

Global Best Practices - Consumer Protection and Data Breach Notification I nternet Governance Forum Rio de Janeiro Brazil November 2007. Organized By: Internet Governance Task Force (IGTF) Committee on Cyberspace Law Section of Business Law American Bar Association





Presentation Transcript


  1. Global Best Practices - Consumer Protection and Data Breach Notification
     Internet Governance Forum, Rio de Janeiro, Brazil, November 2007
     Organized By: Internet Governance Task Force (IGTF), Committee on Cyberspace Law, Section of Business Law, American Bar Association
     http://www.abanet.org/dch/committee.cfm?com=CL320061

  2. May we briefly introduce ourselves?

  3. Outline
     • Background
       • Why this Topic?
       • Relation to IGF themes of Security and Access
     • Basics
       • The who, what, when and how
     • Remedies
       • Statutory and regulatory
       • Contract
       • Tort
     • Reports and References

  4. Background - Why This Topic?
     • The incidence of data breaches and compromise of consumer data is rising globally
     • The Privacy Rights Clearinghouse maintains a Chronology representing the approximate number of "records" containing personal information that have been compromised due to security breaches in the US since January 2005.
       • The number of "records" is not necessarily the same as the number of "individuals" affected, since some individuals may be the victims of more than one breach.
       • The total as of November 7, 2007 is at least 215,979,650. See http://www.privacyrights.org/ar/ChronDataBreaches.htm#2
     • A breach “in” a jurisdiction may compromise identities of persons in many jurisdictions

  5. Background - Why this topic?
     • Many jurisdictions around the world are debating/considering adopting specific laws on data breach notification
       • See Reports and References below regarding Canada, Australia, NZ and UK
       • See extensive Canadian materials at the website of the Canadian Internet Policy and Public Interest Clinic (CIPPIC), University of Ottawa, Faculty of Law, Common Law Section http://www.cippic.ca/en/
     • In the US at least 35 states have enacted legislation requiring companies and/or government agencies to disclose data breaches involving personal information.
       • See the list of State Security Breach Notification Laws as of January 9, 2007 at http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
     • Even if new law is not adopted, liability may lie under common and civil law for breach of duty and breach of contract
     • Others argue that a data breach notice obligation is necessarily implied in the country’s data protection law

  6. Background - Why this topic?
     • Individual European countries have specific laws on data breach notification. For example:
       • Mandatory report to data commission - Norway
       • Consumers have the right to make an access request if they believe they are in a class affected by a data breach, and the company must respond within a short time period - Hungary, Malta, Sweden and Germany
     • The EU Commission has just released a proposed Directive as part of its review of the EU regulatory framework for electronic communications networks and services
       • Proposal to require notification of security breaches by network operators and ISPs
       • Limited to companies in the telecommunications sector
       • See comments on the predecessor consultative document in Reports and References below

  7. Background - Why this topic?
     • The operative provision in the new proposed Directive is as follows:
       “In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available communications services in the Community, the provider of publicly available electronic communications services shall, without undue delay, notify the subscriber concerned and the national regulatory authority of such a breach. The notification to the subscriber shall at least describe the nature of the breach and recommend measures to mitigate its possible negative effects. The notification to the national regulatory authority shall, in addition, describe the consequences of and the measures taken by the provider to address the breach.”

  8. Background - Why this topic?
     • It is clearly intended that the generality of the foregoing will be supplemented with “guidance.”
     • The proposed new Directive also states:
       “In order to ensure consistency in implementation of the measures referred to [above], the Commission may, following consultation with the European Electronic Communications Market Authority (hereinafter referred to as “the Authority”), and the European Data Protection Supervisor, adopt technical implementing measures concerning inter alia the circumstances, format and procedures applicable to information and notification requirements referred to in this Article

  9. Background - Why this topic?
     • Requirement that all US federally regulated financial institutions provide data breach notification in appropriate cases
       • See Selected Reports and References below
     • Memo M-07-16 dated May 22, 2007 from the Executive Office of the President orders all Departments and Agencies "to develop and implement a breach notification policy within 120 days." See http://www.dhs.gov/xlibrary/assets/privacy/privacy_attachment6_OMB07-16.pdf

  10. Basics - What information is covered in general?
     • Personal information (PI), but how defined?
     • A common approach is: An individual’s first name or first initial and last name, in combination with any one or more of national ID number, driver’s license number, medical information or financial account number, combined with any required security or access code or password that would permit access to an individual’s financial account.
     • Variations abound
       • Mother’s maiden name
       • Employer-assigned number
       • Digitized or other electronic signature

  11. Basics - What information is covered in general?
     • Any unique biometric data associated with the person
     • Financial account numbers or credit or debit card numbers even without the required access code
     • Catch-all provisions such as any information that can be used to identify a natural person, or PI that could be used to commit identity theft or other forms of fraud
     • Computerized only? Paper too?
       • Most specific US laws apply to electronic PI only
       • Note that the EU Data Protection Directive applies to paper records containing PI if they are in a “system”

  12. Basics - What exceptions?
     • Encrypted PI
       • How strong? Defined in terms of key length, the algorithm used or both?
     • Redacted PI?
       • e.g., card number stored as 6886 9486 ******
     • PI otherwise altered by any method or technology so as to be unreadable by unauthorized persons?
     • Computer locked?
       • E.g., dual authentication from token and password
       • But the hard drive can be removed
     • Certain publicly available information, but what certain public information?
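As an added example that is not part of the deck, the following Python helper encodes the three scoping questions from slides 10 to 12 as a breach-triage check: does a record pair a name with a listed identifier (the common approach), does a bare card number count (the slide 11 variation), and do the encrypted or redacted exceptions take the field out of scope. The field names, the characters treated as redaction marks, and the sample records are all assumptions. Whether a particular encryption scheme is strong enough to qualify is left open on the slide, so the caller decides it by listing the field as encrypted; the code does not judge key length or algorithm.

```python
"""Added example (not from the slides): triage records from a compromised data
set against the 'common approach' definition of covered PI and the encrypted /
redacted exceptions described on slides 10-12. Field names, mask characters
and sample records are constructed assumptions."""
import re
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Identifier fields the common approach lists as sensitive when paired with a name.
BASE_IDENTIFIERS = ("national_id", "drivers_license", "medical_info", "financial_account")

# Mask runs such as the slide's "6886 9486 ******" example; '*', 'x', 'X', '#' assumed.
MASK_RE = re.compile(r"[*xX#]{2,}")

Record = Dict[str, str]


def is_redacted(value: str) -> bool:
    """True when part of the value has been replaced by mask characters."""
    return bool(MASK_RE.search(value or ""))


def exposed(record: Record, fld: str, encrypted: FrozenSet[str]) -> bool:
    """A field is exposed only if present, not in the caller's encrypted set,
    and not redacted. Strength of the encryption is the caller's judgement."""
    value = record.get(fld)
    return bool(value) and fld not in encrypted and not is_redacted(value)


def classify(record: Record,
             encrypted: FrozenSet[str] = frozenset(),
             account_needs_code: bool = True,
             extra_identifiers: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Return (covered, reasons).

    account_needs_code=True follows the common approach (a financial account
    number counts only together with its access code); False follows the
    slide 11 variation (card numbers count even without the code).
    extra_identifiers adds a jurisdiction's variations (mother's maiden name,
    employer-assigned number, ...) as further field names."""
    reasons: List[str] = []
    first = record.get("first_name") or record.get("first_initial")
    if not (first and record.get("last_name")):
        return False, ["no first name/initial plus last name"]
    for fld in (*BASE_IDENTIFIERS, *extra_identifiers):
        if not exposed(record, fld, encrypted):
            continue
        if (fld == "financial_account" and account_needs_code
                and not exposed(record, "access_code", encrypted)):
            reasons.append("financial_account exposed but access code is not")
            continue
        reasons.append(f"{fld} exposed with name")
    covered = any(r.endswith("exposed with name") for r in reasons)
    return covered, reasons


def summarize(records: Iterable[Record], **kwargs) -> Tuple[int, int]:
    """Count covered records and distinct individuals (slide 4: records and
    individuals are not the same thing). Individuals are keyed on first
    initial plus last name, a simplification that is itself an assumption."""
    covered_records = 0
    people = set()
    for rec in records:
        covered, _ = classify(rec, **kwargs)
        if covered:
            covered_records += 1
            first = (rec.get("first_name") or rec.get("first_initial") or "").lower()
            people.add((first[:1], rec.get("last_name", "").lower()))
    return covered_records, len(people)


# Constructed sample data set; the names and numbers are not real.
SAMPLE = [
    {"first_initial": "J", "last_name": "Doe",
     "financial_account": "6886 9486 1234 5678", "access_code": "1234"},
    {"first_initial": "J", "last_name": "Doe",
     "financial_account": "6886 9486 ******", "access_code": "1234"},
    {"first_name": "Jane", "last_name": "Doe",
     "financial_account": "6886 9486 1234 5678"},
    {"first_name": "Ann", "last_name": "Roe", "national_id": "123-45-6789"},
    {"last_name": "Poe", "drivers_license": "D1234567"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(rec))
    print(summarize(SAMPLE))
```

Running the module prints one (covered, reasons) pair per sample record followed by the record and individual counts; the reasons list is what an incident team would attach to each record when documenting why notice is or is not owed under the chosen definition.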

  13. Basics - What triggers the notice obligation?
     • A common approach is: Where covered PI was, or is reasonably believed to have been, acquired by an unauthorized person
     • What happens when you don't know whether it was "acquired"? Is "acquired" the same as "accessed"?
     • Some statutes cover an acquisition that compromises the “integrity” of PI
       • Is a notice obligation triggered if the data is simply erased or corrupted?

  14. Basics - What triggers the notice obligation?
     • The absence of evidence is not evidence of absence
       • Skilled hackers can erase their steps in your system
       • They can disguise the destination of downloaded data
     • Suppose hardware containing the PI is just “lost”
     • This may be the hardest technical issue
     • In the end you may not be able to establish with confidence what happened

  15. Basics - Exception to notice obligation
     • No notice obligation unless there is a “reasonable likelihood” of “X”
     • X =
       • Substantial risk of identity theft or fraud
       • Substantial harm?
       • Harm?
       • Inconvenience?
     • Who determines?
     • This exception is the hardest legislative problem
       • It is the basic cause of the inability of the US Congress to adopt a federal law on the subject
       • See Report GAO-07-737, US Government Accountability Office, in Reports and References below

  16. Basics - To whom does the notice obligation apply?
     • Who
       • Owner of PI?
       • Controller of PI?
       • Processor of PI?
       • Licensee of PI?
       • Data broker?
       • Any person or entity that held the PI and whose security was breached?
     • Exception for specialized rules for governments, financial institutions, health care providers, etc.?
     • What priority among them in fulfilling the notice obligation?
       • May the “owner” or “controller” by contract shift the obligation to give notice to a processor or licensee?
       • Distinguish the responsibility to see that notice is given from the obligation to give notice
       • Application in the outsourcing context
       • What are the liabilities inter se?
     • See also “Jurisdiction” below

  17. Basics - To whom must/should/may notice be given?
     • Individual
     • Regulator
     • Law enforcement authority
     • Credit reporting agencies
     • Credit card issuer
     • Combination?
     • Required sequence?
       • E.g., law enforcement first and individuals later if required

  18. Basics - How must/may/should notice be given?
     • Form
       • Mailed notice to individual
         • Set as default (CA)
       • E-mail
       • Telephone
         • Georgia, Illinois, Washington
       • Fax
         • Indiana
       • Public notice via media (print, radio, television)
         • Available when the cost of individual notice exceeds some amount?
         • Available when not all addresses are known or current?
       • Website
         • Conspicuous posting requirement?
       • Combination
     • How to handle updates?

  19. Basics - What must/may the notice say?
     • General description of what happened?
     • What personal information is involved?
     • What has been done to protect the PI from further unauthorized acquisition?
     • What will be done to assist individuals, such as a contact telephone number, preferably toll-free, for more information and assistance?
     • How to contact credit reporting agencies?

  20. Basics - What must/may the notice say?
     • What individuals can do to protect themselves from further exposure, such as how to effect a security freeze on their credit report?
       • Thirty-nine states and the District of Columbia have laws requiring the credit bureaus to enable consumers to protect their credit files with a security freeze. See http://www.consumersunion.org/campaigns/learn_more/003484indiv.html
     • Right to receive a police report on the incident?
     • Contact information for relevant government agencies?
     • Other sources of relevant information and guidance?
     • How to get updated information?
     • Other?

  21. Basics - How soon must notice be given?
     • Duty of prompt investigation?
     • Notice in a fixed time?
       • E.g., not later than 45 days (Florida)
     • As soon as practicable?
       • California Rule: “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement …, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

  22. The Basics - Jurisdiction – Cross Border and Federalism
     • How do notification regimes work cross border and in a federal system?
     • Suppose the data breach occurs:
       • on a server in your foreign subsidiary?
       • because a laptop with PI on it goes missing in a foreign
     • Suppose the data breach occurs in your country but the PI relates to foreign citizens
     • Can jurisdiction A require entities in jurisdictions B, C and D to give notice to citizens/residents of jurisdiction A when the compromised data was held by citizens of jurisdictions B, C, D etc.?
     • Must the covered entity be “doing business” in A, or is it enough that the PI was PI of a citizen of A?
     • Does national law preempt sub-national law?

  23. Remedies – Who enforces?
     • National government
     • Functional or specialized regulator
     • State/provincial government
     • Fines or civil remedies available? If so, what?
     • Private right of action?
       • In whom?
       • In contract?
       • In tort (negligence)?
       • Both?
       • Class action permitted?
       • What is the measure of damages, if any?

  24. Remedies – Info Security Standards
     • Most remedies raise the issue of what information security standards the data holder is held to in contract or in tort
     • An important standard in the US is the Payment Card Industry Data Security Standard (PCI DSS); see http://usa.visa.com/merchants/risk_management/cisp.html
       • Requires all “merchants” (i.e. anyone accepting credit card payments) to implement the PCI DSS
       • Standard requirements scaled to annual transaction volume
       • Reporting obligation set forth at “What To Do If Compromised”

  25. Remedies – Info Security Standards
     • If the issuing association determines that an entity has been deficient or negligent in reporting or investigating the loss of information, the issuing association may:
       • Fine the merchant or its agent
       • Impose restrictions on the merchant or its agent, or
       • Permanently prohibit the merchant or its agent from participating in programs of the issuing association
     • However, PCI DSS is sector specific
     • If not these standards, what standards?
       • ISO/IEC 17799?
       • NIST 800 Series? (set of documents that describe US federal government computer security policies, procedures and guidelines)
       • HIPAA Security Standards (standards applicable to medical information)
       • Safeguards Rule of the US Federal Trade Commission (sets standards for safeguarding customer information by those subject to FTC jurisdiction under the Gramm-Leach-Bliley Act). See http://www.ftc.gov/bcp/edu/microsites/idtheft/business/safeguards.html

  26. Remedies – Info Security Standards
     • California law AB 1950
       • First state to impose a general information security standard on businesses that maintain PI
       • Effective on January 1, 2005
       • Effectively a companion bill to SB 1386
       • Requires businesses that own or license PI about California residents to implement and maintain reasonable security procedures and practices
       • Note the jurisdiction issue - in effect it imposes a national security standard
       • Exemption for financial institutions, or entities governed by HIPAA privacy rules
       • The definition of "reasonable security measures" says only "procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification or disclosure”
       • Also, businesses that disclose personal information to nonaffiliated third parties must contractually require those entities to maintain reasonable security procedures

  27. US Litigation triggered by notice
     • Potential of consumer or other notification to trigger tort and other civil liability. See:
       • Bell et al. v. Michigan Council 25 of the AFL-CIO, No. 246684, Wayne County Michigan Court of Appeals, February 15, 2005.
       • Guin v. Brazos Higher Education Service Corp., Inc., Civ. No. 05-668 (RHK/JSM) (U.S.D.C., D. MN, Feb. 7, 2006).
       • FTC v. Designer Shoe Warehouse http://www.ftc.gov/opa/2005/12/dsw.htm
       • FTC v. BJ’s Wholesale Club http://www.ftc.gov/opa/2005/06/bjswholesale.htm

  28. US Litigation triggered by notice
     • Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007). See detailed discussion at http://www.klgates.com/newsstand/Detail.aspx?publication=3966
     • Pisciotta et al. v. Old National Bancorp http://www.ca7.uscourts.gov/fdocs/docs.fwx?submit=rss_sho&shofile=06-3817_024.pdf

  29. The Mother of All Cases - TJX
     • In January 2007 The TJX Companies, Inc., a Massachusetts-based retailer with 2,500 stores, disclosed a security breach
     • TJX disclosed in filings with the U.S. Securities and Exchange Commission that at least 45.7 million credit and debit card numbers from customers in the United States, Britain and Canada were stolen
     • Largest single data breach to date at 45.7 million
     • Suit against TJX by multiple financial institutions that are seeking class action status. The banks claim that the breach actually affected 94 million separate card holder accounts
     • Lawsuits and investigations by the U.S. Federal Trade Commission and the Attorneys General of several states
     • Investigation by Canadian privacy commissioners and a report concluding that TJX failed to take adequate measures to protect card holder data
     • Proposed settlement of consumer class action lawsuits that includes credit and ID theft monitoring services and forms of reimbursement for affected individuals

  30. Selected Reports and References
     • Australian Law Reform Commission, Discussion Paper 72, Review of Australian Privacy Law (see Chapter 47). http://www.austlii.edu.au/au/other/alrc/publications/dp/72/
     • Introduction to Privacy Breach Notifications - Information Paper to accompany draft Privacy Breach Guidance Material. Office of the New Zealand Privacy Commissioner, August 2007. www.privacy.org.nz/filestore/docfiles/560990.doc
     • Recommended Practices on Notice of Security Breach Involving Personal Information. California Department of Consumer Affairs, Office of Privacy Protection, February 2007. http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf
     • Approaches to Security Breach Notification: A White Paper. Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa, January 2007. www.cippic.ca/documents/bulletins/BreachNotification_9jan07-web.pdf

  31. Selected Reports and References
     • Canadian Parliamentary Review of the Personal Information Protection and Electronic Documents Act (PIPEDA), May 2007. http://cmte.parl.gc.ca/cmte/CommitteePublication.aspx?COM=10473&Lang=1&SourceId=204322
     • TRUSTe Security Guidelines 2.0, November 2005. Contains an extensive checklist on notification practices. http://www.truste.org/pdf/SecurityGuidelines.pdf
     • Gramm-Leach-Bliley Act Security Breach Notification Rule: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, available at www.occ.treas.gov/consumer/Customernoticeguidance.pdf
     • Comment of the US FTC on the EU Framework proposal. http://useu.usmission.gov/Dossiers/Internet_Telecoms/Dec2006_FTC_Comments.asp

  32. Selected Reports and References
     • Comment of the Software & Information Industry Association (SIIA) on the EU Framework proposal. www.siia.net/govt/docs/pub/SIIA_TemplateResponse_20061026.pdf
     • House of Lords report, "Personal Internet Security," at the UK Parliament site. http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf
     • Report GAO-07-737, US Government Accountability Office, "Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown," June 2007. http://www.gao.gov/new.items/d07737.pdf
     • California Data Breach law (SB 1386). http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

  33. THANK YOU FOR YOUR ATTENTION QUESTIONS? COMMENTS?
