January/February 2008
Focus: Compliance

Data Breach Notification Laws – The Answers on State Law Questions and the Impact of Non-Compliance

By Lisa King

Understanding Identity Data Breach Notification Laws

California’s Notice of Security Breach Law (Cal. Civil Code 1798.29), enacted in 2002, serves as the benchmark for identity data breach legislation in the U.S. Since then, 40 states have enacted legislation requiring banks, other companies and state agencies to disclose security breaches involving personal information. Although the states’ breach notification laws differ in their details, they all share some basic commonalities.

Encryption is a key factor in determining whether a data breach must be communicated to customers. If your bank suffers a breach and the customer information was not encrypted, or you suspect the data may have been leaked, you have a responsibility to notify the customers who may have been affected. If the data was leaked but the personal information was encrypted, most state breach notification laws exempt your bank from notifying customers. That safe harbor only holds in practice if the encryption key was not exposed along with the data; encrypted records whose key was also taken are, for the attacker, plaintext.

Data in transit is commonly encrypted. The proposed federal Data Accountability and Trust Act, a bill that had been introduced but not enacted at the time of writing, would also require encryption of data at rest, that is, data that is simply being stored, such as within a database. Encrypting stored information is just as critical as encrypting data in transit. Note also that the obligation follows the customer, not the bank: you are responsible for notifying customers of a breach if you have customers in a state with a notification law. If you are located in New Mexico (which currently has no breach notification law) but also have customers in Arizona (a state with one), you must notify those customers in Arizona. Conversely, if you can demonstrate that the customer data was not actually accessed or acquired, notification is generally not required.

When customers must be notified of a security breach, and the penalties for non-compliance, also vary from state to state. A state-by-state summary of identity data breach notification laws, compiled by the Dallas law firm Scott & Scott LLP, can be found at: http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf. It outlines: the states that require customer notification of data breaches; the time period within which customers must be notified; and exemptions for encrypted personal information, criminal investigations, publicly available information and immaterial information.

Financial Repercussions of Data Breaches

Failure to adhere to data breach laws can result in large fines being levied against your bank. Consider the lesson learned from ChoicePoint, a consumer data broker whose inadequate security and record-handling procedures allowed criminals posing as legitimate business customers to obtain the records of more than 163,000 consumers in 2004. In January 2006 ChoicePoint settled Federal Trade Commission charges by paying $10 million in civil penalties and another $5 million in “consumer redress” – funds set aside to make reparations to consumers who were harmed by the breach.

Recovery can also be costly, a lesson learned by TJX Companies, the retailer that operates T.J. Maxx and Marshalls. After the company discovered a major customer data breach in December 2006, ultimately estimated at 94 million compromised accounts, it took an after-tax charge of $118 million in Q2-2007 to cover current and potential costs arising from the breach. According to estimates by Gartner, Inc., TJX will have spent $125 million (pre-tax) on security improvements, both before and after the breach, on top of the legal costs and consulting fees TJX had already incurred.

Proactive Measures for Protecting Data

According to a study by the U.S. Secret Service and the CERT program at Carnegie Mellon University’s Software Engineering Institute, 78 percent of network attacks are committed by insiders. The 2005 bank security breach in which employees of Bank of America, Wachovia, Commerce Bancorp and PNC Financial Services Group illegally sold account information affecting 676,000 customers is a case in point: no perimeter control would have stopped it.

A practical but critical step toward preventing data loss and its financial repercussions is to implement controls over who can reach customer data, both internally and externally. Those measures include:

  • Encrypt both transmitted data and data at rest, and keep the encryption keys separate from the data they protect
  • Limit who has access to personally identifiable information within your bank (role-based access)
  • Review user access levels regularly, and remove entitlements that exceed what a user’s role requires
  • Monitor the critical systems where key information is housed
  • Monitor access modifications, deletions and other privilege changes
  • Keep records and appropriate logs of access and activity
  • Ensure that computer systems are hardened according to best practices adopted by any one of your preferred organizations, such as ISO (International Organization for Standardization) or NIST (National Institute of Standards and Technology)
  • Conduct regular independent audits
  • Maintain strong HR controls – security awareness training for employees and training on social engineering tactics
  • Continue to do background checks on employees (periodically, not just at hiring)
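The role-based access, access review and monitoring items above fit together as one loop: policy says what each role may do, a review compares what is actually provisioned against that policy, and monitoring checks the audit trail against the same policy. The script below is an added example (not code from the article or from SecureWorks) that runs that loop over a constructed audit log using only the Python standard library. The role names, user accounts, permission names and log lines are all invented for illustration, and the 90-day recertification window is an assumed policy value, not one the article states.

```python
"""Access review and PII-access monitoring over a constructed audit log.

Added example, not from the original article. Role names, users, permission
names, the review window and the log lines are all constructed for illustration.
"""
from datetime import date, timedelta

# Policy: what each role is allowed to do (illustrative names, not from the article).
ROLE_PERMISSIONS = {
    "teller": {"account.read"},
    "loan_officer": {"account.read", "pii.read"},
    "dba": {"db.admin"},
    "security_admin": {"user.modify", "audit.read"},
}

# Entitlements as actually provisioned, plus the date of the last access review.
# "granted" drifts away from the role over time; that drift is what a review catches.
USERS = {
    "alice": {"role": "teller",         "granted": {"account.read"},              "last_review": date(2008, 1, 10)},
    "bob":   {"role": "teller",         "granted": {"account.read", "pii.read"},  "last_review": date(2007, 3, 2)},
    "carol": {"role": "loan_officer",   "granted": {"account.read", "pii.read"},  "last_review": date(2008, 1, 10)},
    "dave":  {"role": "dba",            "granted": {"db.admin", "pii.read"},      "last_review": date(2007, 6, 1)},
    "frank": {"role": "security_admin", "granted": {"user.modify", "audit.read"}, "last_review": date(2008, 1, 10)},
}

# Constructed audit log lines: "<timestamp> <user> <action> <resource> [details]".
AUDIT_LOG = """\
2008-01-15T09:01:00 alice account.read acct:1001
2008-01-15T09:02:13 bob pii.read cust:4471
2008-01-15T09:05:40 carol pii.read cust:4471
2008-01-15T09:07:02 dave pii.read cust:9120
2008-01-15T09:08:55 frank user.modify user:bob grant=pii.read
2008-01-15T09:09:10 erin account.read acct:2002
"""

PRIVILEGE_CHANGES = {"user.modify"}  # actions that alter who can see what


def excess_entitlements(users=USERS, policy=ROLE_PERMISSIONS):
    """Access review, step 1: grants that exceed what the user's role permits."""
    findings = {}
    for name, u in users.items():
        extra = u["granted"] - policy.get(u["role"], set())
        if extra:
            findings[name] = extra
    return findings


def stale_reviews(as_of, max_age_days=90, users=USERS):
    """Access review, step 2: accounts not re-certified within the policy window.

    as_of may be a date or an ISO date string; max_age_days is an assumed policy value.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(name for name, u in users.items() if u["last_review"] < cutoff)


def parse_log(text):
    """Parse the space-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # malformed line; a real pipeline would count and report these
        events.append({
            "ts": parts[0], "user": parts[1], "action": parts[2],
            "detail": parts[3] if len(parts) > 3 else "",
        })
    return events


def is_authorised(user, action, users=USERS, policy=ROLE_PERMISSIONS):
    """RBAC decision: authority flows from the role, never from an ad hoc grant."""
    u = users.get(user)
    return u is not None and action in policy.get(u["role"], set())


def find_alerts(log_text=AUDIT_LOG, users=USERS, policy=ROLE_PERMISSIONS):
    """Monitoring: flag actions the role does not permit, and every privilege change."""
    alerts = []
    for e in parse_log(log_text):
        if not is_authorised(e["user"], e["action"], users, policy):
            alerts.append(("UNAUTHORISED", e["ts"], e["user"], e["action"], e["detail"]))
        elif e["action"] in PRIVILEGE_CHANGES:
            alerts.append(("PRIV_CHANGE", e["ts"], e["user"], e["action"], e["detail"]))
    return alerts


if __name__ == "__main__":
    print("excess entitlements:", excess_entitlements())
    print("stale reviews as of 2008-02-01:", stale_reviews("2008-02-01"))
    for a in find_alerts():
        print("ALERT", *a)
```

Two design points are worth noting. First, the authorisation check consults the role, not the provisioned grant, so bob’s PII read is flagged even though someone granted him that permission: the excess grant shows up in the review and the use of it shows up in monitoring, which is the redundancy an insider-fraud case needs. Second, every privilege change is recorded as an alert even when the actor is entitled to make it, because a legitimate administrator granting PII access to a teller is exactly the event an auditor wants to see.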

Having technology in place that can block outbound malicious traffic is also a best practice for protecting customer data. If an employee takes a laptop home, gets it infected with malware, and then plugs it back into the corporate network, you want egress filtering that stops the infected machine from sending customer data, or anything else, out to the attacker. Together with timely operating system and application security patches, intrusion prevention systems and well-maintained spam filters help prevent the infection in the first place.

Lisa King is Public Relations Manager for SecureWorks in Atlanta, Ga. She can be reached at lking@secureworks.com. SecureWorks is a WIB-endorsed Value & Income Program Partner (VIP).


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.