Substantial Federal and State Legislation Pending to Address Responses to Internet Data Breaches

 

Recently, there have been a number of well-publicized incidents in which Web sites were hacked and personal information that could lead to identity theft was compromised. Ray Gustini, one of the nation’s leading privacy attorneys, summarizes the federal and state legislation currently pending to set new rules for responding to such attacks, including whether and when to notify affected customers.

Background

According to recent Congressional testimony by Vermont’s assistant attorney general, in 2005 there have already been 118 data leaks affecting some fifty-seven million U.S. consumers. In July 2003, California became the first state to put a comprehensive data protection and breach notice law into effect. Since then, some twenty-one states have followed California’s lead with protections that supplement, differ from, and in some instances go beyond federal law, including the federal bills currently under consideration. The principal points of debate are the definition of sensitive personal information; the manner of notice to consumers; whether all or a portion of existing federal data protection law (principally GLBA) should control and preempt state law; and whether a federally mandated credit freeze right should be provided.

  • In recent months, a cascade of highly publicized data leaks, thefts, and losses has greatly increased public awareness and policymaker concern:
    • ChoicePoint
    • Ralph Lauren
    • Bank of America
    • Kellogg School of Management
    • Boston College Alumni
    • MasterCard International


Overview of Principal Federal Legislative Initiatives

As a result of the convergence of publicized data breaches, the rapid enactment of data protection laws by a number of state legislatures, and the desire of businesses for uniform nationwide standards, momentum is building for federal legislation. Although enactment is unlikely in 2005, it is increasingly a case of when, not if. The four principal vehicles are the following:

  1. H.R. 3997, The Financial Data Protection Act, House Financial Services Committee
    • Sponsors: Representatives LaTourette, Hooley, Price, Castle and Moore
    • Amends: FCRA
    • Approach: Goes beyond GLBA by creating uniform requirements and standards for all companies that hold a consumer’s “sensitive financial identity” and “sensitive financial account” information
    • Notice Trigger: In the event of a breach, the entity holding the information must notify consumers if “sensitive financial identity” or “sensitive financial account” information is reasonably likely to have been compromised and is reasonably likely to be misused in a manner causing substantial harm to the consumer. Uniform consumer notice standards are a key element.
    • GLBA Safe Harbor: Yes
    • Preemption: Amends FCRA to preempt state law with respect to the responsibility to protect or safeguard information, to investigate breaches, and to provide notices.
    • Principal Open Issue(s): Credit freezes and notice requirements
    • Private Right of Action: None
  2. H.R. 4127, Data Accountability and Trust Act, House Energy and Commerce Committee
    • Sponsors: Representatives Stearns, Pryce, Upton, et al.
    • Amends: Free standing
    • Data Security: Persons engaged in interstate commerce that own or possess “sensitive personal information” are required to establish and implement information security practices.
    • Notice Trigger: If a “breach of security” occurs, notice must be given to affected consumers upon discovery of the breach.
    • GLBA Safe Harbor: No specific safe harbor, but sponsors assert that financial institutions are exempt. The extent of the exemption and whether bank subsidiaries and nonbank affiliates are covered is unclear.
    • Preemption: Any provision of state law that expressly requires security of personal information and notice is preempted. Only entities covered by the Act and subject to regulations thereunder obtain preemption protection.
    • Private Right of Action: None
  3. S. 1408, Identity Theft Protection Act, Senate Commerce Committee
    • Sponsors: Senators Smith, Nelson, Stevens, McCain, Pryor, Inouye, and Clinton
    • Amends: Free standing
    • Data Security: Requires covered entity that collects “sensitive personal information,” including social security numbers, drivers license information, financial account information, or information that FTC determines can be used for identity theft, to secure it with physical and technological safeguards. Also covers purchases of information.
    • Notice: If a “breach of security” is discovered, notice to consumers must be provided when the breach creates a “reasonable risk” of identity theft.
    • Breach: Unauthorized access to and acquisition of data in any form containing sensitive personal information that compromises the security or confidentiality of such information and creates a reasonable risk of identity theft.
    • Identity Theft: Means (i) unauthorized acquisition, purchase, sale, or use by any person of a person’s “sensitive personal information” that violates 18 USC § 1028 (fraud and related activity in connection with identification documents and information), (ii) conduct that violates similar state laws describing identity theft, or (iii) an unauthorized acquisition that results in economic loss.
    • GLBA Safe Harbor: Compliance with the Act’s notification and security requirements is deemed to exist if the security and notification requirements of GLBA are met.
    • Enforcement: FTC issues regulations on when and how notice is given. Breaches involving more than 1,000 persons are required to be reported to the FTC, consumer reporting agencies, and the entities’ primary regulator. Notice must be timely filed.
    • Private Right of Action: None
    • Preemption: Specifically identifies the type of state laws that are preempted, e.g., laws involving information, security, notice of breach, liability for failure to protect data or notify consumers, consumer report freeze, and social security numbers. Other local and state laws are not preempted.
  4. S. 1789, Personal Data Privacy and Security Act, Senate Judiciary Committee
    • Sponsors: Senators Specter, Leahy, Feinstein, and Feingold
    • Amends: Free standing with no explicit rulemaking requirements
    • Data Security: Any business collecting, storing, accessing, transmitting, using, or disposing of “sensitive personally identifiable information” on 10,000 or more U.S. persons must comply with FTC safeguards rule.
    • Notice: Must be given to any U.S. person whose sensitive personally identifiable information has been accessed or acquired.
    • Breach: Occurs when there is a compromise in the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in unauthorized access to or acquisition of sensitive, personally identifiable information.
    • Sensitive Personally Identifiable Information: Means (i) a person’s first and last name, or first initial and last name, in combination with a complete social security number or similar identification number; or (ii) any two of the following: home address or telephone number; mother’s maiden name; month, day, and year of birth; unique biometric information; unique electronic identification number; other information determined by the FTC; or (iii) a financial account number in combination with the security or access code or password.
    • GLBA Safe Harbor: The legislation exempts financial institutions covered under GLBA from the security provisions. However, no safe harbor is provided with respect to notice provisions.
    • Private Right of Action: None
    • Preemption: Preempts state notification laws involving individual access to and correction of personal electronic records.
  5. Activity at the State Level

    California’s law, the California Security Breach Information Act (the “California Act”), SB 1386, became effective in 2003. A number of states have adopted similar laws.

    • California Act took effect on July 1, 2003:
      • Triggered by a breach, i.e., the unauthorized acquisition of stored, unencrypted confidential personal information on customers or employees.
      • Form of Notice: Left to company
      • Applies, regardless of size, to any company that stores personal information in a computerized file of any type and has one or more employees or customers in California, including companies that merely store the data.
      • The California Act does not authorize actions by the state attorney general and requires no notice to any government officials.
    • Other States: Great variety of approaches. New York, for example, has enacted (effective December 7, 2005) the Information Security Breach and Notification Act (the “New York Act”). The New York Act in some ways provides greater protection for consumers, and could be viewed as more onerous by businesses.
    • The New York Act features:
      • Encrypted Data: The New York Act is triggered even where the data is encrypted if it can be shown that the encryption no longer protects the data (for example, because the encryption key was also acquired).
      • Notice to Public Officials: The New York Act requires notice to public officials such as the state attorney general.
      • State Attorney General: Has right to initiate legal actions for damages.
    • Laws in Other States
      • Notice and data protection laws have been enacted in Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, North Carolina, North Dakota, Rhode Island, Tennessee, Texas, and Washington.
  6. Other Issues
    • Credit Freeze: A number of states have enacted laws permitting consumers to order credit bureaus to place a credit freeze on their credit files. In some cases there is a cost for a credit freeze; in others (such as where ID theft has already occurred) it is free. With a credit freeze in place, third parties cannot access the consumer’s credit report, so new credit cannot be obtained in the consumer’s name.
    • Credit freeze laws have been enacted in California, Texas, Louisiana, Vermont, Washington, Nevada, Connecticut*, Illinois*, Maine*, and Colorado*.
    • Credit Freeze at the Federal Level: Credit freeze provisions available on a nationwide basis will likely be part of the debate on all federal data security bills going forward.
      • Industry Reaction: Credit freezes are viewed as impractical and having a distinct chilling effect on point-of-sale purchases relying on credit checks—for example, cell phones, automobiles, or preapproved credit cards.
    • Fraud Alert: Viewed as less cumbersome than a freeze. A fraud alert places the burden on the retailer or creditor to verify the consumer’s identity before extending credit.

    *Effective in 2006.

    Created 12/8/2005
    Last modified at 6/26/2008 10:34 AM by Keenan, Michael

    Copyright © 2008 Nixon Peabody LLP. All rights reserved.