Identity theft is on the rise. According to the latest available data, the Federal Trade Commission received 214,905 complaints of identity theft in 2003, an increase of almost 33 percent over the previous year (161,836 complaints). The security of personal information stored in digital databases has therefore become a hot topic. As state and federal governments look for new ways to combat identity theft, the trend is to require companies to disclose security breaches of databases containing personal information.

The most notable legislation in this area is California's widely publicized Database Breach Notification Security Act, which took effect on July 1, 2003. It requires any person or business conducting business in California and owning or licensing computerized data that include personal information to disclose any security breach to "any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Personal information is defined as an individual's first and last name together with at least one of certain identifying items of information, such as the number of an account, credit card, or debit card. The act does not require actual knowledge of a security breach to trigger the disclosure obligation; a reasonable belief by the business that a security breach has caused the unauthorized acquisition of personal information is sufficient.

While the law provides exceptions to the disclosure obligation, such as for encrypted personal information, it nonetheless has a very wide reach. Simply selling products to a California resident and storing the resident's name and credit card number in a database without encryption may suffice to subject a business to the act. Encrypting the stored personal information is therefore both a security control and the principal way to narrow the act's reach. Since most U.S. national and foreign businesses have California customers and store their personal information in this way, many businesses may not be aware of their disclosure obligations under the act.

FEDERAL BILLS ARE PENDING

Efforts to require disclosure of security breaches are also under way in the federal government. Around the time of the California act, Sen. Dianne Feinstein (D-Calif.) introduced the Notification of Risk to Personal Data Act, a bill pending in the Senate Judiciary Committee. Under its provisions, any person engaged in interstate commerce who owns or licenses electronic data containing personal information would be required, upon discovery of a breach of security, to notify any U.S. resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill would define a breach of security as a compromise of the security, confidentiality, or integrity of computerized data that has resulted, or is reasonably believed to have resulted, in the unauthorized acquisition of and access to personal information. If enacted, it would require U.S. and foreign businesses engaged in interstate commerce and maintaining U.S. residents' data to disclose security breaches implicating personal information.

In other developments, legislators and regulators are considering notification requirements specifically for financial institutions. A bill (H.R. 818) introduced by Reps. Jerry Kleczka (D-Wis.) and Paul Ryan (R-Wis.) to amend the Gramm-Leach-Bliley and Fair Credit Reporting acts would require a financial institution to notify a consumer whose nonpublic personal information maintained by the institution has been compromised by an employee of the institution or through an unauthorized entry into the institution's records. The House bill is broader than the Senate bill insofar as it would cover any unauthorized entry into records (not only a database) and imposes additional assistance and reimbursement obligations. It is currently pending in the House Financial Services Committee. Simultaneously, federal financial regulators have requested comments on proposed rules requiring financial institutions to establish a response program, including customer notification, in the event of a security breach. See "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice," 68 Fed. Reg. 47954.

Discovery of a database security breach may also give rise to disclosure obligations under state and federal criminal law, because such breaches typically constitute a crime under federal or state law. See, e.g., 18 U.S.C. 1030; Minn. Stat. §609; Texas Penal Code §33.02. Minnesota, for example, expressly requires that any "person who has reason to believe that any provision of section 609.99 [computer damage], 609.89 [computer theft], or 609.891 [unauthorized computer access] is being or has been violated shall report the suspected violation to the prosecuting authority in the county in which all or part of the suspected violation occurred." Minn. Stat. §609.8911. The increase in identity theft and computer crime may prompt other states to require disclosure of security breaches to law enforcement.

Moreover, businesses should be aware that disclosure obligations may arise from express or implied contracts, such as privacy policies or other customer agreements. Also, in some situations, a duty to warn has been recognized at common law. See Restatement (Second) of Torts §§330-336. Consistent with recognized tort law principles, courts may expand the common law duty to warn to include database security breaches. Thus, disclosure obligations may arise from a variety of sources.

But determining whether a disclosure obligation exists is only the first step. Whether or not disclosure is required, business decisions remain. If disclosure is required, the business must decide the manner and extent of the disclosure. For example, since the Database Breach Notification Security Act requires only notification of California residents, the business must decide whether non-California residents should be notified as well. And if no disclosure obligation exists, the business must decide whether and, if so, how it should disclose a security breach. In both cases, the decisions involve business judgments that weigh the advantages and disadvantages of disclosure under the given circumstances.

The obvious disadvantage of disclosing a database security breach is the risk of shaking customers' confidence in the business's security. But if the business can show it has taken commercially reasonable steps to secure its database, it may be able to limit the fallout from the disclosure. In fact, early disclosure can be useful because it avoids the appearance of a cover-up and allows the business to control how the security breach is presented to the affected customers and the public. Early disclosure may have other advantages. Once notified, the affected customer is in a position to stop or limit the use of misappropriated personal data, such as by blocking credit or debit cards or changing e-mail addresses. Customers who have been notified early may thus suffer smaller losses and be less likely to sue than those who have sustained losses that would have been avoidable with early notice. Early disclosure may also be a good public-relations step because it conveys to the public that the business cares about its customers' personal data, takes identity theft and security breaches seriously, and is candid and honest in its customer relations.

The business decisions will likely depend on the results of factual investigations: the impact of the security breach, which databases were exposed, whether the breach implicated personal information, and whether such data have actually been misappropriated. If a business is not able to verify some or all of this information, it may be prudent to assume a worst-case scenario.

LEGAL COUNSEL IN DECISION MAKING

While, in the absence of a legal obligation, the decision of whether, to whom, and in what manner to disclose a security breach is a business decision, legal counsel should be closely involved in the decision making. An important role for legal counsel is assessing the business's potential liability arising from the security breach. For example, if an employee of the business was involved in the security breach, the business may have exposure under principles of vicarious liability. Another role is the protection of privileged information, because a misguided disclosure may put evidence into the hands of potential plaintiffs.

The likelihood of security breaches in today's data-intensive business environment, and the liability exposure resulting from them, will increasingly raise questions about their disclosure. Because of the complexities involved in these questions, in-house and outside attorneys are advised to begin analyzing and planning for a security breach before it occurs. This process includes monitoring legal and other developments regarding disclosure obligations and developing an internal procedure or guide for use in the event of a security breach. Such a procedure or guide will enable the business and its attorneys to confront a security breach in a coordinated fashion and make the necessary decisions quickly and efficiently.

Heiko E. Burow is an associate in the Dallas office of Baker & McKenzie, where he practices intellectual property law. He can be reached at [email protected]. Brian C. McCormack is a partner in that office and a member of the global intellectual property group. He can be reached at [email protected]. This article first appeared in the ALM weekly newspaper The National Law Journal.