Archive for the ‘Data Breach Notification Law’ Category

Federal Data Breach and Notification Legislation Approved by House Subcommittee

Sunday, October 30th, 2011

The House Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic Data Act (“SAFE Data Act” or “Act”) on July 20, 2011, and it will now move to the full Energy and Commerce Committee for consideration.

The full text of the SAFE Data Act is available here. It applies to all persons and companies subject to the jurisdiction of the Federal Trade Commission (“FTC”) and any tax-exempt organizations under Section 501(c) of the Internal Revenue Code. It does not, however, apply to entities covered by HIPAA and Gramm-Leach-Bliley in certain circumstances.

A few other notable highlights of this data privacy and breach notification act are as follows:

  • The proposed SAFE Data Act applies to “personal information” which is defined as a consumer’s name, or address or phone number combined with one or more of the following pieces of information: social security number, government identification number (e.g., driver’s license number), or financial account identification number (if the codes or passwords needed to gain access to the financial account are included).
  • The proposed legislation would preempt State and local laws that impose similar information security or breach notification requirements as to any covered entity and would preempt civil actions under State law for violation of information security or breach notification requirements unless brought by a State official.
  • The SAFE Data Act would establish a national standard for when companies are required to notify consumers that their unencrypted personal information has been accessed or acquired as well as for notifying the FTC and law enforcement of a security breach.
  • Notification to the FTC is required within 48 hours of discovering an information breach, and notification to consumers “as promptly as possible” but not later than 45 days after discovery of such breach. Notification can be delayed by law enforcement, the National Security Agency, or the Homeland Security Agency if it is determined that such notification will threaten an investigation or national or homeland security. Interestingly, however, this notification requirement may be circumvented if a covered entity makes a “reasonable determination that the breach of security presents no reasonable risk of identity theft, fraud, or other unlawful conduct ….” In this regard, the bill creates a presumption that “no reasonable risk of identity theft, fraud, or other unlawful conduct exists” if the disclosed data is unusable, unreadable, or indecipherable due to encryption or other security technology.
  • Those covered by the proposal would be required to maintain policies and procedures concerning: (1) the collection, use, sale and other dissemination of data containing personal information; (2) a process for identifying reasonably foreseeable vulnerabilities through regular monitoring; (3) taking preventive and corrective action; and (4) properly disposing of data containing personal information in electronic and non-electronic form. Additionally, persons who own or possess data containing personal information must establish a plan for minimizing the amount of personal information they keep.

For more information on this proposed Data Privacy and Breach notification legislation or on similar information security law, please contact Jason Shinn.

Michigan Amends Identity Theft Statute

Thursday, January 6th, 2011

Michigan recently amended its Identity Theft Protection Act. These amendments take effect on April 1, 2011. For a full copy of the amendments, click here.

As to the highlights, the Amendments:

  • Prohibit communicating under false pretenses to request personal identifying information, creating or operating an unauthorized Web page to solicit personal identifying information, or altering a computer or software setting to solicit personal identifying information, with the intent to commit identity theft or another crime, and prohibit the same activities without the element of intent;
  • Provide for increased penalties; and
  • Expand the definition of personal identifying information to include any account password in combination with sufficient information to identify and gain access to a person’s financial account and a person’s automated or electronic signature or biometrics.

There are also severe criminal and monetary penalties available under the amendment. These include recovery of actual damages, including reasonable attorney fees, or, in lieu of actual damages, reasonable attorney fees plus the lesser of the following:

  • $5,000.00 per violation.
  • $250,000.00 for each day that a violation occurs.

While the recovery of the preceding damages is important, it is no replacement for mitigating the potential risk of a security breach by proactively implementing safeguards for consumer and employee data.