Part One of a Two-Part Series
In the good old days, security concerns of tenants could generally be laid to rest simply by recourse to a good locksmith. In those simpler times, and without any association with security matters, landlords and property managers routinely gathered from tenants social security numbers and other information for purposes of protecting the landlord's interests when it came to tracking down miscreant tenants. Because this type of information was not subject to the widening panoply of privacy-related laws that are now becoming ubiquitous across the United States, no special arrangements were typically considered necessary to protect this information, and there was no particular risk or burden imposed on its holder. How things have changed. Nowadays, holding this type of information can constitute a double-edged sword, with any slip carrying with it the possibility of harm to the wielding hand.
For this reason, landlords and property managers must be aware of the risks inherent in gathering certain tenant-related information and the steps needed to comply with the burgeoning privacy protection laws. While most commercial operators are now generally becoming more mindful of the need to maintain legally protected private information as confidential, it is likely that many landlords and managers are not yet fully versed in certain of the steps that must be taken, both upon discovering that information security has been breached and prior to a breach.
Recent breaches of security surrounding legally protected personal information have been numerous. Some instances, like the incident involving ChoicePoint, have been significant and well publicized. The Privacy Rights Clearinghouse, a nonprofit consumer organization, estimates that close to 94 million records containing sensitive personal information have been involved in security breaches during the past two years. Among the potential consequences of security breaches, identity theft ranks high in terms of the devastation that can result to the persons and entities as to which the sanctity of private information has been compromised. Consequently, because the liability exposure can be high, landlords and property managers are well advised to augment their locksmith relationships with new team members: computer experts, security consultants, and legal counsel that can pragmatically gauge the applicability of privacy protection laws to the operations in question. This two-part article discusses security breach notification and procedures.
Security Breach Notification Laws
In response to security breaches, 34 states have passed security breach notification laws that cover the notification that a business must make in the event of a breach of security of its system with respect to computerized personal information. Of these states, the following 27 states have enacted security breach notification laws: California, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Louisiana, Minnesota, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Washington, and Wisconsin. In addition, the following seven states have passed these laws, which were enacted on or after Dec. 31, 2006: Arizona, Hawaii, Kansas, Maine, New Hampshire, Utah, and Vermont. Congress is considering federal security breach notification legislation, and it is anticipated that a federal security breach notification law will be enacted in the coming years. However, until a federal law is enacted that pre-empts the state notification breach laws, compliance with the various applicable state laws is required.
California was the first state to enact a security breach notification law. The California Security Breach Information Act (S.B. 1386) became effective July 1, 2003. Because the California Act serves as the model for a number of the other state notification laws, this article provides a step-by-step analysis of this law. Naturally, readers will need to refer to the state laws that are applicable to them for specific guidance, but reviewing this overview of the pioneering approach taken in California should be helpful for purposes of more readily gaining an understanding of derivative steps taken in other states.
Who is covered? The California law applies to any person or entity that does business in California and owns or licenses computerized data that contain personal information. It is important to note that a business could be deemed to be doing business in California simply by maintaining personal information about a California resident. Moreover, a business could own or license computerized data containing personal information that is physically housed outside of California but still be subject to the California law.
What is personal information? Personal information means an individual's first name or first initial and last name in combination with any of the following data elements, when either the name or data elements are not encrypted: 1) Social Security number; 2) driver's license number or state identification card number; or 3) account number, credit card number, or debit card number in combination with any required security code, access code, or password (e.g., a PIN) that would permit access to an individual's financial account.
What is not personal information? Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
What is a security breach? A security breach refers to the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business.
What is not a security breach? A security breach does not include a good faith acquisition of personal information by an employee or agent of the business for its purpose if the personal information is not used or subject to further unauthorized disclosure.
In the event of a security breach, what is the notification obligation? Following the discovery or notification of a security breach, the business must disclose the security breach to any California resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. Moreover, a business that maintains computerized data that include personal information that it does not own needs to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was or is reasonably believed to have been acquired by an unauthorized person.
When must notification be made? Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
By which methods can notification be made? Notification can be provided in any of the following ways: 1) written notice; 2) electronic notice in compliance with the provisions of the Electronic Signatures in Global and National Commerce Act ('E-SIGN'); or 3) substitute notice, if the business demonstrates that (i) the cost of providing notice would exceed $250,000, or (ii) that the affected class of subject persons to be notified exceeds 500,000, or (iii) the entity does not have sufficient contact information. Substitute notice must consist of all of the following: a) e-mail notice when the business has an e-mail address for the subject person or business; b) conspicuous posting of the notice on the Web site page of the business; and c) notification to major statewide media. Alternatively, a business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and that is otherwise consistent with the timing requirements described above is compliant if it notifies subject persons in accordance with its policies in the event of a security breach.
The conclusion of this article will discuss security procedures laws.
Melissa J. Krasnow is a partner in the Corporate Group of Dorsey & Whitney LLP and Randolph M. Perkins, a member of this newsletter's Editorial Board, is a partner in the Real Estate and Corporate Groups of Schiff Hardin LLP.