By Michael K. Lindsey and John R. Sabatini
Legal Aspects of Data Security
As the daily headlines remind us, weaknesses or outright flaws in corporate computer systems can be exploited by sufficiently sophisticated hackers-whether motivated by animosity, curiosity, ego, or financial benefit. And as demonstrated by the ChoicePoint scandal in 2005, in which a Nigeria-based brother-and-sister team posing as a legitimate business obtained personal and credit information for thousands of individuals, even ostensibly routine business dealings can threaten a company's data security.
ChoicePoint may have become the unfortunate model for the problem of data security, but its sale of private financial information to the fraud ring affected only 100,000 people. That incident was dwarfed by the recent theft of personal information of 26.5 million veterans maintained by the federal Department of Veteran Affairs (VA). A department analyst took home electronic data-including names, Social Security numbers, and dates of birth of veterans and some spouses-and a laptop containing the stored data was stolen when the analyst's home was burglarized. Though ChoicePoint paid the Federal Trade Commission a $15 million civil penalty for its transgressions, the VA's costs to provide just credit-watching services for all of the affected veterans will likely be a significant multiple of that amount.
Federal law concerning data security has been limited so far, but both the Sarbanes-Oxley Act of 2002 (15 U.S.C. §§ 7201 and following) and Securities and Exchange Commission rules promulgated under it address the issue. And California recently blazed a trail by passing new laws specifically designed to establish fundamental data security standards and procedures. To date, 25 other states have followed that lead. In addition, certain traditional legal concepts, including negligence, may be invoked in response to data security breaches.
The Sarbanes-Oxley Act, the much-publicized congressional response to the massive corporate-fraud scandals at Enron and other companies, amended federal securities laws by requiring new financial disclosures by publicly held corporations. The changes were intended to increase the flow of information and rekindle confidence in the marketplace. Contained in the Act is an obligation for corporate management to assess and report on a company's data security policy for financial information.
Specifically, section 404 of the Act obliquely requires publicly held corporations to prepare annual reports that contain "internal control reports," which "state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting" and assess the effectiveness of such controls. (15 U.S.C. § 7262.) Although the meaning of "internal control structure" was initially unclear, subsequent SEC rules define it as a process implemented by company management to provide "reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company's] assets that could have a material effect on the financial statements." (17 C.F.R. § 240.13a-15(f)(3).)
In other words, Sarbanes-Oxley flatly requires corporate management to adopt a data security policy for financial information
and report the policy's effectiveness in annual public filings. Although there are no formal guidelines as to what is adequate in any given case, it is best to err on the side of robust data protection in designing security controls. This is all the more important given the Act's goal of shining a public spotlight on any data-policy shortcomings and the extreme consequences for misstatements by corporate management. Penalties include imprisonment of up to 20 years and a fine of up to $5 million for "willful" misrepresentations.
Aside from Sarbanes-Oxley, federal law is not completely silent on data security. For example, the Fair Credit Reporting Act (15 U.S.C. §§ 1681 and following) limits the purposes for which personal information on consumers can be distributed without consent. The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501 and following) requires website operators to maintain reasonable procedures to protect personal information gathered from children. The Health Insurance Portability and Accountability Act (42 U.S.C. §§ 201 and following) requires applicable entities to adopt reasonable safeguards to protect the privacy of health information. And through regulations adopted by the FTC, the Gramm-Leach-Bliley Act (12 U.S.C. §§ 1811 and following) requires financial institutions to implement reasonable safeguards for personal information on consumers. Although these federal authorities do not dictate general data security standards, compliance is critical for companies subject to the statutes.
Under California's data security laws, which have been widely emulated by other states, businesses that own or license personal information about residents of California must maintain "reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." (Cal. Civ. Code § 1798.81.5(b).) And the law covers personal information of any California resident, not just customer information, not just businesses located within California, and not just information in computerized form.
The information protected by the law is the combination of a person's first name or initial and last name with one or more of the following: Social Security number; driver's license number; account, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or information about an individual's medical history, medical treatment, or diagnosis by a health care professional. (Cal. Civ. Code § 1798.81.5(d)(1).)
The law extends to such information only if the name or data elements are not encrypted or redacted. It does not, however, specify any particular type or level of encryption. In addition, the statute does not apply to information that is lawfully made available to the public from government records.
Unfortunately, the law provides no real guidance on what constitutes "reasonable" security. Apparently, the Legislature left that for courts and standard-setting organizations such as the California Office of Privacy Protection to define. However, an earlier California law requires businesses to destroy consumers' personal information that they no longer intend to retain by shredding, erasing, or making it otherwise unreadable. (Cal. Civ. Code § 1798.81.) Also, businesses that disclose personal information about California residents to their nonaffiliated business partners must contractually require those partners to implement their own reasonable safeguards. (Cal. Civ. Code § 1798.81.5(c).)
In any event, security measures that may be sufficient for some kinds of information and some kinds of businesses may not be sufficient for others. Also, security standards may evolve over time, particularly as technology advances.
California's other innovation was to require that, in the event of a security breach affecting computerized data, a business must notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (Cal. Civ. Code § 1798.82(a).) A security breach is defined as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. As with the law imposing the general security standard, it does not matter whether the breached records are located in California, or even if the affected company has offices in California. The personal information covered by the law is essentially the same as in the other statute, except that medical information is excluded. (Cal. Civ. Code § 1798.82(e).)
The required notification must be made "in the most expedient time possible." And written notice can be sent to a physical address or, if the recipient consented consistent with the federal E-SIGN Act (15 U.S.C. § 7001), via electronic means such as email. (Cal. Civ. Code § 1798.82 (a) and (g).) If the cost of notification would exceed $250,000, the affected class of notice recipients would exceed 500,000 people, or the affected business has insufficient contact information, notice can be provided by substitute notice. Substitute notice requires the affected company to disclose the breach via written notice to known addressees, conspicuous posting on the company's website, and by notice via major statewide media outlets.
Other Legal Principles
In addition to the laws concerning data security, certain traditional legal principles may be applied in the event of information security failures. Examples include breach of contract and negligence, as well as administrative remedies under the Federal Trade Commission Act and state equivalents.
Breach of contract. Contractual obligations to maintain the confidentiality of certain information may provide recourse to parties whose personal information is misappropriated while in the hands of a contracting party. Self-imposed data security obligations may also arise from corporate website privacy policies, which frequently pledge to handle user information securely and confidentially.
Negligence. As with any other action or omission, data security breaches can be the predicate for liability under a classic negligence theory. More specifically, if a company fails to exercise due care despite a reasonably foreseeable harm and commensurate duty to protect personal information, the company may be liable for negligence. In fact, some such civil tort claims have already arisen.
In 2005, for example, a Michigan state appellate court upheld a jury finding of negligence. The plaintiffs were union members, each of whom had been required to submit Social Security numbers and other information to the union. The union's treasurer took the data home, where it was stolen and later misused by the treasurer's daughter. The appellate court affirmed a jury award of $275,000. (Bell v. Mich. Council 25, 2005 Mich. App. LEXIS 353.)
The FTC Act and state equivalents. The FTC and state authorities can initiate enforcement actions concerning data security, provided such actions fall within the scope of the respective authorities. For example, under section 5(a) of the FTC Act, which makes it unlawful for a person to engage in any "unfair or deceptive acts or practices in or affecting commerce," the FTC has taken action against companies that failed to live up to their own privacy policies posted on their websites and other public commitments to data security. Generally, the FTC holds the position that statements about security must be substantiated by evidence that a company has taken adequate steps to prevent security breaches that would be reasonably foreseeable.
Accordingly, in early 2002, the FTC settled charges with Eli Lilly & Co. arising out of the disclosure of personal information collected from consumers who participated in an email reminder service for Prozac. The claim arose because Lilly sent emails to all of its subscribers, which meant the email addresses of all 670 Prozac reminder subscribers could be viewed by all other subscribers as well. The settlement agreement required Lilly to take a variety of steps to enhance its internal standards for privacy protection, and a multistate agreement by state attorneys general mirrored those terms. (In the Matter of Eli Lilly & Co., No. C-4047, settled 7/25/02.)
Suggestions for Data Security
Current legislation provides only minimal pragmatic guidance for data security. In creating data security policies, however, companies should consider the following specific tasks.
Limit the information collected and stored. Collect the minimum amount of information necessary for business purposes and keep such information only as long as necessary.
Limit access to data. Useful security controls include technological elements such as passwords, network firewalls, and tracking systems to limit access and record data manipulation, but physical elements also, such as using secure locations and placing locks or other antitheft devices on computer equipment. In addition, implement policies concerning employees' data access and use-including, for example, rules about taking information home or remotely accessing it by computer.
Encrypt data. Certain types of information should be encrypted when stored or transmitted. A minimum level to comply with California law would be encryption for either the name or data elements of personal information. Ideally, both aspects of such information should be encrypted.
Audit personal information. Regularly audit all stored information, particularly sensitive personal information such as names, addresses, Social Security numbers, financial information, account numbers, and medical information. Such audits should confirm the nature, location, ownership, and extent of protection of such data. Review security plans at least annually.
Centralize and make uniform. Ideally, sensitive information should be stored as centrally as possible so it can be controlled. Such information should be subject to uniform security mechanisms to avoid confusion and errors.
Monitor security. Implement comprehensive security-monitoring programs to discover and remedy security breaches as quickly as possible. In addition, closely monitor employee access to higher-risk personal information.
Develop notification procedures. Develop and document specific notification procedures to use in the event of a security breach. Such procedures should provide appropriate protocols for discovering whether a breach has occurred, and if so, determining the scope of the breach and reporting it to the appropriate persons. This may help avoid the expense and embarrassment of substitute notice.
Respond to breaches. In the event of data security breaches, immediately terminate any unauthorized access and take action to prevent any further loss. Affected individuals should be sent notice as soon as possible, particularly given the California legislation's intent of enabling individuals to mitigate the damage from possible identity theft. Notice letters should describe the incident that occurred, the information jeopardized, and the response to the breach-including any assistance the company will provide to affected individuals.
Review third-party agreements. Review third-party agreements concerning the ownership, licensing, collection, use, outsourcing, processing, storage, maintenance, and transmission of personal information. Pay particular attention to contract provisions dealing with security measures, encryption, disclosures, compliance with applicable law, notices, indemnification, and limitations of liability. Third-party vendors should also be required to adopt appropriate security-monitoring and notification programs.
Michael K. Lindsey (firstname.lastname@example.org) is a partner at the Los Angeles office of Paul Hastings, concentrating on intellectual property, cyberlaw, and trade regulation. John R. Sabatini (email@example.com) is an associate at the firm, focusing on intellectual property, data privacy, and general corporate law.