Identity theft is on the rise. The Federal Trade Commission reports that it received 214,905 complaints of identity theft in 2003, which marks an increase of almost 33 percent from the previous year (161,836 complaints). See National and State Trends in Fraud & Identity Theft, January-December 2003. Against this background, the security of personal information stored in digital databases has become a hot topic. As state and federal governments look for new ways to combat identity theft, the trend is to require companies to disclose security breaches of their databases containing personal information.

The most notable legislation in this area is California’s widely publicized Database Breach Notification Security Act, Calif. Civ. Code § 1798.82, Senate Bill (SB) 1386, which came into effect on July 2, 2003. It requires any person or business conducting business in California and owning or licensing computerized data that include personal information to disclose any security breach to “any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Personal information is defined as an individual’s first and last name together with at least one of certain identifying items of information, such as an account, credit card or debit card number. SB 1386 does not require knowledge of a security breach to trigger the disclosure obligation. Instead, a reasonable belief by the business that a security breach has caused the unauthorized acquisition of personal information is sufficient. While SB 1386 provides for exceptions to the disclosure obligation, such as for encrypted personal information, it nonetheless has a very wide reach. Simply selling products to a California resident and storing the resident’s name and credit card information in a database without encryption may suffice to subject a business to the act. Since most U.S. national and foreign businesses have California customers and store their personal information in this way, many businesses may not be aware of their disclosure obligations under SB 1386.

FEDERAL BILLS ON DISCLOSURE OF BREACHES ARE PENDING

Efforts to require disclosure of security breaches are also under way in the federal government. Around the time of SB 1386, U.S. Senator Dianne Feinstein, D-Calif., introduced the Notification of Risk of Personal Data Act (S. 1350), a bill that is pending in the Senate Judiciary Committee. Under S. 1350, any person engaged in interstate commerce who owns or licenses electronic data containing personal information would be required, upon discovery of a breach of security, to notify any U.S. resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. S. 1350 would define a breach of security as a compromise of the security, confidentiality or integrity of computerized data that has resulted, or is reasonably believed to have resulted, in the unauthorized acquisition of and access to personal information. If enacted, S. 1350 would require U.S. as well as foreign businesses engaged in interstate commerce and maintaining U.S. residents’ data to disclose security breaches implicating personal information.

In other developments, legislators and regulators are considering disclosure notification requirements specifically for financial institutions. A bill (H.R. 818) introduced by U.S. representatives Jerry Kleczka, D-Wis., and Paul Ryan, R-Wis., to amend the Gramm-Leach-Bliley and Fair Credit Reporting acts would require a financial institution to notify a consumer whose nonpublic personal information maintained by the financial institution has been compromised by an employee of the financial institution or through an unauthorized entry into the records of the financial institution. H.R. 818 is broader than S. 1350 insofar as it would cover any unauthorized entry into records (not only a database) and imposes additional assistance and reimbursement obligations. H.R. 818 is currently pending in the House Financial Services Committee. Simultaneously, federal financial regulators have requested comments on proposed rules requiring financial institutions to establish a response system, including customer notification, in the event of a security breach. See “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” 68 Fed. Reg. 47954.

Discovery of a database security breach may also give rise to disclosure obligations under state and federal criminal law because such security breaches typically constitute a crime under federal or state law. See, e.g., 18 U.S.C. 1030; Minn. Stat. § 609; Texas Penal Code § 33.02. Minnesota, for example, expressly requires that any “person who has reason to believe that any provision of section 609.99 [computer damage], 609.89 [computer theft], or 609.891 [unauthorized computer access] is being or has been violated shall report the suspected violation to the prosecuting authority in the county in which all or part of the suspected violation occurred.” Minn. Stat. § 609.8911. The increase in identity theft and computer crime may prompt other states to require disclosure of security breaches to law enforcement.

Moreover, businesses should be aware that disclosure obligations may arise from express or implied contracts, such as privacy policies or other customer agreements. Also, in some situations, a duty to warn has been recognized at common law. See Restatement (Second) of Torts §§ 330-336. Consistent with recognized tort law principles, courts may expand the common law duty to warn to include database security breaches. Thus, disclosure obligations may arise from a variety of different sources. But determining whether a disclosure obligation exists is only the first step.

Whether or not disclosure is required, business decisions remain. If disclosure is required, the business must decide the manner and extent of the disclosure. For example, since SB 1386 requires only notification of California residents, the business must decide whether non-California residents should be notified. And if no disclosure obligation exists, the business must decide whether, and if so how, it should disclose a security breach. In both cases, the decisions involve business judgments that include weighing the advantages and disadvantages of disclosure under the given circumstances.

The obvious disadvantage of disclosing a database security breach is the risk of shaking customers’ confidence in the business’ security system. But if the business can show that it has taken commercially reasonable steps to secure its database, it may be able to limit the fallout from the disclosure. In fact, early disclosure can be useful because it avoids the appearance of a cover-up and allows the business to control how the security breach is presented to the affected customers and the public.

Early disclosure may have other advantages. Once notified, the affected customer is in a position to stop or limit the use of misappropriated personal data, such as by blocking credit or debit cards or changing e-mail addresses. Customers who have been notified early may thus have fewer damages and be less likely to sue than those who have sustained losses that would have been avoidable with early notice. Early disclosure may also be a good public-relations step because it conveys to the public that the business cares about its customers’ personal data, takes identity theft and security breaches seriously and is candid and honest in its customer relations.

The business decisions likely will depend on the results of factual investigations, such as the impact of the security breach, what databases were exposed during the breach, whether the breach implicated personal information and whether such data have actually been misappropriated. If a business is not able to verify some or all of this information, it may be prudent for the business to assume a worst-case scenario.

LEGAL COUNSEL SHOULD BE INVOLVED IN DECISION-MAKING

While, in the absence of a legal obligation, the decisions of whether, to whom and in what manner to disclose a security breach are business decisions, legal counsel should be closely involved in the decision-making process. An important role for legal counsel is assessing the business’ potential liability arising from the security breach. For example, if an employee of the business was involved in the security breach, the business may have exposure under principles of vicarious liability. Another role is the protection of privileged information because a misguided disclosure may put evidence into the hands of potential plaintiffs.

The likelihood of security breaches in today’s data-intensive business environment, and the liability exposure resulting from them, will increasingly raise questions in connection with their disclosure. Because of the complexities involved in these questions, in-house and outside attorneys are advised to start the process of analysis and planning for a security breach before it occurs. This process includes monitoring legal and other developments regarding disclosure obligations and developing an internal procedure or guide for use in the event of a security breach. Such a procedure or guide will enable the business and its attorneys to confront a security breach in a coordinated fashion and make the necessary decisions quickly and efficiently.

Heiko E. Burow is an associate in the Dallas office of Baker & McKenzie, where he practices intellectual property law. He can be reached at [email protected]. Brian C. McCormack is a partner in that office and a member of the global intellectual property group. He can be reached at [email protected].


Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.