
Privacy: Is It Any of Your Business?
 Part I: Data Collection/Legislative Trends




                    By John P. Hutchins
                       (404) 885-3460
            john.hutchins@troutmansanders.com

                     December 8, 2005
          Technology Law Section Quarterly Meeting
                        Atlanta, GA
 Data Collection: Everyone’s Doing It

• Electronic Commerce Has Led to
  Explosion of Data
  – Between 2002-2005, the world will generate
    more data than all the data generated on earth
    over the last 40,000 years.

                          University of California at Berkeley Study
           “Read All About It!”
• February 2005 - ChoicePoint discloses that, in
  October 2004, it sold information on 145,000 people
  to data thieves posing as legitimate businesses
• March 1 - Bank of America reports that it lost
  computer data tapes containing social security
  numbers and account information on up to 1.2
  million federal employees, including some members
  of the U.S. Senate
• March 10 - LexisNexis reports that hackers
  commandeered one of its databases, gaining
  access to personal files of as many as 32,000
  people
           “Read All About It!”
• Mid-March - Boston College reports that a computer
  with files on 120,000 alumni was breached
• March 28 - UC Berkeley reports a stolen laptop containing
  personal information on nearly 100,000 University of
  California at Berkeley alumni, students and past
  applicants (some data was 30 years old)
• April 12 - Tufts University sends letters to 106,000
  alumni, warning of “abnormal activity” on a
  computer that contained names, addresses, phone
  numbers, and some Social Security and credit card
  numbers
           “Read All About It!”
• April 20 - DSW Shoe Warehouse reports that
  thieves stole 1.4 million credit card numbers of
  customers
• May 2 - Time Warner reports that a shipment of
  backup tapes with personal information of about
  600,000 current and former employees was lost
  during a routine shipment to offsite storage
• June 1 - Washington Post reports that FBI is
  investigating theft of Justice Department laptop from
  Omega World Travel office in Fairfax, VA, believed
  to contain personal data on 80,000 Justice
  Department employees
           “Read All About It!”
• June 6 - CitiFinancial states that it has begun
  notifying 3.9 million customers that computer tapes
  containing information about their accounts had
  been lost
• June 18 - MasterCard International reports that the
  networks of its third-party processor, CardSystems
  Solutions, were hacked and that data on 40 million
  credit card accounts was compromised
• June 24 - IRS discloses that it is investigating
  whether unauthorized people gained access to
  sensitive taxpayer and bank account information

• Someone has estimated 50 million people!
         California SB 1386
 California Information Practice Act
 or Security Breach Information Act
• First in the nation
• Effective July 1, 2003
• “Law uses fear and shame to make companies think
  more seriously about information security”
• ChoicePoint and others reported in accordance with this
  law
• Opened floodgates
   – Media
   – other businesses experiencing data “breaches”
• Copycat legislation, lawsuits, new legal theories,
  technical reactions (encryption)
                Legislation
• Legislation introduced in more than 35 states
  and Congress.
• Legislation passed in 20 other states in 2005,
  including: Arkansas, Connecticut, Delaware,
  Florida, Georgia, Illinois, Indiana, Louisiana,
  Maine, Minnesota, Montana, Nevada, New
  Jersey, New York, North Carolina, North
  Dakota, Rhode Island, Tennessee, Texas and
  Washington
• Nine federal bills introduced in 2005
• New York City has its own ordinance
            Fundamental Shift
• “Privacy breaches” come in all shapes and sizes
  – Some are the result of old-fashioned “con”
  – Some are the result of a sophisticated computer
    “hack”
  – Some are the result of simple larceny
  – Some are the result of basic human error (i.e., it’s just
    lost)
  – Some are the result of a third-party’s non-performance
• But all are “big news”
          The Shift is Broader
           Than Data Theft
• “CardSystems: Should Not Have Kept
  Records” – June 20, 2005, Atlanta
  Journal-Constitution
• “Bosses on the prowl for risque pics” –
  June 17, 2005, News.com
• “119 students who failed courses get
  group e-mail” – USA Today, June 20,
  2005
“I’m mad as hell, and I’m not going
       to take this anymore!”
                  “Howard Beale” – Network (1976)
           What Is “Privacy” Law?
•   Gramm-Leach-Bliley
•   FCRA-FACTA
•   HIPAA
•   COPPA
•   USA Patriot Act
•   EU Data Protection Directive
•   Privacy in the workplace (i.e., background screening, employee
    monitoring, video surveillance)
•   Federal Sentencing Guidelines regarding executive background
    checks
•   Customer Proprietary Network Information
•   CALEA
•   E-mail hazards (i.e., SPAM, Phishing, Spoofing)
•   Data aggregator liability and compliance*
•   Identity theft and other cybercrimes
•   Department of Homeland Security/FERC regulations regarding
    critical infrastructure information
•   ISP liability
•   Spyware
•   Document retention and destruction
•   Sarbanes-Oxley
        Copycat Legislation
• California’s statute is the model
• Much legislation passed in a rush to “do
  something”
• Not well-conceived or implemented
• Federal legislation moving slowly through
  Congress
  – Might sort out a lot of issues
  – Might create regulatory morass
         California SB 1386
        Whom Does It Affect?
• Applies to state government agencies, for-
  profit and non-profit organizations
• Applies to all “data collectors” who
  maintain computerized “personal
  information” on Californians
      What Does It Require?
• Requires that any business that owns or
  licenses computerized data that includes
  personal information to give notice of any
  breach of the security of the data following
  discovery of such breach to any resident
  of the state whose unencrypted personal
  information was or is reasonably believed
  to have been acquired by an unauthorized
  person
          Personal Information
•   Personal Information – a person's name
    in combination with:
    –   social security number
    –   driver's license or state issued i.d. number
    –   account number or credit card number, in
        combination with security code
    NOT Personal Information
• Personal Information specifically does not
  include “information lawfully made
  available to the general public from
  federal, state or local government
  records.”
     Breach of the Security of the
              “System”
• Breach of the Security of the System -
  unauthorized acquisition of an individual's
  computerized data that compromises the
  security, confidentiality, or integrity of personal
  information of such individual.
• Does not include “good faith” acquisition, as long
  as no “bad faith” use or “subject to further
  unauthorized disclosure”
• NOTE: Not necessarily limited to a breach of a
  computer system, despite the word "system" in
  the definition
                      Notice
•   Notice means:
    –   Written notice (addressed to whom?)
    –   Electronic notice, if provided consistent with the
        provisions of the federal Electronic Signatures Act
        (basically, the consumer consents)
           Substitute Notice
• Substitute notice - if information broker
  demonstrates (?) that
   – cost of notice > $250K
  – # of persons > 500K
  – insufficient contact information to provide
    written or electronic notice
          Substitute Notice
• E-mail notice (when the person or
  business has an email address)
• Conspicuous posting on website
• Notification to major, state-wide media.
         “Do-It-Yourself” Notice
• If
   – Person or business that has its own notification
     procedures, as part of an information security policy
     for the treatment of personal information; and,
   – Policy is consistent with timing requirements of SB
     1386
• Then
   – Compliance with policy = compliance with statute
        Time Requirements
• “Most expedient time possible and without
  unreasonable delay”
• Potentially long delay for
  – legitimate needs of law enforcement
  – any measures necessary to determine scope
    of breach and restore the data system’s
    reasonable integrity
               Remedies
• Civil suit for damages
• Injunction
       Georgia’s Approach

• Georgia Code §§ 10-1-911 & 912
     Georgia Code §§ 10-1-911 & 912
• Requires that any information broker who
  maintains computerized data that includes
  personal information to give notice of any breach
  of the security of the system following discovery
  of such breach to any resident of the state
  whose unencrypted personal information was or
  is reasonably believed to have been acquired by
  an unauthorized person
• If more than 10,000 Georgia residents must be
  notified at one time, the information broker must
  also notify all consumer reporting agencies
         Information Broker
• Information broker - business, in whole or
  in part, is collecting, assembling,
  evaluating, compiling, reporting,
  transmitting, transferring, or
  communicating information concerning
  individuals for the primary purpose of
  furnishing personal information to
  nonaffiliated third parties, for a fee.
    Breach of the Security of the
             “System”
         (I wasn’t kidding about copycats!)

• Breach of the Security of the System -
  unauthorized acquisition of an individual's
  computerized data that compromises the
  security, confidentiality, or integrity of personal
  information of such individual.
• Does not include “good faith” acquisition, as long
  as no “bad faith” use or “subject to further
  unauthorized disclosure”
• NOTE: Not necessarily limited to a breach of a
  computer system, despite the word "system" in
  the definition
          Personal Information
•   Personal Information – a person's name in
    combination with:
    –   social security number
    –   driver's license number
    –   account number or credit card number (if it can be
        used without codes) ?
    –   account passwords or PINs ?
    –   “catchall” - any information listed, but not
        connected with name, which it would be sufficient
        for identity theft.
             Remedies????
• Does not specifically give rise to civil
  action
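The SB 1386 definitions above (personal information, unencrypted data, substitute notice thresholds) and the Georgia variations (information-broker scope, the 10,000-resident trigger for notifying consumer reporting agencies) together form a decision procedure an incident responder has to run against the records known to have been acquired. The following Python module is an added worked example, not part of the original presentation; it models the California definition of personal information for both states (the Georgia slide marks its own account-number and password items with a question mark, so those are not encoded), and the record fields, sample data, and the treatment of missing contact details as "insufficient contact information" are assumptions made for the illustration.

```python
"""
Breach-notification triage modelled on the SB 1386 and Georgia
(Code 10-1-911 & 912) rules summarised in the slides above.
Added illustration; not part of the original presentation.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Thresholds quoted in the slides
CA_SUBSTITUTE_NOTICE_COST = 250_000      # substitute notice if cost of notice > $250K
CA_SUBSTITUTE_NOTICE_PERSONS = 500_000   # ... or number of persons > 500K
GA_CRA_THRESHOLD = 10_000                # > 10,000 Georgia residents -> also notify CRAs


@dataclass
class AcquiredRecord:
    """One record reasonably believed to have been acquired by an unauthorized person.
    Field names are constructed for this example; a real inventory comes from the
    scoping work the slides mention under time requirements."""
    name: str = ""
    ssn: str = ""
    drivers_license: str = ""         # driver's licence or state-issued ID number
    account_number: str = ""          # financial account or credit card number
    security_code: str = ""           # code/PIN that lets the account be used
    encrypted: bool = False           # personal-information fields were encrypted
    from_public_record: bool = False  # lawfully available from government records
    has_contact_info: bool = True     # address on file for written/electronic notice


@dataclass
class Decision:
    notify_individuals: bool
    affected: int
    notify_cras: bool          # Georgia: consumer reporting agencies
    substitute_notice: bool    # California: e-mail / website / media notice allowed
    reason: str


def is_personal_information(rec: AcquiredRecord) -> bool:
    """SB 1386 definition: a name in combination with an SSN, a driver's licence
    or state ID number, or an account/card number plus its security code.
    Information lawfully available from public records is excluded."""
    if not rec.name or rec.from_public_record:
        return False
    if rec.ssn or rec.drivers_license:
        return True
    return bool(rec.account_number and rec.security_code)


def triage(records: Iterable[AcquiredRecord], state: str,
           is_information_broker: bool = True,
           estimated_notice_cost: float = 0.0) -> Decision:
    """Decide whether individual notice is owed and which extra duties attach.
    `state` is "CA" or "GA". Only *unencrypted* personal information counts,
    which is the statutory incentive for encryption the slides refer to."""
    if state not in ("CA", "GA"):
        raise ValueError("only the CA and GA rules from the slides are modelled")
    if state == "GA" and not is_information_broker:
        # Per the slides, the Georgia statute reaches "information brokers" only.
        return Decision(False, 0, False, False, "GA: entity is not an information broker")

    affected: List[AcquiredRecord] = [
        r for r in records if is_personal_information(r) and not r.encrypted
    ]
    if not affected:
        return Decision(False, 0, False, False, "no unencrypted personal information acquired")

    # Assumption: lacking contact data for any affected person is treated as
    # "insufficient contact information" for the substitute-notice test.
    missing_contact = sum(1 for r in affected if not r.has_contact_info)
    substitute = state == "CA" and (
        estimated_notice_cost > CA_SUBSTITUTE_NOTICE_COST
        or len(affected) > CA_SUBSTITUTE_NOTICE_PERSONS
        or missing_contact > 0
    )
    notify_cras = state == "GA" and len(affected) > GA_CRA_THRESHOLD
    return Decision(True, len(affected), notify_cras, substitute,
                    f"{state}: notify {len(affected)} resident(s) in the most expedient time possible")


# Constructed sample of acquired records (names and numbers are fictitious)
SAMPLE = [
    AcquiredRecord(name="A. Resident", ssn="000-00-0001"),                   # counts
    AcquiredRecord(name="B. Resident", account_number="4111-0000"),         # no code: not PI under SB 1386
    AcquiredRecord(name="C. Resident", ssn="000-00-0003", encrypted=True),  # encrypted: excluded
    AcquiredRecord(ssn="000-00-0004"),                                      # no name: not PI
    AcquiredRecord(name="D. Resident", drivers_license="X1", from_public_record=True),  # public record
]

if __name__ == "__main__":
    print(triage(SAMPLE, "CA"))
```

Running the module on the constructed sample yields one notifiable resident under California's rule: the encrypted record, the name-less SSN, the account number without its code and the public-record entry all drop out, which is exactly the set of distinctions a responder has to document when scoping the breach.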
        Additional Approaches
• North Dakota expands the definition of personal
  information to include mother's maiden name and date of
  birth
• Montana and Arkansas require harm or a likelihood of
  harm to individuals before the notification is mandatory.
• Several states require notification to nationwide
  consumer reporting agencies if the number of residents
  to be notified exceeds a set number (ranging from 500 to
  10,000).
• Many states allow the Attorney General to prosecute
  violations.
• Some states go further and require companies to
  maintain adequate data protection, including destruction
  procedures.
   – Copycat to federal bills
      Where Are We Headed?
• Georgia Legislature declares as follows:
  – “The privacy and financial security of individuals is increasingly
    at risk due to the ever more widespread collection of personal
    information by both the private and public sectors”
  – “Credit card transactions, magazine subscriptions, real estate
    records, automobile registrations, consumer surveys, warranty
    registrations, credit reports, and Internet websites are all sources
    of personal information and form the source material for identity
    thieves”
              More Declarations
• “Identity theft is one of the fastest growing crimes committed
  in [this state] [California]”
   – California legislature used three-year-old data that shows 108
     increase
   – Georgia cites no statistics
• “Victims of identity theft must act quickly to minimize the
  damage; therefore, expeditious notification of unauthorized
  acquisition and possible misuse of a person’s personal
  information is imperative”
• “Implementation of technology security plans and security
  software as part of an information security policy may provide
  protection to consumers and the general public from identity
  thieves”
• “Information brokers should clearly define the standards for
  authorized users of its data so that a breach by an
  unauthorized user is easily identifiable”
          Federal Legislation
• Feinstein Bill
   – Modeled after California legislation
• Specter/Leahy Legislation
   – Personal Data Privacy & Security Act
   – most likely federal bill?
       • pre-emption
       • SS # control?
• Other bills exploring multiple approaches
   – tax incentives for security
   – fraud alerts/credit freezes
• Focus on identity theft?
            Federal Legislation
• Feinstein Bill – essentially mirrors SB 1386
   – no substitute notice by e-mail
   – media notice required to be in market where person
     believed to reside, and must include toll-free number
   – requires that data collector make burden of proof “that
     all notifications were made”
      • including evidence of necessity of any delay
      • requires written request of law enforcement delay
   – FTC fines of $1000 per person, up to $50,000 per day
   – Enforcement by States Attorneys General, including
     damages
   – Preemption of “inconsistent” state laws
 Personal Data Privacy & Security Act

• Likely passage?
• Specter/Leahy
  – Chair of Judiciary Committee
  – Ranking Republican on Committee
• Already approved in Committee
• Much broader than just a notice statute
• Broader preemption than other
  approaches
 Personal Data Privacy & Security Act
• Increased criminal penalties for actual criminals
   – But, makes it a crime to conceal a security
     breach of personal data !!!!
• Gives individuals access to and the right to
  correct personal data held by data brokers;
  requires accuracy
• Requires entities maintaining personal data to
  establish internal policies and vet third-parties
  they hire
• Notice provisions
• Does not limit buying and selling of social
  security numbers without consent, but there is
  other legislation pending
             “Data Broker”
• business entity which for monetary fees or
  dues regularly engages in the practice of
  collecting, transmitting, or providing
  access to sensitive personally identifiable
  information on more than 5,000 individuals
  who are not the customers or employees
  of that business entity or affiliate primarily
  for the purposes of providing such
  information to nonaffiliated third parties on
  an interstate basis.
        Data Privacy and Security
                Programs
• Applies to every business with electronic data on more than
  10,000 people
   – exempts entities that must comply with GLB
   – exempts entities that must comply with data security
     requirements of HIPAA
• But these entities are not exempted from notification
  provisions
   – and parts of business not currently regulated would
     become regulated
       • like Kaiser Permanente, health information currently
         regulated by HIPAA
       • but credit card information currently unregulated
 Personal Data Privacy & Security Act

• Requires covered entities to:
  – regularly assess, manage and control risks to
    data privacy and security
  – publish information security policy
  – provide employee training
  – conduct system tests
  – ensure compliance by vendors
• One year to comply
 Personal Data Privacy & Security Act

• Violations
  – “civil penalties” of $5,000 per violation, up to
    $500,000
  – double penalties for willful violation
• Authorizes actions by FTC and States
  Attorneys General
 Personal Data Privacy & Security Act
• Notice procedures
  – expands definition of personally identifiable
    information to include:
     • the ridiculous?
     • as defined by section 1028(d)(7) of title 18, United States
       Code
         – name, social security number, date of birth, official State or government
           issued driver’s license or identification number, alien registration
           number, government passport number, employer or taxpayer
           identification number, unique biometric data, such as fingerprint, voice
           print, retina or iris image, or other unique physical representation
• Notice to CRAs if more than 1000 people
  impacted
  Personal Data Privacy & Security Act
• Notice requirements are very explicit
   – content of notice is very robust
       • summary of rights
       • notice of state laws regarding security freezes on
         credit reports
• “Victim Assistance” – eliminated!
   – Requires that business offer victims free monthly
     access to their credit report and credit monitoring
     services for a year
• Exemptions
   – Risk assessment, conducted with law enforcement
     and the attorneys general of each state, determines
     de minimis
 Personal Data Privacy & Security Act

• Violations
  – “civil penalties” of $1,000 per day per
    individual, up to $55,000 per person
  – no extra penalties for willful violation
  – enforcement by Justice Department or States
    Attorneys General, including damages
    What Can Be Done?
• Draft and Implement Information
  Security Policy
  – Consider FTC guidelines
    • Policy should contain administrative, technical
      and physical safeguards that are appropriate
      for
       – size and complexity of the organization
       – nature and scope of company activities
       – sensitivity of company customer information
Information Security Policy
• Policy objectives should include
   –ensuring the security and
    confidentiality of customer
    information
   –protecting against any anticipated
    threats or hazards to the security or
    integrity of such information
   –protecting against unauthorized
    access to or use of such
    information that could result in
    substantial harm or inconvenience
    to any customer
    Information Security Policy
• Designate person with system-wide
  responsibility to administer and coordinate
  the policy
• Continually identify internal and external
  security risks that could result in the
  unauthorized disclosure, misuse,
  alteration, destruction or other
  compromise of information
    Information Security Policy
• Continually assess sufficiency of
  safeguards put in place to control
  identified risks
  – Employee training and management
  – Information systems
     • processing
     • storage
     • disposal
        Assessment, cont.
– Detection, prevention and response to all
  forms of attacks, intrusions, or other failures of
  security (technological and “human”)
– Regular audits of the effectiveness of
  safeguards
– Relationships with third parties and their
  adherence to safeguards
          John P. Hutchins
           (404) 885-3460
john.hutchins@troutmansanders.com

								