Federalizing Data Security Breach Rules

October 20, 2011 by

Virtually all U.S. states have adopted “data security breach notification” laws to alert individuals and state officials of possible identity theft. In California, victims of such breaches can sue for damages. On September 22, 2011, Senator Richard Blumenthal (Democrat, Connecticut) introduced a draft federal law on data protection: the Personal Data Protection and Breach Accountability Act of 2011, S. 1535, 112th Cong., 1st Sess. It would create a new federal crime of intentionally failing to disclose a security breach. It would also coordinate breach reporting with criminal investigations. And it would create federal standards that could effectively supersede state laws on security breach notification and on repair of an individual’s identity.

The draft law would apply particularly to financial institutions under the Gramm-Leach-Bliley Act and to HIPAA-covered entities. Each would need to implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards “appropriate to the size and complexity of the business entity and the nature and scope of its activities.” While the draft law identifies certain criteria for program design, risk assessment, and risk management and control, whether any given security program is sufficient will depend on the facts, which invites litigation.

Scope. Senator Blumenthal, a former prosecutor in Connecticut, would criminalize the concealment of data security breaches by data brokers who sell access to personally identifiable information (“PII”), especially sensitive PII. The draft bill seeks to achieve several goals:

  • to protect consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach;
  • to provide notice and remedies to consumers in the wake of such a breach;
  • to hold companies accountable for preventable breaches;
  • to facilitate the sharing of post-breach technical information between companies; and
  • to enhance criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.

Preemption of Conflicting State Laws. Under Section 221(a), the draft federal law would supersede any other federal or state law “relating to notification by a business entity engaged in interstate commerce or an agency of a security breach.” Preemption would not apply to state common law (including liability under trespass, contract or tort law) for damages caused by a failure to notify an individual following a security breach. Nor would this act preempt existing federal laws governing GLB-covered financial institutions, HIPAA/HITECH covered entities, business associates, or vendors of personal health information.

However, the remedies available to individuals under Section 205 to sue for damages, punitive damages and equitable relief “are cumulative” with any other rights and remedies. This appears to sit uneasily with federal preemption under Section 221(a), a challenge for courts interpreting the statutory text.

Definition of a “Security Breach.”
Under the proposed law, the term “security breach” would mean the “compromise of the security, confidentiality, or integrity of, or the loss of, computerized data through misrepresentation or actions that result in, or that there is a reasonable basis to conclude has resulted in:

(i) the unauthorized acquisition of sensitive personally identifiable information; or

(ii) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.

The term would not include:

(i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure;

(ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements or the release of information obtained from a public record; or

(iii) any lawfully authorized criminal investigation or authorized investigative, protective, or intelligence activities that are carried out by or on behalf of any element of the intelligence community and conducted in accordance with the United States laws, authorities, and regulations governing such intelligence activities.

Legal Standards for Outsourcing by Data Brokers. In governmental procurements involving data brokers, the draft law would establish a standard of care for outsourcing contracts. It would impose “monetary or other penalties” (such as debarment) if a government contractor “knows or has reason to know that the sensitive personally identifiable information being provided is inaccurate, and provides such inaccurate information.” Where the government contractor hires an outsourcing service provider, the data broker must follow open-ended standards of “appropriateness” and “reasonableness.” It must:

(A) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information;

(B) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and

(C) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements governing the privacy and security of sensitive personally identifiable information.

By relying on such open-ended standards, the draft law would invite litigation to determine what satisfies them.

Security Auditing Standards. The proposed law would require federal procurement officers purchasing PII from data brokers to conduct a “privacy impact assessment” and to adopt security audit regulations. Of interest, the scope of such regulations would be very broad, an indication of the minimum prudent level of security auditing in today’s commercial marketplace. For procurements exceeding $500,000, the General Services Administration would need to review the contracts to assess the data security program. Such review would apply to all “contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating sensitive personally identifiable information.” [Section 301.]

For such procurements, each federal agency would need to adopt regulations that specify—

(A) the personnel permitted to access, analyze, or otherwise use such databases;

(B) standards governing the access, analysis, or use of such databases;

(C) any standards used to ensure that the sensitive personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency;

(D) standards limiting the retention and redisclosure of sensitive personally identifiable information obtained from such databases;

(E) procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness;

(F) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;

(G) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases;

(H) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and

(I) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases.

[Section 303, amending Section 208 of the E-Government Act of 2002, 44 USC 3501 Note.]

“Safe Harbor” from GSA Debarment. The draft law would implement a process for GSA evaluation of security standards.  As a “safe harbor,” the data privacy and security program of a data broker would be deemed sufficient if the data broker were to comply with or provide protection equal to “industry standards,” as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such data broker.

Enforcement. The draft law would allow enforcement by State attorneys general, acting on behalf of their citizens, and by individual victims. The U.S. Attorney General could also enforce it. Liability would be capped at $500 per day per individual victim, up to $20 million per incident. Punitive damages would be available for an “intentional and willful violation” and for a simple failure to adopt a compliant personal data privacy and security program.

Impact on Outsourcing. Companies and their IT outsourcing providers have suffered major security breaches in the past. The draft law offers no clear guidance on what is “adequate,” “sufficient” or “reasonable,” beyond a safe harbor that refers to industry standards as blessed by the FTC. The FTC would thereby become a de facto federal data protection authority (“DPA”).

There are benefits in having a uniform law on data protection and security breach.  However, this draft does little to add certainty. By adopting a “safe harbor” based on a regulator’s interpretation of “best practices,” the draft law risks depriving prudent data brokers and their outsourced service providers of legitimate defenses to avoid contract penalties in government contracts and in claims by individual victims of identity theft.

Finally, the enforcement structure effectively exposes data brokers and their outsourcing service providers to statutory and punitive damages, and invalidates any contrary arbitration agreement.   The law would add significantly to the costs of breaches and will undoubtedly benefit the litigating legal profession.

Outsourcing Law & Business Journal™: January 2009

January 1, 2009 by

OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events.

Insights by Bierce & Kenerson, P.C., Editors.  www.biercekenerson.com

Vol. 9, No. 1 (January, 2009)
___________________________

1.  Identity Theft in 2009: Compliance by Business Owners and Government Agencies under Draft Federal Data Breach Notification Act.

2. Codes of Conduct in the Outsourcing Environment: Practical Scenarios after Wipro Debarment and Raju / Satyam Fraud.

3.  Humor.

4.  Conferences.
___________________________

1.  Identity Theft in 2009: Compliance by Business Owners and Government Agencies under Draft Federal Data Breach Notification Act. Personally identifiable information is at the core of the global economy. All businesses, large and small, rely upon information technology, often outsourced to external service providers, to process such information for a wide range of uses, including HR payroll and administration, purchase orders, accounting, finance, credit card payments, debt collection, tax compliance, records management, procurement, engineering, market analytics, business intelligence, e-discovery, legal services, and logistics. All businesses must comply with data breach notification laws. In the U.S., these laws will likely be extended and federalized in 2009. For more information on pending federal legislation as of January 2009, click here for the full article, and, for a copy of the draft 2009 federal Data Breach Notification Act, click here.

2. Codes of Conduct in the Outsourcing Environment: Practical Scenarios after Wipro Debarment and Raju / Satyam Fraud. Implementing lessons learned from Enron and the Sarbanes-Oxley Act, “codes of conduct” have become an integral ongoing concern in supply chain management, applicable to employees, suppliers, contractors, consultants, captive affiliates, outsourcers and joint venture partners. When a trusted supplier breaches that code of trust, the enterprise customer needs to identify available remedies and make informed choices about enforcing legal rights and effectively mitigating the risks. This article makes recommendations for best practices in risk management, business continuity planning, disaster recovery, and legal rights and remedies in case of adverse events associated with a breach of a code of conduct or code of ethics due to senior management fraud or innocent “improprieties” that were fully disclosed but not permitted. It takes inspiration from the Raju / Satyam fraud in early 2009 and the debarment of Satyam Computer Services Ltd., Wipro Technologies and Megasoft Consultants from the World Bank list of eligible contractors for corrupt practices. For the full article, click here.

3. Humor.

Change Control, (n). (1) a majority of voters on election day; (2) lobbyist’s draft legislation to block competitors from changing the rules of the marketplace; (3) Darwinian Evolution of Species, applied to business process transformation; (4) periodic brain dump.

4. Conferences

February 9-10, 2009, 9th Annual e-Services Philippines Conference and Exhibition and Next Wave Cities for Global Sourcing Council’s Multi-National Teleconference in Manila, Philippines and Hoboken, New Jersey.  The Global Sourcing Council will join with a session at the 9th Annual eServices Global Sourcing Conference and Exhibition taking place in Manila, The Philippines, to focus on “Next Wave Cities”. In the U.S., this event will take place at the Stevens Institute in Hoboken, New Jersey, beginning at 7PM; refreshments will be served, followed by an international video conference at 8PM. A keynote speaker and panel will be present in each location. The Stevens Institute site will focus on key factors that client companies seek in their sourcing locations. In a bid to be the next e-Services hub, invited cities present their development plans and competitive advantages. Vendors and buyers/influencers will exchange perspectives on current demand and supply requirements; presentations from new eligible locations in the Philippines, Asia and Europe will be given and this conference will provide business matching and lead development opportunities. To register, click here.  For more info on the 9th Annual e-Services Philippines Conference and Exhibition, visit their website.

February 10-11, 2009, American Conference Institute (ACI) Reducing Legal Costs, New York, New York. Corporate legal departments are under the gun to reduce costs, and the pressure on them to do so will only mount as the economy struggles. American Conference Institute’s 2nd Annual Corporate Counsel Forum on Reducing Legal Costs has been tailored to provide in-house counsel with the knowledge they need to successfully employ cost-reducing procedures both internally and externally.  Don’t miss this unique cross-industry benchmarking forum on keeping legal department costs in check, led by a spectrum of leading companies. For more info, click here.

February 11-13, 2009, NASSCOM Leadership Forum 2009, Mumbai, India. The NASSCOM India Leadership Forum 2009, a milestone event that will mark NASSCOM’s 20th year, will bring under one roof industry leaders, thought gurus, analysts, Government decision makers, academia and IT users from across the world. For the very first time, the global conclave will journey through three key themes, one for each day, to completely transform the experience for delegates. For more info, click here.

February 16-18, 2009 IAOP 2009 Outsourcing World Summit, Carlsbad, California. In its 12th year educating the world’s outsourcing professionals, IAOP™’s 2009 Outsourcing World Summit is a one-of-a-kind opportunity. Come to learn the very latest in how to create competitive advantages for your company through outsourcing. For more info, visit their website.

February 23-24, 2009, American Conference Institute LPO Summit, New York, New York. ACI’s Legal Process Outsourcing Summit is designed for both in-house counsel and law firms who are still evaluating the viability of offshore outsourcing, plus those who already have outsourcing operations in place but who want to stay ahead of the latest industry developments to optimize their business practices. For more info, click here.

February 23-25, 2009, IQPC 6th Annual Procure-to-Pay Summit, Miami, Florida. SSON and IQPC’s Procure-to-Pay series returns with the 6th installment this February!  Following the tremendous success of the last events and traction from leaders in the space, the 2-track agenda promises to deliver tools to help bridge purchasing with payables and enable process excellence throughout each and every segment of the P2P cycle, including improving the bottom line, optimizing available resources and managing process change. For more info, click here.

February 26, 2009, Global Services Conference, New York, New York. This year’s theme is “Revisiting Global Sourcing in a Challenging Economy”.  The financial crisis and the economic meltdown have put pressure on organizations of all types. In a more globalized world, the dimensions of global engagement have increased and so has the impact.  In challenging economic conditions, global sourcing of services throws up new opportunities.  The 2009 Global Services Conference will have expert discussions around how customers of business and technology services can revisit their global sourcing strategies to tap into these opportunities. In a jam-packed day filled with thought-leaders, peer discussions, workshops and real-world case studies, the 2009 Global Services Conference breaks new ground in providing content to help executives determine how to establish business value in outsourcing engagements. Global Services will also present the findings of its annual Global Services 100 research study at an awards and cocktail reception. Click here for more info.

March 22-26, 2009, IQPC’s 13th Annual Shared Services Week, Orlando, Florida. SSON’s Shared Services Week™ is the community event for all levels of Shared Services professionals around the globe. With over 900 past attendees from more than 22 countries each year, it is the “Can’t Miss” event for everyone involved with shared services. In its 13th year, the event is bigger than ever! We have added additional tracks, more expert speakers, a larger exhibit hall and new content. Experience the most renowned Shared Services conference ever and take away key insights you will learn nowhere else. Network with experts in the industry and create contacts for life. Receive a 30% discount when you register by using code IUS_OSL_#3. Call 1-800-882-8684 or visit us online.

April 27-29, 2009, IQPC’s 7th Annual e-Discovery Conference, San Francisco, California. Join this year’s conference to learn more about managing the process of electronic discovery files and to explore options that are available for this task. Proactive e-discovery solutions are more critical to legal departments yet the solutions for costs, implementation, and management are still widely unknown. This conference will provide strategies for e-discovery success including proactive strategies for record management; global privacy issues, data security laws, regulations; specific cost control options; judicial perspective; and cutting edge software solutions. For more info, click here.

May 5-6, 2009, 7th Annual HRO World™ Conference & Expo at NY HR Week, New York, New York. Hear from the HR outsourcing industry’s most respected practitioners, analysts and vendors. Register by April 10 with Source code HROL and save $100. Register here online or call 1-800-727-1227.

May 18-20, 2009, 6th Annual HR Shared Services & Outsourcing Summit, Denver, Colorado. The 6th Annual HR Shared Services Summit is the most important event of the year for HR leaders seeking to re-align their services with the strategic requirements of the business. This successful event brings together senior HR leaders in an exciting interactive forum, delivering best practice case studies aimed at optimizing every stage within the HR transformation process. Given historic economic conditions, it’s more important than ever that HR leaders exploit the dramatic economies of scale that are available to them through shared service structures. And for more mature companies – those that have already made the transition to an HR shared service model – there is an urgent need to re-align the kinds of services they offer with increasingly tough business challenges. Click here for more info.

******************************************

FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: webmaster@outsourcing-law.com. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: publisher@outsourcing-law.com. Edited by Bierce & Kenerson, P.C. Copyright (c) 2009, Outsourcing Law Global LLC. All rights reserved. Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.