Wolff & Samson PC
Counsellors At Law

Corporate and Securities
Information Security Breaches: New York and New Jersey Disclosure Requirements for Financial Institutions
By David M. Hyman and Russel D. Francisco

Copyright © 2007 Thomson/West



Attorneys David M. Hyman and Russel D. Francisco of Wolff & Samson discuss information security issues under state and federal law, with emphasis on the Gramm-Leach-Bliley Act, New York's law on information security breaches and New Jersey's identity theft statute.


Identity theft and breach of information security have become two major business challenges in the new millennium, as vast quantities of sensitive, personal information are now vulnerable to criminal interception and misuse. Accordingly, information security and identity theft have emerged as critical issues for financial institutions and other businesses that possess customers' sensitive, personal data.


This article discusses information security issues under federal and state laws. The article briefly discusses general obligations under the Gramm-Leach-Bliley Act, the federal statute governing a financial institution's duties to safeguard customer data. The focus of the article, however, is a financial institution's obligations under the New York State Information Security Breach and Notification Act and the New Jersey Identity Theft Prevention Act, which set forth notification requirements for businesses that experience a breach in their information security.


The article also discusses emerging trends in identity theft litigation as well as pending congressional action. Finally, the article outlines best practices for businesses that wish to strengthen their information security policies and procedures.


Gramm-Leach-Bliley Act


The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, is the federal statute that governs a financial institution's retention, use and disclosure of customer records and information. 1 GLB sets forth a financial institution's privacy obligations to its customers (Section 6801) and its duties concerning the safeguarding of customers' personal information (Sections 6802-03). Section 6805 of GLB entrusts enforcement of its privacy rules to the Federal Trade Commission, which has promulgated regulations (http://www.ftc.gov/ogc/stat3.htm).


Generally, GLB prohibits disclosure of private customer records and information and prescribes "safeguarding" obligations for all financial institutions. 15 U.S.C. § 6802(a). There are specific, enumerated exceptions to the general prohibition on disclosure of private customer records and information as follows:


• When the financial institution "clearly and conspicuously discloses to the consumer" that the information may be disclosed to a non-affiliated third party, and the consumer is given an opportunity to direct that the information not be disclosed (Section 6802[b][1]);

• Disclosure to a non-affiliated third-party "to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services," provided that the financial institution "fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information" (Section 6802[b][2]);

• When disclosure is "necessary to effect, administer or enforce a transaction requested or authorized by the consumer" (Section 6802[e][1], [e][1][A], [C]);

• When disclosure is in connection with "maintaining or servicing the consumer's account" (Section 6802[e][1][B]);

• When disclosure is "with the consent or at the direction of the consumer" (Section 6802[e][2]);

• "To protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction," including "required institutional risk control" (Section 6802[e][3]);

• To "persons holding a legal or beneficial interest relating to the consumer" or to "persons acting in a fiduciary or representative capacity on behalf of the consumer" (Section 6802[e][3][D], [E]);

• To "insurance rate advisory organizations" and other people or entities "assessing the institution's compliance with industry standards" (Section 6802[e][4]);

• To the financial institution's "attorneys, accountants and auditors" (Id.); and

• To the extent "specifically permitted or required under other provisions of law" (Section 6802[e][5], [6], [8]).


One other noteworthy exception to GLB's privacy and disclosure rules is when customer records and information are disclosed:
in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit.


15 U.S.C. § 6802(e)(7).

Assuming that the financial institution has policies and procedures in place for the safeguarding of customer records and information, the business is in compliance with GLB. Theft, loss or other unauthorized access to that information, however, is not covered by GLB or the FTC regulations. To fill the significant gaps left by GLB, states recently began enacting legislation that protects consumers whose private information has been compromised. 2


New York Statute


In December 2005 New York enacted the New York State Information Security Breach and Notification Act. For businesses, the law is codified at N.Y. Gen. Bus. Law § 899-aa. It covers two types of information:


• "Personal information": any information that, because of name, number, personal mark or other identifier, can be used to identify such natural person; and

• "Private information": any information that contains one or more of the following:
    • Social Security number;
    • Driver's license number; or
    • Account number, credit or debit card number.


N.Y. Gen. Bus. Law § 899-aa(1)(a)-(b).



Under this statute the business must disclose "any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization." N.Y. Gen. Bus. Law § 899-aa(2). 3 The notification must be made "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement." Thus, law enforcement properly may require the business to delay or restrict the information contained in the notification. N.Y. Gen. Bus. Law § 899-aa(4).


Failure to adhere to the notice requirements of the statute subjects a business to injunctive relief and civil penalties (maximum $150,000). N.Y. Gen. Bus. Law § 899-aa(6).


Other Required Notifications


In addition to notifying customers upon compromise of the protected information, the business also must notify three state agencies: the Attorney General's Office, the Consumer Protection Board, and the New York State Office of Cyber Security & Critical Infrastructure Coordination.


A form is available online for use when notifying these New York agencies (http://www.oag.state.ny.us/consumer/tips/securitybreachReportForm.pdf). Moreover, if more than 5,000 customers are affected by the breach, the business must notify the three major consumer reporting agencies: Equifax, TransUnion and Experian (http://www.oag.state.ny.us/consumer/tips/id_theft_law.html).


Legislative History


New York State Sen. Charles J. Fuschillo, the Republican who introduced the bill, issued an introducer's memorandum that said the law was designed "to notify people of an unauthorized acquisition of their private information." S. 3492A, N.Y. State Introducer's Memorandum in Support, at 1 (2005). The memo cited two specific past instances in which consumers were not notified of breaches of information security. The examples involved ChoicePoint, a large personal information aggregating firm, and the DSW shoe outlet, whose customers' credit card information was stolen in 2004-05. Id. at 2.


The focus of the New York statute is the protection of source material, the places from which personal information may be obtained. Fuschillo's memo states:

Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports and Internet Web sites are all sources of personal information and form the source material for identity thieves.


Id.


Fuschillo then takes a harsh tone toward failure to notify customers:

If a ... business which possesses people's personal information and which is hacked does not notify people of the security breach, people will not be able to take the steps necessary to protect themselves from identity theft and similar offenses.


Id. at 2-3.


He further notes the following without further explanation:

This bill is not meant to target firms that simply provide the instantaneous means of transmission for information. Nor does this bill place undue burden on those that have no ownership, license or maintenance abilities regarding personal or private information.

Id. at 3.


The legislative history of the Information Security Breach and Notification Act expressly states that the law is based on a California statute passed in 2003. Id. at 3. New York's version is lifted nearly verbatim from California's. New York, however, provides greater protection. 4


New Jersey Statute


New Jersey enacted the Identity Theft Prevention Act, N.J. Stat. Ann. § 56:8-163, in January 2006. The law generally provides the same notification requirements as New York's statute. Specifically, financial institutions in New Jersey must notify customers when it is discovered that the confidentiality or security of the customers' nonpublic personal information has been "compromised in any way." 5


Significantly, the New Jersey act, unlike New York's, requires that the financial institution "reimburse the consumer for any losses the consumer incurred as a result of the compromise of the security or confidentiality of such information and any misuse of such information," including fees the customer incurred in taking corrective actions.


Other Required Notifications


New Jersey additionally requires businesses to notify State Police of any breach in information security. N.J. Stat. Ann. § 56:8-163(c)(1).


Who Must Notify Customers


New York Law

Section 3 of New York's identity theft statute says:

Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.


N.Y. Gen. Bus. Law § 899-aa(3).


If a financial institution does not own the stolen data, but rather is a safe-keeper of the data, its sole obligation under the statute is to notify the owners of the breach. Upon such notification, the owners' affirmative duty to notify their customers is triggered under the statute:

Any person or business which conducts business in New York state and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

N.Y. Gen. Bus. Law § 899-aa(2).


New Jersey Law



New Jersey's identity theft statute is even more direct:

Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.


N.J. Stat. Ann. § 56:8-163(b).


Other States


As of July, 36 states (including New York and New Jersey) have passed identity theft statutes protecting consumers. The National Conference of State Legislatures maintains a Web site that collects and provides links to all enacted nationwide legislation regarding information security and identity theft:


• 2007 Legislation: http://www.ncsl.org/programs/lis/privacy/IDTheft2007.htm
• 2006 Legislation: http://www.ncsl.org/programs/lis/privacy/IDTheft2006.htm
• 2005 Legislation: http://www.ncsl.org/programs/lis/privacy/IDTheft2005.htm
• 2002-04 Legislation: http://www.ncsl.org/programs/lis/privacy/idt-legis.htm


Introduced Federal Legislation


In May the Senate Judiciary Committee approved two competing bills, S. 495 and S. 239, that require businesses to notify individuals if their personal data is breached. BNA Privacy & Sec. Law Rep., Vol. 6, No. 19, at 739 (May 7, 2007). Vermont Democrat Patrick Leahy and Republican Arlen Specter of Pennsylvania are co-sponsoring S. 495, a comprehensive data breach notification law that includes criminal penalties. Id. at 739-40. California Democrat Dianne Feinstein is sponsoring S. 239, a streamlined bill that features identical consumer notification provisions as S. 495, but does not address criminal penalties.


Both bills provide "tough civil penalties against companies that fail to safeguard sensitive consumer data or provide breach notice" of "up to $1,000 per individual per day of violation, capped at $1 million" per individual, "unless willful or intentional conduct is involved." Id. at 739.


The main focus of the debate will be the "risk of harm threshold that places limits on when notification is required." Id. In other words, Congress is debating the standard that will dictate when a business must provide notification and when notification is not required. If either bill is passed, the law would preempt all 36 state data breach notification laws that have been enacted nationwide. Id.


Best Practices for Businesses


The Federal Trade Commission, which is charged with the enforcement of GLB, gives businesses general guidance on how to properly notify customers of any compromise of their personal information (http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.pdf). The information includes a useful form letter.


General Considerations


The following is an informal checklist of steps a business should take when facing a breach emergency:

• Ascertain the number of customers affected
    • May be required to inform credit bureaus of unauthorized access (e.g., New York)
    • May have to advise customers to issue fraud alerts
• Make contact with the law enforcement agency investigating the theft
    • Make sure law enforcement is aware of the identity theft component of the crime
    • Ascertain whether law enforcement wants to delay customer notification
    • Determine what information should and should not be included in the notice, consistent with the needs of the criminal investigation
• Notify any other affected businesses
• Designate contact/point persons within the company
• Set up a call center
    • Talking points
    • FAQs
• Set up a Web page
    • FAQs
• Notice letter to customers. Consider including the following:
    • Describe clearly what the company knows, including all known details, consistent with the needs of law enforcement
    • Describe actions taken to remedy the breach
    • Phone number and/or Web site address
    • What additional actions customers can take to protect themselves, with phone numbers and Web addresses
    • Educate customers about identity theft
    • Law enforcement contact, if acceptable to law enforcement


Contents of Notice


New York businesses have some flexibility regarding what to disclose about the details of the breach of security. New York's statute requires only the following information to be included in the notice to customers:

Regardless of the method by which notice is provided, such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.


N.Y. Gen. Bus. Law § 899-aa(7) (Exhibit A).


New Jersey's statute is silent on the contents of the notification letter.


The guidelines provided by the FTC regarding the contents of the notice letter, which, among other things, advise businesses to provide all known details about the breach, are recommendations only. Indeed, the agency's Web site states that businesses should "check federal and state laws or regulations for any specific requirements."


Potential Exposure


At this time, there is limited -- but steadily growing -- case law nationwide concerning a financial institution's exposure to liability as a result of compromised personal information. As one New York court noted:

With the emergence of identity theft as one of this country's growing concerns, this court is required to address what promises to be a new area of law, namely the duties and responsibilities incidental to the safeguarding of confidential personal information, and more particularly, whether liability may attach to an entity that fails to safeguard personal and confidential information.


Daly v. Metro. Life Ins. Co., 4 Misc. 3d 887, 888 (N.Y. Sup. Ct., New York County 2004).


In the handful of relevant cases, however, liability does not easily attach to a business entity charged with failing to safeguard personal information. See Jones v. Commerce Bank N.A., 2007 WL 672091 (S.D.N.Y. Mar. 6, 2007); Giordano v. Wachovia Sec., 2006 WL 2177036 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank N.A., 420 F. Supp. 2d 1018, 1019 (D. Minn. 2006); Guin v. Brazos Higher Educ. Serv. Corp., 2006 WL 288483, *1 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, 2005 WL 2465906, *1 (D. Ariz. Sept. 6, 2005).


The surviving causes of action in these cases generally sound in negligence, breach of contract and breach of fiduciary duty, 6 but most do not survive summary judgment because the plaintiffs are found to lack proof of injury, or, even if they have suffered an injury, the plaintiffs cannot adequately demonstrate that their injury was proximately caused by the defendant's failure to safeguard the confidential information. Significantly, a number of these cases overcame initial motions to dismiss and proceeded to discovery, but the vast majority did not survive at the summary judgment stage.


Discussion


No Injury


A recent decision from the New Jersey federal court, Giordano v. Wachovia Securities, involved a financial institution, Wachovia Securities, that lost a report in the mail containing personal customer data. Wachovia learned that the package containing the report "was damaged during shipment and, pursuant to the carrier's [UPS'] procedures, was destroyed." Id. at *1. Wachovia further informed its customers that there was "no evidence of theft" of the report and that there was no evidence that the "report has been obtained by a third party." Id.


The plaintiff nevertheless filed a class-action lawsuit against Wachovia and UPS, alleging negligence, invasion of privacy and breach of the duty of confidentiality. Id. at *2. Without reaching any of the merits of the case, the court dismissed the suit, finding that the plaintiff lacked standing:

The court concludes that plaintiff lacks constitutional standing to bring this action because plaintiff has failed to allege that she suffered an injury-in-fact that was either "actual or imminent." Plaintiff's allegations that, as a result of Wachovia's actions, she will incur costs associated with obtaining credit monitoring services in order to prevent identity theft simply does not rise to the level of creating a concrete and particularized injury. Plaintiff's claims, at best, are speculative and hypothetical future injuries. A complaint alleging the mere potential for an injury does not satisfy plaintiff's burden to prove standing.


Id. at *4 (emphasis added).


Similarly, in Forbes v. Wells Fargo Bank, computers containing personal information of Wells Fargo customers were stolen from the offices of Regulus, a service provider hired by Wells Fargo to generate monthly statements for the bank's customers. 420 F. Supp. 2d at 1019. After the computers were stolen, Wells Fargo notified all potentially affected customers of the theft and offered them services relating to identity theft protection. Id.


After receiving this notice, and although there had been no indication that the information on the computers had been accessed or used, plaintiffs brought suit against Wells Fargo for breach of contract, breach of fiduciary duty and negligence. They based their suit on the theory that Wells Fargo negligently allowed Regulus to keep customers' private information without adequate security.


The Minnesota federal court granted Wells Fargo's motion for summary judgment, saying: "A plaintiff may recover damages for an increased risk of harm in the future if such risk results from a present injury and indicates a reasonably certain future harm. Alone, however, the threat of future harm, not yet realized, will not satisfy the damage requirement." Id. at 1020 (internal citations omitted) (emphasis added).


Though the plaintiffs alleged that they spent time and money monitoring their credit, the court found that "their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized. In other words, the plaintiffs' injuries are solely the result of a perceived risk of future harm." Id. at 1021.


In Guin v. Brazos Higher Education Service Corp., the plaintiff alleged that the student loan servicing firm negligently permitted an employee to keep personal information on a laptop that was subsequently stolen from the employee's home office. 2006 WL 288483, *1. The laptop contained personal customer data, but it was impossible to determine which customers' information was saved on the hard drive when the laptop was stolen. Id. at *1.


Accordingly, Brazos gave notice to all its 550,000 customers that some of their personal information "may have been inappropriately accessed by the third party." Id. at *2. After receiving this notice, and without any proof that his personal information had been misappropriated, the plaintiff, who had acquired a loan through Brazos, filed an action against the company for negligence. Id. at *3.


In determining whether there had been a breach of duty, the parties agreed that GLB established a duty for Brazos to protect the security and confidentiality of customers' personal information. 7 Id. However, the court held that Brazos did not fail to comply with GLB because the statute does not prohibit working with sensitive data on a home office computer. Id. at *4.


Next, noting that "a plaintiff must suffer some actual loss or damage in order to bring an action for negligence" and that "the threat of future harm not yet realized will not satisfy the damage requirement," the court found that the plaintiff failed to prove injury. Id. at *5. Since the plaintiff was unable to show that his information was actually on the laptop when it was stolen or that his personal information was accessed by the burglars or was "transferred, possessed, or used with the intent to commit, aid or abet any unlawful activity," the court held that he failed to show that he was a victim of identity theft or sustained any other injury. Id. at *6.


The trend of dismissals based upon the above principles continues in the most recent decisions. See Kahle v. Litton Loan Servicing, 2007 WL 1461790, *7 (S.D. Ohio May 16, 2007) (granting summary judgment to defendant because "any injury of plaintiff is purely speculative"); Randolph v. ING Life Ins. & Annuity Co., 2007 WL 565872, *5 (D.D.C. Feb. 20, 2007) (granting defendant's motion to dismiss and stating that plaintiffs' "allegation that they have incurred or will incur costs in an attempt to protect themselves against their alleged increased risk of identity theft fails to demonstrate an injury that is sufficiently 'concrete and particularized' and 'actual or imminent'"); Bell v. Acxiom Corp., 2006 WL 2850042, *2 (E.D. Ark. Oct. 3, 2006) ("Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement."); Key v. DSW Inc., 2006 WL 2794930, *1 (S.D. Ohio Sept. 27, 2006) ("Plaintiff has failed to allege that she has suffered an injury-in-fact and therefore has not met the constitutional requirements for standing.").



No Proximate Causation


Even in cases where a plaintiff has been able to prove an actual injury, summary judgment has been granted where the plaintiff is not able to prove proximate causation. For example, in Jones v. Commerce Bank, the plaintiff, who held a checking account at Commerce Bank, was the victim of identity theft. 2007 WL 672091, *1. Specifically, the plaintiff discovered that $1,860 was withdrawn from her account and transferred to another account that was fraudulently opened in her name. Id. After investigating the incident, Commerce credited the $1,860 back into the plaintiff's account. Id.


The plaintiff then sued Commerce for negligence, breach of fiduciary duty, intentional and negligent infliction of emotional distress, commercial bad faith, consumer fraud, and breach of contract. Id. The court granted Commerce's motion to dismiss the claims of negligence, breach of fiduciary duty and breach of contract. However, discovery proceeded on the remainder of plaintiff's claims. Id. At the conclusion of discovery, the court granted Commerce's motion for summary judgment as a result of the plaintiff's failure to prove proximate cause, and the judge denied the plaintiff's motion to reconsider the ruling:

However, even assuming arguendo that Commerce owed plaintiff a duty, plaintiff must show evidence of causation -- i.e., that Commerce's breach of that duty proximately caused plaintiff's injuries. It was the theft of plaintiff's identity by unidentified individuals, in an unknown manner, that caused plaintiff's injuries, not four unauthorized withdrawals that were soon rectified. I granted summary judgment to defendant because plaintiff could not, on the evidence presented, establish the element of causation.


Id. at *3 (internal quotation marks and citations omitted) (emphasis added).


The court also rejected plaintiff's de facto res ipsa loquitur theory:

Plaintiff avers, in essence, that Commerce must have committed a negligent breach of duty because the combination of personal information used to fraudulently attain a check from plaintiff's insurance company was only possessed by Commerce, and no other institutions or entities. However, it cannot be said that the identity theft here is an event that "ordinarily does not occur in the absence of someone's negligence," just as it cannot be generally said that criminal activity requires some prior negligence to succeed. The thieves might well have stolen plaintiff's information without any negligence on the part of Commerce. Additionally, it does not appear that the information that allegedly establishes res ipsa loquitur was in the exclusive control of Commerce. In short, the facts of this case do not establish a viable argument for res ipsa loquitur sufficient to overcome the lack of evidence of causation on the part of Commerce.


Id. at *4 (emphasis added).


In Stollenwerk v. Tri-West Healthcare Alliance, the office of Tri-West, a company managing a health insurance program, was burglarized, and computer hard drives containing Mark Brandt's personal information were stolen. 2005 WL 2465906, *1. Soon thereafter, his personal information was used to open unauthorized credit accounts in his name. Brandt and two other people whose information was on the hard drives, Michael Stollenwerk and Andrea DeGatica, filed suit against Tri-West for negligence. 8


Tri-West moved for summary judgment, arguing that Stollenwerk and DeGatica had not shown that they suffered any injury and that Brandt failed to show a causal connection between the theft of the hard drives and the fraudulent use of his personal information. Id. at *2. Stollenwerk and DeGatica argued that they suffered an injury because, as a result of the exposure of their personal information, they purchased a credit monitoring system. They also relied upon the opinion of an expert who described their injury as "an increased risk of experiencing identity fraud for the next seven years." Id. at *5.



Applying the standard for medical monitoring cases to identity theft, 9 the court concluded that the plaintiffs could not satisfy the standard because they were unable to provide evidence that the personal information on the computers was exposed to the thieves. Id. at *4-5. Significantly, the court added that nothing in this case suggested that the data itself, rather than the hardware on which it was stored, was the thieves' target. Id. at *5.


As to Brandt, whose personal information was actually used to open unauthorized credit accounts, the court agreed that the case nevertheless should be dismissed because he was unable to show a causal connection between the theft of the computers and the unauthorized credit accounts. Despite Brandt's assertion that he has never transmitted his personal information on the Internet and that he shreds all mail concerning credit applications, the court held: "Standing alone, plaintiff Brandt's evidence that the burglary preceded the incidents of identity fraud does not allow a reasonable jury to infer that the burglary caused the incidents of identity fraud. Such a conclusion would be the result of speculation and conjecture, not a reasonable inference." Id. at *7. Accordingly, the court granted the defendant's motion for summary judgment.


Cases Surviving Dispositive Motions


There are few cases where a plaintiff's claims against a financial institution based upon compromised personal information have survived dismissal after motion practice. These cases differ factually from the ones cited above because not only have the plaintiffs been able to show that they suffered an injury, but they also have been able to show that the injury was proximately caused by the defendant's breach of duty. Furthermore, these cases involve specifically targeted data, rather than stolen hardware that happened to contain personal information. 10


For example, in Daly v. Metropolitan Life Insurance Co., plaintiff Sara E. Daly submitted an insurance application containing her personal information to Met Life. 4 Misc. 3d at 887. Subsequently, her personal information was stolen by a janitor employed by a maintenance company hired by Met Life's landlord. Daly had become aware that her personal information had been compromised when she received a call seeking to verify information for a credit card for which she had not applied. After contacting credit agencies, Daly learned that her personal information had been used to create numerous fraudulent accounts.


Upon determining the identity of the thieves, Daly filed suit against Met Life, alleging negligence and seeking damages for compromising her personal line of credit. Met Life sued the building owner and the janitorial service, then moved for summary judgment, arguing that Daly failed to establish how Met Life was negligent in maintaining her confidential information and that she failed to show that she suffered damages that were caused by Met Life.


Noting that Met Life had a duty to protect Daly's personal information and that there was no case law on point since this was a matter of first impression in New York, the court denied Met Life's motion because there were questions of fact regarding the precautions taken by Met Life to protect personal information and regarding the amount of damages. Id. at 893-894.


Potential New Cause of Action in New York for Breach of Information Security


The New York Court of Appeals' recent ruling in Thyroff v. Nationwide Mutual Insurance Co., 8 N.Y. 3d 283 (N.Y. 2007), may open the door to a new cause of action in the state based upon the breach of information security. In Thyroff the U.S. Court of Appeals for the 2nd Circuit certified a question to the New York high court, asking "whether the common-law cause of action of conversion applies to certain electronic computer records and data." Id. at 284. The state court held:

We therefore answer the certified question in the affirmative and hold that the type of data that [defendant] Nationwide allegedly took possession of -- electronic records that were stored on a computer and were indistinguishable from printed documents -- is subject to a claim of conversion in New York.


Id. at 292-93.


Plaintiffs in New York may now add conversion to their list of counts when filing suit against a defendant for the breach of the security of their private electronic information.


Conclusion


Upon learning of a breach of information security, businesses should act immediately to prepare to notify their customers. In so doing, businesses should at once contact law enforcement to report the breach and begin coordinating with law enforcement concerning customer notification. Management must learn all relevant facts, maintain contact with law enforcement and make all necessary preparations to notify customers of the breach.


Businesses in this position have found it useful and effective to retain not only legal counsel for the necessary legal guidance, but also crisis management firms to handle the potentially sensitive customer relations issues. Management must ascertain all mandatory legal requirements, which, as demonstrated above, can vary from state to state. Such legal requirements also may vary from state to state depending upon who maintained and lost the protected information, so obtaining able counsel becomes crucial to the process.


Breach of information security is a serious challenge for any business, but it is a manageable crisis. Information flow, organization, dependable employees and reliable advice are a must for any management team facing such an emergency. It may also serve businesses to think ahead and prepare policies and procedures designed to pool the necessary resources and personnel to handle such a crisis.




  1. "Financial institution" is defined as "any institution the business of which is engaging in financial activities." 15 U.S.C. § 6809(3). The Bank Holding Company Act, 12 U.S.C. § 1843(k), which is referenced in the definitions contained in Section 6809, considers the following to be "financial institutions": lenders, check cashers, wire transfer services, sellers of money orders, credit counselors, financial planners, tax preparers, accountants, investment advisers, loan brokers, loan servicers, debt collectors and providers of real estate settlement services.

  2. California was the first state to pass such a statute in 2003. See Cal. Civ. Code § 1798.29. Subsequent state legislation generally has been modeled after the California law.

  3. The New York statute applies to "any person or business which conducts business in New York state and which owns or licenses computerized data which includes private information." N.Y. Gen. Bus. Law § 899-aa(2).

  4. California protects only "personal information," which is specifically defined. Cal. Civ. Code § 1798.29(e). As discussed previously, New York not only protects the same category of information, which New York calls "private information" and defines similarly to California, N.Y. Gen. Bus. Law § 899-aa(1)(b), but also protects "personal information." New York nebulously defines "personal information" as "any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person." N.Y. Gen. Bus. Law § 899-aa(1)(a).

  5. The definition of "financial institution" under the New Jersey law is the same as in GLB.

  6. Most of these cases are filed alleging myriad causes of action. After motion practice, usually only the negligence, breach-of-contract and breach-of-duty claims remain.

  7. Note that "a private right of action does not exist on behalf of an individual ... claiming harm as the result of a financial institution's failure to comply with the GLBA's privacy provisions." Farley v. Williams, 2005 WL 3579060, *3 (W.D.N.Y. Dec. 30, 2005); see also Menton v. Experian Corp., 2003 WL 21692820, at *3 (S.D.N.Y. July 21, 2003); Briggs v. Emporia State Bank & Trust Co., 2005 WL 2035038, at *2-3 (D. Kan. Aug. 23, 2005); Bominski v. Williamson, 2004 WL 433746, at *3 (N.D. Tex. Mar. 1, 2004); Lacerte Software Corp. v. Prof'l Tax Servs. L.L.C., 2004 WL 180321, at *2 (N.D. Tex. Jan. 6, 2004).

  8. All the other causes of action were dismissed on the defendant's motions to dismiss prior to the summary judgment motion. The dismissed causes of action were violations of the Privacy Act, the Ninth Amendment, the Arizona Consumer Fraud Act, and Arizona tort and contract law; gross negligence; negligence per se; res ipsa loquitur; and breach of the implied bailment contract. Stollenwerk, 2005 WL 2465906, *1-2.

  9. The court said that applying the factors of medical monitoring cases to identity theft cases, "a plaintiff would be required to establish, at a minimum: (1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating and/or preventing identity fraud." Stollenwerk, at *4.

  10. Jones v. Commerce Bank, 2007 WL 672091 (S.D.N.Y. Mar. 6, 2007), discussed above, was pleaded as such a case by the plaintiff and hence survived Commerce Bank's motion to dismiss. After discovery was taken, however, the court granted summary judgment in favor of the bank.



    David M. Hyman is a partner at Wolff & Samson, PC, a 110-lawyer firm based in West Orange, New Jersey. Mr. Hyman can be reached by phone at (973) 530-2009 or via email at dhyman@wolffsamson.com. Russel D. Francisco is an associate at Wolff & Samson, PC. Mr. Francisco can be reached by phone at (973) 530-2109 or via email at rfrancisco@wolffsamson.com.




    ©