Cleaning Up Disclosure
Mark Rasch, 2005-04-11

New federal rules require all U.S. financial institutions to notify their customers when a breach of a sensitive customer database has occurred. Newly proposed state laws may go even further.

In the past five years, many laws and regulations have been passed that try to push corporate and government managers into providing reasonable levels of protection for IT systems. These include the EU data protection directives and the national laws enacted to implement them; the Sarbanes-Oxley Act, which mandates controls on financial reporting systems for U.S. publicly traded companies and for foreign companies that might affect such reporting; the HIPAA legislation, which mandates the protection and privacy of health care data; FISMA and its progeny for U.S. federal agencies; Article 4A of the Uniform Commercial Code, which mandates commercially reasonable security procedures for wire transfers; and a host of rules and regulations from U.S. banking, insurance and securities regulators. In spite of ALL these regulations, the one law that has had the greatest impact on information security is a little-debated California law that went into effect in July 2003 -- SB 1386. On March 23, 2005, the U.S. Federal Reserve Board, together with the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision, issued final guidance that will force U.S. banks to notify their customers when personal information leaks out. Congress and various state legislatures are likewise considering laws to do the same thing.

Confess!

There are many laws that mandate information protection, and more than a few that punish breaches. Even general negligence law can be, and has been, used to sue those who fail to take reasonable steps to protect confidential information. The problem with all of these laws is that an affected person or regulatory agency must first find out that there has been a breach or deficiency, and then take some kind of action. Sure, an IT security audit or other regulatory inspection might result in an enforcement action, or a hacker might choose to publicize the fact that they got in. But such circumstances are rare. More often than not, a company discovers either a vulnerability or an exploit and, as part of its incident response plan, either corrects the problem or takes Herculean efforts to sweep it under the rug.

SB 1386, which went into effect on July 1, 2003, mandates that companies that do business in California (essentially, companies that have more than minimal contacts with the State) and that suffer a breach of a database containing discrete types of personal information must notify those whose information may have been exposed, so they can take steps to minimize the potential for identity fraud and identity theft. Another law, AB 1950, which went into effect on January 1, 2005, mandates that such databases be protected using reasonable means. But it is the 2003 law that has been almost seismic in its effect. As a result of the mandatory disclosure law -- limited as it is -- dozens of companies and entities have had to reveal the fact that they were the victims of hackers. Most recently, companies like LexisNexis, Bank of America, SAIC, ChoicePoint, Lowe's and Seisint have been forced to tell their customers that they have been the victims of theft or misdirection of personal information. Databases at universities like Boston College, the University of Mississippi, and the University of California campuses at San Francisco, Berkeley, Santa Barbara and Chico were likewise stolen, lost or compromised.

What makes these cases special is not the fact that a breach or other compromise occurred -- it is the fact that we know about them. And we know about them principally because the California law -- limited as it is -- has mandated disclosure. This disclosure requirement has trickled down so that some companies feel compelled to notify their clients or customers of security breaches even when not specifically required to under the law. Other companies read the California law narrowly, and notify only if the affected people are California residents, only if the compromised data pairs a name with either a Social Security number or driver's license number, or an account number with its PIN or password, and only if the data was not encrypted in some way. Thus, customers of a California company who reside in Nevada are out of luck. One company I know of had an MS Word document with thousands of California customer account numbers stolen, but it took the position that no notice was required because the file had an MS Word password, and therefore was "encrypted."

The California law drives IT security because of the possibility that you might have to fall on your sword and confess to your customers that their data has been breached. The law effectively acts as a strict liability standard for the protection of personal information -- if there has been an actual or potential compromise of the data, you must disclose, whether or not you were negligent. The best way to avoid disclosure is to avoid the breach in the first place, and the best way to do that is to have reasonable security procedures, including access control, logging and effective monitoring, and encryption of data in transit and at rest -- you know, all the things you wrote to senior management about five years ago, but were denied a budget for because there was no "ROI."

Enter the feds

The California law, by its terms, is limited to companies that do business in California, to relatively narrow categories of personal information, and even then only to disclosure to California residents. The final interagency guidance announced in March 2005 by the four federal banking agencies mandates that all regulated financial institutions have in place response programs that include incident assessment procedures, identification of the customer information that may have been accessed or misused, and notification not only of the Treasury Department's Financial Crimes Enforcement Network (through a Suspicious Activity Report) but also of the institution's primary federal regulator and appropriate law enforcement agencies. The guidance also provides that when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution must conduct an investigation and, if it determines that misuse of the information has occurred or is reasonably possible, it should "notify the affected customer as soon as possible." The guidance does allow notification to be delayed upon a written request by an appropriate law enforcement agency. If you can't determine whose information was affected by the breach, you essentially have to notify everybody whose information might have been compromised and might reasonably be misused.

In many ways, the federal rules are broader than the California law, but in other ways they are narrower. Their scope extends well beyond the Golden State's borders to any financial institution regulated by the OCC, the Federal Reserve, the FDIC or the OTS. They require not only notice, but notice as one part of an overall response program. They require securing the data and preserving evidence relating to the incident as part of corrective measures to mitigate harm to customers. Like the California law, though, they require notice only if the compromised data includes a customer's name, address or telephone number in conjunction with a Social Security number, driver's license number, credit or debit card number, or a PIN or password -- or some combination of these that would allow unauthorized access to the customer's account.

But none of these laws require the entity that suffered the breach to help its customers resolve their newfound problems. In other words, it does not have to place a fraud alert on the customers' credit files (or even offer to do so), give them free credit reports, or pay the costs of unauthorized charges, account access, or the opening of new accounts resulting from the breach of its systems. We rely on the ordinary civil litigation system to achieve that result. Thus, your financial institution may simply tell you "Good morning -- your account has been compromised, and you are screwed -- have a nice day," and it will have complied with the law.

Thus, California Senator Dianne Feinstein has once again introduced S.115, the Notification of Risk to Personal Data Act, which would apply nationwide to all entities that possess personal information, and would provide that "[a]ny agency, or person engaged in interstate commerce, that owns or licenses electronic data containing personal information shall, following the discovery of a breach of security of the system containing such data, notify any resident of the United States whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The bill would permit both federal and state authorities to impose fines and penalties for every day a violation continues, and would permit lawsuits to compensate the data subjects for any loss resulting from the breach of security or the failure to notify.

Various states have also proposed laws to mandate disclosure of security breaches of databases containing personal information: Alaska (H.B. 226, S.B. 148, S.B. 149); Arizona (S.B. 1114); Arkansas (S.B. 1167); California (S.B. 433, S.B. 852); Colorado (S.B. 137); Florida (H.B. 129); Georgia (H.B. 638, H.B. 648, S.B. 230, S.B. 245, S.B. 251); Illinois (H.B. 1633, H.B. 3743, S.B. 209, S.B. 1479, S.B. 1798, S.B. 1799, S.B. 1899); Indiana (S.B. 503, S.B. 544); Maryland (H.B. 1588 / S.B. 1002); Michigan (S.B. 309); Minnesota (H.F. 1410 / S.F. 1307, H.F. 1805 / S.F. 1805); Missouri (S.B. 506); Montana (H.B. 732); New Jersey (A.B. 1080, A.B. 2048 / S.B. 2440); New York (A.B. 1525 / S.B. 3141, A.B. 4254 / S.B. 2161, A.B. 5487 / S.B. 3000, A.B. 6688, A.B. 6903 / S.B. 3492, S.B. 2906, S.B. 3494); North Carolina (S.B. 783, S.B. 1048); North Dakota (S.B. 2251); Ohio (H.B. 104, S.B. 89); Oregon (S.B. 626); Pennsylvania (H.B. 1023); Rhode Island (H.B. 5893, S.B. 880); South Carolina (S.B. 669); Tennessee (H.B. 2170 / S.B. 2220); Texas (H.B. 1527); Virginia (H.B. 2721); Washington (S.B. 6043); and West Virginia (H.B. 2772). All are considering legislation that would mandate disclosure of personal information security breaches, toughen penalties for identity theft, or require that a credit hold be placed on the file of any account holder whose data may have been exposed in a breach. Many of these bills likewise permit civil or regulatory enforcement, and go well beyond what the proposed federal law provides.

Now, when your credit card company informs you that your card number may have been compromised, it issues you a new card. Apart from the minor inconvenience of having to reschedule your automatic payments, you are thankful for the fraud prevention -- for the most part. But when your bank, hospital, doctor's office, hardware store, university, or other organization explains that it has allowed your data to be breached -- AND you have the ability to choose alternatives -- you are very likely to look for a new doctor or hardware store. The best prevention against reporting is to have nothing to report. Try explaining THAT to your manager the next time a budget request for security or encryption gets denied.


Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm, and for the investigation of the Hannover hackers featured in Clifford Stoll's book, "The Cuckoo's Egg."
Copyright 2010, SecurityFocus