WikiLeaks Document Release http://wikileaks.org/wiki/CRS-RS22374 February 2, 2009 Congressional Research Service Report RS22374 Data Security: Federal and State Laws Gina Marie Stevens, American Law Division January 12, 2007 Abstract. Security breaches involving electronic personal data have come to light largely as a result of the California Security Breach Notification Act, a California law that went into effect in 2003. In response to frequently occurring breaches of personal data, many states passed laws that would require companies to notify persons affected by such security breaches. By December 2006, 34 states had enacted data security laws. Numerous data breach notice and data security bills were considered in the 109th Congress, but not passed. This report provides a discussion of federal and state data breach notice and data security laws. Order Code RS22374 Updated January 12, 2007 Data Security: Federal and State Laws Gina Marie Stevens Legislative Attorney American Law Division Summary Security breaches involving electronic personal data have come to light largely as a result of the California Security Breach Notification Act, a California law that went http://wikileaks.org/wiki/CRS-RS22374 into effect in 2003. In response to frequently occurring breaches of personal data, many states passed laws that would require companies to notify persons affected by such security breaches. By December 2006, 34 states had enacted data security laws. Numerous data breach notice and data security bills were considered in the 109th Congress, but not passed. This report provides a brief discussion of federal and state data breach notice and data security laws. The security of personal information and risks to data are paramount concerns addressed in federal and state law, legislation, and regulations. The public disclosure of breaches of customer databases in 2005 heightened interest in the business and regulation of data brokers.1 Data brokers collect personal information from public and private records and sell this information to public and private sector entities for many purposes, from marketing to law enforcement and homeland security purposes.2 Recent data security breaches illustrate (1) the risks associated with collecting and disseminating large amounts of electronic personal information, (2) the increased visibility of data security breaches as a result of consumer notice requirements, and (3) the potential risk of harm or injury to consumers from identity theft crimes (e.g., credit card fraud, check fraud, mortgage fraud, health-care fraud, and the evasion of law enforcement). One result of the highly publicized breaches of personal data security has been a new focus on establishing 1 "In particular, two types of businesses exist in this industry: (1) `individual reference services providers' (IRSPs), which sell `profiles' and other reports containing confidential personal information about individuals; and (2) `marketing list brokers,' which sell lists of names, mailing addresses or electronic mail addresses of individuals, grouped by characteristics, conditions, circumstances, traits, preferences or mode of living." Federal Trade Commission, Individual Reference Services: A Federal Trade Commission Report to Congress (Dec. 17, 1997), available at [http://www.ftc.gov/os/1997/12/irs.pdf]. 2 CRS Report RS22137, Data Brokers: Background and Industry Overview. CRS-2 security standards for safeguarding customer information3 and imposing security breach notification obligations on entities that own, possess, or license sensitive personal information. Although no single federal law governs data brokers, other statutes and regulations may be applicable. A review of the laws regulating the use and disclosure of information collected by information brokers appears in CRS Report RL33005, Information Brokers: Federal and State Laws, by Angie A. Welborn. In the late 1990s, the Federal Trade Commission (FTC) endorsed self-regulation for the information broker industry as an alternative to comprehensive federal privacy regulation.4 The FTC also endorsed industry adherence to a set of principles promulgated by the Individual References Service Group (IRSG) to address most of the concerns associated with the increased availability of nonpublic information.5 Some of the largest information brokers that disclosed data security breaches in 2004 and 2005, such as Axicom and Choicepoint, had signed on to the IRSG principles for the protection of nonpublic information. Federal Data Security Standards. Certain sectors are currently subject to legal obligations to protect sensitive personal information. These obligations were created, in http://wikileaks.org/wiki/CRS-RS22374 large part, through the enactment of federal privacy legislation in the financial services, health-care, government, and Internet sectors. Federal regulations that support federal privacy laws impose obligations on covered entities, requiring them to implement information security programs that protect personal information.6 The Department of Veterans Affairs Information Security Act of 2006 requires the Veterans Administration (VA) to implement agency-wide information security procedures, including limiting access to sensitive information.7 The law also requires the VA to include data security requirements in all contracts with private-sector service providers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the Secretary of Health and Human Services to issue a rule to implement security 3 Consumer data broker ChoicePoint, Inc., which in 2005 acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, recently agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional until 2026. U.S. v. ChoicePoint Inc. (D. Ct. for the Northern District of Georgia, Atlanta Division), FTC File No. 052-3069 (Jan. 26, 2006), available at [http://www.ftc.gov/opa/2006/01/choicepoint.htm]. 4 CRS Report RL30322, Online Privacy Protection: Issues and Developments, by Gina Stevens. 5 Individual Reference Services Industry Principles (Dec. 15, 1997), available at [http://www.ftc.gov/os/1997/12/irsappd.pdf]. 6 Thomas J. Smedinghoff, The New Law of Information Security: What Companies Need To Do Now, 22 The Computer & Internet Lawyer 9 (Nov. 2005). 7 P.L. No. 109-461 (Dec. 22, 2006). CRS-3 standards for health information.8 The HIPAA Security Standards Rule, which went into effect in April 2005, requires health-care-covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic-protected health information; to protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and to protect against any unauthorized uses or disclosures of such information.9 The Children's Online Privacy Protection Act of 1998 (COPPA) requires an owner or operator of a website or online service directed to children, or any operator that collects or maintains personal information from a child, to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.10 The FTC's Safeguards Rule, issued to implement provisions of the Gramm-Leach-Bliley Act of 1999 (GLBA), requires financial institutions to have an information security plan that contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personal consumer information.11 Interagency guidance issued by the federal banking regulators to implement provisions of the Gramm-Leach-Bliley Act of 1999 requires covered entities to implement information security programs to ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to the security or integrity of such http://wikileaks.org/wiki/CRS-RS22374 information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.12 The Federal Information Security Management Act of 2002 requires federal government agencies to provide information security protections for agency information and information systems to provide integrity, confidentiality, and availability.13 Under the Federal Trade Commission Act, the Commission is empowered, among other things, to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.14 Using its authority under Section 5, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' 8 P.L. 104-191, tit. II, subtitle f, § 262, 110 Stat. 2025, 42 U.S.C. §§ 1320d et seq.; see CRS Report RS21505, Compliance with the HIPAA Medical Privacy Rule, by Gina Marie Stevens. 9 HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. Part 164 (Feb. 20, 2003); see CRS Report RL30620, Health Information Standards, Privacy, and Security: HIPAA's Administrative Simplification Regulations, by C. Stephen Redhead. 10 15 U.S.C. § 6501 et seq., 16 C.F.R. Part 312; see CRS Report RL31408, Internet Privacy: Overview and Pending Legislation, by Marcia S. Smith. 11 Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information, 16 C.F.R. Part 314. 12 Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision); see CRS Report RS20185, Privacy Protection for Customer Financial Information, by M. Maureen Murphy. 13 44 U.S.C. § 3541 et seq.; see CRS Report RL32357, Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives, by John Moteff. 14 15 U.S.C. §§ 41-58. CRS-4 personal information. In BJ's Wholesale Case, the FTC developed and imposed security procedures pursuant to its jurisdiction over unfair and deceptive trade practices.15 The settlement requires BJ's to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires BJ's to obtain an audit from a qualified, independent third-party professional that its security program meets the standards of the order and to comply with standard bookkeeping and record-keeping provisions. Federal Data Breach Notification Standards. The imposition of security breach notification obligations on entities that own, possess, or license sensitive personal information is a relatively new phenomenon. As discussed below, California was the first jurisdiction to enact a data breach notification law in 2002. Subsequently, numerous federal and state bills emerged to impose notification requirements on entities that collect sensitive personal information. Both the Response Program Guidelines issued in March 2005 by the federal banking regulators to interpret the requirements of the GLBA16 and the Security Guidelines require implementation of a response program to address unauthorized access to or use of http://wikileaks.org/wiki/CRS-RS22374 customer information maintained by a financial institution or its service provider that could result in substantial harm or inconvenience to any customer, and require disclosure of a data security breach if the covered entity concludes that "misuse of its information about a customer has occurred or is reasonably possible."17 Pursuant to the guidance, substantial harm or inconvenience is most likely to result from improper access to "sensitive customer information."18 At a minimum, an institution's response program should contain procedures for (1) assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused; (2) notifying its primary federal regulator when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information; (3) consistent with the Agencies' Suspicious Activity Report 15 In the Matter of BJ's Wholesale Club, Inc., File No. 042 3160 (Sep. 23, 2005), available at [http://www.ftc.gov/os/caselist/0423160/0423160.htm]; see also note 3, infra. 16 Section 501(b) required the Agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to (1) ensure the security and confidentiality of customer information, (2) protect against any anticipated threats or hazards to the security or integrity of such information, and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. 15 U.S.C. 6801. 17 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Part III of Supplement A to Appendix, at 12 C.F.R. Part 30 (OCC), 12 C.F.R. Part 208 (Federal Reserve System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision), 70 Fed. Reg. 15736 - 15754 (March 29, 2005). 18 "Sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number." 70 Fed. Reg. 15736-15754 (Mar. 29, 2005). CRS-5 ("SAR") regulations, notifying appropriate law enforcement authorities; (4) taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information (e.g., by monitoring, freezing, or closing affected accounts and preserving records and other evidence); and (5) notifying customers when warranted. Customer notice may be delayed for a law enforcement criminal investigation. The Department of Veterans Affairs Information Security Act of 2006 requires the VA to issue interim regulations providing for notice to veterans in case of breach of their personal data.19 The law was enacted to respond to the breach of the personal data of 26.5 million veterans.20 The VA is required to notify law enforcement and certain congressional committees when a data breach occurs. If unauthorized access to sensitive personal information occurs, the VA must perform a risk analysis. If this reveals a "reasonable risk" for misuses of the information, the VA is required to notify those affected and provide free credit monitoring services. State Data Breach Notification Laws. The first data security law was enacted in California in 2002. S.B. 1386, the California Security Breach Notification Act,21 requires entities to notify customers of security breaches involving their personal http://wikileaks.org/wiki/CRS-RS22374 information. California requires a state agency, or any person or business that owns or licenses computerized data that includes personal information, to disclose any security breach of data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. A "breach of the security of the system" is defined by the California law as the "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." Personal information is defined as the first name or initial and last name of an individual, with one or more of the following: Social Security Number, driver's license number, credit card or debit card number, or a financial account number with information such as PIN numbers, passwords, or authorization codes that could gain access to the account. California provides three exemptions to the notification requirement: for personal information in encrypted form; for criminal investigations by law enforcement; and for breaches that are either immaterial or not "reasonably likely to subject the customers to unauthorized disclosure of personal information." California requires notice be given in the "most expedient time possible and without unreasonable delay," either in writing or by e-mail. If a company can show that the cost of notification will exceed $250,000, that more than 500,000 people are affected, or that an individual's contact information is unknown, notice may be given through media outlets. Since enactment of the California breach notification law, major data security breaches have been disclosed by several of the nation's largest information brokerage firms, retailers, universities, and federal and state government agencies.22 The security 19 P.L. No. 109-461 (Dec. 22, 2006). 20 See CRS Report RL33612, Department of Veterans Affairs: Information Security and Information Technology Management Reorganization, by Sidath Viranga Panangala. 21 Cal. Civ. Code § 1798.82. 22 See generally CRS Report RL33199, Personal Data Security Breaches: Context and Incident (continued...) CRS-6 breaches disclosed in 2005 tended to involve either the creation of fraudulent accounts, stolen laptops or computers, hacking, compromised passwords, insider or employee theft, or lost or misplaced discs or back-up tapes. In response to numerous disclosures of security breaches and public concern, and in the absence of a comprehensive federal data security or data breach notification law, many states have enacted laws requiring consumer notice of security breaches of personal data. The majority of states have introduced or passed bills that would require companies to notify persons affected by security breaches and, in some cases, to implement information security programs to protect the security, confidentiality, and integrity of data.23 As of December 2006, 34 states had enacted data security laws.24 The two predominant themes are consumer notification requirements in the event of a data breach and consumer redress. A chart highlighting differences in selected major provisions of the state data breach notification laws was compiled by BNA.25 Most of the statutes cover private entities and government agencies. The states also impose obligations on service providers to notify the owner or licensor of the data of a breach that occurs. Many of the state laws follow the basic framework of the California breach notification law. The majority of state laws apply to electronic or computerized data only. Notice provisions http://wikileaks.org/wiki/CRS-RS22374 addressed by the states include description of triggering events, consideration of the level of harm or the risk of misuse that triggers notification, recipients of notification, timing of notice, method of notification, and content of notice. In addition, state laws include exemptions for entities that are regulated under federal privacy laws (e.g., the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, or the Interagency Guidelines); expanded definitions of "personal information"; notification requirements to consumer reporting agencies for customers affected by security breaches of personal information; civil penalties for failure to promptly notify customers of a security breach; requirements for the implementation of information security programs; creation of a private right of action to recover actual damages from businesses for failure to notify customers of a security breach in a timely manner; providing consumers the right to place a credit freeze on their credit report; restrictions on the sale and use of social security numbers; and enhanced criminal penalties for identity fraud. 22 (...continued) Summaries, by Rita Tehan (Table 1 summarizes selected data security breaches since 2000). 23 Thomas J. Smedinghoff, Security Breach Notification -- Adapting to the Regulatory Framework, 21 The Review of Banking & Financial Services 115-124 (Dec. 2005). 24 Alabama, Alaska, Arizona, California, Colorado, Delaware, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Utah, Vermont, Virginia, West Virginia, and Wisconsin. 2006 Breach of Information Legislation, National Conference of State Legislatures at [http://www.ncsl.org/programs/lis/CIP/priv/breach06 .htm]; see also 50 State Surveys: Financial Services Security Breach Legislation (West 2005); "New Data Security Laws Take Effect in Several States," 75 U.S. Law Week 2388 (Jan. 9, 2007). 25 "State Breach Notice Laws Have Similarities, But Significant Differences Require Attention," 89 BNA Analysis & Perspective 176 (Aug. 12, 2005) (hypertext "Links to Text of State Data Security Breach Consumer Notification Laws" chart included on p. 180).