The need for companies to have a predetermined plan in place in the



Similar documents
FEDERAL IDENTITY THEFT TASK FORCE. On May 10, 2006, the President signed an Executive Order establishing an Identity Theft

TITLE I FORMER VICE PRESIDENT PROTECTION ACT

COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008

HB By Representative Hall. RFD: Judiciary. First Read: 23-APR-13. Page 0

Department, Board, Or Commission Author Bill Number

Secretary of the Senate. Chief Clerk of the Assembly. Private Secretary of the Governor

OREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009

Procedure for Managing a Privacy Breach

FEDERAL LAWS RELATING TO FRAUD, WASTE AND ABUSE

The Nuances Of California s Revisions To Its False Claims Act

Michie's Legal Resources. This part shall be known and may be cited as the Tennessee Identity Theft Deterrence Act of [Acts 1999, ch. 201, 2.

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia (404) (404)

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

Data Breach Response Basic Principles Under U.S. State and Federal Law. ABA Litigation Section Core Knowledge January

Cybercrime: A Sketch of 18 U.S.C and Related Federal Criminal Laws

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA

HILLENBRAND, INC. AND SUBSIDIARIES. Global Anti-Corruption Policy Statement and Compliance Guide

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

Implementing DRA Section 6032: False Claims Acts Information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

Privacy Impact Assessment of the Supervisory Enforcement Actions and Special Examinations Tracking System

HP0868, LD 1187, item 1, 123rd Maine State Legislature An Act To Recoup Health Care Funds through the Maine False Claims Act

Please see Section IX. for Additional Information:

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009

Minnesota False Claims Act

AN ACT IN THE COUNCIL OF THE DISTRICT OF COLUMBIA

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

SUBJECT: Identity Theft / Patient Misidentification POLICY NUMBER: Page 1 of 16 GENERATED BY: Integrity Compliance Office APPROVED BY:

A Bill Regular Session, 2015 SENATE BILL 830

NEW YORK CITY FALSE CLAIMS ACT Administrative Code through *

CHAPTER 121 STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS

CYBERCRIME LAWS OF THE UNITED STATES

FEDERAL & NEW YORK STATUTES RELATING TO FILING FALSE CLAIMS. 1) Federal False Claims Act (31 USC )

H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

1. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE INFORMATION.

HOUSE DOCKET, NO FILED ON: 2/28/2014. HOUSE... No The Commonwealth of Massachusetts PRESENTED BY: Paul R. Heroux

The President s Task Force on Identity Theft and The FTC s Role in Identity Theft

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

UPDATED. OIG Guidelines for Evaluating State False Claims Acts

Oklahoma FALSE CLAIMS LAWS

An Introduction to Identity Theft. Letbighelptoday.com. Your Free Copy

S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D

ASSEMBLY BILL No. 597

Data security: A growing liability threat

Representing Whistleblowers Nationwide

Last Approval Date: May Page 1 of 12 I. PURPOSE

CALIFORNIA FALSE CLAIMS ACT GOVERNMENT CODE SECTION

First Regular Session Sixty-ninth General Assembly STATE OF COLORADO INTRODUCED HOUSE SPONSORSHIP

Consumer Federation of America Best Practices for Identity Theft Services. Version 2.0. November 17, 2015

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

SENATE FILE NO. SF0083. Senator(s) Peterson and Representative(s) Harvey A BILL. for. AN ACT relating to Medicaid; creating the Wyoming Medicaid

HIPAA BUSINESS ASSOCIATE AGREEMENT

(CHRI) CHECKS OF INDIVIDUALS CONDUCTING BUSINESS IN THE AREA OF INSURANCE AND; 2.)

Case: 1:07-cv Document #: 44 Filed: 03/12/09 Page 1 of 5 PageID #:<pageid>

ILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, Complaints (2007) Updated November 30, 2008

Protection of Privacy

MISSOURI IDENTITY THEFT RANKING BY STATE: Rank 21, 67.4 Complaints Per 100,000 Population, 3962 Complaints (2007) Updated January 11, 2009

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

Avoiding Medicaid Fraud. Odyssey House of Utah Questions? Contact your Program Director or Emily Capito, Director of Operations

Cybersecurity Workshop

Chapter No. 367] PUBLIC ACTS, CHAPTER NO. 367 HOUSE BILL NO By Representatives Briley, Hargett, Pleasant

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

FALSE CLAIMS ACT STATUTORY LANGUAGE

HB Introduced by Representative Patterson AN ACT

Updated Administration Proposal: Law Enforcement Provisions

ASSEMBLY BILL No. 597

INITIAL REQUIRED NOTICES FOR BANKRUPTCY CLIENTS

51ST LEGISLATURE - STATE OF NEW MEXICO - FIRST SESSION, 2013

First Regular Session Seventieth General Assembly STATE OF COLORADO INTRODUCED SENATE SPONSORSHIP

Selected Text of the Fair Credit Reporting Act (15 U.S.C v) With a special Focus on the Impact to Mortgage Lenders

MINNESOTA FALSE CLAIMS ACT. Subdivision 1. Scope. --For purposes of this chapter, the terms in this section have the meanings given them.

Notice of Privacy Practices

Office of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority.

BURNET COUNTY ATTORNEY S OFFICE Don't Get Burned By A Hot Check

Hamilton.net User Agreement Revised August 31, Acceptance of Terms Through Use

Case 3:06-cv MJR-DGW Document 526 Filed 07/20/15 Page 1 of 8 Page ID #13631 IN THE UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF ILLINOIS

Anatomy of a Hotel Breach

Deficit Reduction Act of Employee Education About False Claims Recovery

Department of District Attorney

VNSNY CORPORATE. DRA Policy

T E X A S Y O U N G L A W Y E R S A S S O C I A T I O N A N D S T A T E B A R O F T E X A S I D E N T I T Y T H E F T G U I D E

Transcription:

Companies Must Prepare for Data Theft TIMOTHY J. CARROLL, BRUCE A. RADKE, AND MICHAEL J. WATERS The authors discuss steps that companies can take to mitigate the risks of, or damages caused by, a security breach. The need for companies to have a predetermined plan in place in the event of grand-scale data theft has been highlighted by recent events. On August 17, 2007, the job-search web site Monster.com discovered that invaders had stolen the personal information of approximately 1.3 million of its users. Hackers infiltrated Monster s password-protected resume library using credentials stolen from clients. Monster was informed of the issue by the Internet security company Symantec. Within days Monster s security team had identified the rogue servers, and the web-hosting company shut them down by the morning of August 21. Based on the security team s review, the breach was limited to names, addresses, phone numbers, and e-mail addresses. However, on August 21, Symantec reported that it had discovered copies of scam e-mails that the hackers used in their attempt to obtain more meaningful information such as financial data. The hackers were posing as official recruiters acting through the web site and asking recipients to provide information such as bank account numbers. These e-mails also contained links that could infect a recipient s computer with dangerous software if clicked on. Monster did not begin to inform users about the data theft until The authors, members of Vedder Price s privacy litigation team, can be reached at tcarroll@vedderprice.com, bradke@vedderprice.com, and mwaters@vedderprice.com, respectively. 122

COMPANIES MUST PREPARE FOR DATA THEFT August 22, five days after it had initially discovered the breach and a day after Symantec issued its report. While this might seem like a reasonable delay, it is unclear whether Monster s response was timely enough to avoid liability. Monster is not alone in falling victim to these crimes. On June 1, 2007, 17,000 past and present employees of Pfizer received a letter advising them of the unauthorized disclosure of their names, Social Security numbers, and, in some instances, addresses, and bonus information to one or more third parties. On June 29, a class action was commenced on behalf of these employees alleging that Pfizer had breached fiduciary duties owed to the class members and violated Louisiana s Database Security Breach Notification Law by failing to maintain the privacy of the employees information. Pfizer recently obtained dismissal of the class action due to the class s failure to plead actual damages. 1 The court s focus on actual versus speculative damages demonstrates the importance of prompt notification. The more timely the notification, the less likely individuals will suffer actual damages (such as identity theft) and the more likely the company can avoid liability to an entire class. While there is plenty of incentive to maintain an updated protocol to deal with data theft under the relevant legislation as it exists today, there are strong indications that those incentives are going to become even more compelling in the near future. Legislation is evolving in such a way that plaintiffs will be able to recover for harms that are not currently legally cognizable. For example, while many states do not yet recognize the cost of credit monitoring in the wake of a data security breach to be a cognizable injury, 2 federal legislation that would explicitly do so was recently proposed. The stated goal of the Identity Theft Enforcement and Restitution Act of 2007 is to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft. If this bill is passed, 18 U.S.C. 3663(b) would be amended to force defendants convicted of identity-theft crimes to pay an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense. 123

PRIVACY & DATA SECURITY LAW JOURNAL The Identity Theft Enforcement and Restitution Act signals the increasing legal recognition of the damage incurred when a victim s personal information is wrongly accessed and a resolve to amend the laws to punish those in a position to prevent such wrongful access. In light of these expanding legal rights, companies that maintain large databases of personal identifying information ( PII ) must have predetermined plans in place to deal with the likelihood of a security breach. Such plans allow companies to respond promptly and proportionately to data theft, minimizing the potential exposure to liability. Companies forced to analyze the issue for the first time in the hectic period after such a breach risk delays and errors that could easily translate to unnecessary civil liability. CURRENT AND PROPOSED DATA-THEFT LEGISLATION Identity theft (the use or the misuse of another individual s personal information without the individual s permission in order to commit fraud) results in billions of dollars in losses each year to individuals and businesses, according to a recent report by the President s Identity Theft Task Force. The prevalence and cost of identity theft to American consumers and companies has resulted in recent legislation that attempts to detect and prevent, and mitigate the damages of, identity theft and fraud. As of October 2007, each financial institution or creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, is required to develop and implement an Identity Theft Prevention Program ( Program ) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to: Identify relevant patterns, practices, and specific forms of activity that are red flags signaling possible identity theft and incorporate those red flags into the Program; Detect red flags that have been incorporated into the Program; Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and 124

COMPANIES MUST PREPARE FOR DATA THEFT Ensure that the Program is updated periodically to reflect changes in risks from identity theft. In addition, the final rules require those affected to: Develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card; and Develop policies and procedures to follow upon receipt of a notice of address discrepancy from a consumer reporting agency. Also in October 2007, the U.S. Senate proposed legislation to build upon previous bills designed to protect victims of identity theft. The Identity Theft Enforcement and Restitution Act of 2007 would: Give victims of identity theft the means to seek restitution for the loss of their time and the money they had to spend in an effort to restore their credit and remedy the residual harms of identity theft. 3 Currently, there is no remedy under federal law that allows for compensation to victims of identity theft for the time and effort it takes them to restore their credit; Expand the jurisdiction of federal computer-fraud statutes to cover small businesses and corporations; Focus on whether the victim s computer is used in interstate or foreign commerce, allowing for the prosecution of cases in which both the identity thief s computer and the victim s computer are located in the same state. Currently, in order to prosecute criminals under the federal law, sensitive identity information must have been stolen through an interstate or foreign communication; 4 Prosecute as a felony damage to ten or more computers occurring as a result of the use of spyware or keyloggers; and Prosecute as a misdemeanor any loss occurring as a result of damage to a victim s computer of less than $5,000. Under current law, only damages to a computer totaling more than $5,000 are prosecuted. 125

PRIVACY & DATA SECURITY LAW JOURNAL STEPS A COMPANY CAN TAKE TO MITIGATE THE RISKS OF, OR DAMAGES CAUSED BY, A SECURITY BREACH There will always be a risk that a hacker will work around a security system or that an identity thief working from within a company will steal company-held personal or financial information. In light of this, what steps can a company take to protect itself from hackers or other identity thieves? Implement an Identity Theft Prevention Program pursuant to FACTA; Establish and maintain a comprehensive information security program. Upgrade security systems rather than waiting for a security breach; Obtain audits by an independent third-party security professional on an annual basis. It is prudent to conduct an audit after any upgrade, change to the system, or change in retention, disposition, or privacy policy; Implement and abide by a privacy policy that will help mitigate real or potential damages caused by a security breach; Conduct background checks on employees who have access to personal identifying information; Implement procedures to provide consumer data only to legitimate businesses for lawful purposes; Do not cover up a security breach. Thirty-five states, including California, Illinois, and New York, have enacted legislation requiring companies and/or state agencies to disclose security breaches involving personal information. Inform authorities and clients/customers immediately for a minimal lag time between the breach and disclosure of the breach. Any delay in disclosure could be construed by potential plaintiffs as a cover-up or nondisclosure; and Inform all clients/customers of the potential breach; disclosure of a security breach must be over-inclusive. Avoid sending out a second notice at a later date because the initial notification of the breach was 126

COMPANIES MUST PREPARE FOR DATA THEFT limited to a specific group. The second group could incur additional damages as a result of a delayed notification. NOTES 1 Ponder v. Pfizer, Inc., 522 F.Supp 2d. 793 (M.D. La. 2007). 2 See Pisciotta v. Old National Bancorp, 499 F. 3d 629 (7th Cir. Aug. 23, 2007). 3 18 U.S.C. 3663(b). 4 18 U.S.C. 1030(a)(2)(c). 127

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information