Data Protection/Breach Disclosure Laws

In the news, yet more breaches of data security and the potential disclosure of personally identifiable, non-public information about you. From Wells Fargo to the Veterans Administration, breaches are becoming almost daily news. In response, more and more states are enacting breach disclosure laws requiring companies to notify consumers if there is an actual or potential breach of security compromising (or potentially compromising) your information. Even Congress is getting into the act by considering legislation at the national level. Although the definitions are not uniform and the requirements are not identical, most of these laws share common themes—but to understand what they are, how they affect you and what obligations you may have, you have to contact me, or you can simply wait for the next issue of Legal Bytes—stay tuned.

Record Retention — It’s Not Just For…

For failing to preserve records, Morgan Stanley is paying $15 million to the SEC and a number of other regulators under an agreement reached with the SEC’s Division of Enforcement. Any such settlement requires approval of the Commission, and Morgan Stanley is still in settlement discussions with the NASD. If you recall, last year Morgan Stanley ended up paying $1.57 billion as a result of a lawsuit in which much of the attention was devoted not merely to its inability to produce documents, but also to the judge’s conclusion that Morgan Stanley’s conduct was knowing, in bad faith and deliberate.

The current $15 million fine, the highest ever imposed for a firm’s inability to retain and produce records, may have resulted from the SEC’s belief that a document-retention agreement previously reached with the firm was not being complied with.

Security Breaches Causing Headaches — Take Two Notices and Call Us in the Morning

Pennsylvania is among the most recent to enact an “information security breach notification” statute bringing the total to well over 30 in one form or another in just the past few years. In case you are keeping score, Pennsylvania’s law goes into effect in June of this year, while Montana and Rhode Island have breach notification statutes which become effective March 1. And you thought legislatures move at a snail’s pace!

Most state statutes relating to breach notifications apply to entities that conduct business in the state, have databases or information in the state, and/or have customers who reside in the state, but the Pennsylvania law also covers anyone that “destroys” records. As a general rule, “breach of security” is defined to mean any unauthorized access to personal information, and some state laws only cover “unencrypted” personal information—but not all state laws are consistent in their definitions and what constitutes covered information is defined in each statute. If you want to generalize, name, address, email and other similar non-public personally identifiable information, driver’s license, credit or financial account information, date of birth, and the like are almost always included within the definition.

When it comes to notification, in addition to the protected consumers involved, some states require notification to law enforcement, others require notification to the consumer reporting agencies, and some require all of these. Although states may differ slightly, one can learn some general themes from the common denominators that we see in most of them. First, on or about the time that notice is given, the integrity and confidentiality of the network, database or system whose security has been compromised should be restored. As a general rule, the notice should identify (or you should know) the cause and extent of the breach that has occurred, and should indicate the steps that have been taken to stop the breach that has been identified and to prevent a repetition. In virtually all states, government officials (e.g., the Attorney General, federal and state law enforcement agencies) can defer or suspend the notification obligation if an investigation would be impaired by disclosing the information normally required in a notice.

Even the form of notice is specifically spelled out in most statutes. All of them provide for notice in writing, but also permit electronic communications if the consumer has elected to receive messages electronically, and some allow notice by phone. In addition, many states have enacted substitute notification rules that are triggered when the number of affected consumers, or the cost of sending individual notices, exceeds a certain threshold, or if there is not enough information to send mail or an electronic message. That said, the substitute notification rules are often significantly more public and generally require email notification, posting on your website and notice to all major media (news, television, radio). In fact, at least one state requires that the cumulative total readership, viewing or listening audience be equal to or greater than a specified percentage of the total population of the state.

As you can imagine, the laws and regulations are complex—containing numerous exceptions, alternatives and defined terms—as is how they apply to individual incidents and companies. Just as significantly, these laws are changing and evolving and increasing all the time. Shouldn’t you have a plan for dealing with the possibility that a breach of security might affect you? Do you know what your obligations and responsibilities are if a security breach occurs—to consumers? to law enforcement officials? to consumer credit reporting agencies? Do you have an information security and privacy policy that takes these things into account and do you know if it makes a difference? Rimon does. Call us and we can help you before a potential threat becomes a regulatory nightmare. We can help you identify policy and procedural requirements, keep you up to date on changing compliance requirements and new legislation and regulation, and provide guidance so you are prepared if a problem arises.

While we hope it never happens to you, simply reading the newspaper coverage since ChoicePoint’s announcement on February 15, 2005, or a chronology of only those incidents that have been publicly reported, is frightening indeed. An ounce of prevention…well, you know the rest.

Why-Fi??

In New York’s Westchester County, legislators are proposing a new law to compel commercial businesses (including home offices) that have an open wireless access point to have the “network gateway server” fitted with a firewall to block intrusions. Under the proposed legislation, not only may “public Internet access” not be provided without a gateway server equipped with a firewall, but any business or home office that stores personal information as well must install a server with a firewall—even if the wireless connection is encrypted and not open to the public. Publicly available Internet access sites would have to post a sign: “You are accessing a network which has been secured with firewall protection. Since such protection does not guarantee the security of your personal information, use discretion.” Come on.

‘Robots’ Are So Yesterday–It’s Just ‘Bots’ Now

Want some scary statistics for Halloween? In the first six months of 2005, the average number of “phishing” e-mails went from about 3 million to more than 5½ million, according to Symantec, distributor and licensor, among other things, of firewall and virus protection software. Phishing, in case you’ve missed the news, is a scam which uses e-mail to spoof legitimate businesses such as banks and airlines, and attempts to entice you to enter personal data which can then be used by criminals. “Update your account” or “Your Security May Have Been Compromised and We Need You to Verify Your Password” are typical messages, often accompanied by logos and names that appear to be all too real.

Symantec also discovered 1,862 new software vulnerabilities over the six-month period—almost all of them moderate to high security threats, and 60 percent of them in Web-based applications. Symantec also found that the average number of denial-of-service attacks jumped from 119 to 927 a day during the first half of 2005. Why the increase? Personal computers are being overwhelmed with “bots”—malicious programs that exploit vulnerabilities in personal computer software and allow the hackers—online criminals—to remotely control home computers. Not convinced? Symantec’s monitoring of its customers and their networks showed the number of active bot computers more than doubling, from 4,348 to 10,352. The SANS Internet Storm Center, a not-for-profit organization that tracks hacking trends, detects an average of 260,000 bots each day that are out there looking for computers that are vulnerable to attack. No longer limited to “denial of service” attacks, which flood a legitimate website with junk data in order to overwhelm it, these bots are now beginning to be used to generate spam and malicious code.

No Security—That’s Unfair!

At least that’s what the FTC thinks. They charged BJ’s Wholesale Club with failing to maintain adequate computer security—the first time the FTC has used Section 5(a) (the section that says that unfair or deceptive acts or practices in or affecting commerce are unlawful) for this purpose. The FTC cited failures to encrypt consumer information, storing sensitive computer information for a needlessly long time in files with common or default passwords, and lax measures regarding prevention of unauthorized access, detection and security investigations. The complaint alleged that, taken together, these failures meant BJ’s did not provide legally adequate security for sensitive consumer information. The Chairman of the FTC has called for Congress to enact legislation requiring notification to consumers if there is significant identity theft risk, and has asked Congress to consider extending the Gramm-Leach-Bliley Safeguards Rule, currently applicable to financial institutions, to non-financial institutions.

Adware? Spyware? Aware? Beware? Do You Care?

Intermix Media has reportedly agreed to pay $7.5 million to settle a lawsuit filed by the New York Attorney General, and if true, this represents the largest fine in a consumer online privacy action to date. In addition to agreeing to hire a Chief Privacy Officer, Intermix must agree to stop distributing its adware/spyware and redirect programs, which the NYAG alleged were downloaded to consumers’ personal computers with inadequate notice and then hidden to make them difficult to remove. Besides the annoyance that consumers rail about, such hidden programs can often be part of more elaborate identity theft and security breaches, sometimes without the knowledge of the company that created them. The lawsuit’s primary claims were false advertising and deceptive business practices under New York’s General Business Law statutes.

Identity Theft Again?

Most of you have read about the security issues that have confronted LexisNexis and ChoicePoint, and each day we learn more news about more systems and databases that have been or may have been compromised. Here’s a secret: “Google hacking” is easier. It’s a term used to describe the simple act of using publicly available search engines (no, not only Google) to find information that criminals and wrong-doers can use.

Several months ago, The Wall Street Journal reported that some security experts held a contest to demonstrate how good Google hacking can be—they limited contestants to using only Google’s search engine and in less than one hour they unearthed enough information to perpetrate financial fraud on about 25 million people—including useful combinations of names, birth dates, credit card and social security numbers. In one such experiment, a team of contestants found a directory of more than 70 million social security numbers—all belonging to individuals who are no longer alive.

Yahoo! and Google and similar search engines are not the problem – these folks are continuously refining and fine tuning their search capabilities and adding more information. Why? Because we demand it; we like it; we want it. It is helpful; useful; convenient. So how do we balance the desire to have more and better information more easily available, with the need to protect our people, our customers, our society from abuses and improper use of such information? I don’t know. I do know that Rimon has literally dozens of lawyers who can help you with privacy, information security, terms of use and guidelines; can alert you to regulatory and legal issues; and can provide you with solutions to your problems, even when the simple answers are not always easy to find. Let us help you. Have an information security issue? Privacy compliance problem? Fraud or security breach? Now’s the time—before you are part of the problem.

Spyware Out of the News and Into the Congress

Most of you know “spyware” as pesky programs that install themselves on your computer – often tacked on to programs you intend to install – that do everything from tracking online browsing habits to stealing passwords and getting at sensitive data on your computer. But what about those programs that automatically download and patch your software or update your anti-virus definitions, or cookies that enable sites you visit to recognize you and customize your experience? Of course, you have also heard of “adware” – programs that trigger the delivery of online advertising (did I say pop-ups?) that target consumer preferences and activities.

Confused by the distinctions and attempts to sort out the definitions? There is clearly a legislative drive to prohibit programs from being installed on consumers’ computers without consent or knowledge and at least three spyware bills are winding their way through the U.S. Congress. Although it is unlikely a bill could reconcile the differences and reach the President for signature this session, there is clearly impetus to “do something,” and interests on all sides are lining up to shape the contours of legislation so as not to do away with all those “good” programs!

Confused about the definitions or worried Congress might get it wrong—or just wondering who cares? Pay attention. Much of the utility and appeal of the Internet is interactivity. Browsers and websites interact. Navigational tools and features that make browsing more efficient, save time, and provide a more customized – thus more useful – experience are based on programs working in the background that are helpful and desirable if properly used, “properly” being the operative word. If worded too broadly, legislation could prohibit tools that make sense. Imagine every advertiser, website owner, merchant and search engine being required to go to every user with a new consent (“opt-in”) form! How will legislation be enforced if the website owner is in another jurisdiction? Need to follow this issue? Want to know more? Want your voice heard? Call Rimon—we can help.

Privacy Policies to be Required by California on All Commercial Websites

California has done it again! The nation’s toughest anti-spam law, the first database security breach notification law, and now the first state to require commercial website owners and online service providers to adopt and communicate privacy policies, ensure policies satisfy certain minimum standards, and pay penalties if they fail to conform.

California’s Online Privacy Protection Act of 2003 becomes effective July 1, 2004, and applies to commercial website owners and online services that collect and maintain “personally identifiable information” from a “consumer” residing in California. This will likely apply to all businesses selling goods or services online in the United States. To comply, among other things, the privacy policy must identify the categories of information collected; the third parties who have access; how a consumer may review and correct information; and how consumers will be notified of changes in the policy. The statute also requires website owners to “conspicuously post” a privacy policy on their websites. A website owner can satisfy the requirement by posting the policy on its home page or by providing a hyperlink from that page to the policy. The link must include the word “privacy” and meet certain requirements as to capitalization, type size, font, contrasting color or other markings that call attention to the link and the policy. Online service providers must use “reasonably accessible means” to make their policies available.

This act is a good reason for businesses to review existing privacy, website and online practices. Re-examine privacy promises and consider liability waivers. If you have not yet adopted a privacy policy, now is the time to do so!