Title: Data Security Breach Notification Requirements GLBA, FTC, FFIEC, Oh My
- Jonathan D. Jaffe, Esq.
- KL Gates LLP
Data Security Breach Notification Requirements - Gramm-Leach-Bliley Safeguards Rule
- The Gramm-Leach-Bliley Act Safeguards Rule (16 C.F.R. Part 314)
- Applies to financial institutions that maintain non-public customer information.
- Requires financial institutions to develop, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards that are appropriate to the institution's size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue.
- There is no explicit data breach notification requirement in the generally applicable regulations, although one might be inferred (e.g., responding to attacks).
Data Security Breach Laws - Interagency Guidance
- Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
- Issued by the OCC, FRB, FDIC, and OTS under the authority of the Gramm-Leach-Bliley Act.
- Applies only to regulated banking/depository institutions (and their operating subsidiaries).
Data Security Breach Laws - Interagency Guidance (Cont.)
- At a minimum, an institution's response program should contain procedures for:
  - Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused.
  - Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.
Data Security Breach Laws - Interagency Guidance (Cont.)
- "Sensitive customer information" means a customer's name, address, or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.
- Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password, or password and account number.
Data Security Breach Laws - Interagency Guidance (Cont.)
- The response program should also contain procedures for:
  - Consistent with the Agencies' Suspicious Activity Report (SAR) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR, in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing.
  - Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information (for example, by monitoring, freezing, or closing affected accounts), while preserving records and other evidence.
  - Notifying customers if the institution determines that misuse of its information about a customer has occurred or is reasonably possible.
Data Security Breach Laws - Interagency Guidance (Cont.)
- Notice should be clear and conspicuous and should include:
  - A description of the incident
  - The type of information involved
  - Measures taken to protect against further access
  - A telephone number to call for information and assistance
  - A reminder to customers to remain vigilant over the next 12 to 24 months
Data Security Breach Laws - Interagency Guidance (Cont.)
- Notice should be delivered in a manner that ensures the customer can reasonably be expected to receive it:
  - Telephone.
  - Mail.
  - Email, if you have a valid email address and the consumer has agreed to receive communications electronically.
Data Security Breach Laws - FTC Act
- The Federal Trade Commission Act (15 U.S.C. 41-58)
- Prohibits unfair or deceptive trade practices.
- Even if a company is not a financial institution subject to the GLBA, the FTC may bring an enforcement action if it determines that the company's data security practices are unfair.
Data Security Breach Laws - FTC Act (Cont.)
- Case Study: In the Matter of Reed Elsevier Inc. and Seisint, Inc.
- Reed Elsevier Inc. (REI) sells access to Lexis-Nexis databases that contain information regarding millions of consumers and businesses from public and nonpublic sources, including motor vehicle records and consumer identification information from credit reporting agencies. REI charges customers a fee to search for and retrieve information from its databases.
Data Security Breach Laws - FTC Act (Cont.)
- Case Study: In the Matter of Reed Elsevier Inc. and Seisint, Inc.
- The FTC alleged that REI failed to establish or implement reasonable policies and procedures governing the creation and authentication of user credentials for authorized customers accessing the databases. The FTC claimed that this failure was an unfair practice in violation of Section 5(a) of the FTC Act, because it created an unreasonable risk of unauthorized access. REI entered into a consent agreement with the FTC under which it agreed to reform its data security practices and submit to periodic third-party auditing.
Data Security Breach Laws - State Data Security Breach Laws
- State Data Security Breach Notification Statutes.
- Approximately 44 states have enacted a statute requiring a company to notify state residents if the security of certain sensitive customer information is breached.
- While there are many commonalities, there are also many differences.
- A company may be faced with applying the laws of 44 states to a breach that is national in scope.
- You need to look at each state's law and, as to each consumer, the better practice is to apply the law of the state in which the consumer resides.
Data Security Breach Laws - State Data Security Breach Laws (Cont.)
- Most laws apply to "sensitive information."
- What constitutes sensitive information varies by jurisdiction.
- In California, "personal information" is an individual's first name or first initial and last name, in combination with any one or more of (a) Social Security number (SSN), (b) driver's license number (DLN) or California ID number, or (c) account number, credit card number (CCN) or debit card number (DCN) in combination with any required security or access code or password that would permit access to an individual's financial account.
Data Security Breach Laws - State Data Security Breach Laws (Cont.)
- State Data Security Breach Notification Statutes.
- In Nebraska, "personal information" is defined similarly to the above, but also includes an individual's first name or first initial and last name in combination with (a) a unique electronic identification number or routing code, in combination with any required security code, access code or password, or (b) unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation.
Data Security Breach Laws - State Data Security Breach Laws (Cont.)
- Notification requirements also vary by state.
- For example, in New York, the company must not only notify affected consumers, but also state law enforcement agencies.
- See http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm for the list of state data security breach laws published by the National Conference of State Legislatures as of December 2008.
Data Security Breach Laws - State Data Security Breach Laws (Cont.)
- A risk assessment may be necessary to determine whether notification is necessary.
- Some states' statutes apply only if the data was unencrypted, while others (including the federal banking interagency guidance) have no similar limitation.
- Some states require notification whenever data is accessed by an unauthorized person, while others only require notification if the company determines that the data is reasonably likely to be misused (i.e., no notice is required for immaterial breaches).
Data Security Breach Laws - State Data Security Breach Laws (Cont.)
- Some states require loss or injury.
- Some states permit the institution to work with law enforcement agencies before notifying the consumer, while others impose set time limits.
- There may be civil or criminal penalties.
- A number of states have no private right of action.
Data Security Breach Laws - State Data Security Breach Laws (Cont.)
- Missouri is considering a law that would make the state the 45th with a breach notice law and the first to have criminal penalties for a failure to notify individuals of a data security breach involving their personal information.
- Other states are considering new breach liability provisions; e.g., a New Jersey bill would establish retailer liability to banks for breaches of payment card data and also subject every entity covered by the state's existing data breach notification law to liability to banks for breaches of any protected personal information.
- Congress is considering - but has yet to enact - a nationwide law for consumer notification.
Data Security Breach Laws
- THANK YOU
- Jonathan D. Jaffe, Esq.
- KL Gates LLP, 4 Embarcadero Center, Suite 1200, San Francisco, CA 94111
- direct 415.249.1023, fax 415.882.8220
- jonathan.jaffe_at_klgates.com