access to the data or processing
purposes for which the data have been collected. Where there is a particular risk of a breach of network security, the provider of a publicly available communications service must inform subscribers and, if possible, users concerning that risk and, when the risk lies outside the scope of the measures to be taken by the provider the provider must give details of possible additional measures including an indication of the likely costs involved”. This information must also be provided to the Italian Privacy Authority and the Italian Authority for Communications Safeguards. The other main way in which privacy law could come in to play might be after intervention by a data subject. The data subject (perhaps suspecting a breach) could make a subject access request which might of itself force disclosure of a security breach – for example, a data controller is mandated in most jurisdictions to disclose who has seen the data. It is important to remember that these requests must ordinarily be answered within a short space of time prescribed by law. This is especially relevant given that some of the U.S. disclosures we have seen so far have been months after the suspected breach. In many cases it would be open to pressure groups or business competitors to use the subject access request mechanism to force disclosure of a suspected security breach. As well as in-country data protection legislation, like in the United States, there may also be additional regulation for certain types of activity which will be relevant to a business’s information security policy. There are no Europe-wide direct equivalents of HIPAA or GLB but as an example in the United Kingdom, the Financial Services Authority (FSA) has said that it intends to keep a close eye
the operators to account for any breaches. U.K. websites who collect credit cards payments online will also have to meet the Payment Card Industry Data Security Standard which imposes the requirement of a 12-step security audit every three months. Other criminal legislation could also have a role to play. Many countries in Europe criminalise hacking and any resultant criminal prosecution might also lead to significant publicity for the original attack. In many cases whilst there may not be a black-letter obligation to inform data subjects
authorities is likely to lead to a “voluntary” disclosure being encouraged.
Prior Registration
Most jurisdictions in Europe operate a prior registration scheme (also called notification) for the processing of personal data. In some jurisdictions (like Austria and Hungary) the registration number it then obtains must be given to data subjects before data on them can be
register. Registration authorities are also increasingly using the registration mechanism to enforce information security
specify the precautions they will take against disclosures of personal data as part of the registration process. It seems likely that a security breach in violation of the information security policy notified to the registration authority could also prove actionable.
Possibility of Civil Actions
As in California the general scheme is to allow individuals to commence civil actions for losses sustained as the result of a security breach in addition to any action the regulatory authorities might take. Section 13 of the UK Data Protection Act 1998 for example, creates a specific right of remedy: “(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements
controller for that damage. (2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements
controller for that distress if - (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes. [defined elsewhere in the Act as the processing of data for journalistic, artistic or literary purposes]”. In addition, in many cases a contractual relationship will also exist between the parties which might also give rise to an action – for example, under a written privacy policy on a website or under an employment contract. Civil actions across Europe are not common at present but at least one class action seems planned.
Manually Held Data
It is important to remember that, unlike the current California legislation most of Europe applies data protection law equally to electronically and manually held data. Those regulatory authorities (like Ireland) who insist on seeing a company’s information security policy before sanctioning the holding of personal data will therefore extend their enquiry to manual records including details of who holds the keys to locked cabinets. Even here however there are differences from country to country. In Spain for example, manually held data will in general not fall within the scope
15/1999 on Data Protection) until October 2007. In the meantime however, a separate Royal Decree (Royal Decree 994/1999, of June 11, on Security Measures) establishes
Security & Surveillance
6
mandatory security measures that must be taken by data controllers electronically processing data and the Spanish authorities have said that they take the view that manually held data is covered by this secondary legislation.
Conclusion
As more U.S. States adopt their own legislation, as Federal legislation in the United States comes into consideration and as more breaches inevitably happen, we can expect focus on his area for some time to come. Whilst the two regimes show markedly differing approaches we can expect similar results. Businesses will however need to think carefully when faced with a breach of computer security and they will need to do this quickly as the time limits under European legislation for dealing with subject access requests and under some U.S. legislation for making the report of a breach can be tight.
1 Senate Bill No. 1386 adds and amends California Civil Code Sections 1798.29, 1798.82 and 1798.84. 2 The California Office of Privacy Protection subsequently issued “recommended practices” (admitting the statute was silent) specifying what information should be included and providing sample notice letters. 3 The statute does not define what is meant by “unencrypted”. But the California Office of Privacy Protection called for use the Advanced Encryption Standard adopted by the U.S. National Institute of Standards and Technology. 4 Assembly Bill No. 1950 adds and amends California Civil Code section 1798.81.5 5 Generally security procedures and practices fall into three categories of administrative, technical and physical measures. The California Senate Judiciary Committee staff report cites the bill’s author’s office that the "bill specifically seeks to avoid the specific mandates and requirements that industry has consistently opposed in other bills. Instead, the bill seeks to establish a minimum baseline standard that draws upon the reasonableness standard well established in existing law…this standard is fact-specific…[and] reflects the author’s goal of letting industry exercise its own judgment as to what constitutes an appropriate level of security”. 6 CA Civ Code Sec. 1798.84. The California Senate Judiciary Committee staff also tried to address concerns about the new cause of action by explaining that it “does not create a cause of action for each and every unauthorized disclosure or access
maintain reasonable security procedures. If reasonable procedures are maintained, a business would not be liable under the bill even if there were an unauthorized disclosure. For example, if a hacker broke through a well-designed computer security system to obtain personal information that would not mean that the system was ‘unreasonable’. While the fact that information was disclosed would be relevant evidence, it would not in and of itself trigger liability under the bill”. 7 www.privacyrights.org/ar/ChronDataBreaches.htm 8 Although beyond the scope of this article, some of these laws also address “security freezes” on credit reports, requirements for data disposal, and limitations on the use of social security numbers. 9 Federal law also requires government agencies to develop information security programmes depending on the sensitivity of the information and the risk involved. 10 The bill covers a number of additional subjects: increasing penalties for identity theft and other violations of data privacy and securities; state and local law enforcement assistance; government access to and use of commercial data. The bill also requires data brokers to disclose the information they maintain and create an accuracy resolution process.
Other contributors to this article include Donald A. Cohn at EI DuPont de Nemours and Paul Stimers off Preston Gates, together with the following at Eversheds International: Alvise Donà Dalle Rose (Italy); Florencia Grinberg (Spain); Bernadett Lastofka (Hungary); Arwid Mednis (Poland); Georg Röhsner (Austria); Kristine Karsten (France) & Christof Lamberts (Germany).
7
Security & Surveillance