Privacy & Data Security Advisory - February 2009

Data Security Breaches Rise in 2008

Ever since California enacted in 2005 the nation’s first data breach notification regulation, a measure designed to help limit such breaches, reports of data breaches have increased steadily each year. According to the Identity Theft Resource Center, 312 data breaches were reported in 2006, 446 breaches in 2007 and 656 in 2008. The number of states with breach notification laws rose from just one in 2005 to 46 by the end of 2008. Despite states’ efforts to increase disclosure of the breaches, their incidence continues to grow.

Due largely to the increase in reports of data breaches and consumers’ concerns about safeguarding their personal information, lawmakers have faced growing pressure to respond with stricter data security regulations. State legislators are recognizing that it is not enough to require businesses to notify consumers and employees of data breaches. Instead, they are taking a proactive approach and looking at ways to prevent breaches from occurring in the first place. Some states have responded to these concerns by enacting general measures which require businesses and organizations to use reasonable measures to protect consumers’ personal information. Other states, however, like Massachusetts and Nevada, have gone further, setting forth specific data security requirements with which businesses must comply. In 2008, Washington, Michigan and New Jersey all followed suit and proposed similar regulations. If other states follow the approach that was taken by these early breach notification laws, a slew of such measures can be expected in the coming months and years. Anticipating that similar laws are likely to be enacted in additional states will allow entities that do business in those states an opportunity to plan for the often onerous obligations required by such laws.

Four States Pass Legislation Requiring Businesses to Take General or “Reasonable” Measures to Protect Consumers’ Personal Information

California, Connecticut, Texas and Rhode Island have all passed laws that regulate how businesses use and protect consumers’ personal information. The laws in these states are general and require businesses to adopt reasonable or standard procedures to protect personal information, without articulating any specific requirements as to the procedures implemented. The personal information protected by these laws differs somewhat by state, and some contain carve-outs and exemptions for certain types of organizations.

For example, in California, the law requires that a business that owns or licenses personal information about a California resident must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” (California Civil Code section 1798.81.5(b)). The Impersonation and Identity Fraud Act in Rhode Island contains almost identical provisions, and was passed shortly after the California law. (Chapter 11-49.1-1).  The law exempts health care providers, financial institutions and entities covered by HIPAA, the Vehicle Code or any federal or state law that requires more stringent protections. To determine whether a security procedure is reasonable, businesses should consider various factors, such as the nature of its business and the nature of the personal information. The law, however, provides no specific guidelines to businesses seeking to comply with its requirements.

A similar Texas statute requires businesses to “implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure of any sensitive personal information collected or maintained by the business in the regular course of business.” (Tex. Bus. & Com. Code Ann § 48.102(a)). The Texas statute differs from the California statute in that it only exempts financial institutions from its requirements, and requires businesses to take appropriate corrective action to maintain data security. (Id. at § 48.102(c)).

The Connecticut statute is more forgiving than the other statutes and applies only to willful violations. Like the California and Texas statutes, the Connecticut statute is general, stating that “[a]ny person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties. . .” (Public Act No. 08-167 §1(a)). Yet unlike these statutes, “[i]t shall not be a violation of this section if such violation was unintentional.” (Id. at §1(e)). The law does not define what will be found to be an intentional or an unintentional violation, thus leaving room for a wide variety of interpretations as to what the law covers. This escape hatch for “unintentional” violations scales back the scope and application of the law significantly.   

Two States Pass Legislation Requiring Businesses to Comply with Specific Data Security Mandates

In 2008, Massachusetts and Nevada joined the states that impose a duty on businesses to ensure data security. Unlike other states, these states ensure data security through very specific requirements. For Nevada, the legislature chose to focus solely on encryption, whereas Massachusetts mandated numerous specific requirements, including, but certainly not limited to, encryption. The Nevada statute took effect on October 1, 2008 and requires all Nevada businesses which store or use consumers’ personal information to encrypt such information when sent electronically, except if by fax. The Nevada law is the first to mandate encryption, and the text of the law is brief. It states that “[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”(Nev. Rev. Stat. § 597.970.1). Unlike the more general statutes, this law does not apply strictly to the personal information of Nevada residents, but rather, any personal information of a customer of a Nevada business, regardless of where a person resides. Although the Nevada law takes a step in the direction of mandatory data encryption, its scope is limited because it applies only to personal information which is being sent from an organization’s system and transmitted over electronic networks. Many security breaches occur when data stored or collected on an organization’s system is compromised.

The newly enacted Massachusetts law goes a step further than Nevada and protects stored information, as well as information in transit. The Massachusetts law mandates a litany of security requirements for businesses that own, license, maintain or store the personal information of Massachusetts residents. In addition to requiring that all organizations storing personal information of Massachusetts residents on portable devices encrypt this information, the law also mandates that these organizations create and document security programs which comply with specific guidelines. The law applies not only to organizations incorporated or doing business in the state, but to any business or organization which stores the personal information of a Massachusetts resident. As a result, the law has potentially widespread implications for businesses in and outside of Massachusetts in that it catches in its net virtually all businesses that touch Massachusetts residents in any way. For more information on the Massachusetts law, please see Goodwin Procter’s September 29, 2008, November 17, 2008 and February 13, 2009 Client Alerts.

The Massachusetts law was originally scheduled to take effect in January 2009, but due to current economic circumstances, this deadline has been extended until January 1, 2010.

Three More States Propose Specific Data Security Regulations

The trend towards state regulation of data security seems likely to continue, as a number of states are considering legislative proposals in this area. For example, a bill proposed by the Michigan Senate in January 2008, Michigan Senate Bill No. 1022, was similar to the Massachusetts bill, as it required businesses to encrypt stored consumer information. The bill requires businesses that regularly collect and store consumers’ personal information in a computerized database to encrypt that data according to current industry-standard encryption methods.

Washington state also proposed data security legislation in 2008. Washington Senate Bill 6425 §4 would mandate that any organization that regularly stores or collects personal information in connection with an access device must comply with payment card industry standard regulations. Both the Michigan and Washington bills attempt to strike a balance between the general “reasonable” standard of Connecticut, Texas and California, and the very specific and stringent requirements of the recently enacted Massachusetts law. While these proposed bills both recognize the importance of securing stored personal information, not just information in transit, both tie the encryption requirements to industry-standard methods and contain no other specific guidelines or requirements. Neither bill was signed into law during the 2008 session.

The N.J. Division of Consumer Affairs also attempted to garner support for new data security regulations in 2008. After facing heavy criticism in 2007 from the business community for proposed regulations which were similar to those enacted by Massachusetts, the Division of Consumer Affairs scaled back its approach and released “pre-proposal regulations” resembling the general requirements of California, Texas and Rhode Island. While the New Jersey regulations proposed in 2007 mandated the use of encryption methods which complied with Federal Information Processing Standards, the 2008 pre-proposal contains no such requirements. Instead, the proposal articulates general best-practices that businesses would be encouraged to adopt. The pre-proposal also requires organizations doing business in New Jersey to implement and document a comprehensive written data-security program.

Although these proposed data security regulations were not successfully implemented in 2008, it is likely that similar bills will reappear in 2009. As the number of data breaches increase, so too will the efforts to protect consumers’ personal information.

Beginning As of January 3, 2009, New York state further restricted the ability of New York employers to use Social Security numbers (SSNs) of their employees. The new measure adds to a growing body of state laws that place limitations on how and when social security numbers can be used, and expands the New York requirements concerning business use of SSNs.

New Restrictions

The legislation prohibits employers, except as required by federal or state law, from (i) publicly posting or displaying an employee’s social security number; (ii) visibly printing a social security number on any identification badge or card, including a time card; (iii) placing a social security number in files with unrestricted access; or (iv) communicating an employee’s personal identifying information to the general public. (N.Y. Lab. Law § 203-d).  As a result of the new law, businesses must now verify that employee SSNs are being stored in a secure manner so as to prevent unauthorized access. “Personal identifying information” includes not only SSNs, but also home addresses, telephone numbers, personal email addresses, internet identification names or passwords, a parent’s maiden name and drivers license numbers. The new measure also amends the existing law by including an additional prohibition on the use of SSNs under the General Business Law. The law now also prohibits businesses from encoding (rather than removing) a social security number, and any number derived from it, on a card or document either physically or digitally, by using a bar code, chip, magnetic strip or other technologies. (N.Y. Gen Bus. Law § 399-dd(f)). The new provisions also bar any SSNs from documents filed with the state, including any agency thereof, and with the courts.

The amendment also includes punitive measures and subjects employers to civil penalties of up to $500 per violation for any “knowing” violation of these provisions.  A violation is presumed “knowing” if the employer “has not put in place any policies or procedures to safeguard against such a violation, including procedures to notify relevant employees of these provisions.” (N.Y. Lab. Law § 203-d).

Existing Law

The law adds to existing limitations on the ability of companies to use SSNs, and any number derived from it (e.g. last four digits), that are already in place under New York Law. The New York Social Security Number Protection Law restricts companies from (i) intentionally communicating a social security number to the general public; (ii) printing a social security number on any card or tag required for the individual to access products, services or benefits provided by the business; (iii) requiring an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted; (iv) requiring an individual to use his or her social security number to access an Internet website, unless a password or unique personal ID number or authentication device is also required.; and (v) printing a social security number on any document that is mailed, other than in limited exceptions or unless otherwise required by law. (N.Y. Gen. Bus. Law § 399-dd).

Other Proposals

Public interest in limiting the use of SSNs was furthered on January 6, 2009 when Senator Dianne Feinstein (D-CA) introduced The Protecting the Privacy of Social Security Numbers Act (S.141). S.141 was co-sponsored by Senators Gregg (R-NH) and Snowe (R-ME) and would “prohibit federal, state and local governments from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks; prevent inmates from employment that would give them access to Social Security numbers of other individuals; and, provide limits on when businesses can ask customers for their Social Security numbers.”

From the beginning of the financial crisis, when the subprime mortgage market first began to unravel, to the takeover of Fannie and Freddie and the bankruptcies of Bear Stearns and Lehman Brothers, consumer confidence has been in steady decline. Now comes news that Bernard Madoff, one of the most trusted and established names on Wall Street, allegedly committed fraud. More troubling is that Madoff was able to operate his alleged scheme, despite being investigated twice by the SEC. These events have created a perfect storm, shaking consumer confidence and changing consumers’ mindsets for the foreseeable future.

So what does financial consumer confidence have to do with privacy regulations? The firms and individuals who were affected by the financial crisis were some of the most trusted in the industry and ones that had operated successfully for many years. Financial consumers, therefore, will be far more skeptical as to who they allow to handle their money. This level of scrutiny is likely to carry over to increased demand for dotting I’s and crossing T’s when it comes to consumers’ personal information. Gone are the days when consumers will place blind trust in those with access to their money and information.

Goodwin Procter has been closely monitoring the investigation of alleged fraud related to Bernard L. Madoff Investment Securities and is representing a number of clients in connection with this matter. Our deep experience representing the financial services industry, coupled with our expertise in the white collar, tax, bankruptcy, SEC enforcement and litigation areas, uniquely positions us to represent both institutional and individual clients in connection with this matter.