This year has produced one news account after another concerning companies or governmental agencies whose databases of personal information have been compromised. Why the sudden avalanche of these reports? Is the number of hackers increasing? Or are they merely getting more efficient in their methods? One theory is that computer security breaches have been occurring at nearly this frequency for years but were simply never made public. This thinking often credits a set of statutes enacted in California in July 2003 as the reason why such breaches are now reported with regularity. Other state legislatures appear to have bought into this theory, with at least 35 states proposing similar legislation in 2005. And New York has wholeheartedly joined the fray by passing the Information Security Breach and Notification Act, which becomes effective Dec. 7. New York’s new law basically incorporates all of the provisions of its California predecessor, albeit with several interesting additions.

Before parsing out the various components of these laws, it is important to see just how serious a problem identity theft is. In its 2005 report on “National and State Trends in Fraud & Identity Theft,” the Federal Trade Commission demonstrates the continuing growth of identity theft. The number of complaints received each year rose from 162,000 in 2002 to 215,000 in 2003 and to 247,000 last year. Despite the significant rise, there is one particularly revealing statistic that remains relatively constant. In each of the last three years, identity theft encompassed about 40 percent of all fraud complaints received by the FTC, making it by far the largest category of fraud, outdistancing its nearest competitor by 250 percent. In fact, the legislative memorandum supporting New York’s new statutes specifically recounts highly publicized breaches occurring in two unrelated businesses in 2004 as justifying a local need for a version of California’s law. In one of these breaches, only California victims were originally notified until the company succumbed to public pressure and notified all breach victims. It is this spate of recently publicized breaches, coupled with a fear that companies and governmental agencies need only notify California citizens to comply with the law as it stood prior to 2005, that has led to this year’s trend of legislative activity in the various states outside California.

The conceptual underpinnings of California’s breach notification statutes (Civil Code §§1798.29 and 1798.82) can probably be summarized as requiring California’s state governmental agencies, as well as persons and businesses that conduct business in California, to notify any California residents whose unencrypted computerized information was, or is reasonably believed to have been, acquired by an unauthorized person in bad faith, as long as that information is not otherwise publicly available. New York’s law nearly identically adopts all of these concepts, but some of the minor differences may ultimately prove disconcerting. Of even greater concern will almost certainly be many of the additional requirements New York’s Legislature tacked on to the California version.

PROTECTED INFORMATION

Both states’ laws require persons to be notified when “private information” in a business’ or state agency’s possession has been breached. “Private information” is defined as “personal information” plus one or more of the following pieces of that individual’s information: (1) Social Security number, (2) driver’s license number or non-driver identification card number, or (3) “account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual’s financial account.”

One interesting distinction between the California and New York statutes is what constitutes the kind of “personal information” that must be coupled with at least one of the three specified additional pieces of identity information to become the “private information” that triggers the notification requirements. In California, “personal information” is specifically defined as an individual’s last name and either first name or first initial. New York’s law does not define what constitutes “personal information,” leaving a broad range of possibilities open.

Both statutes similarly describe a breach to mean “unauthorized acquisition or acquisition without authorization of computerized data which compromises the security, confidentiality or integrity” of the information. Not exactly the narrowest or most clearly defined of standards. New York attempts to provide some guidance to its definition of breach by adding certain “factors, among others,” which should be considered in determining if a breach has occurred, including whether the information is “in the physical possession or control of an unauthorized person,” or if there have been “indications that the information has been downloaded or copied,” or “indications that the information was used.”

EXCEPTIONS TO NOTIFICATION

California and New York law provide four scenarios under which notification of a breach is not required, even when “private information” as defined by those statutes has been accessed. First, there is a good faith acquisition exception for any employee or agent who accesses the information for the purposes of the business or state agency, as long as the “private information is not used or subject to unauthorized disclosure.” Second, if the data is encrypted, then notification is not required unless the “encryption key” that decrypts the data is also acquired. Third, if the breached “private information” is “publicly available” in that it is “made available to the general public from federal, state, or local government records,” then notification is not required. The fourth exception provides only temporary relief. If “a law enforcement agency determines that such notification impedes a criminal investigation,” then notification is delayed only until the law enforcement agency “determines that such notification does not compromise such investigation.” A significant point here is that merely reporting the breach to law enforcement does not necessarily dispense with notification; only an affirmative request from law enforcement for a delay in notification triggers that exception.

UNCERTAIN LANGUAGE

One of the murkier provisions of both breach notification statutes is the business’ or state agency’s level of control over the data that has been improperly accessed. The statutes apply not only to data that is owned by the organization, but also to data that is leased, with the latter term not being defined. Hence, if a business or agency employs one of the commercial providers of identification information and the provider’s computer system is breached, is the business or government agency utilizing the provider’s service also required to notify the provider’s breached customers for whatever identification information the business or government agency accessed from the provider, regardless of what notification steps are taken by the provider? The logical answer appears to be no, since the information has been purchased from the provider, not leased. On the other hand, the California statute has yet to undergo litigation for precedent on this (or any other) issue.

Also undefined and, therefore, unclear is the applicability of the phrase “doing business in the state,” which makes companies subject to either the California or New York statutes. If the courts apply the “minimum contacts” standard commonly used in civil litigation, considering the expansive geographical reach of the Internet, then “long-arm jurisdiction” may be exceedingly long indeed when enforcing the information breach notification statutes.

The timing of the notification in relation to the breach is not exactly well defined either. The statutes require notification “in the most expedient time possible and without unreasonable delay.” Another timing issue is not as murky. What if the breach occurred before the effective date of the new statute, but is still known to the business or state agency after the Dec. 7 effective date? Since the language focuses on the occurrence of the breach, it would appear there is no duty to notify in this case.

CONTENTS AND METHODS

Notice can be direct or substituted under both states’ laws. Direct notice can be given in writing, by e-mail (under certain conditions described in the statute) and by telephone (for businesses only). Substituted notice is permissible if the business or state agency documents for the state attorney general that the cost of providing notice would exceed $250,000, or the subject class to be notified exceeds 500,000, or the organization lacks sufficient contact information for those to be notified. In such instances, substituted notice may be accomplished by e-mail or by conspicuous postings on the organization’s Web site or in other statewide media.

Only New York’s law places requirements on the contents of the notification. It must contain contact information for the organization issuing the notification and a description of the information released or believed to have been released due to the breach. While that addition to California’s statutes is relatively innocuous, others are potentially onerous. If New Yorkers are being notified, the organization must also notify the state attorney general, the consumer protection board and the state Office of Cyber Security. If more than 5,000 New Yorkers are being notified, notice must also go to the consumer reporting agencies. So the cost of notification under New York law will be many times the cost in California.

New York’s law also includes another potentially nightmarish requirement. Within 120 days of its enactment all “cities, counties, municipalities, villages, towns and other local agencies … shall adopt a notification policy.” These local agencies “may” develop a notification policy that mirrors New York’s law, but it is not required, thereby inviting the danger of dozens — even hundreds — of variations. In contrast, local governments are pre-empted from making any changes in New York’s notification statutes as those rules apply to businesses.

Sanctions only apply to businesses that ignore notification. The attorney general may secure injunctive relief to force compliance. Civil penalties can also accrue, in the amount of the greater of $5,000 or up to $10 per failure to notify, up to a maximum of $150,000. The statutes also preserve the right of all breach victims to pursue any other available legal remedies.

CONCLUSION

The clear import of this new wave of legislation is to force companies and governmental agencies to either encrypt personal information data stored in their computers or seek the assistance of law enforcement in undertaking an investigation. Failing to encrypt data will almost inevitably lead to a breach at some point. The remaining alternative of accepting the burdens of notification incurs both substantial costs and likely public embarrassment. With at least seven other states having already enacted their own versions of the California statute and the prospect of every local agency in New York issuing its own rules (New York City already has several proposals on the table), there appears little likelihood of this regulatory structure reversing itself any time soon.

Congress has discussed developing overarching federal legislation since the California laws were enacted. But two years have already passed with nothing arriving in the foreseeable future. This may be one of the times Congress utilizes its powers under the commerce clause to eliminate confusing, conflicting and varied individual approaches from states and local municipalities across the country. Whatever the final result, this is another area of cyberlaw, like so many others, where no easy answers appear readily identifiable.

Stephen V. Treglia is an assistant district attorney in Nassau County, N.Y. and chief of the office’s technology crime unit.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.