The Legal Risk - What Your Organization Will Suffer

In the event of just one Data Breach:

  • Data Breach Notification Costs
  • Identity Thefts against innocent customers, employees, clients, students, etc.
  • ID Theft Victim Recovery Costs
  • Devastating Public Relations Nightmares
  • Substantial Jury Awards / Civil Liability
  • Fines & Penalties
  • Mandatory Audits Required by Government Agencies
  • Crippling Attorney Fees & Legal Costs
  • Skyrocketing Insurance Premiums
  • Disruption of Daily Business
  • Employee Time to Resolve ID Theft Problems
  • Ruined Customer Relations
 


Breaking News -

American United Mortgage Company = Fined $50,000 by the FTC for unsecured documents in dumpster


DATA BREACH NOTIFICATION COSTS

TJX - Company reports costs already exceed $256 Million
(could climb as high as $1 Billion)

 - As of October 2007, 21 separate lawsuits had been filed against TJX in the U.S. and Canada seeking damages for reissuing compromised cards.


JURY AWARDS / CIVIL LIABILITY

* Connecticut to sue Accenture Ltd. for treating personal identity information “like scrap paper”.

- Bizjournals.com, September 2007


Bell v. Michigan Council - Jury award = $275,000.
Each Plaintiff awarded $21,153.00.

* NOTE - Damages were for mental suffering . . . victims didn't need to show any out-of-pocket costs for recovery.


Equifax - Workplace ID Theft Victim awarded $351,000


Sporn v. Home Depot - Workplace Identity Theft victim awarded $930,000

Ligand Pharmaceuticals - 14 employees sued for negligence. The company had to settle for over $100,000


FINES/PENALTIES

The FTC is starting to impose fines of $2,000 for each identity that is wrongfully accessed:

Choice Point - Fined $15 Million by FTC
 - Fined an additional $500,000 by Vermont and 43 other states


 

Who's at Risk?

  • Businesses and organizations that collect personal identity information are being held accountable not only in the legal courts, but also in the court of public opinion. It is now common to find newspaper and online accounts of multiple privacy data breach cases publicized in a single day.

  • The spectrum of businesses exposed to data breach liability is broad and varied. No entity is immune. Any organization that acquires personal identity information can be a target.

* Such was the case with JP Morgan Chase Bank in New York City: in September 2006 the company was highly praised for being one of three companies taking the lead in fighting the burgeoning area of workplace identity theft.

But then, in early July 2007, the bank was allegedly caught leaving unshredded documents containing PII in garbage bags in the alleys behind five of its branches in the city.

  • Every industry has suffered negative publicity and legal exposure because of privacy data breaches, including:

Major universities; banks and other financial service firms; government agencies; credit reporting agencies; data brokers and clearinghouses; industrial manufacturers; hospitals and other health care providers; software and other high technology companies; entertainment firms; and clothing, fashion and other retailers.


  • The following is a representative sample (but be cautioned - this is just a fraction) of workplace privacy data breach cases that have made the news:

Neiman Marcus - Employee personal data was in a file of computer equipment which was stolen from a third-party consultant. Number of potential victims = 160,000

Wachovia/Bank of America - Nine insiders stole financial records and resold them for profit. Number of potential victims = 676,000

Univ. of Michigan Credit Union - Paper records containing personal identity info of credit union members were stolen from a storage room. Number of potential victims = 5,000

Dai Nippon - A former contract worker of the Japanese printing company stole private data on customers from 43 clients. Number of potential victims = 9 million

General Motors - A dishonest insider took co-employees’ personal identity info to commit identity theft. Number of potential victims = 100

DSW Shoe Warehouse - Employee and customer data compromised from more than 100 individual stores. Number of potential victims = 1,400,000


* Please see our Breach of the Week page


The Laws (and Legislation)

  • As a result of the avalanche of headlines about workplace identity theft, and in view of the millions of potential victims, state and federal lawmakers are passing legislation requiring any organization that collects Personal Identity Information (PII) to meet security standards to physically protect private data, along with specific notification procedures to alert those individuals most vulnerable after a workplace identity theft incident.
  • The laws that are in place (or are going to be in place) not only establish notification and prevention standards, but also impose harsh penalties on any organization that does not safeguard PII.
  • Congress is debating at least three major identity theft bills - reflecting the actions of more than 40 States, which have either enacted or also have pending workplace identity theft legislation.
  • California was the first in the nation to enact California Civil Code §1798.81.5 (the Wiggins Act), which requires businesses to:

“Implement and maintain procedures and practices to protect PII from unauthorized access, destruction, use, modification, or disclosure”.


  • In 2003, California also enacted the nation's first Breach Disclosure Law, and at least 43 other states, as well as Washington, D.C. and Puerto Rico, have passed disclosure laws similar to California's version.
  • And while lawmakers are playing catch‑up on the legislative front, other government agencies, such as the FTC, have already imposed serious fines on companies that have suffered a security breach (Choice Point; TJX).
  • All of these efforts are intended to require that organizations take reasonable measures to reduce the risks of workplace identity theft and communicate a breach to potentially impacted individuals.

LEGISLATION OVERVIEW

FEDERAL / STATE WORKPLACE IDENTITY THEFT BREACH DISCLOSURE LAWS

Federal Jurisdiction

Federal Law - (Pending) - Would model California's landmark Breach Disclosure Law.

The Specter-Leahy, Schumer-Nelson and Feinstein-Kyl bills all include provisions that would require businesses and government agencies to notify consumers across the country when there has been a breach of personal identity information.

-------------------------------------------------------------------------------

State Jurisdiction (a sampling)

Arkansas Law - S.B. 1167 (signed March, 2005) Act 1526

Overview - Defines PII the same as CA but adds medical information to the list. Other breach notification provisions track CA. Data destruction provisions are identical to existing law in CA, but broader than FTC rules. AG enforcement; no express private right of action.

-------------------------------------------------------------------------------

Connecticut Law - S.B. 650 (signed June, 2005) Public Act 05-148

Overview - Defines PII the same as CA, and other breach notification provisions also track CA. Provides for "security freeze" by which consumers may freeze credit report. AG enforcement; no express private right of action.

-------------------------------------------------------------------------------

Delaware Law - H.B. 116 (signed June, 2005)

Overview - Defines PII the same as CA but adds medical information to the list. Other breach notification provisions largely track CA. Provides for treble damages.

-------------------------------------------------------------------------------

Florida Law - H.B. 481 (signed June, 2005)

Overview - Defines PII the same as CA. Other security breach notification provisions track CA. Provides various criminal penalties for unauthorized and fraudulent use of PII (defined more expansively than with respect to security breach notification) without consent. Administrative fines. Government agencies exempt from administrative fines.

-------------------------------------------------------------------------------

Georgia Law - S.B. 230 (signed May, 2005)

Overview - PII defined similarly as in CA but also includes passwords or other info sufficient without a name to get access to PII. Statute only applicable to "information brokers." No penalties specified for noncompliance.

-------------------------------------------------------------------------------

Illinois Law - H.B. 1633 (Signed June, 2005) Public Act 94-36

Overview - PII defined as in CA; other security breach notice law provisions largely track CA. Potentially more broadly applicable than CA; applicable to all "data collectors." Violation constitutes unlawful practice under Consumer Fraud and Deceptive Business Practices.

-------------------------------------------------------------------------------

Indiana Law - S.B. 503 (Signed April, 2005) Act 503

Overview - PII defined similarly to CA. Applicable only to state agencies, but otherwise follows CA model of security breach notification. Provides several restrictions on state's ability to obtain and use SSNs.

-------------------------------------------------------------------------------

Louisiana Law - (Signed July, 2005) Act 499

Overview - PII defined as in CA; other security breach notice provisions track CA.

-------------------------------------------------------------------------------

Maine Law - L.D. 1671 (Signed June, 2005)

Overview - PII definition, and security breach notification provisions, track CA. Enforced by Dept. of Professional and Financial Regulation Office of Consumer Credit Regulation. Allows for civil violation remedies.

-------------------------------------------------------------------------------

Minnesota Law - H.F. 2121 (Signed June, 2005) Chapter 167

Overview - PII definition and the substantive provisions governing notices of security breaches are the same as CA. AG enforcement for remedies.

-------------------------------------------------------------------------------

Montana Law - H.B. 732 (Signed April, 2005) Chapter 518

Overview - PII defined more expansively than CA; other security breach notification provisions track CA. A social security number, in and of itself, constitutes personal information. Prevents businesses from printing more than 5 digits of credit card number or expiration date on electronically generated receipts. Records destruction provisions. State may enjoin violations and impose civil penalties.

-------------------------------------------------------------------------------

Nevada Law - S.B. 347 (Signed June, 2005) Chapter 485

Overview - PII is defined more expansively than CA, also including biometric data, utility account numbers, electronic ID numbers, and certain other forms of ID. Notification provisions track the CA statute. Enhances penalties for crimes involving PII committed against older and vulnerable persons; data destruction requirements; requires reasonable security procedures and practices to be followed by owners and licensees of PII; requires business to encrypt all transmissions other than faxes outside of the secure system of the business.

-------------------------------------------------------------------------------

New York Law - A.B. 4254 (Signed August, 2005)

Overview - PII is defined similarly to, but slightly more inclusively than, CA. PII means "personal information," which is defined as "any information concerning a natural person which, because of name, number, symbol, mark or other identifier, can be used to identify that natural person," plus any one of: SSN; driver's license number or non-driver identification card number; account number, credit or debit card number, plus PIN or other necessary code. AG enforcement; no express private right of action; AG may enjoin activities; AG may sue on behalf of affected parties for actual damages, including consequential damages. For knowing or reckless violations, violators may be subject to fines of the greater of $5,000 or $50 per failed notification (capped at $150,000).

-------------------------------------------------------------------------------

North Dakota Law - S.B. 2251 (Signed April, 2005)

Overview - PII is defined more inclusively than CA. PII means first name, or first initial and last name, plus any one of: SSN; operator's license number assigned by the DOT, state ID card, bank account, credit card, or debit card number, plus PIN or other necessary code; DOB; mother's maiden name; ID number assigned by employer; digitized or other electronic signature. Criminal penalties for ID theft. AG enforcement; no express private right of action.

-------------------------------------------------------------------------------

Rhode Island Law - H.B. 6191 (Passed July, 2005) Chapter 225

Overview - PII is defined similarly to CA, and security breach notification provisions largely track CA. Contains "Shine the Light" provisions that exactly track CA's Shine the Light law. Data destruction provisions. Requires the state Dept. of Motor Vehicles to establish regulations governing the sale of information regarding vehicle registrations and information from driver's license files.

-------------------------------------------------------------------------------

Tennessee Law - H.B. 2170 (Signed June, 2005) Chapter 473

Overview - PII definition same as CA; security breach notification provisions also largely track CA. Data destruction rule. Allows civil remedies, including injunctive relief (state actors exempted from both).

-------------------------------------------------------------------------------

Texas Law - S.B. 122 (Signed June 2005)

Overview - "Sensitive" information defined same as PII in CA; security breach notification provisions include the following: requires that reasonable measures be taken to protect sensitive PII; data destruction provisions; criminal penalties for ID theft (using a more inclusive definition of PII); AG may enjoin activities; civil penalties; provides for equitable relief for ID theft victims, including a declaration that an individual is an ID theft victim. Provides that ID theft is a deceptive trade practice under Texas' consumer protection laws.

-------------------------------------------------------------------------------

Washington Law - S.B. 6043 (Signed May, 2005) Chapter 368

Overview - PII definition same as CA, as are security breach notification provisions. Allows civil actions for damages and injunctive relief.

* * * * * *

Note: Identity theft laws are constantly being debated, added, and revised at all legislative levels across the country. Be sure to fully review and research all applicable laws which may relate to your organization's activities.

 
JMC Privacy Consulting Group
Data Privacy Professionals

Protecting Identities . . .
. . . One Business at a Time




JMC Privacy Consulting Group
3835 R E. Thousand Oaks Boulevard
Suite 119
Westlake Village, California 91362
805-230-2545
info@jmcconsultinggroup.com