by Steve Helland
June - July 2006


Businesses must now notify customers of possible identity thefts

The majority of these breaches resulted from either the theft of laptop computers containing sensitive information or Web site hacking, according to the Privacy Rights Clearinghouse.

Under a law passed during the 2005 state legislative session, as of January 1 of this year, Minnesota businesses that own or license personal information must disclose in writing any computer security breach if an unauthorized person acquired, or is reasonably believed to have acquired, access to the personal information. Previously, most Minnesota businesses were not required to notify individuals if their personal information had been stolen.

New requirements

The new Minnesota law applies to any person or business that does business in this state if the person or business owns or licenses any personal information belonging to a Minnesota resident. The notification requirement applies only to the improper acquisition of “computerized data” and not to information on paper records.

“Personal information” is defined as a person’s first name or initial along with their last name, combined with any one of the following: a Social Security number; a driver’s license number or Minnesota state ID number; or an account number or credit card number with a security code that would permit a person to access the account.

The affected person must be notified in writing of the security breach. In addition, if a security breach affects more than 500 people in a single incident, the company must provide notice to all national consumer-reporting agencies, such as Equifax and Experian, within 48 hours. The Minnesota attorney general is charged with enforcing this law, which doesn’t include an explicit right for individuals to bring a civil suit.

Businesses covered under the Health Insurance Portability and Accountability Act (HIPAA) and financial institutions covered under the Gramm-Leach-Bliley Act (GLBA) are exempt from the new Minnesota law. However, these businesses may be subject to the unique reporting requirements of HIPAA and GLBA. At the time of this writing, there is talk among legislators that this exemption may be closed.

Currently, there is no federal law that applies to all security breaches involving personal information, although several competing bills before the U.S. Congress seek to change that. Federal law does, however, prohibit “unfair” and “deceptive” trade practices generally. Further, industry-specific laws such as HIPAA and GLBA may require covered businesses to provide notice of security breaches involving personal information.

Today, more than 23 states, including North Dakota, California, New York, Texas and Illinois, have passed laws similar to Minnesota’s. The state laws vary as to what constitutes a breach, whether any security breach or only a computer breach is covered, the type of notice required, and the legal remedies available.

Unlike Minnesota’s law, a number of other states allow civil suits for damages, attorney fees and civil penalties. As challenging as it is, Minnesota businesses operating in these other states are responsible for complying with their laws.

Costly violations

For years the Federal Trade Commission (FTC) has held that if a business makes a specific privacy or security promise in its own privacy policy, it is an illegal “deceptive trade practice” for that business to violate its own policy.

For example, in 2004 Petco Animal Supplies Inc. paid to settle a claim brought by the FTC alleging that Petco engaged in a deceptive trade practice. In its privacy policy, Petco claimed that protecting customer information “is our No. 1 priority and your personal information is strictly shielded from unauthorized access.” In fact, however, the FTC said, Petco failed to take fairly basic security measures to protect customer information, including credit card information, from hackers.

The FTC’s approach to privacy and security issues grew more expansive and aggressive in the 2005 case of BJ’s Wholesale Club. As a result of what the FTC called BJ’s failure to encrypt or take other common security measures with its customer credit card data, unauthorized individuals copied the data and ran up fraudulent charges.

BJ’s had not made any security or privacy promises in a privacy policy or similar document. In its complaint against BJ’s, the FTC took the position that even though BJ’s did not make any privacy or security promises, it was nevertheless an illegal and “unfair” trade practice to fail to take minimal reasonable security measures.

How to protect

All businesses, even those not in heavily regulated industries such as health care or finance, should:

• implement reasonable physical, electronic and procedural security measures to protect all sensitive data including customer data;

• perform a self-audit to ensure the business complies with its own privacy and security policies; and

• prohibit or limit employees from downloading personal information onto portable devices such as laptops and Blackberry devices that are easily lost or stolen.

In the event of a security breach, a business’s top priority should be to address the immediate technical issues, close the breach, and minimize any further loss or exposure of sensitive data. The company should also preserve evidence of the breach and consider contacting the police or FBI as well as its insurance company.

Once the breach has been sealed, the business should consider its legal obligations. First, the business should determine whether Minnesota’s or any other state’s security breach disclosure law applies.

A business’s own privacy policy and past enforcement actions by the FTC may also shape a company’s legal response. Even if a business is not legally required to disclose a security breach, consider whether customer relations or other factors weigh in favor of letting your customers know.

If you choose this path, work with legal counsel to ensure your notice satisfies all the applicable requirements and does not aggravate your situation by defaming others or unnecessarily admitting liability where none may exist.