Data Security, Destruction and Encryption Leads the Way for States in 2010

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

  • The Florida and Michigan laws would amend personal data destruction rules for companies.
  • The New York law would mandate data security and encryption measures.
  • The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
  • The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
  • The Kansas law would require state agencies to engage in periodic network security reviews.
  • The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we expect data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business.

While we have highlighted the main points of each of the proposed laws, a more detailed analysis of the laws put forth in Michigan, Florida, and New York is set forth below. 

Michigan

The new Michigan data destruction bill would ease the existing personal data disposal requirements outlined in the state's Identity Theft Protection Act by mandating that companies and agencies removing information from a database destroy only “unencrypted, unredacted personal information,” and only such personal information relating to state residents.

Another bill would require businesses with 50 or more employees that are “engaged in extending credit in the form of covered accounts to residents of this state” to implement identity theft mitigation programs similar to those required under the federal Fair and Accurate Credit Transactions Act (FACT Act) Red Flags Rule. Companies that have complied with the federal Red Flags Rule would be exempt from the state law.

Michigan is also considering various other measures which would establish an Identity Theft Commission; make technical changes to the law; add misleading a law enforcement or court official about one's identity to the list of violations of the law; and authorize the state attorney general to seek civil fines of up to $10,000 per incident for identity thieves.

Michigan is also considering a bill which would make businesses and agencies that adopt comprehensive data security safeguards to protect personal data in any form immune from civil liability for damages due to data breaches. The proposed law would provide breach liability immunity in an effort to encourage entities to adopt such safeguards.

Florida

Florida has introduced bills (S.B. 586 and H.B. 279) which would require companies to follow federal guidelines when disposing of personal data. The bills would require businesses and government agencies to follow the “Guidelines for Media Sanitization” set by the National Institute of Standards and Technology so that all personal data disposed of by companies and agencies is rendered inaccessible. State agencies would additionally be required to submit samples of allegedly sanitized storage media to an independent third-party vendor to verify the destruction of the personal data.

New York

A New York data security bill would establish a general encryption standard as a safe harbor for entities seeking to avoid giving breach notice to individuals under the state's data breach notice law. The bill would also require businesses and state agencies to “implement and maintain reasonable security safeguards, appropriate to the nature of the information, to prevent unauthorized access to or unauthorized destruction, use, modification, or disclosure of the private information.”

Unlike the data security regulations issued under the Massachusetts breach notification law, the N.Y. bill does not authorize the promulgation of rules, but rather sets out the encryption standard in the text of the proposed law. The bill would also mandate notification of certain breaches to the state attorney general. Another New York bill would provide tax breaks for businesses that invest in data security.

The Red Flags Are Coming

Reports indicate that identity theft is the fastest growing crime in the United States. In fact, the FTC lists identity theft as the most reported crime for 2008. Identity thieves use the personally identifying information of unsuspecting individuals to open new accounts and misuse existing accounts, creating havoc for individuals and businesses and costing millions of dollars. To help slow the frequency of these offenses, the federal government passed the Fair and Accurate Credit Transactions Act of 2003.

Under the FACT Act, a number of federal agencies, including the FTC, the federal bank regulatory agencies, and the National Credit Union Administration, issued regulations (“Red Flags Rules”) requiring financial institutions and creditors to develop and implement written identity theft prevention programs to detect, prevent, and mitigate instances of identity theft. These programs must be designed to provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Red Flag Rules apply to “financial institutions” and “creditors” with “covered accounts.” The FTC has broadly interpreted the term “creditors” to include professionals such as lawyers and doctors. However, the U.S. House of Representatives passed H.R. 3763, which would exclude from the meaning of “creditor” any health care practice, accounting practice, or legal practice with 20 or fewer employees. Currently, this bill awaits action by the Senate. Similarly, a federal judge in the U.S. District Court for the District of Columbia recently ruled that the FTC cannot force practicing lawyers to comply with the Red Flag Rules, stating that she had difficulty concluding that Congress intended to regulate lawyers when these statutes were enacted.

Given the November 1, 2009 enforcement date, and the unresolved definition of "creditor," businesses of all sizes and industries will need to take immediate steps to develop a comprehensive strategy for compliance with the Red Flag Rules. Here is helpful information for the Red Flag Rules and small businesses.

Update: Since the publishing of this post, the FTC has again extended the enforcement date to June 1, 2010. Additionally, the U.S. District Court for the District of Columbia upheld the American Bar Association's challenge to the Rule, and the opinion enjoins the FTC from enforcing the Rule against lawyers.