By Scott Hervey
Businesses own and acquire vast amounts of valuable consumer data; they stockpile this information on networked servers and exchange it with affiliates or third-party subscribers. Recently, national and state regulators have focused on how businesses manage this data. In the wake of the large-scale identity thefts from ChoicePoint, Inc. and Bank of America Corp., these issues are now under a white-hot light. Businesses and their counsel should pay attention to how consumer data is collected and managed, and how security breaches are responded to. This is not a task for the IT department to handle on its own; corporate counsel needs to be involved.
Federal and State Regulations
There are a number of federal regulations that address the protection of electronic data. The Sarbanes-Oxley Act, a federal law implemented to address corporate fraud, requires that companies establish and implement “internal control” procedures that provide reasonable assurance to prevent, or allow for the timely detection of, unauthorized acquisition, use or disposition of company assets that could have a material effect on the financial statements.
The recent ChoicePoint situation exemplifies how data loss or theft can have a material effect on a company’s financial statements. The Chicago Tribune (March 14, 2005) reports that ChoicePoint Inc. is suspending sales of consumer information to small businesses in the wake of the security breach that allowed hackers to take personal information of about 145,000 people. The Tribune reported Chief Executive Derek Smith as stating that the decision to halt sales to small businesses follows “the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them.” According to the Tribune, ChoicePoint’s 17,000 small-business customers accounted for about 5 percent of its annual revenue of $900 million. As a result of suspending sales to them, ChoicePoint said it expects a decline in revenue this year of $15 million to $20 million.
In addition to Sarbanes-Oxley, several federal agencies have issued data management regulations to the financial industry in connection with the implementation of the Gramm-Leach-Bliley Act (GLB). These agencies include the Federal Trade Commission (the Safeguards Rule) and the Treasury Department (Interagency Safety and Soundness security guidelines). Generally, the regulations mandate that regulated companies institute processes for responding to data intrusion, and that those processes be consistent with best practices and part of an overall information security plan.
The healthcare area has nearly identical statutory requirements under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA guidelines specifically require that “documenting and reporting incidents, as well as responding to incidents, are an integral part of a security program.”
California Goes Further
Although Sarbanes-Oxley, HIPAA and the GLB contend that companies should have data management and control processes in place and that these processes should reflect “best practices,” they do not give any guidance on what the processes should entail. The state of California recently implemented legislation that, in the wake of recent events, appears to provide this element. (In support of the proposition that California’s data security laws establish the minimum requirements for internal control processes, California Senator Dianne Feinstein, in response to the ChoicePoint situation, introduced a bill that is similar to California’s Data Security Law (AB 1950).)
AB 1950, California’s Data Security Act, was enacted on September 29, 2004. This new law applies to companies that own or license unencrypted personal information about California residents, and it requires these companies to “implement and maintain reasonable security procedures and practices for that data.” The law applies to companies located both inside the state and out (and possibly outside of the U.S.); the jurisdictional nexus is the ownership or possession of a Californian’s “personal information.” The “personal information” which, if owned or licensed, triggers compliance with this new law is: name and Social Security number; driver’s license number; financial account information; medical information; and other private information.
The Act also requires companies that disclose the above personal information to vendors or other non-affiliated third parties to require by contract that the third parties implement and maintain reasonable security procedures and practices that are “appropriate to the nature of the information” provided, and protect the information from unauthorized access, destruction, use, modification or disclosure. Obviously, any business affected by California’s Data Security Act that discloses personal information to non-affiliated third parties should also include other provisions, including but not limited to an indemnity provision, in its contracts.
The crux of the Act revolves around providing California residents with notice of a breach in the security of the database in which their personal information is housed. The Act requires companies to disclose any breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The section also provides that “any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
In addition to data security, California also regulates the way in which certain information belonging to a Californian can be used. As part of the Data Security Act, California has implemented restrictions on the use of certain information in direct marketing. If a business discloses “personal information” to third parties, and knows or reasonably should know that the third parties used the personal information for the third parties’ direct marketing purposes, then the business is under certain document retention and disclosure requirements. The disclosure requirements include establishing a mailing address, electronic mail address, or a toll-free telephone or facsimile number where customers may request (and businesses must provide) a written list of the categories of personal information disclosed by the business to third parties for the third parties’ direct marketing purposes during the immediately preceding calendar year, as well as the names and addresses of all of the third parties that received personal information from the business for the third parties’ direct marketing purposes during the preceding calendar year.
What qualifies as “personal information” triggering the above disclosure requirements? It is the following: name and address; electronic mail address; age or date of birth; names of children; electronic mail or other addresses of children; number of children; the age or gender of children; height; weight; race; religion; occupation; telephone number; education; political party affiliation; medical condition; drugs, therapies, or medical products or equipment used; the kind of product the customer purchased, leased, or rented; real property purchased, leased, or rented; the kind of service provided; Social Security number; bank account number; credit card number; debit card number; bank or investment account, debit card, or credit card balance; payment history; or information pertaining to the customer’s creditworthiness, assets, income, or liabilities.
The law also requires companies to have a “Your Privacy Rights” section on their webpage and to describe these rights to the user. A company can’t, as part of its “Terms of Use” or any other contract, require users to waive these rights. Any such waiver is void as against public policy. Any customer injured by a violation of the above provisions may bring a civil lawsuit and recover damages, as well as attorneys’ fees and costs.
It’s Time To Take Data Management Seriously
In addition to the above, a company has further laws, rules and requirements it must meet in connection with the acquisition, management and use of consumer information. The laws and regulations discussed above hardly scratch the surface. Companies and their counsel are encouraged to take a hard look at their data management protocols and take steps to come into compliance with existing federal and state requirements.