Data Security Breach Notification Requirements: GLBA, FTC, FFIEC, Oh My
1
Data Security Breach Notification
Requirements: GLBA, FTC, FFIEC, Oh My
  • Jonathan D. Jaffe, Esq.
  • K&L Gates LLP

2
Data Security Breach Notification Requirements -
Gramm-Leach-Bliley Safeguards Rule
  • The Gramm-Leach-Bliley Act Safeguards Rule (16
    C.F.R. Part 314)
  • Applies to financial institutions that maintain
    non-public customer information.
  • Requires financial institutions to develop,
    implement, and maintain a comprehensive
    information security program with administrative,
    technical, and physical safeguards that are
    appropriate to its size and complexity, the
    nature and scope of its activities, and the
    sensitivity of any customer information at issue.
  • There is no explicit data breach notification
    requirement in the generally applicable
    regulations, although one might be inferred
    (e.g., from the duty to respond to attacks).

3
Data Security Breach Laws - Interagency Guidance
  • Interagency Guidance on Response Programs for
    Unauthorized Access to Customer Information and
    Customer Notice.
  • Issued by the OCC, FRB, FDIC, and OTS under the
    authority of the Gramm-Leach-Bliley Act.
  • Applies only to regulated banking/depository
    institutions (and their operating subsidiaries).

4
Data Security Breach Laws - Interagency Guidance
(Cont.)
  • At a minimum, an institution's response program
    should contain procedures for:
  • Assessing the nature and scope of an incident,
    and identifying what customer information systems
    and types of customer information have been
    accessed or misused.
  • Notifying its primary Federal regulator as soon
    as possible when the institution becomes aware of
    an incident involving unauthorized access to or
    use of sensitive customer information.

5
Data Security Breach Laws - Interagency Guidance
(Cont.)
  • Sensitive customer information means a customer's
    name, address, or telephone number, in
    conjunction with the customer's social security
    number, driver's license number, account number,
    credit or debit card number, or a personal
    identification number or password that would
    permit access to the customer's account.
  • Sensitive customer information also includes any
    combination of components of customer information
    that would allow someone to log onto or access
    the customer's account, such as user name and
    password, or password and account number.

6
Data Security Breach Laws - Interagency Guidance
(Cont.)
  • Consistent with the Agencies' Suspicious Activity
    Report (SAR) regulations, notifying appropriate
    law enforcement authorities, in addition to
    filing a timely SAR, in situations involving
    Federal criminal violations requiring immediate
    attention, such as when a reportable violation is
    ongoing.
  • Taking appropriate steps to contain and control
    the incident to prevent further unauthorized
    access to or use of customer information, for
    example, by monitoring, freezing, or closing
    affected accounts, while preserving records and
    other evidence.
  • Notifying customers if the institution determines
    that misuse of its information about a customer
    has occurred or is reasonably possible.

7
Data Security Breach Laws - Interagency Guidance
(Cont.)
  • Notice should be clear and conspicuous and should
    include:
  • Description of the incident
  • Type of information involved
  • Measures taken to protect against further access
  • Telephone number to call for information and
    assistance
  • Reminder to customers to remain vigilant over the
    next 12 to 24 months.

8
Data Security Breach Laws - Interagency Guidance
(Cont.)
  • Notice should be delivered in a manner that
    ensures the customer can reasonably be expected
    to receive it:
  • Telephone.
  • Mail.
  • Email, if you have a valid email address and the
    consumer has agreed to receive communications
    electronically.

9
Data Security Breach Laws - FTC Act
  • The Federal Trade Commission Act (15 U.S.C.
    §§ 41-58).
  • Prohibits unfair or deceptive trade practices.
  • Even if a company is not a financial
    institution subject to the GLBA, the FTC may
    bring an enforcement action if it determines that
    the company's data security practices are unfair.

10
Data Security Breach Laws - FTC Act (Cont.)
  • Case Study: In the Matter of Reed Elsevier Inc.
    and Seisint, Inc.
  • Reed Elsevier Inc. (REI) sells access to
    Lexis-Nexis databases that contain information
    regarding millions of consumers and businesses
    from public and nonpublic sources, including
    motor vehicle records and consumer identification
    information from credit reporting agencies. REI
    charges customers a fee to search for and
    retrieve information from its databases.

11
Data Security Breach Laws - FTC Act (Cont.)
  • Case Study: In the Matter of Reed Elsevier Inc.
    and Seisint, Inc.
  • The FTC alleged that REI failed to establish or
    implement reasonable policies and procedures
    governing the creation and authentication of user
    credentials for authorized customers accessing
    the databases. The FTC claimed that this failure
    was an unfair practice in violation of Section
    5(a) of the FTC Act, because it created an
    unreasonable risk of unauthorized access. REI
    entered into a consent agreement with the FTC
    under which it agreed to reform its data security
    practices and submit to periodic third-party
    auditing.

12
Data Security Breach Laws - State Data Security
Breach Laws
  • State Data Security Breach Notification Statutes.
  • Approximately 44 states have enacted a statute
    requiring a company to notify state residents if
    the security of certain sensitive customer
    information is breached.
  • While there are many commonalities, there are
    also many differences.
  • A company may be faced with applying the laws of
    44 states to a breach that is national in scope.
  • You need to look at each state's law and, as to
    each consumer, the better practice is to apply
    the law of the state in which the consumer
    resides.

13
Data Security Breach Laws - State Data Security
Breach Laws (Cont.)
  • Most laws apply to sensitive information.
  • What constitutes sensitive information varies
    by jurisdiction.
  • In California, personal information is an
    individual's first name or first initial and last
    name, in combination with any one or more of:
    (a) social security number (SSN); (b) driver's
    license number (DLN) or California ID number; or
    (c) account number, credit card number (CCN) or
    debit card number (DCN), in combination with any
    required security or access code or password
    that would permit access to an individual's
    financial account.

14
Data Security Breach Laws - State Data Security
Breach Laws (Cont.)
  • State Data Security Breach Notification Statutes.
  • In Nebraska, personal information is defined
    similarly to the above, but also includes an
    individual's first name or first initial and last
    name in combination with (a) a unique electronic
    identification number or routing code, in
    combination with any required security code,
    access code or password, or (b) unique biometric
    data, such as a fingerprint, voice print, or
    retina or iris image, or other unique physical
    representation.

15
Data Security Breach Laws - State Data Security
Breach Laws (Cont.)
  • Notification requirements also vary by state.
  • For example, in New York, the company must not
    only notify affected consumers, but also state
    law enforcement agencies.
  • See http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
    for the list of state data security breach laws
    published by the National Conference of State
    Legislatures as of December 2008.

16
Data Security Breach Laws - State Data Security
Breach Laws (Cont.)
  • A risk assessment may be necessary to determine
    whether notification is required.
  • Some states' statutes apply only if the data was
    unencrypted, while others (including the federal
    banking interagency guidance) have no such
    limitation.
  • Some states require notification whenever data is
    accessed by an unauthorized person, while others
    only require notification if the company
    determines that the data is reasonably likely to
    be misused (i.e., immaterial breaches need not be
    reported).

17
Data Security Breach Laws - State Data Security
Breach Laws (Cont.)
  • Some states require a showing of loss or injury.
  • Some states permit the institution to work with
    law enforcement agencies before notifying the
    consumer, while others impose set time limits.
  • There may be civil or criminal penalties.
  • A number of states have no private right of
    action.

18
Data Security Breach Laws - State Data Security
Breach Laws (Cont.)
  • Missouri is considering a law that would make the
    state the 45th with a breach notice law and the
    first to have criminal penalties for a failure to
    notify individuals of a data security breach
    involving their personal information.
  • Other states are considering new breach liability
    provisions; e.g., a New Jersey bill would
    establish retailer liability to banks for
    breaches of payment card data and also subject
    every entity covered by the state's existing data
    breach notification law to liability to banks for
    breaches of any protected personal information.
  • Congress is considering - but has yet to enact -
    a nationwide law for consumer notification.

19
Data Security Breach Laws
  • THANK YOU
  • Jonathan D. Jaffe, Esq.
  • K&L Gates LLP
    4 Embarcadero Center, Suite 1200
    San Francisco, CA 94111
    direct 415.249.1023
    fax 415.882.8220
    jonathan.jaffe@klgates.com