
State Law Will Require Firms to Notify Customers of Data Security Breaches

Posted on: Monday, 12 June 2006, 21:00 CDT

By Patricia Sabatini, Pittsburgh Post-Gazette

Jun. 13--Don't be surprised if some day soon you get a letter with this disturbing news: A thief has swiped a computer file with your name, Social Security number or other personal financial data hoping to steal your identity and run up big bills in your name.

On June 22, Pennsylvania's Breach of Personal Information Notification Act takes effect, requiring companies to notify state residents if their sensitive personal data has been lost or stolen, exposing them to the risk of identity theft. The goal is to give Pennsylvanians an early warning so they can monitor their financial records for suspicious transactions and take steps to limit the damage.

Experts say such security breaches have gone on for years, but consumers largely were kept in the dark until a rash of state laws was enacted across the country requiring companies to fess up.

So far, there are 30 states with security breach notification laws in force or scheduled to take effect. The vast majority of the statutes were enacted in the last year and a half in the wake of high-profile security lapses at companies such as data broker ChoicePoint. At the federal level, a number of proposals aimed at combating ID theft are being debated, including breach notification.

"You rarely see any issue sweep state legislatures that fast," Reed Smith attorney Mark Melodia said in a recent presentation on security breach litigation at the Duquesne Club, Downtown. "It's been an amazing, wildfire spread."

Under Pennsylvania's law, businesses could notify consumers about a breach by letter or telephone, or by e-mail if there is a prior business relationship with the company. State agencies also are covered by the law but financial institutions are exempt, as long as they are in compliance with federal regulations.

If more than 175,000 people were affected or if notification would cost more than $100,000, all affected consumers could be notified by e-mail as long as the company also posted a notice on its Web site and informed major statewide media.

If the breach affected more than 1,000 people, national credit reporting agencies also would have to be notified.

Notification is required if a company "reasonably believes" a breach has or will cause loss or injury.

Consumer advocates have criticized Pennsylvania's reasonability trigger, saying it gives companies too much room to decide not to disclose a breach.

But Reed Smith's Mr. Melodia doesn't see it that way. Because of the lack of case law on the issue, companies have been playing it safe, he said.

Even if the breach doesn't fit the exact definition under a particular state law, "the vast majority of our clients have decided to give notice anyway," Mr. Melodia said.

"If you don't give notice, if you made a conscious choice not to -- take it from a litigator, that is a problem. It starts to smack of punitive damages."

The harshest state law should become "the de facto standard," he said.

"Just because Pennsylvania's law has been talked about as being more business friendly, that's irrelevant to you unless you are totally local with all local clients," Mr. Melodia said.

At the same time, companies are facing a "damned if you do, damned if you don't" dilemma, he said.

Companies that choose not to give notice could be sued by the state attorney general's office for violation of Pennsylvania's consumer protection laws. On the other hand, issuing a breach notice is akin to giving lawyers "an engraved invitation" to file a negligence suit, he said.

"How often do businesses have to send out a letter saying we messed up? That letter is gold" for plaintiffs' lawyers, he said.

While companies typically have been offering a free year of credit monitoring to consumers affected by a privacy breach, plaintiffs have been seeking lifetime coverage, Mr. Melodia said.

The good news for companies, he said, is that in situations where no ID theft has occurred, those cases haven't succeeded.

BATTLING BREACHES

The Pittsburgh-based law firm Reed Smith offers these dos and don'ts for companies concerned about data security breaches:

--Review customer and investor communications and don't overpromise on privacy. Businesses that promise too much are setting themselves up for a breach of contract lawsuit, Reed Smith attorney Mark Melodia said.

--Inventory the personal information you keep and share.

--Assign responsibility for data security to the highest levels. Make data security a priority for the board and senior management.

--Consider the widest practical use of encryption. State security breach laws don't require disclosure of stolen data if it is encrypted.

--Destroy documents with no remaining business use.

--Train and certify employees on data security.

--Restrict access to personal information, especially Social Security numbers; secure electronic devices.

--Implement an incident response plan. If someone loses a company laptop, who takes action?

--Audit compliance regularly.

--Review security breach insurance coverage.


Copyright (c) 2006, Pittsburgh Post-Gazette
