
Data Security Breach Notification Requirements GLBA, FTC, FFIEC, Oh My






Presentation Transcript


    1. Data Security Breach Notification Requirements GLBA, FTC, FFIEC, Oh My
       Jonathan D. Jaffe, Esq., K&L Gates LLP

    2. Data Security Breach Notification Requirements - Gramm-Leach-Bliley Safeguards Rule
       - The Gramm-Leach-Bliley Act Safeguards Rule (16 C.F.R. Part 314) applies to “financial institutions” that maintain non-public “customer information”.
       - Requires financial institutions to develop, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards that are appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue.
       - There is no explicit data breach notification requirement in the generally applicable regulations, although one might be inferred (e.g., from the duty of “responding to attacks”).

    3. Data Security Breach Laws - Interagency Guidance
       - Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
       - Issued by the OCC, FRB, FDIC, and OTS under the authority of the Gramm-Leach-Bliley Act.
       - Applies only to regulated banking/depository institutions (and their operating subsidiaries).

    4. Data Security Breach Laws - Interagency Guidance (Cont.)
       At a minimum, an institution’s response program should contain procedures for:
       - Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused.
       - Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.

    5. Data Security Breach Laws - Interagency Guidance (Cont.)
       - Sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account.
       - Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password, or password and account number.

    6. Data Security Breach Laws - Interagency Guidance (Cont.)
       The response program should also contain procedures for:
       - Consistent with the Agencies’ Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR, in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing.
       - Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.
       - Notifying customers if the institution determines that misuse of its information about a customer has occurred or is reasonably possible.

    7. Data Security Breach Laws - Interagency Guidance (Cont.)
       Notice should be clear and conspicuous and should include:
       - A description of the incident.
       - The type of information involved.
       - The measures taken to protect against further access.
       - A telephone number to call for information and assistance.
       - A reminder to customers to remain vigilant over the next 12 – 24 months.

    8. Data Security Breach Laws - Interagency Guidance (Cont.)
       Notice should be delivered in a manner that ensures the customer can reasonably be expected to receive it:
       - Telephone.
       - Mail.
       - Email, if you have a valid email address and the consumer has agreed to receive communications electronically.

    9. Data Security Breach Laws – FTC Act
       - The Federal Trade Commission Act (15 U.S.C. §§ 41-58) prohibits “unfair” or “deceptive” trade practices.
       - Even if a company is not a “financial institution” subject to the GLBA, the FTC may bring an enforcement action if it determines that the company’s data security practices are “unfair”.

    10. Data Security Breach Laws – FTC Act (Cont.)
        Case Study – In the Matter of Reed Elsevier Inc. and Seisint, Inc.
        - Reed Elsevier Inc. (“REI”) sells access to Lexis-Nexis databases that contain information regarding millions of consumers and businesses from public and nonpublic sources, including motor vehicle records and consumer identification information from credit reporting agencies.
        - REI charges customers a fee to search for and retrieve information from its databases.

    11. Data Security Breach Laws – FTC Act (Cont.)
        Case Study – In the Matter of Reed Elsevier Inc. and Seisint, Inc.
        - The FTC alleged that REI failed to establish or implement reasonable policies and procedures governing the creation and authentication of user credentials for authorized customers accessing the databases.
        - The FTC claimed that this failure was an unfair practice in violation of Section 5(a) of the FTC Act, because it created an unreasonable risk of unauthorized access.
        - REI entered into a consent agreement with the FTC under which it agreed to reform its data security practices and submit to periodic third-party auditing.

    12. Data Security Breach Laws – State Data Security Breach Laws
        State Data Security Breach Notification Statutes.
        - Approximately 44 states have enacted a statute requiring a company to notify state residents if the security of certain sensitive customer information is breached.
        - While there are many commonalities, there are also many differences.
        - When faced with applying the laws of 44 states to a breach that is national in scope, you need to look at each state’s law; as to each consumer, the better practice is to apply the law of the state in which the consumer resides.

    13. Data Security Breach Laws – State Data Security Breach Laws (Cont.)
        - Most laws apply to sensitive information. What constitutes “sensitive information” varies by jurisdiction.
        - In California, “personal information” is an individual’s first name or first initial and last name, in combination with any one or more of: (a) social security number (SSN); (b) driver’s license number (DLN) or California ID number; or (c) account number, credit card number (CCN) or debit card number (DCN), in combination with any required security or access code or password that would permit access to an individual’s financial account.

    14. Data Security Breach Laws – State Data Security Breach Laws (Cont.)
        State Data Security Breach Notification Statutes.
        - In Nebraska, “personal information” is defined similarly to the above, but also includes an individual’s first name or first initial and last name in combination with: (a) a unique electronic identification number or routing code, in combination with any required security code, access code or password; or (b) unique biometric data, such as fingerprint, voice print, or retina or iris image, or other unique physical representation.

    15. Data Security Breach Laws – State Data Security Breach Laws (Cont.)
        - Notification requirements also vary by state. For example, in New York, the company must not only notify affected consumers, but also state law enforcement agencies.
        - See http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm for the list of state data security breach laws published by the National Conference of State Legislatures as of December 2008.

    16. Data Security Breach Laws – State Data Security Breach Laws (Cont.)
        - A risk assessment may be necessary to determine whether notification is necessary.
        - Some states’ statutes apply only if the data was unencrypted, while others (including the federal banking interagency guidance) have no similar limitation.
        - Some states require notification whenever data is accessed by an unauthorized person, while others require notification only if the company determines that the data is reasonably likely to be misused (i.e., immaterial breaches need not be reported).

    17. Data Security Breach Laws – State Data Security Breach Laws (Cont.)
        - Some states require loss or injury.
        - Some states permit the institution to work with law enforcement agencies before notifying the consumer, while others impose set time limits.
        - There may be civil or criminal penalties.
        - A number of states have no private right of action.

    18. Data Security Breach Laws – State Data Security Breach Laws (Cont.)
        - Missouri is considering a law that would make the state the 45th with a breach notice law and the first to have criminal penalties for a failure to notify individuals of a data security breach involving their personal information.
        - Other states are considering new breach liability provisions; e.g., a New Jersey bill would establish retailer liability to banks for breaches of payment card data and would also subject every entity covered by the state’s existing data breach notification law to liability to banks for breaches of any protected personal information.
        - Congress is considering, but has yet to enact, a nationwide law for consumer notification.

    19. Data Security Breach Laws
        THANK YOU
        Jonathan D. Jaffe, Esq.
        K&L Gates LLP
        4 Embarcadero Center, Suite 1200
        San Francisco, CA 94111
        direct: 415.249.1023
        fax: 415.882.8220
        jonathan.jaffe@klgates.com
