Data Security Breach Notification Laws: A Comparison
Presented By: Len Bernstein, Esq. / Reed Smith LLP, lbernstein@reedsmith.com, 215.851.8143, 609.520.6005
Prepared With: Paul Bond, Esq. / Reed Smith LLP, pbond@reedsmith.com, 609.520.6393
Pennsylvania and New Jersey: Neighbor States
Right Now, It All Comes Down to The States
• No unifying federal data breach notification law (yet)
• A federal banking charter is no guarantee of exemption
• Laws are local; breaches are often national
• Compliance means taking a hard look at the statutes State-by-State (25 so far, and more coming)
New Jersey and Pennsylvania: Across the River, Data Security Obligations Change
• Pennsylvania: Breach of Personal Information Notification Act (becomes effective June 20, 2006)
• New Jersey: Identity Theft Protection Act (became effective January 1, 2006)
• Which State’s law applies?
  • If sending notice, apply the law of the State in which the notice recipient lives.
  • If determining obligations to protect data, apply the law of every State in which you’re doing business.
What Constitutes a Breach of Security, Generally?
Generally, a breach of security means:
• unauthorized acquisition
• of computerized data
• that compromises the security and confidentiality
• of personal information.
What Constitutes a Breach of Security: Materiality and Injury
• Does the compromise of security have to be material to create a duty to send notice?
  • In PA, yes; in NJ, no.
• Does the breach have to cause loss or injury (or do you have to reasonably believe it will cause loss or injury) before a duty to send notice exists?
  • In PA, yes; in NJ, no.
• In each case, PA law presents a possible basis not to send notice… but also creates a risk that sending notice will be misread as an admission of materiality and imminent injury.
• If the data acquired was encrypted, does its acquisition still trigger notice requirements?
  • In both PA and NJ, encrypted data is exempt from notice requirements.
What Information Is Personal?
• Name plus:
  • Social Security Number; or
  • Driver’s license / state identification number; or
  • Financial account number and the security code needed to access it
• Does “personal information” include information fragmented throughout a document (dissociated) if the breach also exposed the method to piece those data together?
  • In NJ, yes; in PA, unclear.
Who Do You Have to Notice?
• In both NJ and PA, notice is sent to the person about whom information has been acquired
• In both NJ and PA, consumer reporting agencies must be told if you send notice to over 1,000 residents
• In PA, there is no express duty to inform law enforcement before you send notice; in NJ, you must first report the incident to a Division of the State Police and wait for them to give you a green light before sending notice.
If a financial institution complies with the Interagency Guidelines, does it still have to give notice under the state law?
• In PA, compliance with the Interagency Guidelines on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice is deemed compliance with the state Act.
• In NJ, there is no such exemption.
Does the statute provide a private right of action for failure to notice?
• In PA, only the Attorney General can bring an action for not complying with the notice statute… any failure to make a required notice is considered an “unfair or deceptive act or practice” in violation of PA’s Unfair Trade Practices and Consumer Protection Act.
• In NJ, an intentional, knowing, or reckless failure to notice is considered a violation of NJ’s Consumer Fraud Act, under which injured consumers can bring a private individual or class action.
Are the statutes limited to imposing duties to notice after a breach?
• The NJ Act also provides:
  • a mechanism for reporting identity theft incidents to the police,
  • a right for all New Jersey residents to put a security freeze on their credit reports, keeping would-be identity thieves from opening new accounts,
  • instructions on how Social Security numbers can and can’t be used, and
  • a mandatory method for the destruction of personal information.
• The PA Act limits itself to the requirement to notice.
Data Security Breach Litigation: The Allure to Plaintiffs If You Do Send Notice
• The Plaintiffs’ Bar sees data security breach notification letters as:
  • admitting fault
  • conceding that harm has or will befall the recipient
  • creating a pre-defined class
• Data security breaches can implicate information about thousands, millions, or tens of millions of customers in one go
• Anxiety about identity theft is running high
• For public actors, such as the FTC and Attorneys General, this is a high-priority issue for their constituents
Data Security Breach Litigation: Causes of Action We’ve Seen
• Negligence: you had a duty to protect my information and you didn’t.
• Conversion and/or waste: I entrusted you with my valuable information and you lost it or made it less private (and, hence, less valuable).
• Invasion of privacy: I have a reasonable expectation that my personal information will stay that way; you breached it.
• Breach of contract and/or fiduciary duty: we agreed you’d keep this information safe; I trusted you to keep it safe; you didn’t.
• Others: respondeat superior liability for acts of employees; violation of the Computer Fraud and Abuse Act (hacking); violation of the Fair Credit Reporting Act; violation of state recordkeeping acts; etc.
Data Security Breach Litigation: The Next Asbestos?
• Main question in at least a dozen actions filed: if information about someone is involved in a data security breach, does that alone constitute harm sufficient to bring suit?
• Plaintiffs say yes… they liken the cost of credit monitoring to the cost of medical monitoring, saying that the expense is a present harm made necessary by a completed act of negligence.
• Defendants say no… there’s no basis to extend monitoring as a cause of action from the narrowly-drawn life-and-death circumstance of exposure to toxic torts.
• Forbes v. Wells Fargo Bank, N.A., 2006 WL 680522 (D. Minn. March 2006): the Court held that credit monitoring is a voluntarily-incurred cost, even when someone loses information about you. The Plaintiffs’ choice to buy additional credit monitoring did not constitute an injury. Since the Plaintiffs did not allege any other harm, the Court dismissed the case.
Conclusion: Examine Laws, Prepare for Lawsuits
• Complying with all the various data breach laws, difficult as that is, doesn’t mean you won’t be sued
• Statutes are often vague, with no caselaw and little legislative history
• Best practices and good corporate citizenship are the best defense
• Safeguards and prevention