Data Security: Corporate Best Practices Alert

Date: Oct 27, 2005

Around the world, one of the fastest-growing crimes is the crime of identity theft. This reality, coupled with major security breaches reported in the U.S. since the beginning of the year, has increased attention to the issue of data security and resulted in adoption of new laws and proposed laws. Beginning with the high-profile ChoicePoint data breach in January, the Privacy Rights Clearinghouse, a public interest group that advocates in favor of consumer privacy rights, has kept a list of breaches and estimates that over 50 million consumer records have been exposed. See http://www.privacyrights.org/ar/ChronDataBreaches.htm. Reasons for data breaches vary, but include hacking, theft (by a trusted insider or incident to stealing computers, laptops, etc.), lost back-up tapes, and compromised passwords or other security failures, among others. With this volume of consumer data at risk, and the attendant potential that consumers, employees or others will be victims of identity theft, 20 U.S. states now have adopted legislation mandating notification of security breaches, modeled on a California law. Bipartisan support for preemptive federal security breach notification law is growing.

A legal obligation to adopt reasonable information security procedures exists in a variety of laws around the world, such as the EU Data Directive (Directive 95/46) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Security also comes into play with respect to transborder data flows and offshoring. Transfers of personal information outside the EU under Directive 95/46 are restricted to countries with "Adequate" (as determined by the European Commission) data protection unless the transfer falls under one of the exceptions of Article 26 of the Directive. U.S. companies may be deemed to have "Adequate" data protection by meeting the requirements of, and voluntarily complying with, the Safe Harbor provisions negotiated between the EU and U.S. (where security is a recognized component), by entering into approved contracts, or, potentially, by adhering to binding corporate rules, a corporate code of conduct or practice. The security element (including practices such as encryption) has been a discussion point with Data Protection Administrators at the national level in the context of contracts governing transborder data flows. The security of personal information is also a concern in Canada.

In addition, a security obligation is included in sectoral U.S. privacy laws as well as state laws. These include, at the federal level, the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLB) governing financial privacy, and the Health Information Portability and Accountability Act (HIPAA). At the state level in the U.S., they include two important California laws: SB 1386, which requires notification of security breaches, and AB 1950, which establishes a general duty of security. Both laws apply to companies "doing business" in California that collect or use information on California residents. Twenty states now have enacted some version of legislation that requires companies to notify citizens in their states about breaches of security affecting their personal data. A significant number allow for a private right of action, which is a feature of the California legislation. Federal bills, most with preemption provisions, are also being considered. S. 1326, a bill sponsored by Senator Jeff Sessions (R-AL), has passed both the Commerce and Judiciary Committees, and a significant bill co-sponsored by Senator Arlen Specter (R-PA) and Senator Pat Leahy (D-VT), as well as other bills, are being considered. House legislation has been introduced as well.

Not only is "security" a recognized component of privacy in U.S. sectoral laws, and increasingly likely to be the topic of federal legislation, it is also accepted as one of the "fair information practice principles" or FIPPS in the U.S. In addition, the security element is implicit in some of the recognized principles of privacy, such as accuracy, limiting use, disclosure and retention, and the like.

Failure to adopt security precautions is leading to new liability exposures for companies, and it is safe to say that there is a developing duty to maintain security in the U.S. even in the absence of an overarching federal security law. Recent Federal Trade Commission (FTC) enforcement action, for example, suggests that the Commission now views failure to maintain the security of consumer data, including credit card data, as an unfair practice under Section 5 of the Federal Trade Commission Act (FTCA). Consequently, a developing general obligation to maintain security exists in the U.S., and federal legislation in this area is increasingly likely this year. While such an obligation exists under other laws, the unique liability landscape in the U.S. suggests that action by state Attorneys General, the FTC and perhaps others to enforce security obligations, as well as private litigation in this area, will increase.

All companies should carefully review their existing security policies or adopt a comprehensive security policy if one is not currently in place. The elements should include:

  • adoption of a security policy;
  • designation of responsible personnel;
  • data mapping;
  • assessment of physical, technical and administrative controls;
  • disaster recovery and back-up;
  • risk assessments/audits;
  • employee training;
  • contractual protections; and
  • procedures to update and review the policy and effectiveness of the security program.

Please contact privacy@khlaw.com for more information or if your company needs assistance in this rapidly evolving area.