LEGISLATIVE AND PUBLIC POLICY ADVISORY

Transcription

1 LEGISLATIVE AND PUBLIC POLICY ADVISORY January 10, 2006 Data Security Breach Measures Advance on Federal and State Levels INTRODUCTION Just hours before Congress recessed for the Christmas holiday, the House Energy and Commerce Committee announced that it would not mark up its data security breach bill, H.R. 4127, at full committee, postponing the effort until February 2006 at the earliest. At issue were partisan disagreements focusing on breadth of coverage and methods of enforcement. Specifically, Committee Democrats, led by Ranking Member John Dingell (D-MI), reportedly want to broaden coverage of the data security legislation to include privacy issues, including access and correction of allegedly inaccurate data held by companies about consumers. They also want to remove caps on damages and incorporate state attorneys general more fully into the bill s enforcement structure. Republicans, in contrast, want the bill to be subject to administrative enforcement only, and Chairman Joe Barton (R-TX) has pledged to oppose efforts to expand the bill s coverage into the unrelated subject of privacy. He has promised, instead, to introduce an omnibus privacy bill of his own early in This is the latest twist in a series of legislative reactions to the announcement last spring by Georgia-based ChoicePoint that it had sold information on 145,000 individuals to thieves posing as legitimate customers. Notice of other breaches came quickly thereafter, led by Bank of America, which reported that it lost computer tapes that contain names and personal information pertaining to 1.2 million federal employees. A plethora of bills were soon introduced in the states and in Congress to respond to this perceived problem, and several committees of the House and Senate began to act. Shortly thereafter, even more stunning industry announcements than before were made in June by CitiFinancial and Card System Solutions that they had suffered security breaches potentially compromising the personal information of up to 3.9 million and 40 million consumers, respectively. Such events, which garnered intense national media coverage, helped move some of these newly introduced bills more quickly through Senate committees. For example, a mid-june Senate Commerce Committee hearing, at which Federal Trade Commission (FTC) Chairman Majoras and her four fellow commissioners testified, was soon followed by a July committee markup, which resulted in the first data security bill in Congress, S. 1408, being reported to the floor of its respective chamber. Additionally, 1

2 just days before breaking for the Thanksgiving holiday, the Senate Judiciary Committee reported broad-based data security legislation that would subject businesses to a wide range of new compliance obligations. The Personal Data Privacy and Security Act of 2005, sponsored by Judiciary Chairman Arlen Specter (R-PA) and better known as S. 1789, is significantly broader than a measure reported by the committee earlier this fall, S sponsored by Sen. Jeff Sessions (R-AL). The Specter bill, cosponsored by Senators Pat Leahy (D-VT), Diane Feinstein (D-CA) and Russ Feingold (D-WI), also contains weaker federal preemption, a complicated definition of personal information and language that provides consumer access/opportunity to correct language that is presumed to be inaccurate and that is unrelated to the core issue of data security. This measure is yet another in a growing list of proposals facing federal legislators when they return for the 2006 legislative session. Since late July 2005, two Senate committees and two House committees have been considering or have reported federal legislation aimed at addressing perceived inadequacies in corporate data security procedures. More will soon join the fray. The attention being paid to the issue by legislators represents a public recognition that recent high-profile data security breaches have threatened consumer confidence in the ability of businesses that maintain sensitive personal information pertaining to them to have security adequate to protect them from identity theft. Recent action on S. 1408, S and several other pieces of federal data breach legislation sets the stage for a battle this year, in the midst of an election cycle, over the best approach to address the problem. Further complicating the situation is movement by various states to enact data breach measures. In all, twenty-three states to date have enacted related legislation, and more than 70 bills are pending in 19 states. Absent strong federal preemptive legislation, a resulting patchwork of existing and inconsistent state laws will likely serve only to confuse consumers, burden businesses and, ultimately, adversely affect the economy. This advisory provides an update on the current status of federal and state data breach legislation, outlines the current debate over unresolved issues, and discusses the prospect for Congressional action this year. PROPOSED FEDERAL LEGISLATION Senate Commerce Committee S. 1408, The Identity Theft Protection Act, sponsored by Senator Gordon Smith (R-OR) and cosponsored by Chairman Ted Stevens (R-AK), Co-Chairman Daniel Inouye (D-HI) and Senators Bill Nelson (D-FL), John McCain (R-AZ), Mark Pryor (D-AR) and Hillary Clinton (D-NY) 1 1 All but Sen. Clinton are members of the Senate Commerce Committee. 2

3 As taken up and reported out by the Senate Commerce Committee in July 2005 (the actual Committee Report did not become available until December 8, 2005), S would generally create an affirmative obligation on all businesses nationwide to provide reasonable security for personal information over which they are custodians, and to notify consumers of breaches in security that may pose a reasonable risk of identity theft. The bill would also create other obligations regarding security freezes and Social Security numbers. Specifically, the bill would: preempt state laws requiring entities to maintain information security programs, notify individuals of security breaches regarding sensitive personal information, require security freezes, and prohibit the solicitation or display of Social Security numbers; require that any sensitive personal information that a covered entity sells, maintains, collects, transfers, or disposes of, in any form or format (including paper), be secured (full compliance with the FTC s existing rules on Standards of Safeguarding Customer Information and Disposal of Consumer Report Information and Records would be deemed compliance with this requirement); require notification to consumers, the FTC, the functional regulators of certain industries (i.e., banking, insurance, etc.), and all consumer reporting agencies (if more than 1,000 consumers are affected) whenever a reasonable risk of identity theft exists (as defined in the bill) following the discovery of a breach of security; define reasonable risk of identity theft to mean that the preponderance of the evidence available to the covered entity establishes that identity theft for 1 or more individuals from the breach of security is foreseeable; define sensitive personal information as an individual s name, address, or telephone number, combined with one or more of the following data elements related to that individual: (1) Social Security number, taxpayer identification number, or an employer identification number that is the same or is derived from the Social Security number of that individual, (2) financial account number, or credit card or debit card number (together with any required security code, access code, or password that would permit access to such individual s account), and (3) state driver s license identification number or state resident identification number; empower the FTC to conduct a rulemaking to designate other identifying information as sensitive personal information for purposes of the act; create a safe harbor for compliance with the bill s data security and notification provisions for those entities already obligated under, and in compliance with, 3

4 title V of the Gramm-Leach-Bliley Act (GLB) and section 607(a) of the Fair Credit Reporting Act (FCRA); require private entities to institute security freezes on consumer report information upon the demand of a consumer, regardless of whether such consumer is a victim of, or is at risk of falling victim to, identity theft; prohibit the solicitation, purchase, sale, and display of Social Security numbers (with few exceptions); and authorize the FTC, functional regulators and state attorneys general to enforce the provisions of the act, but prohibit enforcement by private rights of action or class action lawsuits. Senate Judiciary Committee S. 1789, The Personal Data Privacy and Security Act of 2005, sponsored by Chairman Arlen Specter and cosponsored by Ranking Member Patrick Leahy and Senators Dianne Feinstein and Russell Feingold On November 17, 2005, the Senate Judiciary Committee reported S by a vote of 13 to 5. An amendment offered to the bill by Sen. Jeff Sessions that would have narrowed the notification trigger to a significant risk of identity theft standard failed, 9 to 9, with Chairman Specter joining a solid block of Democrats in opposition. Sen. Sessions argued that the underlying bill s broader standard would cause consumers to be bombarded with notices, desensitizing them to the possibility of a real threat if notice of one ever occurred. As reported by the Senate Judiciary Committee, S remains the broadest form of federal data security legislation considered to date and would, among other things: permit potentially inconsistent and/or conflicting state laws regarding data privacy and security obligations by using unclear and atypical legislative preemption language that only prohibits states from requiring covered entities to comply with any requirements with respect to administrative, technical, and physical safeguards for the protection of sensitive personally identifiable information; prohibit any state law from imposing requirements or prohibitions regarding any subject matter relating to individual access to, and correction of, personal electronic records held by data brokers ; preempt only any other provision of federal or state law relating to notification of a security breach (except that a state may require information regarding victim assistance and there is a carve-out for section 507 of GLB); 4

5 require, subject to limited safe harbors for financial and healthcare entities currently in compliance with federal data security regulations, that businesses collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more U.S. citizens must provide a data privacy and security program for protecting sensitive personally identifiable information; require, subject to certain exemptions, notification of security breaches upon the discovery of a compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, acquisition of or access to sensitive personal information that is unauthorized or in excess of authorization ; create enhanced criminal penalties for identity theft and other violations of the bill, including a felony punishable by fine and up to 5 years in jail for any person who intentionally and willfully conceals the fact of a security breach; define sensitive personally identifiable information as either: (1) a financial account number or credit or debit card number, along with any required security code, access code, or password; or (2) an individual s first and last name or first initial and last name, in combination with any one of the following: a non-truncated Social Security number, driver s license number, passport number, or alien registration number; any two of the following: (a) home address or telephone number; (b) mother s maiden name, if identified as such ; or (c) month, day, and year of birth; unique biometric data such as a finger print, voice print, retina or iris image, or any other unique physical representation ; a unique account identifier, electronic identification number, user name, or routing code along with any required associated security or access code, or password; provide individuals an opportunity to review information maintained by data brokers and permit individuals to correct inaccuracies in that information; provide for an exemption from breach notification requirements in the event a business entity determines, after a risk assessment, that there is no significant risk that the breach will result in harm to the individuals the business entity must notify the U.S. Secret Service (USSS) of this finding, and the USSS must not object in writing to that conclusion within 10 days for the exemption to apply; and 5

6 provide a cap of $250,000 for each violation of data broker access/correction provisions, a cap of $500,000 for each violation of data security obligations, and a cap on aggregate penalties for violations of breach notification requirements of $50,000 per day. S. 1326, Notification of Risk to Personal Data Act, sponsored by Senator Jeff Sessions Previously, on October 20, 2005, the Senate Judiciary Committee reported S. 1326, introduced by Sen. Jeff Sessions, which would require covered entities nationwide to implement and maintain reasonable security and notification procedures and practices appropriate to the size and nature of the entity and the nature of the information it maintains. Patterned in large part after California s 2003 law, Sen. Sessions S would, if enacted in its present form: preempt all state laws that relate in any way to electronic information security standards or security breach notification; tie consumer notification requirements to circumstances when a significant risk of identity theft exists as a result of a security breach; require that computerized data containing sensitive personal information be protected from unauthorized access, destruction, use, modification or disclosure; define sensitive personal information in a manner nearly identical to the California definition specifically, as a first and last name, and address or telephone number, in combination with one or more of the following data elements: a Social Security number, driver s license number, state identification number, financial account number, or credit or debit card number (in combination with any required security code, access code or password); and exempt from coverage encrypted data, truncated data, or otherwise publicly available information from the definition of sensitive personal information. House Energy and Commerce Committee H.R. 4127, Data Accountability and Trust Act or DATA, sponsored by Rep. Cliff Stearns (R-FL) and cosponsored by Reps. Deborah Pryce (R-OH), Fred Upton (R-MI), George Radanovich (R-CA), Charles Bass (R-NH), Mary Bono (R-CA), Mike Ferguson (R-NJ) and Marsha Blackburn (R-TN) 2 2 All but Rep. Pryce are members of the House Energy and Commerce Committee. 6

7 On November 3,2005, the House Energy and Commerce Committee s Subcommittee on Commerce, Trade and Consumer Protection passed H.R. 4127, DATA, by a vote of 13 to 8. Several amendments were offered unsuccessfully by Democratic members to broaden the notification requirements. The bill, as passed by the subcommittee, would cover all entities under the jurisdictional reach of the FTC, which includes nearly all entities except banks, credit unions, thrifts, investment companies, investment advisors, brokers and dealers, insurance companies, and common carriers (including telecommunications companies). As noted earlier, Committee Republicans and Democrats were engaged in detailed negotiations when the Congress recessed for the year. Those negotiations are expected to resume following the House s return in late January. If enacted in its present form, the bill would, among other things: require entities to develop and implement security policies and procedures for the protection of personal information ( information brokers would be required to submit their security policies to the FTC at the time of a breach notification or upon request by the FTC so that the FTC may conduct or require a post-breach audit of such policies); require notification of a breach of security where the unauthorized acquisition of data in electronic form establishes a reasonable basis to conclude that there is a significant risk to an individual, to whom the personal information relates, of being a victim of identify theft, fraud, or other unlawful conduct; define personal information as an individual s first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements: Social Security number, driver s license number, or other state identification number, or financial account number, credit or debit card number and any required security code, access code or password necessary to permit access to an individual s financial account; require entities notifying consumers of security breaches to provide, at no cost to each notified individual, quarterly consumer credit reports beginning no later than two months following discovery of a breach and continuing for a period of two years; authorize the FTC to enforce the act and conduct rulemakings to promulgate regulations regarding security policies and notification requirements, and to modify the definition of personal information (the act would also prohibit any person other than a state attorney general from bringing a civil action under state law if premised upon the defendant violating any provision of the act); and supersede[] state laws expressly affecting entities covered by H.R until the act sunsets (unless reauthorized) 10 years after its date of enactment. 7

8 House Financial Services Committee H.R. 3997, The Financial Data Protection Act of 2005, sponsored by Rep. Steven LaTourette (R-OH) and cosponsored by Reps. Darlene Hooley (D-OR), Mike Castle (R-DE), Deborah Pryce (R-OH) and Dennis Moore (D-KS) On November 9, 2005, the House Financial Services Committee s Subcommittee on Financial Institutions and Consumer Credit held a hearing on H.R. 3997, a bipartisan bill that had been introduced on October 6, 2005, following lengthy staff negotiations and drafting efforts to synthesize into a unified committee bill the several previously introduced and competing committee members bills on data security. In written testimony provided to the subcommittee on behalf of the National Coalition on E-Commerce and Privacy, Alston & Bird Partner Tom Boyd outlined the key principles for effective data breach legislation, emphasizing, in particular, the importance of federal preemption, a workable notification standard, and a reasonable compliance obligation. A subcommittee markup is expected to take place sometime in early February, and will be chaired by Rep. Spencer Bachus (R-AL). As introduced, H.R would, among other things: create a new section 630 of FCRA that would subject consumer reporting agencies, financial institutions and other businesses assembling or evaluating consumer reports, credit information or other information on consumers for various purposes, to new affirmative obligations to implement and maintain reasonable policies and procedures to protect the security and information of sensitive financial information of consumers against any unauthorized use that is reasonably likely to result in substantial harm or inconvenience to such consumers, and to notify them in the event of a breach of that security; define sensitive financial personal information to include two kinds of information, as follows: (1) sensitive financial account information, meaning a consumer s financial account number, such as a credit or debit card number, in combination with any security code, access code, biometric code, password, or other personal identification information that would allow access to the financial account; (2) sensitive financial identity information, meaning a consumer s first and last name, address, or telephone number, in combination with any of the following social security number, driver s license or equivalent state identification number, or taxpayer identification number; define substantial harm or inconvenience as the material financial loss to, or the imposition of civil or criminal penalties upon, a consumer, or the need for the consumer to expend significant time and effort to correct erroneous information relating to the consumer, including information maintained by consumer reporting agencies, financial institutions, or government entities, in order to avoid material 8

9 financial loss or increased costs or civil or criminal penalties, due to unauthorized use of sensitive financial personal information relating to such consumer; require entities notifying consumers of security breaches to offer a nationwide credit monitoring service to each consumer free of charge and for at least a 6-month period (so long as such service is requested by a consumer within 90 days of being notified of the security breach); create safe harbors for entities covered by, and in compliance with, title V of GLB; and prohibit the imposition of state law requirements or prohibitions on entities covered by H.R with respect to the responsibilities of such entities to comply with the obligations under the act. RECENT ACTION AND TRENDS IN STATE LAW Starting with passage of California s security breach notification legislation in 2002 (which took effect on July 1, 2003), twenty-two other states and one major municipality, New York City have adopted their own legislation on that original theme, sometimes also referring to it as identity theft legislation. Most recently, on December 22, 2005, Pennsylvania enacted the newest state law, S.B. 712, the Breach of Personal Information Notification Act. Previously, on November 17, 2005, Ohio enacted legislation that would require a state agency, an agency of a political subdivision, or a business that owns or licenses computerized data that includes personal information to notify Ohio residents if there is a reasonable belief that their personal information was acquired through an unauthorized breach of a computer system. Additionally, on November 9, 2005, the Wisconsin Senate had approved consumer data breach legislation, sending the measure to the state House for consideration. The Wisconsin measure would require state agencies and entities doing business in the state to notify Wisconsin residents in the event their electronic personal information is breached. Exceptions are provided for certain entities already subject to federal financial and medical privacy laws. Actions taken in 2005 by the various state legislatures varied widely, but certain general trends emerged in the passage of 22 new state security breach laws that raise significant concerns for businesses. First, several of the newer laws create a broader definition of personal information than California, and include notification requirements for either medical information, unique biometric data, electronic signatures, or account numbers regardless of whether they are accompanied by a required password. Second, some state legislation requires notification of security breaches to be made to those other than affected consumers, including consumer reporting agencies and state regulatory authorities. Third, with two exceptions (California and New York), state legislation generally does not preempt local government data security laws or ordinances. As a result, major metropolitan areas and localities (other than in California and New York) are free to follow New York City s example and pass more restrictive laws or ordinances. Finally, several 9

10 states (and at least one municipality) are increasingly using security breach legislation as a vehicle for instituting other data security and privacy measures, including restrictions on the solicitation, display, collection or use of Social Security numbers, and requirements that consumer reporting agencies verify adverse information in consumer reports. This trend toward more burdensome and restrictive state laws should be of immense concern to businesses operating nationally that would have to comply with such varied laws. OUTLOOK FOR 2006 Virtually any business that has custody over sensitive personal information will be covered by the legislation now percolating in the states and in Congress. Many believe that Congress should ultimately pass preemptive legislation that balances the interests of both consumers and industry, in the form of a national, targeted approach aimed squarely at reducing both the amount of, and damaging effects that may result from, future data breaches. It is therefore imperative that any responsible legislation Congress enacts in this area be narrowly targeted at data security and breach notification, and that they include the following four core features: (1) national uniformity; (2) technologyneutral security standards to better safeguard sensitive personal data from unauthorized access (excepting entities, including financial institutions, now covered under existing law); (3) a reasonable notification trigger, following a breach of security, by which business customers, and consumers generally, would be informed when their identities are exposed to a significant risk of identity theft or misuse; and (4) administrative enforcement by which experienced federal agencies, and state attorneys general, can exercise oversight and take action to punish those who fail to live up to their obligations to consumers. Unfortunately, a growing minority of Congressional members favor broad-based legislation that would go well beyond addressing the security of data containing sensitive personal information. These legislators are anxious to impose additional compliance obligations on business well beyond those necessary to address the issues related to inferior data security. Among other proposals, some would redefine data security as a data privacy issue and impose European-style opt-in data handling policies on American industry, without a parallel adjustment in compliance and enforcement policies. Such legislation might also include broadened consumer rights to access and correct personal information pertaining to them that is held by a business, as well as requirements for businesses to obtain a consumer s voluntary, affirmative consent before using personal information, even if acquired from publicly available records. At the outset of the 2006 legislative session, Congress will be holding Judge Samuel Alito s Supreme Court nomination confirmation hearings, which began January 9 in the Senate Judiciary Committee, and, most likely, will also hold hearings on National Security Agency wiretaps. However, key members of both chambers have assured industry that data breach legislation remains an important issue and that efforts to work through existing proposals will resume in early

11 This Legislative and Public Policy Advisory is published by Alston & Bird to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. The material may also be considered advertising under the applicable court rules. Please contact any of the following attorneys for additional information or guidance: Thomas M. Boyd tboyd@alston.com Paul G. Martino paul.martino@alston.com Kathryn Marks kathryn.marks@alston.com ATLANTA One Atlantic Center 1201 West Peachtree Street Atlanta, GA CHARLOTTE Bank of America Plaza 101 South Tryon Street Suite 4000 Charlotte, NC If you would like to receive future Legislative and Public Policy Advisories electronically, please forward your contact information including address to legislative.advisory@alston.com. Be sure to put subscribe in the subject line. NEW YORK 90 Park Avenue New York, NY RESEARCH TRIANGLE 3201 Beechleaf Court Suite 600 Raleigh, NC WASHINGTON, D.C. 601 Pennsylvania Avenue, N.W. North Building, 10th Floor Washington, D.C Alston & Bird LLP 2005