SECURITY BREACH NOTIFICATION: The Full Risk Perspective



From PLI’s Course Handbook

Tenth Annual Institute on Privacy and Data Security Law

#19129


The realities of security breach notification

Jody R. Westby

Global Cyber Risk LLC

► The LEGAL landscape

The privacy tsunami -- created by ChoicePoint’s admission in 2005 that it had inadvertently sold personal data on 145,000 individuals to a criminal ring posing as a small business -- continues. At the present time, forty-four states plus the District of Columbia, Puerto Rico, the Virgin Islands, and one municipality (New York City) have enacted security breach notification laws. Variances in state security breach notification laws – and the continuing enactment of new laws – have created a complicated and costly patchwork of compliance requirements for businesses.

On the federal level, numerous bills have languished in Congress since 2005 as industry and consumer groups battled over risk triggers for notification, leaving businesses without the certainty they seek regarding how to handle security breaches. As a result, federal breach requirements are showing up piecemeal in various pieces of legislation. The first breach notification requirement for federal agencies and government contractors was included in the Veterans Affairs Information Security Act[1] (“VA Act”). In addition to notification, the VA Act also requires the VA to provide credit protection services in accordance with regulations issued by the Secretary of Veterans Affairs.[2] The regulations also address notification, data mining, fraud alerts, data breach analysis, credit monitoring, and identity theft insurance.[3] The second federal requirement for notification was in the recently enacted (February 17, 2009) HITECH Act provisions in the economic stimulus bill.[4] The HITECH Act provisions apply to covered entities under the Health Insurance Portability and Accountability Act and require notification in the event of a breach of protected health information (PHI). The HITECH Act also requires business associates, vendors, and certain third-party service providers of covered entities to notify covered entities and/or individuals in the event of a breach.[5]

In addition to statutory requirements, the Office of Management and Budget (“OMB”) issued a Memorandum in 2007 that directs all government agencies and departments to develop and implement a breach notification policy.[6] The likely risk of harm and the level of impact of the breach determine when, what, how, and to whom notification should be given. Factors to be considered in assessing the likely risk of harm include the nature of the data elements breached, the likelihood the information is accessible and usable, the likelihood the breach may lead to harm, and the ability of the agency to mitigate the risk of harm. Breaches subject to notification include paper and electronic data. Agencies are given leeway to implement more stringent measures than those set forth in the Memorandum. Notification can be provided commensurate with the number of people affected and the urgency with which they need to receive notice. The OMB Memorandum also sets forth security requirements, such as the use of encryption and the deployment of two-factor authentication to control remote access to systems containing PII.[7]

The financial regulatory authorities also issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“Interagency Guidance”), which is deemed to be mandatory.[8] The Interagency Guidance serves as the regulatory agencies’ compliance guidance on (a) Section 501(b) of the GLBA, and (b) their previously issued Interagency Guidelines Establishing Information Security Standards (Security Guidelines).[9] The Guidance on Response Programs explains that the regulatory authorities expect a financial institution’s information security program, required under the Security Guidelines, to include a response program. The Guidance applies to “customer information” that is “nonpublic personal information” maintained by or on behalf of a financial institution.

The European Union (“EU”)[10] and several foreign countries, such as Canada,[11] Britain,[12] Australia, and New Zealand[13] are also considering or being urged to consider laws governing security breach notification and identity theft. Unlike the U.S. approach, the European Commission Directive has proposed that only communications providers be required to notify customers and regulators of breaches to personal data. At present, the Directive on privacy and electronic communications only requires providers to notify customers of security risks, not security breaches.[14] The Commission’s proposal requires providers to notify the National Regulatory Agency of security breaches that result in the loss of personal data and/or that may cause an interruption in service. They also must notify the customer of breaches that result in the loss, modification or destruction of, or unauthorized access to the customer’s personal data.

EU Member States also have been active in this area. Authorities in the U.K., for example, have taken a tough stance against financial security breaches. Although there was no notification requirement, financial regulators fined a British financial institution $1.9 million for its failure to adequately respond to the theft of a laptop containing sensitive customer data. Authorities explained that they intended to send a message to industry that they should take these kinds of security breaches very seriously.[15]

As breaches continue to rise, privacy organizations and consumer groups have become more organized and vocal about PII disclosures, making security breach stories a favorite of the media. Compilations of data on breaches have increased the awareness of both the public and legislators to the risks of identity theft. For example, the Privacy Rights Clearinghouse has maintained a chronology of breaches since ChoicePoint on their Web site which lists breaches that exposed individuals to identity theft and qualified for disclosure under state notification laws. To date, nearly 256 million records containing PII have been breached.

All of these factors have converged to create a complicated scenario for corporations. The array of legal, operational, technical, and policy issues surrounding security breach notification have significantly increased risks to companies who have security breaches. From the technological side, solutions must be deployed to encrypt data, detect breaches, track online activities, and control access. Management policies define the culture of an organization and are an essential element in mitigating damages to reputation and financial loss. Operational controls and processes determine the course of action an organization takes in the heat of the moment when a breach occurs. This paper will analyze each of these areas and provide information, analysis, and insights into managing the risks accompanying security breaches and meeting notification requirements.

► The LEGAL & REGULATORY Perspective

The legal/regulatory framework is driving the security breach issue and forcing technical, operational, and policy changes that are impacting cyber security programs. Although California enacted the first security breach notification law and has been a leader in privacy nationally, the other 43 states that have enacted notification laws did not enact mirror images of California’s law. Therefore, these state statutes have become a maze of state credit freeze, identity theft, and security breach notification laws with varying requirements.

What Data Is Covered By Breach Laws?

The information that can trigger a state breach notification requirement – usually generically referred to as personally identifiable information (“PII”) – can vary. Usually, it involves a person’s first and last name (or the first initial and last name) plus

• A Social Security number; or

• A driver’s license or state identification number; or

• A financial account number, credit card number, or debit card number (some states also require the PIN or access code to have been breached if it is needed to access the account).

• California has extended its breach notification requirements to unauthorized acquisition or use of medical or health insurance information.

In the area of PII, however, it is always prudent to consider public expectations with respect to the privacy of personal data. Following the letter of the law may not be enough if customers expect more than the law allows. These public expectations have been shaped, in part, by the definition of PII developed by the European Union, the U.S. Federal Trade Commission, financial regulators, and professional organizations, and these may reach well beyond the notification threshold of state laws.

At the outset, it is important to understand that PII is not clearly defined or universally agreed upon. The Federal Trade Commission, for example, has defined personal information as:

[I]nformation from or about an individual including, but not limited to: (a) first and last name; (b) home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name that reveals an individual’s email address; (d) a telephone number; (e) a Social Security Number; (f) a persistent identifier, such as a customer number held in a “cookie” or a processor serial number, that is combined with other available data that identifies an individual; or (g) any information that is combined with any of (a) through (f) above.[16]

Within the context of the U.S. Safe Harbor Privacy Principles, PII is defined as “[D]ata about an identified or identifiable individual that are within the scope of the [Directive 95/46/EC of the European Parliament], that is received by a U.S. organization from the European Union, and recorded in any form.”[17] The EU Data Protection Directive has a broad definition of PII, bringing many types of information not referenced by the FTC. It defines “personal data” as:

[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.[18]

The definition of PII offered by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) aligns more closely with the EU Directive:

Personally identifiable information is defined as any information relating to an identified or identifiable individual. Such information includes, but is not limited to, the customer's name, address, telephone number, social security/insurance or other government identification numbers, employer, credit card numbers, personal or family financial information, personal or family medical information, employment history, history of purchases or other transactions, credit records and similar information. Sensitive information is defined as personally identifiable information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual preferences.

Financial regulators threw in an additional twist with the term “sensitive customer information” (“SCI”) that is covered by the Interagency Guidance. SCI includes a customer’s name, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes data that will enable a person to log on to or access a customer account, such as a username and password.[19]

The VA Act defines “sensitive personal information” even more broadly:

Any information about the individual maintained by an agency, including the following:

(A) Education, financial transactions, medical history, and criminal or employment history.

(B) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records.[20]

For purposes of this paper, all data subject to notification shall be referred to as PII.

What Is a Security Breach?

Beyond determining whether data is within the scope of a breach law, what constitutes a security breach that could trigger a notification requirement also varies between laws. Some state laws consider a security breach to have occurred if the PII is actually acquired.[21] Other laws consider access to the data enough to constitute a security breach.[22] Most state security breach notification laws apply only if the PII was unencrypted. Some state laws only apply if illegal use or misuse of the information has occurred or is reasonably likely to occur.[23] In certain states, this must be determined by an investigation.[24] Even if a breach has occurred, several states exempt entities from notification requirements if an investigation reveals there is no reasonable likelihood of harm to the person whose PII was accessed or acquired.[25]

Who Does the Law Apply To?

State laws are also inconsistent with respect to what entities are subject to security breach notification requirements. Some laws apply to individuals, businesses, and public sector agencies.[26] Other state laws apply only to individuals and businesses, excluding public sector entities; some apply to “any person;” and others apply only to information brokers or exempt entities subject to the Gramm-Leach-Bliley Act (GLBA).

When and How is Notice Given?

When notification must be given is also unclear. Most states followed California’s lead and require that notification be given in “the most expedient time possible” and “without unreasonable delay.” Other states, such as Florida and Connecticut, require notification within a certain number of days from the discovery of the breach. The form of notice can also vary. Most laws are modeled after California and allow notice to be given in written or electronic form, although some state laws allow notice by telephone. Mass notices via email, websites, and major media may be given if extremely large numbers of records are involved and the cost of notification is significant. Most states allow notification to be delayed if law enforcement believes notification may disrupt or impede an investigation.[27] In addition to consumer notification, some state laws also require the entity that suffered the breach to notify law enforcement, consumer reporting agencies, or other potentially affected parties.[28]

Federal Notification

The VA Act requires notification to individuals found to be “subject to a reasonable risk for the potential misuse of any sensitive personal information.” The HITECH Act requires notification without unreasonable delay and in no case later than 60 days after the breach is discovered. The Interagency Guidance requires notification “as soon as possible,” but allows delays if notification could interfere with a criminal investigation. The OMB Memorandum does not set a specific threshold for notification, leaving it up to case-by-case analysis based on likelihood of harm and level of risk. Notification is to be “without unreasonable delay” but with exceptions for law enforcement investigations and national security considerations.

In light of the patchwork compliance requirements associated with state security breach notification laws, it is no wonder that Congress has been pressured by businesses to enact a federal law that will preempt state compliance obligations. Under state laws, most businesses have to meet the highest ceiling, lest they risk headlines over non-compliance in the most rigorous jurisdictions. As Harriet Pearson, Chief Privacy Officer of IBM, noted:

[I]f you are doing business across the country, basically, I don’t think you are going to sit down and [say], “Well, if it happened in Arkansas versus… California, I am going to use radically different standards.”[29]

Thus, from the legal perspective, risks abound with respect to security breach notification requirements. Organizations, therefore, would be prudent to ensure they have effective enterprise security programs in place that can accommodate the complexity of their compliance requirements and enable them to be prepared in the event of a breach.

► The Policy Perspective

The President’s Task Force on Identity Theft (Task Force) was established in May 2006 and charged with developing a strategic plan to make the federal government’s efforts in countering identity theft more effective and efficient. The resulting report, Combating Identity Theft: A Strategic Plan, sets forth four broad policy changes and provides a number of recommendations that, if implemented, could help reduce breaches of PII and facilitate the notification process. The suggested policy changes are:

• Federal agencies should reduce the unnecessary use of Social Security numbers;

• National standards should be established (1) to require private sector entities to safeguard the personal data they compile and maintain, and (2) to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• Federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• A National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force’s recommendations were multidisciplinary, global in scope, and numerous. Only one of them, however, directly addressed security breach notification, and even then without providing any specificity: establish national standards extending data protection safeguard requirements and breach notification requirements.

This shortcoming is significant and provides no clear guidance to Congress on sorting out the various legislative provisions in the pending legislation.

The Federal Trade Commission (“FTC”) has taken aggressive action against identity theft and has endeavored to assist and protect consumers from the resulting fraud, expense, and time burdens. The FTC’s division of Privacy and Identity Protection has prepared valuable information for businesses regarding how to notify law enforcement, other affected businesses, and customers of breaches, including a model letter for notifying consumers that their PII has been breached.[30] Instead of focusing on exceptions or triggers, the FTC encourages notification. Its “Facts for Business” document on complying with the GLBA Safeguards Rule advises businesses to consider “notifying customers, law enforcement, and/or businesses in the event of a security breach.”[31]

The FTC also has authority to enforce the Fair Credit Reporting Act (FCRA), which gives victims of identity theft the right to obtain certain documents and transaction records from businesses. Although not a notification requirement, it does involve the release of certain corporate information to consumers following a breach.

Beyond providing information to consumers, other laws apply to the destruction of PII. The FTC enforces the Fair and Accurate Credit Transactions Act (FACTA), which directed the financial regulatory agencies to promulgate a rule on the proper disposal of consumer information. The resulting Disposal Rule applies to people and organizations that use consumer reports. These reports contain PII and must be disposed of according to reasonable and appropriate disposal practices. The disposal of PII is important because security breaches can occur from information that has not been properly destroyed, triggering notification requirements.

These federal policy initiatives by the financial regulatory agencies, the FTC, and OMB offer valuable guidance to private sector organizations on how to manage risks associated with breaches of PII.

► The Managerial & Operational Perspective

The managerial and operational aspects of security breach notification are central to compliance and risk management. The tone at the top regarding privacy of PII, compliance with security breach notification laws, and protection of reputation and financial resources in the event of a breach are critical to the effectiveness of any security program. They set the direction for operational policies and procedures that control day-to-day operations and help mitigate liabilities.

Examples of managerial and operational policies that are essential in managing the risks associated with security breaches of PII include:

• An organizational commitment to respect the privacy of PII and comply with legal requirements.

• A requirement that awareness training and targeted training regarding compliance with policies and procedures be ongoing.

• A commitment by management that only the minimum PII will be collected and that it will be destroyed as soon as practicable.

• A commitment to cross-organizational communication and cooperation and the establishment of an organizational structure that enables this to happen.

• A pledge from management to establish and sustain an enterprise security program that incorporates privacy and cybercrime considerations.

• A commitment from management to allocate adequate resources for privacy and security programs.

• An organizational commitment to engage in public-private sector cooperation to counter cybercrimes and privacy breaches.

• A clear requirement from management that the organization have a well-developed and tested response plan that includes preservation of evidence and interaction with law enforcement, crisis communications, customer notification, and investor and employee communications.

Operational risks occur on the front line when employees, contractors, business partners, or others do not have policies and procedures to guide their actions and when controls are lacking to detect violations, anomalies, or inadequate performance. Security breach notification laws have impacted businesses in every industry sector and of every size. Regardless of sector or size, however, one common fault is the failure to plan in advance for a breach. The President’s Identity Theft Task Force reported that an April 2006 cross-industry survey concluded that only 45% of large U.S. multinational corporations had a formal process for handling security violations and data breaches.[32] Responding on the fly is always risky; it is especially so with respect to the breach of PII that is subject to so many security breach compliance requirements.

Adding to the risk is the fact that security breaches come in many scenarios:

• Lost or stolen laptops, thumb drives, personal digital assistants, cell phones, wireless devices, and CDs;

• Employees who engage in stealing, disclosing, selling, or improperly using corporate data or posting it to websites;

• Hackers who access or steal data;

• PCs that are discarded with hard drives that were never sanitized or wiped;

• Data that is improperly disposed of;

• Data that is acquired through peer-to-peer software; and

• Backup or archival tapes that are lost or stolen.

The California Department of Consumer Affairs’ Office of Privacy Protection (Privacy Office) has published Recommended Practices on Notice of Security Breach Involving Personal Information, which provides valuable guidance on the prevention of breaches, appropriate notifications, and responses. The Privacy Office suggests the following practices can help prevent breaches:

• Collect the minimum amount of PII necessary and retain it for the minimum amount of time necessary;

• Inventory records systems, critical computing systems, and storage media and identify those containing PII;

• Classify PII in records systems according to sensitivity;

• Use appropriate physical and technical safeguards to protect PII (particularly higher risk PII, including paper records);

• Pay more attention to higher-risk PII on laptops or portable storage devices or appliances;

• Promote awareness of security and privacy policies and procedures through ongoing employee communications and training;

• Require that service providers and partners who handle PII comply with security policies and procedures;

• Use intrusion detection technology and procedures to ensure rapid detection of unauthorized access to higher-risk PII;

• Use encryption in combination with host protection and access controls to protect higher-risk PII;

• Dispose of records and equipment containing PII in a secure manner; and

• Review security plans at least annually or when there is a material change in operations that could affect the security of PII.[33]
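The inventory and classification steps above, and the “name plus covered element” trigger described under “What Data Is Covered By Breach Laws?”, can be put into a small PII discovery pass. The following is an added example, not code from the paper or from the California Privacy Office: it scans constructed sample records for Social Security numbers (rejecting ranges the SSA never issues) and payment card numbers (validated with the Luhn check), treats account numbers structurally, and reports which records would trigger notice under the generic state pattern, with an `account_needs_code` switch standing in for the states that only count an account number if its PIN or access code was also exposed. Found values are masked so the findings report does not itself become a second copy of the PII.

```python
"""Added example: PII discovery over sample records, answering two questions
the text raises: does a record hold a covered data element alongside a name,
and was the data encrypted? The trigger rule is the generic state-law pattern,
not any one statute; the records are constructed."""
import re
from dataclasses import dataclass

# nnn-nn-nnnn form only; unformatted 9-digit runs are too noisy to flag blindly
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be reported
    without re-exposing the PII they describe."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def find_ssns(text: str) -> list:
    return [mask(m.group(0)) for m in SSN_RE.finditer(text)
            if is_valid_ssn(*m.groups())]


def find_cards(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask(m.group(0)))
    return hits


@dataclass
class Finding:
    record_id: str
    elements: dict      # element type -> masked values found
    has_name: bool
    encrypted: bool

    @property
    def notification_trigger(self) -> bool:
        """Generic state-law pattern: a name plus at least one covered
        element, and the data was not encrypted."""
        return self.has_name and bool(self.elements) and not self.encrypted


def scan_record(rec: dict, account_needs_code: bool = False) -> Finding:
    """account_needs_code models the states that only count an account
    number if the PIN or access code needed to use it was also exposed."""
    elements = {}
    text = rec.get("notes", "")
    if ssns := find_ssns(text):
        elements["ssn"] = ssns
    if cards := find_cards(text):
        elements["card"] = cards
    acct = rec.get("account_number")
    if acct and (rec.get("access_code") or not account_needs_code):
        elements["account"] = [mask(acct)]
    return Finding(rec["id"], elements, bool(rec.get("name", "").strip()),
                   bool(rec.get("encrypted")))


def records_requiring_notice(records, account_needs_code: bool = False) -> list:
    findings = (scan_record(r, account_needs_code) for r in records)
    return [f.record_id for f in findings if f.notification_trigger]


# Constructed sample data, not real people or accounts.
SAMPLE_RECORDS = [
    {"id": "r1", "name": "Jane Doe", "notes": "SSN 123-45-6789 on file", "encrypted": False},
    {"id": "r2", "name": "John Roe", "notes": "card 4111 1111 1111 1111 exp 12/11", "encrypted": True},
    {"id": "r3", "name": "", "notes": "SSN 321-54-9876", "encrypted": False},
    {"id": "r4", "name": "A. Poe", "notes": "ref 000-12-3456, ticket 1234567890123", "encrypted": False},
    {"id": "r5", "name": "Mary Major", "account_number": "0098765", "access_code": "", "encrypted": False},
    {"id": "r6", "name": "Mary Major", "account_number": "0098765", "access_code": "4422", "encrypted": False},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        f = scan_record(rec)
        print(f.record_id, "notify" if f.notification_trigger else "no notice", f.elements)
```

Run against the sample, r1 (name plus SSN, unencrypted) and r6 (account plus access code) trigger under either setting; r5 triggers only where an account number alone counts; r2 is excluded because the record was encrypted; r3 has no name; r4 contains an invalid SSN and a 13-digit number that fails the Luhn check, which is exactly the kind of false positive the validity checks exist to suppress.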

Response and notification involve multiple compliance requirements. Entities suffering a data breach may be required to notify state agencies, credit reporting bureaus, law enforcement, business partners, and individuals. Responses are best handled by a team of people with clearly assigned roles and responsibilities who have worked through response scenarios and are prepared to manage a situation.[34] Initially, at the time a breach occurs, it is important to safeguard computer logs and other evidentiary data that may be needed to prosecute the perpetrator or defend the reasonableness of the company’s security program. The organization must determine exactly what PII was involved in the breach, find out whether part or all of it was encrypted, ascertain whether the breach was caused by an insider or an external actor, and make some initial determinations regarding the likelihood of harm as a result of the breach and whether notification is actually required. Each of these pieces of information must be protected and many of them may be shared among the response team members.
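Safeguarding logs and other evidentiary data, as the paragraph above advises, means being able to show later that the preserved copies were not altered after collection. The following is an added example, not the paper’s own material: it builds a manifest of SHA-256 digests for a collected log directory and re-verifies it, reporting files that were modified, removed, or added after the snapshot. The log lines and the `ir-team` collector name are constructed for the demonstration.

```python
"""Added example: snapshot the integrity of collected log files so the
response team can later demonstrate they were not altered after collection.
Sample log lines are constructed, not taken from a real system."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _walk(root: str):
    """Yield (relative posix path, absolute path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_manifest(root: str, collector: str) -> dict:
    """Record a digest and size for every file under root, plus a digest of
    the file table itself so the manifest can be hashed or signed as a unit."""
    files = {rel: {"sha256": sha256_file(path), "size": os.path.getsize(path)}
             for rel, path in _walk(root)}
    table = json.dumps(files, sort_keys=True).encode()
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": files,
        "files_sha256": hashlib.sha256(table).hexdigest(),
    }


def verify_manifest(root: str, manifest: dict) -> list:
    """Return sorted (path, problem) pairs; an empty list means the
    collection matches the manifest exactly."""
    problems = []
    present = dict(_walk(root))
    for rel, meta in manifest["files"].items():
        if rel not in present:
            problems.append((rel, "missing"))
        elif sha256_file(present[rel]) != meta["sha256"]:
            problems.append((rel, "modified"))
    for rel in present:
        if rel not in manifest["files"]:
            problems.append((rel, "unexpected"))   # added after collection
    return sorted(problems)


# Constructed sample log lines.
SAMPLE_LOGS = {
    "auth.log": "Mar  3 02:14:07 host sshd[812]: Accepted password for svc_backup from 10.0.0.9 port 51022\n",
    "web/access.log": '10.0.0.9 - - [03/Mar/2009:02:15:40 +0000] "GET /export/customers.csv HTTP/1.1" 200 5120\n',
}


def run_demo() -> dict:
    """Collect the sample logs, verify, then alter the collection and verify again."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_LOGS.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(content)
        manifest = build_manifest(root, "ir-team")
        intact = verify_manifest(root, manifest)
        # simulate what happens when people keep working inside the evidence copy
        with open(os.path.join(root, "auth.log"), "a") as f:
            f.write("Mar  3 02:20:00 host sshd[812]: session closed\n")
        os.remove(os.path.join(root, "web", "access.log"))
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("analyst scratch\n")
        tampered = verify_manifest(root, manifest)
    return {"files": len(manifest["files"]), "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest should be stored, and ideally signed or hashed into a ticketing system, somewhere other than the evidence directory itself; the demo keeps it in memory for that reason. Analysts should work from a separate copy so that the verification continues to come back clean.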

A well-rehearsed communications plan is one of the most important elements of an effective response. Organizations should determine in advance who will speak to employees and the board, who will handle press inquiries, who will interact with regulators and law enforcement, who will prepare the notification, and who will speak to analysts and shareholders. The coordination of these communications must be managed. The timing of the notification is also important. Generally, it is within 45 days of the date the breach was discovered, unless it is delayed at the request of law enforcement. What the company will offer victims of a breach must also be considered. Some experts have noted that, over time, a sort of “standard” notification package has developed which is offered to victims at the time of notification. This usually includes free credit monitoring services, free annual credit reports, and information regarding placing a fraud alert on the victim’s credit files.[35]

When notification is given, the California Privacy Office recommends that notice letters contain:

• A general description of the breach and what type of information was involved

• What measures have been taken to protect the person’s PII from unauthorized access or acquisition in the future

• What the organization will do to assist victims

• Information regarding what the individual can do to protect themselves from identity theft

• Contact information for helpful agencies and information on resources.

The Privacy Office also recommends that the language of the notice be simple and clear, avoiding jargon and technical language. Good layout to improve readability and highlight informational points in the notice is recommended. The Office suggests that the notice be sent by first class mail or, alternatively, by email. If large numbers of individuals are involved or the cost of notification is more than $250,000, California recommends that notice be posted on the organization’s website, sent through major media, and sent by email.[36]

In managing notification issues, it is also important to take into account public perception. Although an event may not have triggered a notification, it may be prudent to notify individuals anyway, lest their expectation of privacy give way to fury over not being informed, damaging the reputation of the firm or causing other negative consequences. Respected privacy expert Lisa Sotto of Hunton & Williams notes that:

Privacy issues are hot button social issues that often transcend mere legal compliance. Indeed, the risk to an organization’s reputation and revenues often far exceeds the risk associated with non-compliance with breach laws. As a result, organizations responding to a breach should focus on doing the right thing as opposed to doing only those things that are required by the law.[37]

► The Technical Perspective

Obviously, numerous technical considerations come into play with security breaches. Often, it is the breach of a technical control that enables a person to acquire or access protected data. In developing a response plan, it is important to take into account the types of technical issues that are involved in a breach of PII so they can be appropriately addressed through the organization’s enterprise security plan, policies, and procedures. Clearly, identity management and access control technologies are important tools in managing risks associated with PII. In addition, monitoring and anomaly detection software can help detect unauthorized activity and record the actions taken. Steganography detection software can help spot PII being smuggled out hidden inside otherwise innocuous files, although it covers only a narrow channel; detecting and blocking unauthorized transmissions of PII more generally falls to data loss prevention controls at the network edge and on endpoints.

These tools are especially important in preventing PII breaches by insiders. Effective firewall and malware detection technologies are critical to maintaining a perimeter around digital assets and blocking unauthorized access from outside an organization.

No technology, however, is as prominently tied to a security issue as encryption is to security breach notification. Under most laws, encrypted data is not subject to notification requirements when breached. Encryption technologies that meet the National Institute of Standards and Technology’s Advanced Encryption Standard (AES) are recommended.[38] The exemption is only as strong as the key management behind it: a laptop whose disk is encrypted with a key cached on the same device, or a database whose key was taken along with the data, has not really been protected, and several state laws withhold the safe harbor where the key was compromised as well.

Authentication and authorization controls are increasingly important in protecting against breaches of PII. The Federal Financial Institutions Examination Council issued guidance on Authentication in an Internet Banking Environment, recommending that two-factor authentication be used for Internet-based products and services. Increasingly, two-factor authentication is being accepted as a best practice in preventing unauthorized access to systems and data.[39] As identity theft continues to rise, this trend will continue, eventually supplanting single-factor authentication altogether.

Security breach notification laws have significantly raised awareness regarding the importance of effective enterprise security programs that combine legal, technical, managerial, and operational considerations. The headlines on security breaches have gotten the attention of executives unlike any amount of talking, coaxing, explaining, or cajoling about the need for enterprise security programs and adequate funding. The FTC has once again taken a leadership position in wedding privacy and security by issuing tips for reducing risks to computer systems and protecting the privacy of data. Measures for effective security include:

• Identifying internal and external risks to the security, confidentiality, and integrity of customer PII;

• Designing and implementing safeguards to control the risks;

• Periodically monitoring and testing the safeguards to be sure they are working effectively;

• Adjusting the security plan according to the results of testing, operational changes, or other circumstances that might impact information security;

• Overseeing the information handling practices of service providers and business partners who have access to the personal information;

• Considering all the relevant areas of operation, including employee management and training; information systems (including network and software design); information processing, storage, transmission and disposal, and contingencies (including detecting, responding, and preventing system failure); and

• Taking into account new vulnerabilities and leading causes of security risks (including web application security vulnerabilities).[40]

Other technical aspects to security breach notification risk management include the various services that are springing up to assist victims of identity theft. Numerous companies, including the credit bureaus, offer an array of technologies and/or services that monitor credit reports and manage identities.

► Conclusion

The confusion around how to counter identity theft has resulted in an array of state laws that inconsistently define PII and mandate notification to individuals based upon differing criteria. At the federal level, notification requirements apply only to data held by the Department of Veterans Affairs and to PHI. The FTC and OMB, in the meantime, have actively taken on identity theft and security breach notification issues.

The legal risks and headlines associated with breaches of PII require managerial and operational policies that accommodate breach compliance requirements and mitigate risks. The California Privacy Office has published excellent guidance for businesses on notification practices. In planning ahead regarding how to handle breaches, it is important to develop a communications plan and consider what benefits the organization will offer to individuals whose PII has been breached. Legal requirements, however, should not be the sole guidepost; meeting the customer’s or public’s perception of privacy may be just as important – if not more important – than the legal requirements in terms of managing risk. Technical tools are available to help prevent, detect, and respond to breaches. Technological considerations will impact policies and procedures, however, and must be woven into the organization’s enterprise security program. Today, it is almost impossible for any business to operate without collecting PII, making it essential that companies understand their compliance requirements and remain alert to new laws that continue to surface, both in the U.S. and abroad.

-----------------------

[1] The Veterans Benefits, Health Care, and Information Technology Act of 2006, Title IX, Veterans Affairs Information Security Act, Pub. Law 109-461, Dec. 22, 2006.

[2] 38 U.S.C. § 5724(b).

[3] Id.

[4] American Recovery and Reinvestment Act of 2009, H.R. 1, Health Information Technology for Economic and Clinical Health Act, § 13001, et. seq., 111th Cong., 1st Sess., Feb. 17, 2009.

[5] Heidi Echols, Maura Ward, Karen Sealander, Bernadette Broccolo, Stephen Bernstein, “HITECH Act: Analysis of Policy Implications, Requirements of Health IT Stimulus Provisions,” Bureau of National Affairs, Privacy & Security Law Report, Vol. 8, No. 9, March 2, 2009, 344-357 at 347.

[6] Clay Johnson, III, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” Executive Office of the President, Office of Management and Budget, M-07-16, May 22, 2007, xlibrary/assets/privacy/privacy_attachment6_OMB07-16.pdf.

[7] Id.

[8] “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” Part III of Supplement A to Appendix, 12 C.F.R. Part 30 (OCC); Supplement A to Appendix D-2, 12 C.F.R. Part 208 (Fed. Reserve System); 12. C.F.R. Part 364 (FDIC); 12 C.F.R. Part 568 (OTS); 70 Fed. Reg. 15736-15754 (Mar. 29, 2005).

[9] “Interagency Guidance Establishing Information Security Standards,” 69 Fed. Reg. 77,610 (Dec. 28, 2004).

[10] Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation, COM(2007) 698 final, Nov. 12, 2007, eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2007:0698:FIN:EN:PDF.

[11] “CIPPIC calls for data security breach notification law,” Digital Copyright Canada, Jan. 9, 2007.

[12] Robert Westervelt, “UK group pushes for stiff data security breach laws,” Oct. 4, 2007; SA Mathieson, “UK should introduce data breach notification law, say Lords,” InfoSecurity, Aug. 10, 2007.

[13] Consultation paper – Draft Voluntary Information Security Breach Notification Guide, The Office of the Privacy Commissioner (Australia), Apr. 2008.

[14] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Off. J. of the European Parliament and of the Council, L 201/37.

[15] “U.K. Regulator Sets First Data Security Fine: Bank Will Pay $1.9 Million Over Laptop Theft,” Privacy & Security Law Report, Bureau of National Affairs, Vol. 6, No. 8, Feb. 19, 2007 at 287-88.

[16] See In the Matter of Microsoft Corp., File No. 012 3240, Agreement Containing Consent Order (Consent Order accorded final approval on Dec. 20, 2002).

[17] Safe Harbor Privacy Principles, U.S. Dep’t of Commerce, July 21, 2000.

[18] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L. 281/31, Nov. 23, 1995.

[19] 12 C.F.R. part 40.

[20] 38 U.S.C. § 5727(19).

[21] For example, Arkansas, California, Colorado, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Minnesota, Montana, Nevada, New York, North Dakota, Tennessee, Texas, Washington, and Oklahoma.

[22] For example, Arizona, Connecticut, and Vermont.

[23] For example, Hawaii, Idaho, Indiana, Kansas, Maine, Nebraska, New Hampshire, New York City, North Carolina, and Utah.

[24] For example, Maine, Nebraska, and New Hampshire.

[25] For example, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Kansas, Louisiana, Maine, and Michigan.

[26] For example, Arizona, Arkansas, California, Colorado, Idaho, Michigan, New Hampshire, and Tennessee.

[27] “Security Breach Notifications: a State and Federal Law Maze,” Gibson, Dunn & Crutcher, July 27, 2005.

[28] For example, Colorado, Florida, New York, and Ohio.

[29] Jaikumar Vijayan, “Q&A: IBM Executive on Breach Notification Laws, Data Security Push,” The Privacy Advisor, International Assn. of Privacy Professionals, Vol. 6, No. 7, July 2006.

[30] “Information Compromise and the Risk of Identity Theft: Guidance for Your Business,” Facts for Business, Federal Trade Commission.

[31] “Financial Institutions and Customer Information: Complying with the Safeguards Rule,” Facts for Business, Federal Trade Commission.

[32] President’s Task Force Report at 35 (citing Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, Apr. 26, 2006 at 16).

[33] Recommended Practices on Notice of Security Breach Involving Personal Information, California Dept. of Consumer Affairs Office of Privacy Protection, Feb. 2007 at 9-10 (hereinafter “California Recommended Practices”).

[34] James Christiansen, “Avoid a Meltdown: Reacting to a Security Breach.”

[35] Lisa J. Sotto and Aaron P. Simpson, “A How-To Guide to Information Security Breaches,” Privacy & Security Law Report, Bureau of Nat’l Affairs, Vol. 6, No. 14, April 2, 2007 at 559-562 (hereinafter “Sotto and Simpson”).

[36] California Recommended Practices at 11-13.

[37] Sotto and Simpson at 562.

[38] See Federal Information Processing Standard 197, National Institute of Standards and Technology, Nov. 2001.

[39] “Authentication in an Internet Banking Environment,” Federal Financial Institutions Examination Council, Aug. 8, 2001.

[40] “Security Check: Reducing Risks to your Computer Systems,” Facts for Business, Federal Trade Commission.
