OUTSOURCING LAW

Insights on Effective Outsourcing from Bierce & Kenerson, P.C.


Identity Theft Laws Affecting Outsourcing:
What Employers, Enterprises and Service Providers Need to Know in 2006

© 2006 William B. Bierce.  All rights reserved.

    Data integrity is the cornerstone of an information society.  Millions of Americans have been exposed to the risk of identity theft.  Losses of personal data can arise from negligence, poor management, extortion and hacking.  From 2005 to 2006, the number of security lapses inspired different types of legislation at the federal, state and local levels, including pending comprehensive federal legislation that would pre-empt affected state legislation.  This article reviews new legislation in New York and at the federal level and offers a perspective on the future threats and opportunities for enterprise customers, business process service providers and anyone submitting personal information to government for compliance with laws.

    Opportunities and Challenges for Outsourcing Lawyers.  These new laws seek to impose civil and criminal penalties for lax security in data processing involving non-public personal data.  Compliance issues are now greater than ever.  BPO service providers will need to ensure proper data handling, and enterprise customers hiring outsourcers will need to conduct careful due diligence.  A "flight to quality" will likely occur, as the best, most technologically secure service providers continue to gain new business.  Security as a service will blossom, helping enterprises manage their own internal risks as well.

            For sourcing managers, lawyers and compliance officers at both enterprise customers and global service providers, data privacy issues are presenting new challenges.  In addition to more stringent civil and criminal penalties, new privacy laws are creating a patchwork of conflicting laws.  Conflicts are emerging between  

  • public policies favoring retention and record keeping for audit, control and discovery in litigation (failing which sanctions could include a direction to the jury to disregard a party’s defense that would have been supported by the “lost” or destroyed documentary evidence); and
  • public policies favoring destruction of personal data; and
  • public policies favoring business (to limit liability from errors in data handling) and those favoring consumers (to enable class actions and remediation for new privacy torts).

Conflicts of law due to conflicting policies and different laws can generate Force Majeure excuses for non-performance.  The lack of uniformity hurts business, but the lack of privacy also hurts business by eroding confidence.  

In the internal assessment, planning and vendor selection phases, privacy rights should be considered in defining processes suitable to the risks involving privacy and security breaches.  Encryption and security deserve greater scrutiny by all persons handling personal data.  

At the bargaining table, the need to identify and allocate contractual liabilities in the face of such conflicts of law will spark a frank and open debate between enterprise customers and service providers on how their relationship should be structured and managed to manage the privacy compliance risks.  An experienced outsourcing lawyer can help mitigate, manage and allocate risks.

    International Trade Regulation: Coming up Short.  The World Trade Organization agreements protect trade secrets better than they protect "personal, non-public information."  There is no WTO agreement, except perhaps for the General Agreement on Trade in Services, for the protection of such information as a valid subject for multinational trade regulation.  Even that agreement expressly reserves the rights of Member states to be free from any multilateral obligation "to require any Member to furnish any information, the disclosure of which it considers contrary to its essential security interests."    GATS, Art. Ibis, Sec. 1(a).

    This anomaly arises from the fact that the WTO (and its predecessor the General Agreement on Tariffs and Trade, or GATT) originated in the pre-Information Age, where trade meant trade in goods.   The Doha Round (from 2001 through its scheduled end in 2006) has focused on trade in agricultural goods and does not focus on identity theft or privacy rights.  

We recognize that under WTO rules no country should be prevented from taking measures for the protection of human, animal or plant life or health, or of the environment at the levels it considers appropriate, subject to the requirement that they are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where the same conditions prevail, or a disguised restriction on international trade, and are otherwise in accordance with the provisions of the WTO Agreements. Doha WTO Ministerial Declaration 2001, MINISTERIAL DECLARATION WT/MIN(01)/DEC/1 (20 November 2001), adopted on 14 November 2001.

In short, the WTO comes up short in setting standards for data protection.

    Federal Law Enforcement.  According to FTC estimates, more than 27 million Americans suffered some loss of privacy over their identity in 2003.  In response, on May 10, 2006, President Bush signed an executive order creating a multi-agency Identity Theft Task Force.  The Executive Order calls for research on particular subject matters, such as criminal law enforcement or private sector education and outreach.

    The President's order underscored three basic enforcement policies:

(a) increased aggressive law enforcement actions designed to prevent, investigate, and prosecute identity theft crimes, recover the proceeds of such crimes, and ensure just and effective punishment of those who perpetrate identity theft;

(b) improved public outreach by the Federal Government to better (i) educate the public about identity theft and protective measures against identity theft, and (ii) address how the private sector can take appropriate steps to protect personal data and educate the public about identity theft; and

(c) increased safeguards that Federal departments, agencies, and instrumentalities can implement to better secure government-held personal data.

This law enforcement strategy may involve significant opportunities for supporting services in the fields of prevention, education and remediation.  Participation of business process service providers will follow the carrot-and-stick model, with some new services being offered for profit, and some old services (any BPO process that involves personal data) becoming more regulated.

    Federal Laws.  Unlike the European Union Data Protection Directive, U.S. federal legislation adopts a piecemeal approach to the protection of unpublished personal information.  

    EU Data Protection Principles.  The EU data protection principles, adopted in 1995  under Directive 95/94/EC, are becoming a reality as pending U.S. federal legislation seeks to adopt various core European data protection principles:

  • limiting use of personal data to stated purpose;

  • maintaining data accuracy;

  • retaining data only as needed for processing;

  • transparency of the uses and methods of processing of personal data;

  • security and confidentiality;

  • rights of access, rectification, deletion and objection;

  • special security for sensitive data (such as health data);

  • opt-out rights for personal data used for marketing purposes;

  • limiting "automated decisions" on creditworthiness or other business use of personal data unless there is a contractual basis or statutory protection.  

    Protection of Data by Data Class of Individual and Types of Data.  This lack of coordination is well known. 

  • One law (HIPAA) protects "protected health information" of individuals as medical patients and insureds.

  • Another law (GLB) protects consumer information submitted to financial services, insurance and broker-dealer companies in connection with financial matters. 

  • Another law (the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act) protects Social Security numbers and other non-public information relating to the finances of individuals.

  • Other laws, such as those governing Social Security and income taxation, protect Social Security numbers, tax records and other documents submitted to the government for use in administering the laws. 

    This lack of coordination continues in Congress as of June 2006.  Pending legislation would protect (or add to protections of) the following particular classes of individuals and data:

  • drivers' licenses;

  • voter registration cards;

  • telephone calling records;

  • financial data;

  • health information, including drug addiction treatment records;

  • military personnel and veterans of military service;

  • income tax refunds for individual taxpayers;

  • any "source of information or include any information that could reasonably be expected to lead to the discovery of the identity of such a source" (i.e., undercover government agents and informants), HR 3323, 109th Cong., 2nd Sess.;

  • personal information of the deceased; and

  • immigration records.

    Protection against Deceptive Practices.  The Federal Trade Commission already has a number of rules governing deceptive trade practices in connection with personal information.  

    Protection of Bank Computers.  Federal criminal law protects data gathered and used by regulated financial institutions.  18 U.S.C. 1830.

    Protection of Governmental Databases.  While general federal laws exist to protect the confidentiality of government records, pending legislation would treat the government as a service provider, forcing its agencies to notify individuals of security breaches.  Thus, under proposed

If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a reasonable investigation, or notification under paragraph (2), that a significant risk of identity theft exists as a result of a breach of security of the system of such agency or person containing such data, the agency or person shall notify any individual whose sensitive personal information was compromised if such individual is known to be a resident of the United States.

Under this proposal, a breach of "sensitive personal information" would be easy to trigger, because the term is broadly defined to mean:

          "(i) an individual's first and last name;
          (ii) the individual's address or telephone number; and
          (iii) the individual's social security number, the individual's driver's license number or equivalent State identification number, or the individual's financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, if the data element under this clause is not encrypted or redacted and is linked to the information described in clauses (i) and (ii);"
The definition would not include--
          (i) any list, description, or other grouping of individuals (and publicly available information pertaining to them) that is derived without using any sensitive personal information; or
          (ii) publicly available information that is lawfully made available to the general public from Federal, State or local government records.

The agency would need to notify the individual of the security breach and provide "a toll-free telephone number or website that individuals can utilize for further information and assistance."  [Draft] Notification of Risk to Personal Data Act, S. 1326, 109th Cong., 2nd Sess.

    Pending Comprehensive Legislation. 

    Federal Criminal Law: CSECDPA.  On June 22, 2006, the House of Representatives issued its Report No. 109-522 on the proposed Cyber-Security Enhancement and Consumer Data Protection Act of 2006, HR 5318, 109th Cong., 2nd Sess. ("CSECDPA").  As the culmination of about 18 months of legislative debate on criminal abuses of personal data and hundreds of draft laws, this proposed law would:

  • broadly define "personal electronic records";

  • create a new federal crime regime for abuses including "cyber-extortion" (new 18 USC 1039(a)), applicable to any data processor or data storage provider:

    • "Whoever owns or possesses data in electronic form containing a means of identification (as defined in [18 USC] section 1028), having knowledge of a major security breach of the system containing such data maintained by such person, and knowingly fails to provide notice of such breach to the United States Secret Service or Federal Bureau of Investigation, with the intent to prevent, obstruct, or impede a lawful investigation of such breach, shall be fined under this title, imprisoned not more than 5 years, or both."

  • create new causes of action by individuals under the Racketeer Influenced and Corrupt Organizations Act ("RICO"), including a provision for triple damages and liability for attorneys' fees of victims of identity theft, who could sue anyone engaged in cyber-crime ("relating to fraud and related activity in connection with computers") in interstate or international commerce of the United States in respect of their personal information;

  • impose a nationwide duty to disclose security breaches to law enforcement authorities where the breach poses a "significant risk of identity theft," with provisions to

    • supersede and pre-empt "competing" state and local laws on notification of such breaches;

    • limit the private right of action against records managers until an injunction has been imposed and the injunction is breached.

If a records manager is accused of violating this law, encryption would be a defense:

"If the data in electronic form containing a means of identification involved in a suspected breach has been encrypted, redacted, requires technology to use or access the data that is not commercially available, or has otherwise been rendered unusable, then there shall be a presumption that the breach has not caused a significant risk of identity theft. Such presumption may be rebutted by facts demonstrating that the encryption code has been or is reasonably likely to be compromised, that the entity that acquired the data is believed to possess the technology to access it, or the owner or possessor of the data is or reasonably should be aware of an unusual pattern of misuse of the data that indicates fraud or identity theft."
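The S. 1326 definition of "sensitive personal information" quoted earlier and the CSECDPA encryption presumption quoted just above both reduce to record-level tests that a breach-response team must run across a compromised data store. The following is an added example, not code from the article or from either bill: it encodes the three clauses of the S. 1326 definition, the public-records exclusion, the U.S.-resident condition, and the rebuttable presumption for encrypted data, and runs them over a constructed sample of breached records. The reading that a Social Security or licence number qualifies alone while an account or card number needs its access code, and the choice to treat a rebutted presumption as removing the encryption exemption, are my interpretations of the quoted drafts, not settled law.

```python
"""Breach triage against the S. 1326 and CSECDPA draft definitions.

Added example; constructed records, not the article's or any bill's own code.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Record:
    """One row from a breached data store (all fields constructed)."""
    first_name: str = ""
    last_name: str = ""
    address: str = ""
    phone: str = ""
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""
    card_number: str = ""
    access_code: str = ""          # PIN, CVV or password unlocking the account
    encrypted: bool = False        # clause (iii) elements stored encrypted
    redacted: bool = False         # e.g. only last four digits retained
    public_record_only: bool = False  # derived from public government records
    us_resident: bool = True       # S. 1326 notifies known U.S. residents only


def has_clause_i(r: Record) -> bool:
    return bool(r.first_name and r.last_name)


def has_clause_ii(r: Record) -> bool:
    return bool(r.address or r.phone)


def has_clause_iii(r: Record) -> bool:
    # Interpretation: SSN or licence number qualify alone; an account or card
    # number only together with the code/password that permits account access.
    if r.ssn or r.drivers_license:
        return True
    return bool((r.account_number or r.card_number) and r.access_code)


def is_sensitive_personal_information(r: Record) -> bool:
    """S. 1326: (i) and (ii) plus an unencrypted, unredacted (iii) element
    linked to them; public-record-derived data is excluded."""
    if r.public_record_only or r.encrypted or r.redacted:
        return False
    return has_clause_i(r) and has_clause_ii(r) and has_clause_iii(r)


def encryption_presumption_holds(r: Record, key_compromised: bool = False,
                                 acquirer_can_decrypt: bool = False,
                                 misuse_observed: bool = False) -> bool:
    """CSECDPA: encrypted or redacted data is presumed not to create a
    significant risk of identity theft, unless one of the three rebuttal
    facts named in the bill is present."""
    if not (r.encrypted or r.redacted):
        return False
    return not (key_compromised or acquirer_can_decrypt or misuse_observed)


def must_notify(r: Record, **rebuttal: bool) -> bool:
    """Conservative policy (my choice, not a statutory rule): an encrypted
    record is exempt only while the presumption stands; a rebutted
    presumption puts it back under the plain S. 1326 clause test."""
    if not r.us_resident or r.public_record_only:
        return False
    if (r.encrypted or r.redacted) and encryption_presumption_holds(r, **rebuttal):
        return False
    return has_clause_i(r) and has_clause_ii(r) and has_clause_iii(r)


def triage(records: list[Record], **rebuttal: bool) -> list[str]:
    """Names of individuals owed notification, sorted for a stable report."""
    return sorted(f"{r.first_name} {r.last_name}"
                  for r in records if must_notify(r, **rebuttal))


# Constructed sample: one plaintext SSN, one encrypted card record, one card
# number without its code, one non-resident, one public-records-only entry.
SAMPLE = [
    Record("Ann", "Example", address="1 Main St", ssn="000-00-0000"),
    Record("Bob", "Example", phone="555-0100", card_number="4111000000000000",
           access_code="123", encrypted=True),
    Record("Cy", "Example", address="2 Main St", card_number="4111000000000001"),
    Record("Di", "Example", address="3 Main St", ssn="000-00-0001", us_resident=False),
    Record("Ed", "Example", address="4 Main St", drivers_license="D0000000",
           public_record_only=True),
]

if __name__ == "__main__":
    print(triage(SAMPLE))                        # ['Ann Example']
    print(triage(SAMPLE, key_compromised=True))  # ['Ann Example', 'Bob Example']
```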

    Federal Civil Law:  DATA Act.  The Data Accountability and Trust Act ("DATA Act"), H.R. 4127, 109th Cong., 2nd Sess., seeks to "protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach."   This proposed law would require federal authorities to regulate data collection and storage.  Under mandated regulations, the government would

      require each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information, or contracts to have any third party entity maintain such data for such person, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration--
        (A) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
        (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
        (C) the cost of implementing such safeguards.

    This law would impose the adoption of internal policies and procedures.  In turn, administration of such policies and procedures could be the subject of an outsourcing service for compliance.  Such policies and procedures would include, at a minimum:

        (A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.
        (B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
        (C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system maintained by such person that contains such electronic data, which shall include regular monitoring for a breach of security of such system.
        (D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
        (E) A process for disposing of obsolete data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or undecipherable.  Id, Sec. 2(a)(2).

    This proposed law would require "information brokers" to register with, and be regulated by, the Federal Trade Commission, and to disclose to the FTC and each U.S. citizen every security breach of such citizen's personal information.  The Act would define "information broker" as "a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity."

    For outsourcing service providers,

 In the event of a breach of security by any third party entity that has been contracted to maintain or process data in electronic form containing personal information on behalf of any other person who owns or possesses such data, such third party entity shall be required only to notify such person of the breach of security. Id., Sec. 3(b)(1).

    The Act spells out the means for direct notification of security breaches to the affected persons, which may include e-mail in certain cases.   Substitute notification, using e-mails, websites and/or publicity in the news media, would apply where the affected information collector owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals, and direct notification is not feasible due to "excessive cost to the person required to provide such notification relative to the resources of such person," under regulations to be issued, or due to lack of sufficient contact information for the individual required to be notified.  Id, Sec. 3(d).

    Enactment of this draft legislation remains a matter of debate.  The existing private right of action for an injured individual to sue the data collector or processor for the identity theft losses would be overruled under this draft law.  California residents would lose this right.

    Financial Data Protection Act of 2006.  Under the "Financial Data Protection Act of 2006," which is part of the proposed DATA Act, the Fair Credit Reporting Act would be amended to impose the same notice requirements on consumer reporting agencies.  Such consumer reporting agencies would need to comply with new regulations providing for the proper disposal of sensitive financial personal information.

    Preemption or No Preemption? Take Your Pick.  The impact of this federal law on state laws would be unusual.  It would preempt any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly

      (1) requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2 [on information security]; and
      (2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.
It would also prohibit any person other than the Attorney General of a State from bringing a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of the Act.  Expressly excluded from the preemption would be the enforcement of any State consumer protection law by an Attorney General of a State.   Also, the Act would not preempt State trespass, contract, or tort law; or other State laws to the extent that those laws relate to acts of fraud.

As a result, enactment of this draft law remains open to debate.  The bill adopts the "half-pregnant" theory of law: there is absolute preemption for covered state laws governing information security and notification of security breach, but no protection from other claims.  The "preemption" principles are riddled with exceptions.  Litigation could be expected to help define the differences.  The federal law could have effectively no preemption, leaving a false sense of security for enterprises and the BPO service providers.

    Destruction of Paper Documents.  In addition, the Federal Trade Commission would conduct a study on the practicality of requiring a standard method or methods for the destruction of obsolete paper documents and other non-electronic data containing personal information by persons engaged in interstate commerce who own or possess such paper documents and non-electronic data.

    New York Laws on Privacy.  New York has adopted several laws to combat identity theft:

  • The Disposal of Personal Records Act, signed June 9, 2006.
    • A "business person" or its contractor (such as an outsourcing service provider) must properly dispose of a record containing personal identifying information unless such business person, or other person.
    • Proper disposal requires one of the following:
      • shredding the record before the disposal of the record; 
      • destroying the personal identifying information contained in the record; 
      • modifying the record to make the personal identifying information unreadable; or 
      • taking actions consistent with commonly accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access to the personal identifying information contained in the record. 
    • A civil penalty of up to $5,000 could apply for each occurrence.
    • Multiple acts arising out of the same incident or occurrence constitute a single violation. 
    • "Due diligence" in an attempt to properly dispose of such records.  See new Section 339-h of the General Business Law.
  • The New York Consumer Report Security Freeze Law, which permits an individual to freeze (suspend) his or her consumer reports to prevent others from gaining access to them.
    • Several exceptions apply, including disclosures of consumer reports in connection with buying the consumer's debt instruments and, as a special service provider, "a deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution."  See new Section 380-t of the General Business Law.
  • New York Information and Security Breach Act, signed in December 2005.
    • New York businesses incurring security breaches of personal, non-public information must notify the State's Attorney General and affected New York residents of such breaches.
    • Failure to comply can result in a civil penalty of up to $150,000.
    • Unlike California's similar law, there is no private right of action against the business.

New Best Practices against Identity Theft: Threats and Opportunities.  

        More Detailed Prevention.   An ounce of prevention is worth a pound of cure.  A full program includes suitable detailed contractual clauses (and ongoing contract administration) for:

  • identifying the roles and responsibilities of the service provider and the enterprise customer in protecting personal information;
  • educating people (including service provider employees) about phishing and other security breaches;
  • security planning, monitoring and audits;
  • suitable insurance coverages;
  • eliminating ways to copy or retain personal information not necessary to one's own business;
  • effective remedies in case of security breaches.

Responding to this new legal framework, an outsourcing lawyer can recognize these preventive measures and recommend detailed wording and compliance programs.  Sourcing advisors can identify possible other measures as well.

        Employment Benefits: Identity Restoration.   As noted in a Wall Street Journal article on May 24, 2006 [M.P. McQueen, "Employers Offer Help Fighting ID Theft"], counseling services to assist employees (or anyone) who are victims of identity theft have become a new employee benefit offered by some leading employers, including Rite Aid (drug stores), Reed Elsevier PLC (publisher) and Qwest Communications International.  As a new workplace benefit, ID resolution services help employees protect themselves, reduce employee distractions and improve worker productivity.  Another impetus lies in the employer's fear of a potential backlash by employees who might believe that the identity theft resulted from lax employer protections.

Further reading:

    New York Disposal of Personal Records Act
    Draft U.S. Federal Data Accountability and Trust Act of 2006
    Draft U.S. Federal Cyber-Security Enhancement and Consumer Data Protection Act of 2006
    Draft U.S. Federal Notification of Security Breach Act
    Data Processing Principle
    Privacy Law


posted 2006-06-27

Copyright 2001-2007 by Outsourcing Law Global  LLC. All rights reserved.  Attorney Advertising