
Information Security Obligations

By Melissa J. Krasnow
March 27, 2007

Part One of this series addressed security procedures and practices, and document destruction. This month's installment addresses security breach notification.

The Privacy Rights Clearinghouse estimates that more than 100 million records containing sensitive personal information have been involved in security breaches. This nonprofit consumer organization has tracked these breaches on its Web site (www.privacyrights.org) beginning with the significant and well-publicized ChoicePoint breach in February 2005. As a result, more than two-thirds of states enacted security breach notification laws governing the notification that a company must make in the event of a security breach. This article outlines the requirements for providing notification of a security breach under state security breach notification laws by any company and the factors that a public company needs to take into account regarding whether to disclose a security breach under federal securities law.

State Security Breach Notification Law

The following 34 states enacted security breach notification laws: Arkansas, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. In addition, Michigan passed such a law with an effective date of July 2, 2007. It is important to note that Congress is considering federal security breach notification legislation, and it is anticipated that a federal security breach notification law will be enacted in the coming years. But until a federal law is enacted that pre-empts the state security breach notification laws, compliance with the various applicable state laws is required.

California was the first state to enact a security breach notification law. The California Security Breach Information Act (S.B. 1386) became effective July 1, 2003. Since the California law serves as a model for a number of the other state laws, this article discusses the California law. In practice, it is necessary to refer to all state laws that are applicable to a specific situation.

Application. The California law applies to a company that does business in California and owns or licenses computerized data that contain personal information. A company could be deemed to be doing business in California merely by maintaining personal information about a California resident. Also, a company could own or license computerized data containing personal information that is physically located outside of California, but still be subject to the California law.

Definition of personal information. Personal information means an individual's first name or first initial and last name in combination with any of the following data elements, when either the name or data elements are not encrypted: 1) Social Security number; 2) driver's license number or state identification card number; or 3) account number, credit card number, or debit card number in combination with any required security code, access code, or password (e.g., a PIN) that would permit access to an individual's financial account. But publicly available information that is lawfully made available to the general public from federal, state, or local government records does not constitute personal information. It is important to note that this definition is substantially similar to the definition of personal information under the California security procedures law. The difference is that medical information is not included under the definition of personal information.

Definition of security breach. A security breach refers to the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the company. However, a good faith acquisition of personal information by an employee or agent of the company for the company's purposes is not a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

Notification of security breach. Following the discovery or notification of a security breach, the company must disclose the security breach to any California resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. Moreover, a company that maintains computerized data that include personal information that it does not own needs to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was or is reasonably believed to have been acquired by an unauthorized person. Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Notification can be provided in any of the following ways: 1) written notice; 2) electronic notice in compliance with the provisions of the Electronic Signatures in Global and National Commerce Act ('E-SIGN'); or 3) substitute notice, if the company demonstrates that (a) the cost of providing notice would exceed $250,000; (b) the affected class of subject persons to be notified exceeds 500,000; or (c) the entity does not have sufficient contact information. Substitute notice must consist of all of the following: 1) e-mail notice when the company has an e-mail address for the subject person or business; 2) conspicuous posting of the notice on the Web site page of the business; and 3) notification to major statewide media.

Alternatively, a company that maintains its own notification procedures as part of an information security policy for the treatment of personal information and that is otherwise consistent with the timing requirements described above is compliant if it notifies subject persons in accordance with its policies in the event of a security breach.

Federal Securities Law

A public company must consider whether to disclose a security breach in its reports with the Securities and Exchange Commission ('SEC'). While there is no specific obligation to disclose a security breach under federal securities law, there are reasons for doing so, and there is precedent.

Securities Exchange Act of 1934. The disclosure controls and procedures of a public company must be designed to ensure that information required to be disclosed by the public company in its SEC reports under the Securities Exchange Act of 1934 (1934 Act) is accumulated and communicated to its management, including its chief executive officer and its chief financial officer, to allow for timely decisions regarding required disclosure. Disclosure controls and procedures mean controls and other procedures that are designed to ensure that information required to be disclosed by the public company in its SEC reports is recorded, processed, summarized, and reported within the requisite time periods.

A public company files periodic and current reports with the SEC to provide material information about the public company. Material information is information that a reasonable investor would consider important in making an investment decision. Additional considerations concerning the disclosure of a security breach include regulatory requirements and public relations.

A prominent example of the disclosure of a security breach in SEC reports is ChoicePoint's disclosure of the above-referenced breach, made in a current report on Form 8-K under the heading for information that is not specifically required to be disclosed but that the public company deems to be of importance to security holders. ChoicePoint also disclosed in this current report that it was the subject of inquiries by various regulators, including the SEC, the Federal Trade Commission, and state attorneys general. ChoicePoint made subsequent disclosures about this matter in its periodic and current reports.

It is interesting to note that the SEC inquiry related to trading in ChoicePoint stock by the chief executive officer and the chief operating officer. The 1934 Act and the rules promulgated thereunder and the insider trading policy of a public company prohibit trading by officers and directors in the stock of a public company on the basis of material nonpublic information. A security breach before disclosure could constitute material nonpublic information.

Stock Exchange Rules. In addition to its SEC reporting considerations, a public company must take into account the stock exchange rules regarding the disclosure of material news (e.g., New York Stock Exchange and NASDAQ), if applicable.

Conclusion

Disclosures about security breaches are becoming more numerous, resulting in part from the recent enactment of various state security breach notification laws. As more public companies suffer security breaches and are required to make these notifications, they will need to consider whether to make disclosures in their SEC reports and comply with federal securities law and any applicable stock exchange rules. Accordingly, a public company should make sure that its privacy and securities law compliance procedures and practices are consistent.

Next month's final installment will detail how enforcement and penalties vary under state security breach notification laws in the event of a violation.


Melissa J. Krasnow is a partner in the Corporate Group of Dorsey & Whitney LLP. She may be contacted at [email protected].

