Responding to New Identity Theft Laws




Responding to New Identity Theft Laws March 2011

Privacy Expectations

Today, there is increasing recognition that an individual has a legitimate interest in controlling the collection, use and disclosure/dissemination of personal information.

Data Breaches on the Rise

Businesses, governments, and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans.
Source: Washington Post, January 6, 2009, Page D2.

There were 9.9 million U.S. residents who were victims of identity theft in 2007. That represents 3.3% of adults. The total cost of identity theft in 2008 was $48 billion.
Source: California Office of Privacy Protection at http://www.privacy.ca.gov/identity_theft_firstaid.htm; Javelin Strategy and Research survey, February 2009.

Gaps in Federal Law

There is no federal data security law of general applicability to business. Instead, there are sector-specific laws.
- Gramm-Leach-Bliley Act (financial)
- HIPAA (medical and health records)
- Children's Online Privacy Protection Act (children under 13)

States are Filling the Void

Individual states are becoming increasingly aggressive in adopting laws of general applicability to protect consumer privacy rights.
- Security breach notification
- Data disposal
- Safeguarding Social Security numbers
- Dealings with third parties
- Data encryption
- Written data security plans

MODEL LETTER FOR THE COMPROMISE OF SOCIAL SECURITY NUMBERS

Dear ______:

We are contacting you about a potential problem involving identity theft. [Describe the information compromise and how you are responding to it.]

We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review.

Equifax: 800-525-6285
Experian: 888-397-3742
TransUnionCorp: 800-680-7289

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.

We have enclosed a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft.

[Insert closing]
Your Name

State Breach Notification Laws

Nearly all states have adopted security breach notification laws. These laws usually require that prompt notice of a security breach be provided to:
- Affected persons
- Law enforcement
- Nationwide credit reporting agencies

Federal Trade Commission Released February 26, 2009

What is a Security Breach?

A security breach generally means unauthorized access to computerized data that compromises the security, confidentiality, or integrity of personal information.

Personal information generally means a person's name in combination with:
- Social Security number;
- Driver's license or state ID number; or
- Credit, debit, or financial account number along with any necessary passwords

State Laws Not Uniform

- Some state laws are not limited to computerized data (Alaska, Hawaii, Massachusetts)
- Some states define personal information more broadly to include, for example, date of birth and mother's maiden name (North Dakota)
- Some states define personal information as including Social Security or financial account numbers alone, even if not combined with name (Oregon)

Exemptions Vary

- Notice not required if data is encrypted (most states)
- Notice not required if data is encrypted or redacted (Arizona)
- Notice not required if data is publicly available from federal, state, or local government records (most states)
- Notice not required if misuse not likely (many states)

Frequent Misunderstandings

State notification laws don't apply to us because:
- We don't collect personal information from our customers.
- We are a small non-profit organization.
- We are located in California and comply with CA law.

The Facts

These laws generally apply to personal information collected:
- by anyone (retail, manufacturing, accounting, law firms, schools, churches)
- about anyone (customers, employees, vendors, and financial donors)
- irrespective of physical location (relevant question is whether data was collected on a resident of a state).

Additional State Laws

- Data Disposal. Personal records must be disposed of in a manner that will prevent unauthorized access (FTC and many states).
- Social Security Numbers. Disclosure of Social Security numbers must be restricted to prevent unauthorized access (many states).
- Dealings with Third Parties. Reasonable security procedures must be required in contracts when personal information is shared with third parties (some states).

Additional State Laws

- Encryption. Two states now prohibit electronic transmission of personal information unless it is encrypted.
  - Nevada NRS 603A.215, effective January 1, 2010
  - Massachusetts 201 CMR 17.04, effective March 1, 2010
- Written Plan. Massachusetts requires a comprehensive written plan to protect personal information (effective March 1, 2010).

Massachusetts Law

- Most comprehensive data security law in the nation (effective 3/1/2010)
- Applies to any business (profit or non-profit, irrespective of physical location) that collects personal information from MA residents.
  - Accepting credit card payments from MA customers
  - Collecting Social Security numbers from MA employees
  - Accepting financial donations from MA residents
- Fines and penalties of $5000 per violation investigative, litigation and enforcement costs.

Practical Recommendations

- If you collect personal information from customers, create a privacy policy (required in CA) and follow it to the letter.
- Limit the personal information you collect and don't keep personal information for longer than you need it.
- Identify potential security gaps and close them.

Fish Services

1. Matrix of state security breach laws.
2. Internal Plan and Procedures for responding to a security breach.
3. Security Breach Notification Plan with requirements of all states.
4. Written Data Security Plan as required by Massachusetts.
5. Privacy Policy required in California and recommended for most clients.

State Matrix

Summarizes state security breach notification requirements in all states.

Security Breach Notification Plan

Describes external breach notification requirements in all states including sample notices and related guidance.

Internal Plan and Procedures

Instructs employees how to respond in the event of a security breach.

Written Data Security Plan

Comprehensive plan that describes relevant data security practices and procedures as required under new Massachusetts law.

Privacy Policy

Summarizes how personal information can be obtained, used and disclosed by client.

For More Information Contact

Edwin N. Lavergne
Fish & Richardson P.C.
1425 K Street, N.W.
Washington, D.C. 20005
Direct: 202-626-6359
lavergne@fr.com

Copyright 2011 Fish & Richardson P.C. These materials may be considered advertising for legal services under the laws and rules of professional conduct of the jurisdictions in which we practice. The material contained in this newsletter has been gathered by the lawyers at Fish & Richardson P.C. for informational purposes only and is not intended to be legal advice. Transmission is not intended to create and receipt does not establish an attorney-client relationship. Legal advice of any nature should be sought from legal counsel. For more information about Fish & Richardson P.C. and our practices, please visit www.fr.com.