Identity Theft in 2009: Compliance by Business Owners and Government Agencies under Draft Federal Data Breach Notification Act
Posted January 31, 2009 by Bierce & Kenerson, P.C. · Print This Post
Personally identifiable information is the core to the global economy. All businesses, large and small, rely upon information technology, outsourced to external service providers, to process such information for a wide range of uses, including HR payroll and administration, purchase orders, accounting, finance, credit card payments, debt collection, tax compliance, records management, procurement, engineering, market analytics, business intelligence, e-discovery, legal services, and logistics. All businesses must comply with data breach notification laws. In the U.S., these laws will likely be extended and federalized in 2009.
As of early 2009, already 42 states mandate notifications of breaches of data security affecting personally identifiable information that could be used for identity theft. Under a proposed federal Data Breach Notification Act introduced by Senator Dianne Feinstein (D., Calif.), such breaches would also violate federal law. Most significantly, federal governmental agencies would also be subject to the breach notification procedures. Both businesses and governmental agencies could avoid notification under exemptions for national security or law enforcement investigations, but not to “conceal violations of law, inefficiency or administrative error,” “prevent embarrassment” to the agency or business or “restrain competition.”
Disclosure Requirements. The draft legislation, S. 139, 111 th Cong., 1 st. Sess., builds on prior efforts to adopt a federal law mandating disclosure of data security breaches that could result in identity thefts. Such legislation already exists, without the embellishments of Secret Service review. Under a 2006 law, contracts for data processing or maintenance issued by the U.S. Department of Veteran Affairs for the performance of any Department function must include the following data protections:
- The contractor shall not, directly or through an affiliate, disclose any “sensitive personal information” to any other person unless the disclosure is lawful and expressly permitted under the contract. Thus, subcontracting to affiliates and third parties is prohibited unless expressly authorized. This follows “best practices” in outsourcing and data processing contracts.
- The contractor (or any subcontractor) will promptly notify the Secretary of Veteran Affairs of any data breach that occurs with respect to any sensitive personal information. This is also a “best practice” in outsourcing and data processing contracts.
The Veterans Admninistration data breach rules do not define “sensitive personal information,” which could mean either “personally identifiable information” (“PII”) or “protected health information” under HIPAA.
Damages for Data Security Breach. The debate over damages and remedies for security breaches remains unresolved.
- Private Cause of Action. A key policy question for legislators is whether to give individuals a private cause of action against businesses or their service providers for data breach relating to sensitive personal information Only California appears to have done so. The draft federal Data Breach Notification Act, S. 139, would expressly state that nothing in it establishes a private cause of action against a business entity for violation of that law, if enacted. Similar text appears in the data breach legislation of states other than California. However, the lack of a federal or state statute does not eliminate the risk of common law claims for fraud, fraudulent inducement, breach of contract, negligence and other torts.
- Liquidated Damages. As an alternative remedy, the data processing services contractor might be required to pay liquidated damages to its customer. In the case of the Department of Veterans Affairs, each data processing contract must include a liquidated damages clause All such damages paid would be segregated into a fund for credit protection services on behalf of affected individuals.
Notification where Only One Individual’s Data is Breached. A further policy questions for federal and state legislators is whether there is a threshold number of individuals whose sensitive personally identifiable information is breached before there is a duty of notification. In the legislation adopted by the states, the general threshold is that 5,000 individuals must be affected before any notification is required. In the proposed federal Data Breach Notification Act, notification would be required if only one individual’s data were breached.
Federal vs. State Enforcement Action. Federal preemption of prosecutions for data breach would apply if a federal law were enacted. This draft federal law would allow the consolidation of pending state and federal actions by attorneys general, and suspend enforcement action by a state attorney general while the U.S. Attorney General enforces the law. This would be very limited federal preemption, since state attorneys general would still have the right to enforce civil remedies, whether or not the U.S. Attorney General had prosecuted for criminal liability.
Best Practices. All businesses, particularly small to mid-sized ones, need a strategy to implement best practices in privacy and security. Under existing and pending legislation, such practices will become all-pervasive, protecting even one individual in case of any data breach. Best practices increasingly will include:
- Records management policies and procedures that identify the intended uses and committed limitations on custody of sensitive personal information. (Legal regimes in Europe and Canada impose detailed rules on records management of personal information about their residents, too.)
- Encryption.
- Procedures for deleting data after use, including permissions for doing so. Where data cannot be deleted due to multiple backups and permanent archiving, the physical and logical security procedures must continue indefinitely.
- Database design to include metatags or field descriptors that enable automatic purging, regardless where the data is stored.
- Contract requirements with service providers of data processing, business processes, data storage, backup services, data entry and even one’s affiliates to identify and allocate obligations for compliance.
Enterprises considering practical means of adopting these best practices should consult with competent legal counsel and technology advisors.