IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS
Daniel J. Blake, Esq., LeClairRyan, A Professional Corporation, One International Place, Eleventh Floor, Boston, MA 02110. Tel. (617) 502.8238. Email: Daniel.Blake@leclairryan.com. www.leclairryan.com
Vijay K. Mago, Esq., LeClairRyan, A Professional Corporation, 951 East Byrd Street, Eighth Floor, Richmond, Virginia 23219. Tel. (804) 783.7579. Email: Vijay.Mago@leclairryan.com. www.leclairryan.com
Important for HRCI Credits
You must be logged in individually, both via computer and via the teleconference, for the duration of the event in order to qualify for the credits. (Sometimes two attendees will share an office and watch together; that will only allow credit for the person who logged in.) If you are not, please log in now individually so that you appear on the attendance report. At the end of the seminar, send an email to seminars@leclairryan.com if you need the HRCI certificate. It will be sent the following day after confirmation of attendance.
Today's attorneys and some notes...
Daniel J. Blake, Boston
Vijay K. Mago, Richmond
Welcome. With the high number of attendees, please note that all lines have been muted for the event. Questions can be posted at the right of your screen, but any questions (time permitting) will be addressed at the end of the event. If using Q&A please send to both the host and the presenter. You can send direct questions (including requests for a copy of the slides) to seminars@leclairryan.com with "Identity Theft Webinar" in the subject line. We will reply after the event.
DATA BREACHES: THE NEED FOR LEGISLATION
2007: TJX disclosed that over 45 million customer accounts were compromised.
2008: Hannaford Brothers disclosed that over 4 million customer transactions were compromised.
2009: Heartland Payment Systems disclosed a breach in a processing system handling over 100 million transactions per month.
Every industry is affected.
LEGISLATION
California led the way with 2003 legislation.
Nearly every state (44 of 50) has enacted security breach legislation.
No federal legislation yet, unless the entity is otherwise under federal supervision (e.g. banks and broker-dealers).
WHAT'S PROTECTED: PERSONAL INFORMATION
A typical definition: Personal Information usually means an individual's first name or initial and last name in combination with any one or more of the following:
a. Social Security Number;
b. Driver's License or other state-issued certification number; or
c. Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password.
Some states also include medical information (e.g. Arkansas and California).
PERSONAL INFORMATION
Typical Exceptions:
Information lawfully obtained from publicly available information; or
Information from federal, state or local government records lawfully made available to the general public.
APPLICATION OF LAWS
Very Broad Coverage: Most Employers Will Be Covered
Examples:
Massachusetts: Law applies to all persons and entities (including those outside Massachusetts) that own or maintain personal information of a Massachusetts resident.
New York: Any person or business that conducts business in NY State and owns or licenses computerized data that includes private information. (Most states are similar, e.g., California, Connecticut and Virginia.)
New Jersey: Individuals are not covered, but sole proprietors are covered (same in Maryland, North Carolina and Nevada).
TRIGGERING EVENTS
Unauthorized access to or acquisition of protected data where security or confidentiality is compromised.
Most state laws provide that a breach has not occurred where the data is encrypted.
Most state laws are triggered where the data maintainer knows or has reason to know of the breach.
NOTICE REQUIREMENTS
Timing: Without unreasonable delay, consistent with measures to determine the scope of the breach and restore system integrity.
Delay Permitted:
Where law enforcement determines that notice will impede an investigation.
If covered by federal law and complying with that law.
Where the entity is following its own policy for security breach procedures.
NOTICE REQUIREMENTS
To Whom Notice Must Be Given:
Affected Individuals
Some states require that notice be given to a public agency and/or credit reporting agencies. Examples:
Massachusetts: Data maintainer must notify the Office of Consumer Affairs and Business Regulation.
New Jersey: Data maintainer must notify the State Police.
Virginia: Data maintainer must notify the Attorney General.
District of Columbia: If over 1,000 individuals are affected, the data maintainer must notify credit reporting agencies.
NOTICE REQUIREMENTS
Notice can be:
Written
Electronic
In some states, telephonic (not generally advisable)
For large breaches (i.e. where the cost of notice would exceed $250,000) substitute notice is permitted.
Substitute Notice:
E-mail if available
Website posting
Notify media outlets
NOTICE REQUIREMENTS
Typical Content - Individuals:
General description of the breach (Note: not permitted in Massachusetts).
Information about police reports and credit rights.
Information about the nature of the information lost.
Contact information for the entity.
Typical Content - Government Agencies:
Nature of the breach
Number of individuals affected
Steps taken and/or planned
REMEDIES AND PENALTIES
Government Enforcement:
State Attorneys General can seek injunctive relief.
Civil penalties for notice violations.
States may also seek damages on behalf of citizens, usually through existing consumer protection laws.
REMEDIES AND PENALTIES
Private Enforcement:
Only allowed in some jurisdictions, e.g., District of Columbia, Virginia and Illinois.
Even where the state data security law does not provide an express right of action, other claims may still exist.
BEST PRACTICES
Security Program
Computer System Security
These practices may be required by state laws, e.g., Massachusetts.
BEST PRACTICES: SECURITY PROGRAM
1. Designate responsible employee(s) to maintain the security program.
2. Identify where personal information is stored (paper, electronic, computing systems and storage media, including laptops and portable devices).
3. Place appropriate limits on the collection and use of personal information:
Limit the time information is retained
Limit the information collected
Limit access to need-to-know
BEST PRACTICES: SECURITY PROGRAM
4. Identify and assess reasonably foreseeable risks to the security of all media containing personal information, and evaluate and improve the current safeguards, including:
On-going employee training
Ensuring employee compliance with policies and procedures
Developing means for detecting and preventing security system failures
5. Develop employee security policies regarding keeping, accessing and transporting records off-premises. Impose disciplinary measures for violations.
BEST PRACTICES: SECURITY PROGRAM
6. Ensure terminated employees no longer have access to personal information by immediate termination of physical and electronic access, including deactivating passwords and user names.
7. Vendor Management: Verify that vendors have the capacity to protect personal information.
BEST PRACTICES: SECURITY PROGRAM
8. Review security measures regularly and whenever there is a material change in business practices that may implicate the security and integrity of records containing personal information.
9. Review incidents of security breach and document responsive actions.
10. Identify and Train First Responders. This designee should be trained to follow your notification procedure (developed to be consistent with the timing requirements of your state law).
BASIC PRACTICES - COMPUTER SYSTEM SECURITY
1. Secure authentication protocols:
Control user IDs and other identifiers.
Have a reasonably secure method of assigning passwords (can also use biometrics or token devices).
Control data security passwords to ensure they are kept in a location/format that does not compromise the security of the data.
Restrict access to active users and active accounts only.
Block access after multiple unsuccessful attempts to gain access.
BASIC PRACTICES - COMPUTER SYSTEM SECURITY
2. Secure access control methods:
Restrict access to records and files to those with a need-to-know.
Assign unique identifications and passwords (not vendor defaults).
3. To the extent technically feasible, encrypt all records containing personal information that are: (1) transmitted over the internet; or (2) transmitted wirelessly.
BASIC PRACTICES - COMPUTER SYSTEM SECURITY
4. Monitor systems for unauthorized use of or unauthorized access to personal information.
5. Encrypt all personal information on laptops or other portable devices.
6. Maintain reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the internet.
BASIC PRACTICES - COMPUTER SYSTEM SECURITY
7. Maintain reasonably up-to-date versions of system security agent software, including malware protection, and reasonably up-to-date patches and virus definitions.
8. Educate and train employees on the proper use of the computer security system and the importance of personal information security.
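The computer system security practices above (items 1, 2, 4 and the access termination in program item 6) can be shown in working code. The following is an added example written for this page, not code from the presenters or their firm: a small authentication gate that stores only salted password hashes, refuses vendor-default passwords, admits only active accounts, locks an account after repeated failures, and keeps an audit trail that a monitoring routine can scan for unauthorized access attempts. The lockout threshold, the list of vendor-default passwords and the user names are constructed values chosen for the example.

```python
"""Added example: authentication controls matching the slide deck's
basic computer system security practices. Standard library only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5        # assumed lockout policy value (item 1)
PBKDF2_ITERATIONS = 200_000    # work factor for stored password hashes
# Constructed list of vendor-default passwords that must never be accepted (item 2).
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345"}


@dataclass
class Account:
    user_id: str               # unique identifier per user (item 2)
    salt: bytes
    pw_hash: bytes             # only the salted hash is stored, never the password
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuthStore:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # (user_id, outcome) records

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def create_account(self, user_id: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise ValueError("vendor-default passwords are not allowed")
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(password, salt))

    def deactivate(self, user_id: str) -> None:
        """Terminated employee: electronic access ends immediately (program item 6)."""
        self.accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        # Unknown, inactive and locked accounts are all refused (item 1).
        if acct is None or not acct.active or acct.locked:
            self._log(user_id, "denied")
            return False
        # Constant-time comparison avoids leaking the hash through timing.
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self._log(user_id, "success")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True              # block after repeated failures (item 1)
            self._log(user_id, "locked")
        else:
            self._log(user_id, "failed")
        return False

    def _log(self, user_id: str, outcome: str) -> None:
        self.audit_log.append((user_id, outcome))

    def suspicious_users(self, threshold: int = 3) -> list:
        """Monitoring pass over the audit trail (item 4): user IDs with
        `threshold` or more unsuccessful access events, for review."""
        counts = {}
        for uid, outcome in self.audit_log:
            if outcome in ("failed", "locked", "denied"):
                counts[uid] = counts.get(uid, 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


def rejects_default_password(password: str) -> bool:
    """True if account creation refuses the given password as a vendor default."""
    try:
        AuthStore().create_account("probe", password)
    except ValueError:
        return True
    return False


def demo() -> tuple:
    """Walk through the controls with constructed users; returns observed results."""
    store = AuthStore()
    store.create_account("jdoe", "correct horse battery staple")
    store.create_account("vmago", "another long passphrase")
    first_login_ok = store.authenticate("jdoe", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):          # brute-force style failures
        store.authenticate("jdoe", "wrong guess")
    after_lockout = store.authenticate("jdoe", "correct horse battery staple")
    store.deactivate("vmago")                      # employee leaves the company
    after_deactivation = store.authenticate("vmago", "another long passphrase")
    return (first_login_ok, store.accounts["jdoe"].locked, after_lockout,
            after_deactivation, store.suspicious_users())


if __name__ == "__main__":
    print(demo())
```

The audit log is the piece most often missing in small deployments: without it, item 4 (monitoring for unauthorized access) has nothing to monitor. In production the log would go to a central collector rather than an in-memory list, and the lockout would usually be time-limited rather than permanent so that a mistyped password does not become a denial of service against the legitimate user.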
IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS If you would like a copy of the PowerPoint or need a certificate of attendance for HRCI credit, please send an email to seminars@leclairryan.com. Any questions not posted during the webinar can also be emailed to this address. Thank you.
IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Questions?
THE END! THANK YOU
Usage This webinar slide show provides general information and is not legal advice and should not be used or taken as legal advice for specific situations. You should consult legal counsel before taking any action or making any decisions concerning the matters in this show. This communication does not create an attorney-client relationship between LeClairRyan, A Professional Corporation, and the recipient. Copyright 2009 LeClairRyan, A Professional Corporation. All rights reserved.