Part Two of a Two-Part Series
Part One of this series discussed security breach notification laws. The conclusion addresses security procedures laws.
In addition to the California security breach notification law, California was the first state to enact a security procedures law (A.B. 1950), which became effective Jan. 1, 2005. This law requires that a business implement and maintain reasonable security procedures and practices to protect personal information. A few other states, namely 1) Arkansas, 2) Nevada, 3) Rhode Island, and 4) Texas, also have enacted security procedures laws. In addition, Utah has passed such a law, which became effective Jan. 1, 2007. Again, for purposes of the utility of any overview, and because this California law also serves as the model for a number of the other state laws, a step-by-step analysis of this law is also set out here for consideration by landlords and managers.
Who is covered? The California law applies to any business that owns or licenses personal information about a California resident.
Who is not covered? The California law does not cover two types of record holders: 1) a business that is regulated by state or federal law that provides greater protection to personal information; and 2) a business that is either a Health Insurance Portability and Accountability Act entity, a health care entity, or a financial institution.
What is the security procedures obligation? Businesses covered by the California Act must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
What is the third-party security procedures obligation? A business that discloses personal information about a California resident under a contract with a nonaffiliated third party must require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
What is personal information? Personal information is defined the same as under the California security breach notification law, except that medical information is cited as an additional data element.
Federal Trade Commission Involvement
While there is no specific federal security procedures law, the Federal Trade Commission has weighed in by seeking to punish information security breaches. The standards for security-related procedures that the FTC considers appropriate have been described in a number of recent cases. By way of example, a significant case in this area was brought against BJ's Wholesale Club in 2005. The FTC charged that BJ's failure to provide reasonable security for sensitive customer information was an unfair act or practice in violation of Section 5 of the Federal Trade Commission Act because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition.
The FTC alleged that BJ's: 1) failed to encrypt consumer information when it was transmitted or stored; 2) stored the information longer than it had a need to do so; 3) stored the information in files that could be accessed using commonly known default user IDs and passwords; 4) failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and 5) failed to use measures sufficient to detect unauthorized access to the networks. The settlement order that resolved this case requires BJ's to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards and to obtain regular third-party professional audits of this program for compliance with the FTC Order and with bookkeeping and record-keeping requirements. The FTC Order is in effect for a 20-year period. In the Matter of BJ's Wholesale Club, Inc., File No. 042 3160, June 16, 2005.
Conclusion
As is the case in many other operational areas, information maintenance is becoming increasingly regulated. Landlords and property managers must take three steps to avoid costly violations. First, the relative utility of information to be gathered and maintained must be balanced against the burdens and risks associated with possessing the information. Second, appropriate internal policies and systems must be created to fulfill mandatory security requirements. Third, a plan must be established to provide requisite notification and otherwise address incidents of security breaches. For each of these steps, careful reference to applicable local and developing federal law is essential.
Melissa J. Krasnow is a partner in the Corporate Group of Dorsey & Whitney LLP (e-mail [email protected]) and Randolph M. Perkins is a partner in the Real Estate and Corporate Groups of Schiff Hardin LLP (e-mail [email protected]).