Data Security Laws: New Obligations and Risks for Financial Institutions and Other Companies
By: KAREN L. GRANDSTRAND
September 2005
The FDIC, LexisNexis, Boston College and ChoicePoint all have something in common - they all recently made the headlines for data security breaches. Perhaps the most notable case involves ChoicePoint, one of the largest consumer data warehouses in the United States. ChoicePoint allowed criminals access to the personal data of approximately 145,000 individuals, later notifying consumers about the security breach. Similarly, LexisNexis, a compiler of legal and other information, recently informed the public that hackers had gained access to the personal data of over 300,000 individuals.
State Laws
ChoicePoint disclosed the security breach, at least in part, due to California law (S.B. 1386) that requires companies to provide notice to consumers when there is a data security breach involving personal data. Many other states, including Minnesota, North Dakota, Georgia, Florida, Texas, Washington, Illinois, Rhode Island, Colorado, North Carolina and Connecticut, have either enacted or are expected to introduce legislation similar to the California law.
Minnesota's new law, passed quietly during the recent legislative session, becomes effective on January 1, 2006. Following the discovery or notification of a breach in the security of data, notice must be given to any resident of Minnesota whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Note that, as in the North Dakota law discussed below, the trigger is limited to unencrypted data, so whether personal information is stored and transmitted in encrypted form directly affects whether a notification duty arises. However, "financial institutions," as defined by United States Code, title 15, section 6809(3), and entities subject to the federal privacy and security regulations adopted under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), are exempt.
North Dakota's law, passed on April 22, 2005 and effective June 1, 2005, requires businesses maintaining personal information in electronic form to disclose to consumers any breaches in security. A "breach of security" only applies to unauthorized acquisition of unencrypted computerized personal information. Significantly, a financial institution, trust company, or credit union that is subject to, examined for, and in compliance with the federal "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" is deemed to be in compliance with the law.
Federal Guidance
In March 2005, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice." The guidance, issued under section 501(b)(3) of the Gramm-Leach-Bliley Act (GLBA), states that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to "sensitive customer information" maintained by the financial institution or its service providers.
Sensitive customer information means a customer's name, address or telephone number in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. It also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.
Customers must be notified whenever a financial institution becomes aware of an incident of unauthorized access to sensitive customer information and, at the conclusion of a reasonable investigation, determines either that misuse of the information has occurred or that it is reasonably possible that misuse will occur. The notice obligation therefore turns on the outcome of the investigation, not merely on the fact of unauthorized access.
The Guidance states that the notice must contain the following: a description of the incident, the type of information subject to unauthorized access, the measures taken by the institution to protect customers from further unauthorized access, a telephone number customers can call for information and assistance, and a reminder to customers to remain vigilant over the next 12 to 24 months and to report suspected identity theft incidents to the institution.
The FTC has also published guidance on how to comply with GLBA's rules on safeguarding customer information (the "safeguards rule"). The document suggests that customers should be notified promptly if their personal data is subject to loss, damage or unauthorized access.
Enforcement Actions
The SEC reportedly is conducting an informal inquiry into the circumstances surrounding any possible recent identity theft, recent trading in ChoicePoint stock, and related matters. Similarly, the FTC "is conducting an inquiry into [ChoicePoint's] compliance with federal laws governing consumer information security and related issues." In addition, ChoicePoint is reportedly being investigated by a number of states.
Federal agencies may generally bring actions under several federal laws that address the protection of personal data, including GLBA, HIPAA, the Children's Online Privacy Protection Act, and the Fair Credit Reporting Act. The FTC also has enforcement authority under section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices affecting commerce, including misrepresentations in a privacy policy regarding the use and disclosure of personal data. The FTC has brought several actions against companies for misrepresenting the security provided to consumers' personal data. In addition, the FTC has brought actions against companies for violating the "safeguards rule" under GLBA.
Data Security Practices
Financial institutions should continually reevaluate their data security practices for any inadequacies in light of applicable data security laws, as well as representations made in their privacy policies. Under the recently issued "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" and other federal and state laws, an institution faces increased obligations to notify customers of security breaches related to information maintained by the institution as well as its service providers. Failure to give required notice can result in fines, private rights of action and agency enforcement actions.
