Security Breach Notification Laws Resources
Highlights
Security Breach Notification Laws: Views from Chief Security Officers. Samuelson Law, Technology & Public Policy Clinic, University of California-Berkeley School of Law (December 2007)
http://groups.ischool.berkeley.edu/samuelsonclinic/files/cso_study.pdf
This study surveys the literature on changes in the information security world and significantly expands upon it with qualitative data from in-depth discussions with information security officers. The analysis considers the effects of security breach notification laws on enhanced security measures and resulting regulatory and industry pressure, finding in part that, regardless of the risk of identity theft and alleged consumer apathy toward notices, the simple fact of having to notify publicly causes organizations to implement stronger security standards that protect personal information. The study also discusses proposed improvements to existing notification requirements, including (1) establishing a uniform standard for all security breaches; (2) notifying a centralized organization in addition to consumers; (3) clarifying definitions for forms of data storage that are exempt from notification standards and broadening of technology safe harbor provisions; (4) creating a safe harbor period for notifications; and (5) collecting more information on the appropriate notification trigger language.
CIPPIC – Approaches to Security Breach Notification: A White Paper
http://www.cippic.ca/index.php?page=privacy-legislation-and-regulation
This paper advocates for the implementation of security breach notification requirements in Canada’s Personal Information Protection and Electronic Documents Act. It reviews current gaps in Canadian information protection laws and investigations into reform by various Canadian agencies, and explores relevant U.S. state laws requiring notification of security breaches, “where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending.” The paper focuses on several key aspects of U.S. notification requirement legislation, including notification triggers, responsibility for monitoring and notification, notification methods and timelines, and private rights of action. The authors conclude with the legal case for notification requirements and recommendations for a Canadian breach notification law based on U.S. examples. Noting that victims of security breaches face a disincentive towards notification based on a desire to avoid the loss of public confidence, they argue that breach notification is necessary to enable individuals to protect themselves from potential fraud following an incident.
CISCO White Paper – Data Leakage Worldwide: The High Cost of Insider Threats
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.pdf
CISCO conducted a worldwide survey of company employees and IT professionals to evaluate the data security threats posed by employee behavior. The data revealed that IT professionals generally underestimate the serious “insider threats” posed by uninformed, careless, or disgruntled employees. Significant sources of insider data loss included employees failing to log out of company machines, accessing unauthorized websites, leaving passwords in view, losing data storage devices, and stealing company data and/or devices.
Paul Schwartz & Edward Janger, Notification of Data Security Breaches, 105 Mich L. Rev. 913 (2007)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=908709
This paper argues that current regulatory regimes covering data security and breach notification should be reconfigured to provide: (1) greater protection for consumers; (2) a more efficient method of notifying consumers when breaches have occurred; (3) stronger government oversight; and (4) increased communication between breached entities. The authors argue that these goals might best be achieved through the creation of a coordinated response organization, the Coordinated Response Agent (CRA). The CRA would oversee investigations into data security breaches, facilitate communication between data-storing entities and consumers, and supervise a systematic response to data breaches. This paper argues that in the absence of an oversight authority, breached companies often fail to notify consumers whose personal information has been accessed or misused because notification will likely result in lost business opportunities. Additionally, when companies do notify consumers of a data breach, the information is often communicated in a confusing manner. The authors propose that companies lack the internal incentives to rectify these, as well as other, issues. Therefore, an independent regulatory agency might provide greater consumer protection by overseeing breached entities and ensuring that they mitigate potential harm to consumers.
Verizon Data Breach Investigation Report 2008
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
This report summarizes the findings of the Verizon Business RISK Team on the topic of enterprise system breach and data compromise, based on data collected from over 500 forensic engagements between 2004 and 2007. It provides statistical information on topics such as the sources, sizes, demographics, and types of data breach, attack pathways, types of data compromised, and target industries, among others. The report indicates that data compromises are four times as likely to result from external attacks as from internal attacks, and twice as likely to result from external attacks as from attacks coming from business partners. However, it further establishes that the size of data compromises (in terms of records compromised) is significantly greater in internal and partner attacks, making these two forms of attack riskier possibilities for enterprises. The report also contains conclusions and recommendations regarding mitigation efforts, focusing on securing business partner pathways and establishing and enforcing “essential” security standards rather than worrying about maximizing protection. Enterprises are encouraged to monitor event logs, control data, and develop an incident response plan, as these precautions can be enough to dissuade hackers from attacking a system in favor of other “low-hanging fruit.”
Legislation
Security Breach Notification Chart – US Enacted Legislation
This resource offers a compilation of the various security breach notification laws enacted in U.S. jurisdictions. The chart identifies the SBN statutes and effective dates by state and summarizes important features of each, including: parties with notification obligations, legislative definitions of personal data and security breaches, notice requirements, notice timing, and exceptions. As of May 2008, 45 jurisdictions (including the District of Columbia and Puerto Rico) had enacted SBN laws, many relying heavily on California’s original legislation as a model.
State Security Breach Notification White Paper (Vigilant Minds, 2006)
This paper summarizes and analyzes various state security breach notification laws, suggesting preferred approaches to data security legislation and private best practices for compliance across jurisdictions. First, the author uses California’s pioneering SBN statute as a model, discussing its core features and significant variations implemented by other states. For example, California defined personal information as social security, driver’s license, or account number in combination with the owner’s name, but several states significantly expanded this definition to include items like photos, birth dates, or fingerprints. Other significant differences among the states include the definition of encryption, required timeframes for notification, and provisions providing exceptions to notification requirements in certain situations. In general, the author advocates strengthening existing laws by implementing more explicit definitions of key terms and removing subjective exceptions to notification requirements. Furthermore, the author recommends general procedures for covered entities to ensure compliance and improve information security.
International Information Security: A Brief Survey of Global Data Security Regimes
5 Privacy & Security Law Report 914 (BNA 2006)
This survey examines the policies of countries across Europe, Asia, and the Americas that have taken steps to develop comprehensive data security regimes. For each country, the survey outlines the specific areas of data security regulation – from handling of sensitive data to breach notification to anti-hacking laws – on which the regime focuses, and also elaborates on enforcement and penalty structures. The authors note that security breach notification requirements are conspicuously absent from the data security regimes of several major players, but that recent data security reform movements in Canada, Australia, and elsewhere suggest an evolving standard.
Data Security Surveys
L. Ponemon, National Encryption Survey (Dec. 2005)
4 Privacy & Security Law Report 1521 (BNA 2005).
This 2005 national survey of privacy and data security professionals found that respondents have the most confidence in their organization’s security program when it uses encryption as part of an enterprise-wide implementation plan. Encryption is mostly used to protect sensitive or confidential electronic documents when sending them to another system or location. The primary reason for not encrypting sensitive or confidential information is concern about system performance, followed by complexity and cost. The top reasons for encryption are to prevent data breaches, to protect the company’s brand or reputation, to comply with Sarbanes-Oxley, and to avoid having to notify customers or employees after a data breach occurs. The most important types of data that should be encrypted are business confidential documents, records containing intellectual property, sensitive customer information, accounting and financial information, and employee information. Less than 8% of respondents said it was important to encrypt customer and consumer information. The top five types of personal information that respondents say should be encrypted are health information, sexual orientation, Social Security number, family members, and work history; the bottom five types of information are e-mail, home location and telephone, educational background, interests and preferences, and gender.
81 Percent of U.S. Companies Face Loss, Theft of Devices With Private Data
5 Privacy & Security Law Report 1162 (BNA 2006).
A survey of information technology and cybersecurity officials in companies and government agencies found that over a 12-month period, 81% of companies faced the loss or theft of a portable electronic storage device, such as a laptop computer or USB memory stick, that contained sensitive or confidential information. Many respondents said that they would “never” be able to determine with accuracy what information had been compromised, and a high percentage had “never” even conducted an inventory of the confidential and personal information maintained by their organization, such as customer and consumer information, employee records, confidential business records, and intellectual property holdings. The survey emphasized that not all of the incidents of lost or stolen mobile data storage devices amounted to reportable data breaches, because the data on some of the missing devices was encrypted.
Firms Better at Breach Detection Than Prevention; Tech Costs Still a Barrier
5 Privacy & Security Law Report 1223 (BNA 2006).
A nationwide survey of information security professionals found that while a majority of companies report that they could effectively detect data breaches, only about one-third believed that they could effectively prevent them. Respondents also reported that their company is not effective at enforcing compliance with data protection policies and procedures due to a lack of proper leadership structure or assigned resources. The results show that the probability of detecting a breach depends on the size of the breach: the larger the breach, the more likely it will be detected; the smaller the breach, the less likely it will be detected. Respondents also noted a problem with the generation of false positive reports of breaches, and rated the loss or theft of intellectual property as the most serious risk of financial damage and harm to a company’s reputation, ahead of the loss or theft of consumer data. Close monitoring and supervision of workers with access to sensitive or confidential material was cited as a primary means of preventing breaches.
L. Gordon, M. Loeb, W. Luchyshyn, and R. Richardson, 2006 CSI/FBI Computer Crime and Security Survey
http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf
This survey, considered by the authors to be the longest-running continuous survey in the information security field, considers long-term computer security trends including the unauthorized use of computer systems, the number of incidents, the types of attacks or misuse detected, and the actions taken in response to computer intrusions. The survey also addresses emerging security issues related to the economic decisions that organizations make regarding computer security and the management of risk associated with breaches, including the techniques that organizations use to evaluate the performance of their computer security investments, training needs, spending, the impact of outsourcing, the use of audits and external insurance, the role of the 2002 Sarbanes-Oxley Act, and the portion of information technology budgets devoted to computer security.
2006 Australian Computer Crime and Security Survey
This survey, conducted by the Australian High Tech Crime Centre and law enforcement agencies around Australia, explores 2006 trends in electronic attacks, computer crimes, and computer access abuse among a survey population of public and private sector organizations in 17 different industries in Australia. The survey examines annual data on incident rates, types, and points of origin, organizational readiness behaviors, new threats and challenges, and reporting attitudes and behaviors. The data indicate that electronic attacks have fallen by 27% in Australia since 2004, from 49% of respondents to 22% of respondents reporting attacks in the 12-month period. Additionally, attacks are increasingly coming from points of origin outside Australia’s borders. Despite these data, Australian organizations reported a reduction in the use of IT security measures, and a smaller number of organizations reported increasing their IT security budget in 2006. Given the increasing threat, the report argues that now is not the time to be scaling back budgets and security measures.
L. Ponemon, 2005 Benchmark Study of Corporate Privacy Practices
4 Privacy & Security Law Report 980 (BNA 2005).
This Ponemon Institute benchmark study of corporate privacy practices examines how privacy professionals at North American-based organizations are handling privacy and data protection challenges in eight areas: privacy policy, communications and training, privacy management, data security methods, privacy compliance, choice and consent, global standards, and redress. Positive trends include increases in executive focus on IT compliance issues, global IT security awareness, and IT security activity and training. Gap areas identified by the study focus on a lack of improvement in privacy monitoring programs and privacy redress mechanisms for consumers.
Many Customers Sever Ties With Businesses After Breach Notice
4 Privacy & Security Law Report 1214 (BNA 2005).
A survey by the Ponemon Institute indicates that some 19 percent of consumers sever ties with a business or other organization after they receive notice of a data security breach and 40 percent say they consider discontinuing their relationship. Only 8 percent of the over 9,000 respondents said that the organization reporting a breach was “not to blame”. The survey also claims that customers are frustrated by unclear and ineffective communication of privacy breach notices. 41% of survey respondents reported a desire to receive all the facts surrounding a security breach, and respondents overwhelmingly indicated a desire to be notified of all breaches, regardless of the type of information compromised or the nature of the breach. These desires are not currently reflected in state or federal legislation, which contains broad exemptions for required breach notification.
U.K. Firms Cite Fewer Laptop Breaches than U.S. Counterparts
5 Privacy & Security Law Report 1500 (BNA 2006).
A Ponemon Institute report indicates that, in a 12-month span, 57% of surveyed U.K. companies had experienced a loss or theft of a portable electronic storage device (laptop, PDA, etc.) containing sensitive or confidential information, compared with 81% of surveyed U.S. companies. The report indicated that data breach reporting requirements in the U.S. may have been a substantial factor in the disparity, and that many businesses would never be able to determine what data were lost due to insufficient data inventory processes. Additionally, U.S. and U.K. companies differed in their views of which types of lost data presented the greatest risk. U.K. companies indicated that employee and customer data were most valuable, while U.S. companies were most concerned with intellectual property and business data.
Comply on the Fly – Keeping Pace With the Challenges of Mobile Data Management
This report, underwritten by the Business Performance Management Forum, focuses on the current state of mobile business information security. The report notes a significant lack of management action regarding the development of mobile-device related security systems and policies among companies of varying sizes. Qualitative interviews with senior executives and quantitative survey data were analyzed across a number of topics, from mobile device usage to mobile IT spending and compliance. The report spends some time focusing on the disconnect between IT management, as drivers of mobile security policy and implementation, and senior executives who may control decision making but lack the technical expertise to accurately assess the issues. Addenda include a case study on the InfoExpress CyberGatekeeper technology, an excerpt from “Work Goes Mobile: Nokia’s Lessons from the Leading Edge” on mobile device selection, and a white paper on mobile security and compliance developments by Sybase, Inc.
CISCO White Paper – Data Leakage Worldwide: The High Cost of Insider Threats
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.pdf
CISCO conducted a worldwide survey of company employees and IT professionals to evaluate the data security threats posed by employee behavior. The data revealed that IT professionals generally underestimate the serious “insider threats” posed by uninformed, careless, or disgruntled employees. Significant sources of insider data loss included employees failing to log out of company machines, accessing unauthorized websites, leaving passwords in view, losing data storage devices, and stealing company data and/or devices.
CISCO Presentation – The Challenge of Data Leakage for Businesses and Employees Around the World
In summer 2008, CISCO commissioned an international survey of corporate employees and IT officials to assess (1) the actual risks posed by employees’ use of company-issued technology devices and (2) the perception of such risks by both the employees and IT officials. The survey found significant overlap between professional and personal activities performed on company computers. For example, 78% of employees reported using work computers to send and receive personal email, with significant numbers also using their work machines for personal tasks like online banking, shopping, and file sharing. Accordingly, most IT officials believed their employees were using non-approved programs and applications on company machines, although most believed such employee behavior to be relatively inconsequential, estimating that such activities were responsible for less than a quarter of data loss incidents at their respective companies. Furthermore, approximately 40% of employees allowed others to use their company-issued computers, and 20% reported sharing sensitive company information with family or friends. The report emphasizes that both behavior and technology contribute to data security and that IT departments should focus as heavily on developing employee relations and employee education as they do on technology plans.
National Survey on the Detection and Prevention of Data Breaches – August 2006
A national survey on the experience of information security professionals in detecting and preventing the leakage of sensitive or confidential information to unauthorized parties outside of an organization focused on four issues: (1) how information security practitioners respond to data breaches; (2) the technologies, practices, and procedures that are employed by organizations to detect and prevent data breaches; (3) the issues, challenges, and possible impediments to effectively detecting and preventing data breaches; and (4) how organizations attempt to enforce compliance with their data protection policies. The author concludes that while many such professionals are confident about their ability to detect the occurrence of a large data breach, they are less than confident about their ability to prevent one. Technology is used by a majority of organizations to prevent a breach, but a significant percentage of respondents believe it is too expensive. Some (16%) believe it could never happen to them, and another 16% believe manual procedures are sufficient.
What Marketing Professionals Think About The Value of Privacy to Customers – September 2006
A survey of marketing professionals in US-based organizations probed the attitudes of those marketers toward privacy, the management of privacy permissions as part of marketing campaigns, privacy-related marketing practices, and cooperation between marketing and privacy personnel within the corporate environment. According to the author, the survey results indicate that companies do not understand the strategic significance of privacy within the context of a successful, profitable marketing campaign: in spite of growing evidence showing that privacy is important to marketing, and in spite of associations between consumer privacy and brand trust, the data show that privacy is still regarded as an inconvenience to the marketing community rather than an opportunity to build strong, long-lasting relationships.
Higher Education IT Security Report Card 2006 (CDW-G)
CDW Government (CDW-G) conducted this survey in an attempt to better understand the extent to which security breaches occur on university and college campuses, the attitudes regarding security breaches on these campuses, and the challenges and barriers preventing better information security programs on campuses. CDW-G found that 58% of higher education institutions experienced at least one data breach in 2006. The study also found that a majority of IT directors and managers at these institutions believe that although their network infrastructures are moderately safe, they need improvement. IT directors and managers cite “lack of funding” and “too few staff resources” as the primary difficulties preventing the improvement of IT security on campuses. CDW-G also states that a lack of student and faculty awareness of IT security policies contributes to the possibility of security breaches. CDW-G suggests that IT departments quantify the financial effect a data breach would have and present this information to their administration in an attempt to receive additional funding. IT departments should use a portion of any increased funding to organize mandatory security training and awareness programs for students and faculty. IT departments should also invest in technologies to assist their staff in preventing data breaches.
What Do Data Breaches Cost Companies? Beyond Dollars, Customers Are Lost
4 Privacy & Security Law Report 1310 (BNA 2005).
This study attempts to quantify the direct and indirect pecuniary effects of a data breach that requires consumer notification. The Ponemon Institute’s survey analyzed expenditures associated with a data breach such as: detection of the breach; notification that the breach occurred; and activities to mitigate harm to consumers whose private information has been accessed or misused. The survey also addresses indirect costs associated with data breaches, including existing client turnover and diminished new client acquisition. The data indicate that indirect costs, or lost business opportunities, constitute the costliest breach-related expenditures. Furthermore, detection and notification of the breach are the least costly breach-related expenses. Therefore, indirect costs should be carefully calculated when a company is determining the extent to which it will invest in measures to prevent data breaches.
Survey Finds Breach Costs on the Rise; Productivity, Customer Turnover Affected
5 Privacy & Security Law Report 1500 (BNA 2006).
According to a survey report by the Ponemon Institute, 2006 saw an increase in the average cost to companies of data breach incidents. The report noted that an increase in state laws requiring consumer notification of breaches to their personal information contributed to the rise in average cost per lost record, which was $182 in 2006—thirty percent higher than 2005. The survey also found that: (1) external partners were responsible for data lost in around thirty percent of the reported breaches; (2) over ninety percent of the reported incidents involved breaches to electronic data; (3) thirty-five percent of the breaches resulted from lost or stolen laptop computers; and (4) only ten percent of the breached entities maintained “privacy or compliance officers” to lead breach recovery efforts.
Fear of Bad Publicity Stems Reporting of Cyber Losses
5 Privacy & Security Law Report 1126 (BNA 2006).
A 2006 survey conducted by the Computer Security Institute (CSI) and the FBI found a decrease from 2005 in the willingness of organizations to report computer security breaches to law enforcement officials. According to this report, fear of negative publicity was the principal factor contributing to the withholding of information regarding security breaches. However, the survey did conclude that there appeared to be a real decline in the number of breaches occurring. Survey respondents indicated that compliance with the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, in addition to other laws regarding information security, are primary focuses for their organizations’ IT departments and have had a substantial impact on their organizations’ computer security measures.
Federal Trade Commission – 2006 Identity Theft Survey Report
http://ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf
In 2006, the Federal Trade Commission (FTC) sponsored an ID theft survey of adults in the U.S. and found, in addition to other data, the following: around 8.3 million people discovered that they had become ID theft victims in 2005; nearly forty percent of those victims discovered the theft within one week of its occurrence; more than seventy-five percent of victims did not personally know the ID thief; almost forty percent of the victims became aware of the ID theft through monitoring credit and other account activity; less than thirty percent of the victims reported the ID theft to law enforcement agencies; only nine percent of the victims had received notification that their personal information had been unlawfully accessed or stolen; and only half of those who received notification proactively took measures to mitigate damages that might result from the ID theft.
Benchmark Study of European and U.S. Corporate Privacy Practices
A 2006 report conducted by the Ponemon Institute concluded that with regard to information security, U.S. companies are not lagging behind their European counterparts. Generally, European and U.S. firms address privacy issues differently—European firms appear to focus on the need to create a “culture of responsible information use,” and U.S. firms seem to focus on the need to establish more robust technical and administrative protection measures. U.S. entities appear to confront privacy and security issues with “technical, administrative and physical control systems,” which attempt to restrict unauthorized access to personal information, quickly detect when breaches occur, and provide downstream notification to individuals whose personal information has been compromised. European companies “are more concerned about organizational culture.” For many European firms, the principal concern is to ensure that storage and transfers of personal information are tightly confined to limited “permissible purposes.” European organizations tend to focus less on technical protection measures that monitor and mitigate damages from data breaches than U.S. organizations because, generally, they are not as likely to participate in “gratuitous secondary data use and data sharing.”
Data on Security Breach and Identity Theft
S. Romanosky, R. Telang, and A. Acquisti, Do Data Breach Disclosure Laws Reduce Identity Theft?
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1268926
This paper summarizes the debates surrounding security breach notification laws and evaluates their impact on the latest FTC data on identity theft. The authors’ analysis reveals a modest but statistically significant effect of security breach disclosure laws in reducing identity theft rates by approximately 2%. The authors conclude that the effectiveness of SBN legislation is contingent on improved security practices by both firms and consumers.
Cybercrime Against Businesses, 2005 – Bureau of Justice Statistics Special Report
A DOJ cybercrime survey of over eight thousand U.S. businesses indicated that computer viruses were the most common form of cybercrime and that 86% of victimized businesses detected multiple incidents, among other findings. 91% of respondents who were victims of cybercrime experienced losses, and 74% of cyber theft incidents involved insiders. However, most businesses did not report cyber attacks to law enforcement authorities, instead reporting incidents internally or to other IT organizations. The report further identified insufficient anti-virus software as the most prevalent vulnerability, and found that businesses that outsourced all or part of their computer security had a greater prevalence of incidents.
Verizon Data Breach Investigation Report 2008
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
This report summarizes the findings of the Verizon Business RISK Team on the topic of enterprise system breach and data compromise, based on data collected from over 500 forensic engagements between 2004 and 2007. It provides statistical information on topics such as the sources, sizes, demographics, and types of data breach, attack pathways, types of data compromised, and target industries, among others. The report indicates that data compromises are four times as likely to result from external attacks as from internal attacks, and twice as likely to result from external attacks as from attacks coming from business partners. However, it further establishes that the size of data compromises (in terms of records compromised) is significantly greater in internal and partner attacks, making these two forms of attack riskier possibilities for enterprises. The report also contains conclusions and recommendations regarding mitigation efforts, focusing on securing business partner pathways and establishing and enforcing “essential” security standards rather than worrying about maximizing protection. Enterprises are encouraged to monitor event logs, control data, and develop an incident response plan, as these precautions can be enough to dissuade hackers from attacking a system in favor of other “low-hanging fruit.”
FTC ID Theft Clearinghouse Yearly Complaint Data
http://www.ftc.gov/bcp/edu/microsites/idtheft/reference-desk/national-data.html
The FTC has compiled a yearly report of identity theft complaints since 2000, and it makes each available through its website. In 2007, the FTC logged over 800,000 complaints for consumer fraud and identity theft with a total cost to consumers exceeding $1.2 billion. Credit card fraud led identity theft complaints at 23% of the total, followed by utilities fraud (18%), employment fraud (14%), bank fraud (13%), government documents fraud (11%), and loan fraud (5%). The 2007 average and median costs per fraud victim were $2507 and $349, respectively. The reports also provide analogous state-by-state data on fraud and identity theft complaints.
Government Reform Committee – Staff Report on Agency Data Breaches
In 2006, the Government Reform Committee requested that government agencies submit information regarding security breaches resulting in lost or compromised personal information. The responses demonstrated that: (1) since January 2003, one or more security breaches have occurred in at least nineteen government departments or agencies; (2) government agencies appear to be neither monitoring for security breaches nor tracking lost personal information, and therefore are not certain what information has been breached or how many individuals have been affected; (3) most data breaches resulted from lost or stolen computer equipment; and (4) contractors were responsible for many of the security breaches. The Government Reform Committee releases an annual scorecard for information security. In 2006, the federal government received an overall score of D+.
Policy Discussions
The New York State Consumer Protection Board’s Business Privacy Guide: How to Handle Personal Identifiable Information and Limit the Prospects of Identity Theft
This guide advocates good information security practices as a core value for businesses looking to retain customers and avoid liability. The guide divides effective information security practices into four basic principles:
1. Identify – Businesses should comprehensively examine all facets of their collection and use of data and understand their jurisdictions’ relevant information security laws.
2. Secure – Businesses should adopt proper administrative, physical, and technological protection measures to secure sensitive data.
3. Educate – Clients and staff members should be fully informed of the business’s information security policies and know how to implement effective data protection measures.
4. Plan – Businesses should devise a strategy to implement in the event of a security breach.
Debix, Inc. – Data Breach Incident Response Workbook (2008)
This workbook is intended to provide general guidance and assistance in developing security standards that are appropriate for individual businesses. Such measures vary depending on factors including the size and complexity of the business, the industry, and sensitivity of data. The workbook is designed to address issues related to fraud prevention and avoiding losses to institutions and consumers by presenting an outline and recommendations for planning a response to a compromise of data such as personally identifiable information. The workbook dissects the anatomy of a data breach and how to prepare for it by building a strong internal response team, provides checklists and sample forms and model letters for business use, and considers the complexities of notifying customers and affected businesses.
CIPPIC – Approaches to Security Breach Notification: A White Paper
http://www.cippic.ca/index.php?page=privacy-legislation-and-regulation
This paper advocates for the implementation of security breach notification requirements in Canada’s Personal Information Protection and Electronic Documents Act. It reviews current gaps in Canadian information protection laws and investigations into reform by various Canadian agencies, and explores relevant U.S. state laws requiring notification of security breaches, “where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending.” The paper focuses on several key aspects of U.S. notification requirement legislation, including notification triggers, responsibility for monitoring and notification, notification methods and timelines, and private rights of action. The authors conclude with the legal case for notification requirements and recommendations for a Canadian breach notification law based on U.S. examples. Noting that victims of security breaches face a disincentive towards notification based on a desire to avoid the loss of public confidence, they argue that breach notification is necessary to enable individuals to protect themselves from potential fraud following an incident.
Paul Schwartz & Edward Janger, Notification of Data Security Breaches, 105 Mich L. Rev. 913 (2007)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=908709
This paper argues that current regulatory regimes covering data security and breach notification should be reconfigured to provide: (1) greater protection for consumers; (2) a more efficient method of notifying consumers when breaches have occurred; (3) stronger government oversight; and (4) increased communication between breached entities. The authors argue that these goals might best be achieved through the creation of a coordinated response organization, the Coordinated Response Agent (CRA). The CRA would oversee investigations into data security breaches, facilitate communication between data-storing entities and consumers, and supervise a systematic response to data breaches. This paper argues that in the absence of an oversight authority, breached companies often fail to notify consumers whose personal information has been accessed or misused because notification will likely result in lost business opportunities. Additionally, when companies do notify consumers of a data breach, the information is often communicated in a confusing manner. The authors propose that companies lack the internal incentives to rectify these, as well as other, issues. Therefore, an independent regulatory agency might provide greater consumer protection by overseeing breached entities and ensuring that they mitigate potential harm to consumers.
S. Bennett, Data Security Breaches: Problems and Solutions – November 2006
5 Privacy & Security Law Report 1619 (BNA 2006).
This article provides a list of potential actions that institutions may wish to consider in order to minimize the risk of data security breaches and the consequences of breaches when they occur.
The author suggests that companies should proactively identify the weak spots in their existing systems and set out effective preventive measures. The article discusses risk assessment, risk evaluation, and the implementation of technical solutions; the establishment of comprehensive, detailed data security policies; the creation of a security-conscious workforce through training and periodic reminders; and investment in new data security technologies to stay ahead of ever-evolving security threats. The author also discusses what companies should do after a breach has occurred, particularly with respect to their legal duties of notification to affected persons.
Security Breach Notification Laws: Views from Chief Security Officers. Samuelson Law, Technology & Public Policy Clinic, University of California-Berkeley School of Law (December 2007)
http://groups.ischool.berkeley.edu/samuelsonclinic/files/cso_study.pdf
This study surveys the literature on changes in the information security world and significantly expands upon it with qualitative data from in-depth discussions with information security officers. The analysis considers the effects of security breach notification laws on enhanced security measures and resulting regulatory and industry pressure, finding in part that, regardless of the risk of identity theft and alleged consumer apathy toward notices, the simple fact of having to notify publicly causes organizations to implement stronger security standards that protect personal information. The study also discusses proposed improvements to existing notification requirements, including (1) establishing a uniform standard for all security breaches; (2) notifying a centralized organization in addition to consumers; (3) clarifying definitions for forms of data storage that are exempt from notification standards and broadening of technology safe harbor provisions; (4) creating a safe harbor period for notifications; and (5) collecting more information on the appropriate notification trigger language.
“Security Breach Notification Laws: What Threats Do They Pose for Insurers?”
This paper addresses the effect that new security breach notification laws might have on insurance companies. Although most of these laws are modeled after California’s 2002 security breach notification (SBN) law, many states are including alterations that could have significant negative effects on the insurance industry. The paper urges insurers to closely monitor the ways in which various states are approaching the following issues in their breach notification laws: (1) personal information—expanding the definition of “personal information” could cause interstate compliance problems for insurers; (2) notice triggers—heightened notice, or disclosure, triggers should be avoided; (3) further notice requirements—the threshold for triggering the requirement for companies to notify consumer-reporting agencies of data breaches should be set as high as possible; (4) notice exemptions—exemption language should be included in breach notification laws to allow companies to implement their own breach notification and disclosure procedures; and (5) penalties—new laws should not include a private cause of action for notification law violations.
Notable Caselaw
Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007)
In this case, which concerns state regulation of privacy and security in computer and internet law, customers sought compensation for the credit monitoring services they obtained after a third-party hacker gained access to their bank’s website and compromised their confidential personal information. The Seventh Circuit affirmed the district court’s dismissal of the action against the database owner for this data exposure injury because the damages sought were not compensable as a matter of Indiana law. The provisions of Ind. Code § 24-4.9 et seq. – applicable to private entities storing personal information – require only that a database owner disclose a security breach to potentially affected consumers; they do not require the database owner to take any other affirmative act in the wake of a breach. This duty to disclose is the only affirmative duty imposed by the statute, which creates no private right of action against the database owner by an affected customer and imposes no duty to compensate affected individuals for inconvenience or potential harm to credit, such as identity theft, that may follow.
Preferred Nat’l Ins. Co. v. Docusearch, Inc., 829 A.2d 1068 (N.H. 2003)
The underlying claim by an administratrix alleged that the insured – a private investigation company – negligently disseminated information by providing the decedent’s social security number and place of employment to another person, who allegedly used the information in connection with his murder of the decedent. The disputed insurance policy provided commercial general liability coverage, but contained endorsements limiting damages for assault and battery. The state supreme court held that, although the trial court properly granted summary judgment for the insurance company as to the negligence claim, the trial court erred when it did not specifically address the invasion of privacy or the consumer protection claims and accordingly reversed and remanded for further proceedings on those issues.
Conboy v. AT&T, 241 F.3d 242 (2d Cir. 2001)
This case arose out of a claim that AT&T disseminated proprietary information about its customers to an affiliated credit card company, UCS, and other unidentified companies in order to help them collect credit card debt. AT&T provided UCS with the plaintiffs’ unlisted phone number, which UCS used to repeatedly call the plaintiffs regarding their daughter-in-law’s credit card debt. The plaintiffs never authorized the release of this information to UCS or to anyone else, and even paid a monthly fee for “non-published service,” intended to prevent the release of their name, address, and telephone number to any directory or to anyone who directed inquiries to directory assistance. Among other claims, the plaintiffs sought monetary and injunctive relief under sections 51.217(c) and 64.1201(c)(2) of CFR Title 47, which restrict telecommunications carriers from distributing information other than the name and billing address of customers who wish to remain unlisted. The court held that the plaintiffs did not have a private right of action under either section. The Telecommunications Act provides for the enforcement of an FCC “order” preventing conduct by common telecommunications carriers, but does not give the court the power to award monetary damages or equitable remedies directly.
Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008)
This case concerns a class-action claim against Gap, Inc., arising out of the theft of two laptops from a third party contracted by Gap for recruiting purposes. The laptops contained the unencrypted personal information, including social security numbers, of approximately 800,000 Gap job applicants. In response to these thefts, Gap notified the applicants whose personal information was on the computers and offered to provide these applicants, including the plaintiff, with twelve months of credit monitoring and fraud assistance without charge, as well as $50,000 of identity theft insurance. Ruling on Gap’s motion for summary judgment on Ruiz’s claims of negligence, bailment, violation of the California Business and Professions Code, and violation of the California constitutional right to privacy, the court granted the motion in part and denied it in part. The court’s decision addressed several aspects of breach of privacy law, including the private right of action in security breach claims and claims based on an enhanced risk of identity theft absent evidence of property loss or proof that identity theft has actually occurred.
Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006)
In Forbes v. Wells Fargo Bank, the court granted Wells Fargo’s motion for summary judgment because the plaintiffs failed to demonstrate that they suffered damages as a result of their personal information being stolen from the defendant’s possession. The court held that “the threat of future harm, not yet realized, will not satisfy the damage requirement” of a negligence claim under Minnesota law. The court noted that the plaintiffs’ personal information was stolen but not misused; the possibility of future misuse was not sufficient to sustain their claim. Additionally, in dicta, the court noted that identity theft does not occur until one uses “the identity information of another to commit, aid or abet any unlawful activity.” Therefore, merely stealing a computer that contains the personal information of another cannot constitute identity theft under Minnesota law until the thief demonstrates an intent to misuse the personal information contained on the stolen computer.
Cooper v. Federal Aviation Administration, No. C-07-1383 (N.D. Cal., Aug. 28, 2008)
http://online.wsj.com/public/resources/documents/cooper.pdf
In Cooper v. FAA, a district court in the Northern District of California granted the defendants’ motion for summary judgment because the plaintiff failed to demonstrate that he had suffered actual damages, which is necessary to state a claim brought pursuant to the Privacy Act. The court explained that there is a circuit split with regard to whether the Privacy Act allows recovery only for proven pecuniary harm or whether the Act also permits recompense for “generalized mental injuries, loss of reputation, embarrassment or other non-quantifiable injuries.” For example, the Eleventh Circuit has held that a plaintiff must show economic losses, whereas the Fifth Circuit has held that proven mental injuries satisfy the requirement that the plaintiff suffer actual damages. The court stated that although the Ninth Circuit has not interpreted the Privacy Act’s actual damages requirement, the Ninth Circuit has held, with regard to actions against the government pursuant to other federal laws, that plaintiffs cannot demonstrate actual damages without evidence of economic loss. However, the court did note that the plaintiff presented facts sufficient to demonstrate that various government agencies illegally disclosed and shared his personal information, and that the disclosures appeared to be intentional or willful. Therefore, should the plaintiff appeal this decision, the court encouraged him to demonstrate that he has suffered actual pecuniary damages.