Data Risk Governance

Exploring the intersection between information security, privacy, technology and the law.

Information Security Law

Information Security & Privacy Law

Title: Why Federal Legislation Is Needed To Protect the Personal Information of the American Citizen

By C. Matt Sorensen

© Matt Sorensen, 2010-2011. All Rights Reserved.

TABLE OF CONTENTS

1. Introduction
   A. Importance of Personal Information
   B. The Need for Personal Information in Commerce & Government
   C. Collection of Personal Information
   D. Storage, Transmission and Processing of Personal Information
   E. Data Breach
   F. Data Breach Statistics
   G. Harms Incurred as a Result of Compromised Personal Information
2. Example Data Breaches
   A. TJX Companies
   B. Hannaford Brothers Supermarkets
   C. Heartland Payment Systems
   D. ChoicePoint
   E. Minnesota State Employee Data Breach
3. Duty to Protect Sensitive Data
   A. Sensitive Data Must Be Protected by Those Who Possess It
   B. The Problem of Externalities
   C. Data Protection Laws and Regulations: Establishing a Duty to Meet a Standard of Due Care for Information Protection
      1. An Emerging Standard
      2. International Laws and Principles
         a. European Union Privacy Standards
         b. PIPEDA
         c. APEC Privacy Framework
      3. United States Federal Laws and Regulations
         a. Privacy Act of 1974
         b. Computer Fraud and Abuse Act (CFAA)
         c. Identity Theft and Assumption Deterrence Act
         d. Identity Theft Enforcement and Restitution Act
         e. Gramm-Leach-Bliley Act (GLBA)
         f. HIPAA
         g. Sarbanes-Oxley
      4. Federal Trade Commission Regulation and Enforcement
      5. Private Contract – Payment Card Industry
      6. State Law
   D. Governance and Information Security Frameworks
      1. Corporate Governance & Enterprise Risk Management
      2. Information Security Standards
         a. FFIEC IT Examination Handbook, Information Security Booklet
         b. ISO 27002
         c. NIST SP 800 Series
         d. BITS Framework
   E. A Resulting Standard of Due Care
4. Current Recourse for Consumers Is Insufficient to Encourage Data Custodians to Meet a Standard of Due Care
   A. The Duty of Care Extends Beyond the Plain Terms of the Statute
      1. Guin v. Brazos Higher Education Services
   B. Common Law Negligence Is Hit or Miss, Usually Miss
      1. Ruiz v. Gap
      2. In re Hannaford Bros. Co. Customer Data Security Breach Litigation
      3. Bell v. AFSCME
5. A New Federal Information Protection Statute Is Needed
   A. Promote Desired Behavior by Data Custodians
   B. Preemption of State Law
   C. Amendment of Federal Law
   D. Private Right of Action
   E. A Statutory Duty of Care – Negligence Per Se
      1. Injury in Fact
      2. Prohibited Conduct
      3. Class of Persons
6. Conclusion


1. Introduction

A.  Importance of Personal Information

In the modern era, personally identifying information has become a passkey to every imaginable service necessary for survival. A century and a half ago one needed only a name and a good reputation to receive a line of credit with a local merchant. Today one needs to provide a name, birthday, Social Security Number, two forms of government-issued identification (which in turn carry additional unique identifiers within a state, such as a driver’s license number, a birth certificate number or a marriage license number), a known address, credit bureau scores (often three or more), parents’ or siblings’ names, and an employer’s name and contact information.

State-issued licenses, education and health records, commercial contracts and financial accounts all require the divulgence of our most unique and identifying personal information. This information is collected by both private and public entities alike and is duplicated and redundantly stored in hundreds and even thousands of databases across the world.

B.  The Need for Personal Information in Commerce & Government

We must identify and authenticate ourselves to those who render services to us so that they can verify who we are. The faster and easier the authentication process, the more economical it is for the service provider and the more convenient it is for us. We need to be able to distinguish ourselves from the other three hundred million Americans, especially when it comes to government services.

Virtually all forms of government services are reliant on the use of the Social Security Number for identification and eligibility of the recipient. Likewise, many companies and educational institutions rely on the Social Security Number as a unique identifier for customers and students.

The need for personal information in government and commerce is insatiable. As our nation’s economy and population have grown, so has the need to uniquely identify each consumer or citizen. It is customary when buying any non-food item to be asked for one’s phone number – a unique identifier used to track purchasing habits, to correlate a person to other bits of information gleaned from public records and other useful information in the high-dollar targeted marketing industry.

Two industries where personal information and the protection thereof are particularly acute are finance and health care. Both industries collect valuable personal information and are subject to federal regulations[1] regarding the privacy and security of personal information.

While both government and industry issue and collect unique personal identifiers, it is in the realm of commerce that consumers feel particularly under siege. The unauthorized disclosure of personal or health information can result in loss of privacy and financial harm. For purposes of this discussion the injury in focus is the theft and use of personal information by criminals to commit financial fraud.   This narrow aspect of the larger problem of loss of personal privacy neatly frames the discussion concerning the protection of our personal information by public and private entities.

C.  Collection of Personal Information

Of all the personal information affixed to the identity of a United States citizen, the Social Security Number is the most ubiquitous. The Social Security Number has become a de facto national identification number.[2] When used in conjunction with the owner’s name and birthday, the Social Security Number is used by virtually all finance companies to determine eligibility for consumer credit accounts and loans. The use of the Social Security Number may be convenient for both merchant and customer: the merchant doesn’t have to create a unique identifier for the customer, and the customer need only remember one identifier for use with a wide variety of service providers and merchants. However, the use of a single, ubiquitous identifier renders the Social Security Number vulnerable to theft and misuse.[3]

D.  Storage, Transmission and Processing of Personal Information

Because of our decentralized, private economic system, each merchant maintains its own customer list, usually in the form of a large database containing customer name, contact information and often the customer’s birthday and Social Security Number. The personal information is collected at the point of sale or at the outset of the customer relationship and is stored in databases owned and operated by the collecting organization. To maximize the usefulness of the information, the collecting organization places the database on a computer network so that its employees can reach it. Often, the information is stored within a database located on a computer network owned and operated by a third-party service provider. In order to be useful, the information must be retrieved from the database, transmitted across the company’s internal networks, and presented to end users, typically employees of the collecting organization. Sometimes the information is transmitted across public networks, such as the Internet.

When one considers how many times the average person answers a request for personal information in his or her lifetime, it can easily run into the thousands. It is conceivable that the average consumer’s personal information is stored in hundreds if not thousands of databases owned and operated by both the government and private enterprise.

E.  Data Breach

It is during the storage and transmission of personal information that it is exposed to a variety of threats. Vulnerabilities in software, technology configuration, business processes or human behavior create opportunities that allow threats to manifest, resulting in data breaches.[4] A data breach occurs when important information is viewed, used or possessed by an unauthorized individual. Whether intentional or accidental, the result of a data breach is the same: unauthorized persons have accessed the personal information of a customer or consumer and can use it for criminal purposes.

Data breaches occur in a variety of ways and not all data breaches are accomplished via technical means. Americans discard large volumes of direct mailings and other unwanted documents and paperwork. Often these papers contain vital information including account numbers, social security numbers, birthdays, etc. A brief perusal of a household’s trash can yield valuable information about a head of household, a mortgage holder, or a recipient of government benefits.  This low-tech attack may be one of the easiest methods for a person simply looking for a handful of social security numbers or other information, with which to attempt fraudulent transactions.

Data might be lost when a perpetrator overhears a co-worker talking on the phone to the Human Resources department, revealing the social security number and birthday of a dependent.  Employees in doctor’s offices have been known to pilfer the personal information of patients.[5]

However, many of the largest data breaches are accomplished via technical means. When stealing millions of credit card numbers or social security numbers, it is simply too cumbersome to cart off the reams of paper necessary to contain that much information. Common scenarios for attacking a company’s information assets include war driving and exploitation of vulnerable websites. War driving occurs when hackers sit in parking lots outside company buildings and attempt to intrude on corporate networks by intercepting wireless network signals. Attackers also scour company websites for vulnerabilities. A decade-old method of retrieving data from corporate databases through vulnerable websites is called “SQL injection,” in which attackers place database queries in website fields designed for other purposes, such as to collect a name, address or email address. When the attacker submits the form, the website passes the embedded query to the database, which executes it and reveals the requested information to the attacker. These attacks were used with success in some of the example data breach scenarios below.
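The injection mechanism described above, shown as an added example that is not code from the paper: a customer lookup that splices a web form’s email field straight into the query text, beside the parameterized form that treats the same field purely as data. The customer table and its rows are constructed sample data, and Python’s built-in sqlite3 stands in for the merchant’s database.

```python
import sqlite3

# Constructed sample customer table for the demonstration; the rows are
# placeholders, not real records.
SAMPLE_ROWS = [
    ("Alice Example", "alice@example.com"),
    ("Bob Example", "bob@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Look up a customer by splicing the form field into the SQL text.

    Whatever the visitor typed becomes part of the statement, so a value that
    contains SQL syntax changes what the database is asked to do, and an
    ordinary value containing an apostrophe breaks the statement outright.
    """
    sql = "SELECT name, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Look up a customer with a bound parameter.

    The statement text is fixed; the field value is handed to the driver
    separately and is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT name, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(field_value):
    """Run one form-field value through both lookups.

    Returns the number of rows each version hands back, or "error" when the
    spliced statement is no longer valid SQL.
    """
    conn = make_db()
    try:
        try:
            vulnerable = len(lookup_vulnerable(conn, field_value))
        except sqlite3.Error:
            vulnerable = "error"
        parameterized = len(lookup_parameterized(conn, field_value))
        return {"vulnerable": vulnerable, "parameterized": parameterized}
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary address behaves the same in both versions.
    print("normal input:         ", compare("alice@example.com"))
    # A field value carrying SQL syntax: the spliced query returns every row,
    # the parameterized query finds no customer with that literal address.
    print("input with SQL syntax:", compare("' OR '1'='1"))
    # A legitimate address with an apostrophe: the spliced query fails,
    # the parameterized query simply finds no match.
    print("apostrophe in input:  ", compare("o'brien@example.com"))
```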

F.  Data Breach Statistics

The Privacy Rights Clearinghouse estimates that since January 2005, over 340 million records containing sensitive personal information have been involved in security breaches in the United States.[6] Identity theft was the number one consumer complaint in 2008, accounting for 28% of all consumer complaints to the FTC.[7] Of all types of identity theft, the following were most prevalent: credit card fraud (20%), government documents/benefits fraud (15%), employment fraud (15%), phone or utilities fraud (13%), bank fraud (11%) and loan fraud (4%).[8] On average, companies in the United States suffer two data breach incidents each year.[9]

The Identity Theft Resource Center[10] recorded 492 data breaches in the year 2009 alone, exposing nearly 225 million records.[11]

G.  Harms Incurred as a Result of Compromised Personal Information

1. Identity Theft and Financial Fraud

Identity theft occurs when a person uses the personal identifiers of another person, essentially assuming the identity of the victim, in order to obtain services that would otherwise be unavailable to the perpetrator. Identity theft is defined as “the co-option of another person’s personal information (e.g., name, Social Security number, credit card number, passport) without that person’s knowledge and the fraudulent use of such knowledge.”[12]

Once attackers obtain the personal information of unsuspecting citizens, they can use the data to impersonate the victim, usually a more credit-worthy individual. Popular targets of identity theft are older Americans, who commonly have large amounts of equity in, or outright ownership of, their homes and have accumulated retirement nest eggs. This may be one reason that the states reporting the highest rate of identity theft incidents are Arizona, California and Florida, with their large populations of older, winter residents.[13] Typical instances of identity theft for financial gain include the opening of credit card accounts, the purchase of property on credit, or simply the use of payment information for illicit purchases. Perpetrators may open lines of credit, receive credit cards, open accounts with public utilities, and enter into contracts for wireless communications services.

Another goal of identity thieves is to obtain health services. Veterans can be subject to impersonation at VA hospitals. Perpetrators may submit false Medicare claims or falsely claim Social Security benefits. Criminals may use false names, social security numbers and driver’s licenses when arrested, causing police reports and criminal records to be falsely attributed to innocent people.

“The consequences of being a victim may be extensive, including lost credit worthiness, criminal charges . . . unpaid bills and civil law actions against [victims] for purchases [they] did not make, lost jobs and denied [job] opportunities . . . [C]orrecting . . . personal information may take years, and hundreds of hours.”[14]

Perpetrators of identity theft range from single, rogue individuals to international organized crime syndicates.[15] In 2008, Irving Escobar, a nineteen-year-old Florida resident, pleaded guilty to charges of organized scheme to defraud, and was sentenced to five years in prison and ordered to pay nearly $600,000 in restitution.[16]

“A criminal investigation conducted by the Gainesville Florida Police Department and the Florida Department of Law Enforcement revealed a complex operation that was using counterfeit [credit and debit] cards with stolen . . . card data. Leading the operation, Escobar coordinated the use of these cards to purchase gift cards at Wal-Mart or Sam’s Club. The defendants then redeemed these gift cards to purchase jewelry and electronic equipment – a modern-day version of money laundering. Authorities estimated a total loss of $3 million could be attributed to Escobar and his co-defendants on a nationwide scale. He was arrested in March of 2007.”[17]

2. Example Data Breaches

A. TJX Companies

“In July 2005, a hacker sitting in the parking lot of a Marshalls store in Minnesota used a laptop and a telescope-shaped antenna to steal at least 45.7 million credit and debit card numbers from a TJX Companies Inc. database.”[18] Data stolen included credit card information, customer names and customer driver’s license information.[19] The hacker also obtained “military and state identification numbers, which are often the same set of digits as the individual’s social security number[.]”[20] Not until 18 months later in January 2007 did TJX Companies publicly acknowledge the severe data breach. It was later proven to be the largest data theft up until that time.[21]

“Information stolen from the systems of . . . retailer TJX was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials . . . learned of the breach, according to Florida law enforcement officials.”[22] Personal information stolen from the custody of TJX Companies was later used to commit financial fraud. Stolen TJX data was included in the fraud conducted by Irving Escobar, noted above.[23]

In 2008, federal authorities charged Albert “Segvec” Gonzalez and ten co-conspirators with crimes including conspiracy, computer intrusion, fraud and identity theft.[24] Gonzalez and the co-conspirators were allegedly behind well-publicized data breaches including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.[25] Those charged included persons living in countries such as China, Belarus, Ukraine and Estonia, reflecting the international nature of computer crimes and the black market for illicit personal information. Gonzalez is expected to serve up to 25 years in prison.[26]

B. Hannaford Brothers Supermarkets

In 2008, the Hannaford Brothers supermarket chain, of Portland, Maine, suffered a massive data breach of 4.2 million credit and debit card numbers.[27] By the time the breach was discovered, the stolen data had already been used to perpetrate financial fraud on over 1,800 accounts. The breach was discovered in part after the Massachusetts Bankers Association disclosed that MasterCard and Visa had warned as many as 70 banks in Massachusetts about a large data breach at a major retailer, and the association urged consumers to monitor their accounts.[28]

Hannaford described the attack “[i]n a letter delivered to the Massachusetts Attorney General . . . [stating] that hackers planted malware, either remotely or in person, on [computer] servers.”[29] The sophisticated attack relied on illicit computer programs installed and running on servers within the Hannaford network, which captured credit and debit card data as it was transmitted for processing.  Albert Gonzalez was later linked to this data breach.[30]

The Hannaford data breach is noteworthy because, unlike TJX Companies, where the initial data breach was caused by poorly secured wireless networks, Hannaford had passed several security audits. Ironically, on the same day the company was alerted to the breach, it was certified PCI-compliant by an independent third party.[31]

C. Heartland Payment Systems

In January of 2009, Heartland Payment Systems of Princeton, New Jersey, was alerted by Visa and MasterCard of suspicious transactions tied to Heartland’s operations.[32] Unlike other large data breach victims, Heartland was not a merchant of consumer products. Heartland’s core business is to provide credit and debit card transaction processing for merchants. Companies like Heartland are an attractive target to cyber criminals because payment processors may process the card transactions for hundreds or thousands of retailers, gas stations, franchise stores, etc. The type and quantity of data collected and processed by a payment processor offers a large, attractive target for criminals capable of stealing the data.

By June of 2009, Heartland had surpassed the record for the largest data breach in history. Over six hundred financial institutions reported card information compromises due to the Heartland breach.[33] Thirty-one separate class-action lawsuits against Heartland were consolidated and heard in the Southern District of Texas.[34] Most of the plaintiffs were financial institutions suing for the costs of reissuing credit cards and writing down fraudulent transactions.

The criminal investigation into Heartland tied the TJX Companies hacker, Albert Gonzalez, to the crime against Heartland. In Gonzalez’ federal indictment, the total number of consumer card numbers stolen between Heartland and Hannaford was 130 million.[35]

D. ChoicePoint

In early 2005, data aggregator[36] ChoicePoint began notifying California residents of a data breach, pursuant to California SB-1386.[37] Ultimately over 163,000 consumers had their personal information, including social security numbers, birthdays, and credit reports, compromised by a phony ChoicePoint customer.[38] ChoicePoint was cited by the Federal Trade Commission for failing to properly authenticate and validate customers. The data thieves ultimately committed at least 800 instances of identity theft with the information purchased from ChoicePoint. In October 2009, ChoicePoint was fined $275,000 by the FTC for a security lapse in a database that exposed the personal information of 13,750 people.[39]

E. Minnesota State Employee Data Breach

In the United States the Social Security Number is also the primary identifier used by employers to validate a worker’s eligibility to work.

“To comply with the Immigration Reform and Control Act of 1986[40] (IRCA), all U.S. employers must verify the employment eligibility and identity of all employees hired to work in the United States after November 6, 1986 by completing Employment Eligibility Verification forms (Form I-9) for all employees, including U.S. citizens.”[41]

The Department of Homeland Security (DHS) operates a system called E-Verify, “an Internet-based system that allows an employer, using information reported on an employee’s Form I-9, Employment Eligibility Verification, to determine the eligibility of that employee to work in the United States.”[42] The DHS works jointly with the Social Security Administration in operating the E-Verify program.[43] E-Verify is entirely reliant on the Social Security Number, the key to unlocking the door to employment in the United States. E-Verify does not replace the I-9 Employment Eligibility Verification Form; rather, it enhances the verification process.[44] Participation in E-Verify is mandatory for government contractors but is otherwise voluntary for private industry.[45]

On January 7, 2008, Minnesota Governor Tim Pawlenty signed Executive Order 08-01, mandating the use of the Department of Homeland Security’s E-Verify program for all new state employees and any company contracting with a state agency.[46] Other states have similar requirements.[47] State administrative officials delayed implementation of the E-Verify program out of concern for the security and privacy of employee personal information.[48]

In 2009, the state of Minnesota entered into a contract with Lookout Services, based in Bellaire, Texas, to process state employees through the E-Verify program for $1.50 per name.[49] Sometime on or prior to Friday, December 11, 2009, Minnesota Public Radio (MPR) reporter Sasha Aslanian accessed the Lookout Services website and was allegedly able to view the personal information of over 500 Minnesota state employees who had been run through E-Verify by Lookout Services.[50] The MPR reporter claims that the information exposed to the public on Lookout Services’ website included state employee names, addresses, birthdays, and social security numbers, and required no password or encryption software in order to view.[51] Lookout Services has denied wrongdoing, has filed a lawsuit against the state of Minnesota for breach of contract, and has threatened to sue Minnesota Public Radio for accessing the data on the Lookout Services website.[52] MPR denies any wrongdoing.

If the allegations against Lookout Services are true, it would be another example of poor information security practices by a company failing to properly secure personal information of their customers. This would be a particularly egregious mistake by Lookout Services as their core business depends on their ability to keep such information private.

The data breach alleged by MPR differs from the typical financial data breach scenario in three important regards. First, the breach was not caused by the state of Minnesota but by a third-party service provider. Second, the data and the purposes for which it was being processed were not financial but related to employment verification. Third, the compromise of the information allegedly involved no malice or intent at all: the information was supposedly available on Lookout Services’ website, viewable by any visitor to the site.

Regardless of how much security is in place to protect sensitive personal information, any collection, retention, storage and processing of sensitive personal information, regardless of purpose, risks exposure to unauthorized parties. The end result could be financial fraud or another form of identity theft. However, there is much a data custodian can do to minimize this risk.

3. Duty To Protect Sensitive Data

A. Sensitive Data Must Be Protected by Those Who Possess It

As citizens in the age of information, we have no choice but to divulge our unique identifiers. The sharing of our personal information is mandatory in order to engage with, and be a member of, society. Without our personal information we cannot work, purchase the necessities of life, or even obey the law, such as by filing our annual tax returns. By divulging our personal information to government and private entities we are forced into a relationship of trust. We trust those who receive our information to safeguard it, thereby preventing the types of breaches previously discussed. Perfect security for personal information could be attained only by never disclosing it, which would mean withdrawing from society altogether.

Crime will always exist, and identity theft will remain an opportune crime for the foreseeable future. Because of these threats, and because we will continue to be required to divulge our sensitive information, we must actively manage the risk posed by these threats. While we may never eliminate identity theft entirely, we can and should expect a certain degree of care to be taken by those to whom we entrust our sensitive personal information. We can expect that when reasonable steps are taken to safeguard our information, it will be less likely to be compromised.

Parents of young children spare no effort to keep their children safe from harm. Children are taught how to safely cross the street, how to obtain help when a parent is not near, and how to recognize dangerous situations. Parents certainly understand the impossibility of eliminating all threats to their children completely. However, by following a manageable number of precautions and safeguards, the risk of harm to children falls to acceptable levels and the family unit is able, in most cases, to safely engage society.

So it is with the care and protection of our sensitive information. We are subject to the consequences of our own decisions. If we routinely discard our personal information, un-shredded into the household trash, or if we routinely leave our mailbox full of mail for days at a time, we are creating opportunities for bad actors to come into possession of our personal information. We take precautions when the threats are numerous: we do not leave children unattended in shopping malls. We don’t take precautions when threats are scarce: there just aren’t that many people dumpster diving residential recycling bins. We can and should expect custodians of our personal information to be cognizant of the threats to the information they possess and to take precautions to protect it when we can’t.

1. Corporate Duty to Safeguard Personal Information

Corporations that collect, store and use our personal information have a duty to safeguard it. The duty of corporate directors to ensure the organization functions within the law to achieve its purposes is well established in American jurisprudence. Further, corporate directors have a duty to monitor the enterprise’s internal controls over fraud, financial reporting and data protection. The U.S. Supreme Court has provided a line of cases establishing the duty of corporate directors to monitor: “The standard for assessing a director’s potential personal liability for failing to act in good faith in discharging his or her oversight responsibilities has evolved beginning with our decision in Graham v. Allis-Chalmers Manufacturing Company, through the Court of Chancery’s Caremark decision to our most recent decision in Disney.” – Stone v. Ritter (911 A.2d 362).

The Delaware State Supreme Court explained the duty to monitor in the case In Re Caremark Int’l, 698 A.2d 959 (Del. Ch. 1996): “Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability-creating activities within the corporation, as in Graham or in this case . . . only a sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists – will establish the lack of good faith that is a necessary condition to liability.”

The duty is explained in further detail below.

B. The Problem of Externalities

In theory, we pay for the protection of our personal information because the cost of doing business and operating government is passed on to consumers and taxpayers. Unfortunately, it isn’t that simple. Recent advances in information security theory have been made by leveraging economic[53] and psychological concepts to explain some of the intractable problems faced by security experts. The economic incentive to protect information may not be readily apparent to those custodians of sensitive personal information. In fact, it may not exist at all.

An externality is an economic concept that describes situations where a transaction creates a cost (or benefit) for a third party not involved in the transaction. An externality occurs when “[t]he people who could protect a system are not the ones who suffer the costs of failure.”[54] The cost of a data breach may fall squarely on the victim whose data was compromised. Thus, there may be no economic incentive for custodians to go to great lengths to protect information when a breach of that information’s confidentiality results in no financial harm to the custodian.[55]

Because of these externalities that are passed on to third parties, particularly victims of identity theft, free market forces are less likely to achieve a desired effect of creating economic incentives for good information security practices. Because “protecting individual privacy remains an externality for many companies . . . basic market dynamics won’t work to solve the problem. Because the efficient market solution won’t work, we’re left with inefficient regulatory solutions.”[56] Indeed, getting data custodians “to internalize [externalities] can be done one of two ways: Regulation—you mandate it—or liability—you make them pay for harms they cause others.”[57]

C.  Data Protection Laws and Regulations: Establishing a Duty To Meet a Standard Of Due Care For Information Security

Based on the number of individual data breaches and the number of sensitive records exposed each year, it is safe to say that both public and private institutions are hemorrhaging private, sensitive information into unauthorized hands. Custodians of information must take responsibility for the sensitive information in their possession and must be held accountable for failing to meet a standard of due care for protecting information. This enforcement can be accomplished either by the regulatory regime, by threat of punitive damages and civil suit by the subjects who own the compromised information, or both.

The statutory and regulatory environment for protecting information is an industry-specific and context-sensitive patchwork of state and federal laws that is insufficient to compel or encourage private and public entities to apply the appropriate safeguards to protect personal information.

1. An Emerging Standard

The concept of tying the myriad data protection requirements found in a wide variety of laws, regulations, and contractual requirements into a comprehensive duty of care was set forth by attorney and author Thomas Smedinghoff in his book “Information Security Law: The Emerging Standard for Corporate Compliance.”[58] Other authors have also recognized a duty of care over the protection of information.[59] Unfortunately, in order to be fully recognizable, the duty of care must be pieced together from a variety of sources. Laws and regulations may overlap different types of entities in different industries and jurisdictions. The following section provides an overview of the major sources of the duty to protect sensitive information. The applicability of each of the following sources will vary for each custodian; therefore, no single standard of care can be distilled and applied universally.

2. International Laws and Principles

a.  European Union Privacy Standard

The United States has been both criticized[60] and applauded[61] throughout the 2000s for failing to enact universal privacy regulations such as those found in Europe. “[European n]ational laws come in several flavors, and emanate from varied traditions. But taken together, they are the backbone of a basic European principle: Privacy is a human right.”[62]

At the heart of European Union data privacy protection law lies Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data,[63] known more commonly as Directive 95/46/EC. It was enacted to improve the free flow of information within the EU, to fuel economic growth, and also to provide high standards of data protection for personal data processed within, and transferred outside of, EU member countries.[64] Each of the EU member states has amended prior legislation, or passed new legislation, in order to come into conformity with Directive 95/46/EC. Article 25 of the Directive requires member states to work jointly with the EU Commission in assessing the privacy protections of third countries and to ensure that privacy safeguards in those countries are commensurate with the Directive.[65] Further, the Directive prevents data from being transmitted to third countries found to be lacking in data protection measures.[66]

After unsuccessfully lobbying the United States for two years to implement laws consistent with the Directive, the EU Commission struck an agreement with the U.S. Department of Commerce (DOC) in 2000, approving the Safe Harbor Privacy Principles proposed by the U.S. Government.[67] U.S. companies seeking Safe Harbor certification do so through the DOC and under the authority of the Commission of the European Communities.[68] “Safe Harbor” is a self-certification process that requires the U.S. company to publicly commit to adherence with seven safe harbor principles aligned with the Directive’s privacy principles:[69] Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement.[70]

b. PIPEDA

Passed in the late 1990s, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s analog to the EU Directive 95/46/EC. Rather than take a country-by-country approach to comparing privacy safeguards, PIPEDA places the burden on the data-sharing parties to ensure that sufficient privacy controls are in place.

“[U]nder PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement. The OPC [Office of the Privacy Commissioner of Canada] can investigate complaints and audit the personal information handling practices of organizations.”[71]

c. APEC Privacy Framework

Asia-Pacific Economic Cooperation (APEC) has 21 member states, including the United States. The APEC Committee on Electronic Commerce has created the APEC Privacy Framework. The Framework’s purpose is to:

“[P]romote a consistent approach to information privacy protection, to avoid the creation of unnecessary barriers to information flows and to remove impediments to trade across APEC member economies. The Framework provides technical assistance to APEC economies that have not addressed privacy from a regulatory or policy perspective.”[72]

The nine principles within the Framework are: Preventing Harm, Notice, Collection Limitation, Uses of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability.[73]

3. United States Federal Laws and Regulations

a. Privacy Act of 1974

The Privacy Act of 1974[74] is a code of information protection governing administrative agencies of the Executive branch of the United States government. Enacted at the dawn of the computer age, the bill was introduced to address concerns about information databases in the hands of the federal government. Within the Act, conditions are set forth under which private, personal information of United States citizens can be shared with any other persons or agencies.[75] The Act sets forth the conditions of disclosure,[76] and provides a right to each citizen to review and correct their personal information contained in agency records.[77] The Act codifies several of the principles[78] found in international privacy standards, and grants a private right to bring a civil action against an agency that fails to meet the requirements of the Act.[79] The Act allows prevailing plaintiffs to recover attorney’s fees so that litigation cost will not be a bar against private citizens enforcing their privacy rights against the federal government.[80] The Act also criminalizes willful disclosure of protected information by agency employees.[81] While the Privacy Act is narrowly scoped to govern only the actions of the administrative state and provides many exceptions to its provisions, it is an important check against government power and a remarkable and foresightful piece of legislation, considering it was enacted in 1974.[82]

b. Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act[83] was enacted in 1984 to criminalize computer crimes not covered under then-existing law.[84] Over the years the CFAA has been amended numerous times to expand its scope from protecting mostly government computer systems to covering any computer used in interstate commerce, and to add civil remedies available to injured parties.[85] The CFAA criminalizes the intentional access of a “protected computer” that results in the obtaining of any information,[86] the distribution of malicious software that causes damage to a computer or its function,[87] and an attempt to defraud[88] or extort.[89] A protected computer is defined as “any computer used by, or affecting a financial institution or the U.S. government, or any computer used in interstate commerce.”[90] With the expansive reach of e-commerce spanning the United States, this definition can cover almost any computer engaged in online commerce or any computer used to support a business engaged in interstate commerce. The CFAA does not allow injured parties in civil suits to seek legal costs.

It is important to note that in order to be a protected computer under § (e)(2) a computer merely must be used in interstate commerce. There is no requirement that a computer be protected in the sense of having information security controls or countermeasures against unauthorized access.[91]

The CFAA is important in the present consideration of an emerging standard of care for information security, not because of any overt requirement of protected parties contained within the Act, but because of the showing of actual harm it requires before any civil remedy is available. The CFAA sets a $5,000 threshold for the value of the unauthorized computer use,[92] or the value of the information obtained.[93] Courts consider a variety of factors in calculating the $5,000 threshold.[94] Thus, civil damages are awarded under the CFAA only after a plaintiff claiming harm has made the requisite showing. The type and manner of this showing is instructive when considering new legislation to compensate victims of identity theft due to negligent data handling practices.[95]

It has been well demonstrated that employees who are aware of corporate policies regarding computer access restrictions violate the CFAA when using otherwise authorized access to perform unauthorized actions.

c. Identity Theft and Assumption Deterrence Act

The Identity Theft and Assumption Deterrence Act of 1998[96] criminalizes knowingly producing or creating actual or false identification documents or authentication features.[97] Authentication features are defined as,

“any hologram, watermark, certification, symbol, code, image, sequence of numbers or letters, or other feature that either individually or in combination with another feature is used by the issuing authority on an identification document, document-making implement, or means of identification to determine if the document is counterfeit, altered, or otherwise falsified[.]”[98]

The scope of the Act is limited to identification documents that “[are] or appears to be issued by or under the authority of the United States[.]”[99] The language of the Act tracks closely to physical objects used in the identification and, in some cases, authentication of citizens. The Act on its face does not apply to computerized credentials such as unique identifiers, passwords, security tokens, encryption keys or other digital records used to identify or authenticate. The use of another’s authentication credentials to access a protected computer might be covered by the Computer Fraud and Abuse Act; however, the protection given to physical identity documents should be extended to digital credentials.

The Act instructs the Federal Trade Commission to establish a central repository for identity theft complaints and to provide victim assistance and consumer education.[100]

d. Identity Theft Enforcement and Restitution Act

The Identity Theft Enforcement and Restitution Act[101] was signed into law in September 2008. The Act amended provisions of the Computer Fraud and Abuse Act[102] to eliminate the interstate nexus requirement and the $5,000 threshold for injury for crimes related to identity theft. The Act also amended the restitution provisions of 18 U.S.C. 3663 to provide victims of the identity theft crimes[103] set forth in the Identity Theft and Assumption Deterrence Act with restitution for their time spent clearing records and recovering from damage.[104] Under these provisions, the victims are compensated by the convicted defendant, not by the entity whose negligence, or lack of due care, was a factor in the data breach leading to the identity theft.

e. Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, repealed the Glass-Steagall Act of 1932, which required the separation of certain types of financial companies from bank holding companies. Part of the Act requires financial institutions to protect the nonpublic personal information of customers from disclosure.[105] The Act requires financial institutions to disclose privacy notices to all customers,[106] and to provide a means for customers to opt out of the sharing of information with third parties.[107] The Act also required the various financial industry regulatory agencies to implement rules consistent with the provisions of the Act.[108]

It is § 6801, “Protection of Non-Public Personal Information” that contains the most sweeping provisions, by requiring each regulatory agency to:

“[E]stablish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”[109] (emphasis added).

These requirements fall directly upon the information security program of a financial organization. The administrative, technical and physical safeguards are sweeping and expansively interpreted by regulators to include everything from the physical security of buildings and data centers, to the types of encryption used during online banking sessions. The Act criminalizes pretexting, or the act of obtaining information under false pretenses.[110] Pretexting is a common tactic whereby criminals call a company pretending to be someone else in order to obtain non-public information.

The financial industry regulators[111] jointly issued the Interagency Guidelines Establishing Information Security Standards in response to the GLBA requirement to promulgate rules for the protection of customer information. The Office of the Comptroller of the Currency, the primary regulator over the large national banks, promulgated the Interagency Guidelines in Appendix B of 12 C.F.R. Part 30. The Interagency Guidelines are somewhat misnamed as they are mandatory and enforced by the financial institution’s primary regulator.[112] In implementing the goals and types of safeguards specified in the Act, the Guidelines require the development of a written information security program that includes the three types of controls specified in the Act: administrative, technical and physical controls.[113] Each bank must report annually to the Board of Directors on the status of the information security program.[114]

Perhaps most onerous of all, the Guidelines require a risk assessment[115] designed to: “identify reasonably foreseeable internal and external threats” to customer information,[116] assess the likelihood and potential damage of these threats,[117] and assess the effectiveness of a wide variety of information security controls.[118] In the requirements of the Interagency Guidelines we find one of the more advanced sets of requirements for custodians of personal information in the United States. GLBA is particularly significant not because it affords recourse or a private right of action to injured parties, but because of the extensive obligations and regulatory oversight imposed upon the financial industry.

1) GLBA Data Breach Notification

The Interagency Guidelines Establishing Information Security Standards includes a provision to implement a notification program to notify customers, regulators and law enforcement officials of data breaches.[119] The regulations promulgated to implement the response program have been codified as Supplement A to Appendix B of 12 C.F.R. Pt. 30. “[E]very financial institution should . . . develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems” regardless of whether the breach occurs in the financial institution’s own computer systems or those hosted by third party service providers.[120]

f.  HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a massive piece of legislation that originally had nothing to do with privacy of personal health information. The Act instructs the Department of Health and Human Services (DHHS) to promulgate security and privacy standards to implement “standards with respect to the privacy of individually identifiable health information.”[121] HIPAA rules contain two major sets of requirements known as the Privacy Rule and Security Rule, respectively, applicable to covered entities consisting of a health plan,[122] a health care clearinghouse,[123] or any health care provider who transmits health information in electronic form under a covered transaction.[124]

1) HIPAA Security Rule

The Security Rule requires covered entities to ensure:

“the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits;[125] protect against any reasonably anticipated threats or hazards to the security or integrity of such information;[126] protect against any reasonably anticipated uses or disclosures of such information;[127] and to ensure compliance by its workforce.”[128]

The covered entity is required to adhere to the implementation specifications for each rule[129] or document why applicable rules are not reasonable or appropriate and select alternative controls.[130] A covered entity must also establish an ongoing monitoring function to ensure the safeguards are effective and make adjustments to the safeguards as needed.[131]

Like the rules promulgated by the financial industry regulators under GLBA, the safeguards required by the HIPAA Security Rule are classified as Administrative, Technical and Physical safeguards.[132] Administrative safeguards include mandates to implement and maintain an information security policy framework. The organization must appoint a senior information security officer who oversees the framework.[133] The framework must include a risk assessment process to determine the potential risks and vulnerabilities to the protected information in the possession of the covered entity.[134] The risk assessment must result in the implementation of controls to reduce the risks identified,[135] including monitoring and detective controls[136] and sanctions against employees found to be in violation of the security policies.[137] The remaining Administrative controls cover information security awareness and training for employees,[138] incident monitoring and response procedures,[139] employee access policies and procedures[140] and business continuity and contingency planning.[141]

Required Physical controls include facility entrance and access controls[142] and the mode and manner of physical workstation access, including access to physical storage media.[143]

Technical controls include the following: logical access controls to computer systems,[144] including authentication controls,[145] audit controls enabling human or system review of activity and access records for unauthorized activity,[146] integrity controls to protect protected health information from improper alteration or destruction,[147] and encryption controls to protect sensitive information in transit over (presumably public) networks.[148]

2) HIPAA Privacy Rule

Protected health information under HIPAA is restricted from disclosure except under enumerated circumstances spanning the bulk of the HIPAA Privacy Rule.[149] Allowed disclosures include those made to the patient, to medical personnel for treatment, payment or health care operations, and in a variety of other situations specified in § 164.502.[150] When making allowable disclosures, the covered entity must disclose only the minimum amount of information necessary to satisfy the purpose of the request.[151] Patients are allowed to request restrictions on how a covered entity may share their information, subject to a few exclusions.[152] Patients may also request copies of their protected health information and request corrections to inaccurate information.[153] Similar to the GLBA requirements on financial institutions, covered entities under HIPAA must provide notice of their privacy policies and information on how personally identifiable health information will be used and shared.[154]

3) HIPAA Breach Notification Rule

As of September 23, 2009, breaches of sensitive health information protected under HIPAA must be reported to the Secretary of the Department of Health and Human Services.[155] A covered entity must also “notify each individual whose unsecured protected health information has been, or is reasonably believed . . . to have been, accessed, acquired, used, or disclosed as a result of [a] breach.”[156] The covered entity must also notify local media outlets within the state or jurisdiction of any breach of more than 500 records.[157]

g. Sarbanes-Oxley

The impact of Sarbanes-Oxley on information technology has been discussed ad infinitum since the passage of the Act in 2001, and will not be discussed here. Sarbanes-Oxley mandated that the SEC promulgate rules for implementing the provisions of the Act. The SEC released its rules effective August 2003.[158] Of particular interest is the SEC’s declaration that a commonly known standard for corporate governance and internal control, known as COSO, is an acceptable framework upon which to base corporate governance activities.[159] Although the Sarbanes-Oxley Act is only applicable to SEC registrants, the applicability of corporate governance and the use of frameworks like COSO should not be limited to public companies. COSO will be discussed in more detail below.[160]

4. Federal Trade Commission Regulation and Enforcement

The Federal Trade Commission (FTC) has assumed the role of the primary privacy overseer at the federal level. The Identity Theft and Assumption Deterrence Act of 1998[161] “directed the Federal Trade Commission to establish the federal government’s central repository for identity theft complaints and to provide victim assistance and consumer education.”[162] Under provisions of the FTC Act, the FTC may file lawsuits and seek injunctions against companies, regardless of industry, for privacy and security violations. Two primary statutes that underpin the FTC’s authority to enforce information security and privacy are 15 U.S.C. § 45, regulating unfair and deceptive trade practices generally, and 15 U.S.C. § 52, which governs false advertising.[163] The FTC has the following to say about its activities in the information security and privacy area:

“A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. To respond to consumers’ concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act[164], which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information. The Commission has also used its unfairness authority to challenge information practices that cause substantial consumer injury.”[165]

The FTC has brought numerous actions against companies that have failed to fulfill promises made in privacy statements regarding the security and privacy of consumer information.[166]

5. Private Contract – Payment Card Industry

The Payment Card Industry Security Standards Council is an industry group formed to manage and maintain security standards, including the Data Security Standard (DSS), which was created by the Council to ensure the security of payment card information. The sensitive data involved in card transactions are: primary account number, cardholder name, expiration date, and PIN (Personal Identification Number) information.[167]

Founding members of the Council include Mastercard Worldwide, Visa Inc., American Express, Discover Financial Services, and JCB International.[168] The intent of the DSS is to ensure that card transactions occurring across multiple private and public networks are subject to end-to-end transaction security. The payment card industry consists of Card Issuers, Card Holders, Merchants, Acquirers, and Card Associations.[169] The obligations between these entities are the basis of a “web of contracts” that establishes the liability of each of the participating parties.[170] Through these contractual obligations, the PCI DSS information security requirements are mandated and enforced. From the collection of card information at a point of sale, through transmission across the merchant’s systems to the acquiring bank’s systems, and then on to the card issuer, the PCI DSS requirements attempt to ensure that sufficient security safeguards are in place on the card data from the beginning to the end of a card transaction. Enforcement of the security requirements is done by the card associations and through a certification process for each association member. The certification process is conducted by Qualified Security Assessors (QSA), who audit members’ systems and networks to ensure the mandatory controls are in place. Certification does not guarantee that an organization will not suffer a data breach, as several PCI-certified organizations have suffered data breach incidents.[171]

6. State Law

State laws governing information security and privacy can be grouped in three broad categories: data breach notification laws, data encryption laws and laws based on the PCI DSS standard.

As of December 9, 2009, forty-five states and the District of Columbia had enacted a data breach notification law.[172] States without a data breach notification law are Alabama, Kentucky, Mississippi, New Mexico and South Dakota. The first state to lead off with a law of this type was California in 2003, with California SB-1386, which requires disclosure to any California resident “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”[173] Most state data breach laws require notice under circumstances similar to those of the California law. “Certain laws expressly state that they only apply to unencrypted data and others define personally identifiable data as identifying data that is unencrypted.”[174] Some states include medical information in their definitions of personal information.[175] Accordingly, companies must understand the requirements of each state and the conditions under which each state’s citizens must be notified. The causes of action also vary by state. California’s law provides a private right of action.[176] Minnesota’s data breach notification law allows only the state attorney general to enforce the law.[177]

Data breach notification laws enable consumers to take precautions against identity theft, but not all records lost in a breach result in actual identity theft. To assist victims of data breach, some states require notification of credit reporting bureaus of data breaches of 1,000 or more people.[178] The statutes are primarily designed to protect consumers but do not provide any incentive for data custodians to securely handle data beyond the threat of bad publicity.

The second category of state laws deals with encryption of sensitive information. The flagship law among the states was the Nevada Data Encryption Law.

“Nevada’s 2005 security breach law was the first to require businesses to encrypt electronic records containing personal information. The Nevada law, which went into effect Oct. 1, 2008, prohibits companies in Nevada from transmitting personal information belonging to a customer outside of secure company networks unless the data are encrypted.”[179]

The Nevada law[180] does not apply to personal information stored on laptops, an interesting omission considering that laptop loss and theft is one of the leading causes of data breach notifications.[181] Other states include laptops and other mobile storage devices in their encryption statutes and regulations. The Massachusetts encryption law requires the encryption of the personal information of state citizens on laptops and other portable devices.[182] The deadline for compliance with the Massachusetts encryption regulation is March 1, 2010.[183] In many states the encryption requirements are found within the breach notification laws.

States are beginning to take one additional step in protecting personal information by codifying portions of the PCI DSS, or even mandating PCI compliance outright. A 2009 law was passed in Nevada, Senate Bill 227, which repeals the prior statute mandating the use of encryption of personal information and adds a new section to the state law found in Ch. 603A of the Nevada Code, “Security of Personal Information.” The new Nevada law mandates PCI compliance for any “data collector”[184] accepting card payments.[185] In Minnesota, the legislature passed a law with several provisions similar to the PCI DSS.[186] The Minnesota law prohibits the storage of sensitive card data read from the magnetic stripe of payment cards, including primary account number, cardholder name, expiration date, and PIN information.[187] The Minnesota law provides a private right of action for card issuers to recoup the costs of reissuing cards and protecting compromised data from the entity that violated the law and suffered a breach.[188] The Minnesota law provides no private right of action to consumers whose data is exposed in a breach incident.

D. Governance and Information Security Frameworks

Information security frameworks[189] are codes of practice that aid information security practitioners in control identification, planning and selection. Much in the same way that the Generally Accepted Accounting Principles provide the accounting industry with a consistent, vetted and sound framework upon which accounting and audit practices are based, information security frameworks function as structural support for any information security program. The SEC also regulates public companies in part based on GAAP. In the same way, federal and state regulators with information security oversight leverage information security principles and frameworks.

1. Corporate Governance & Enterprise Risk Management

COSO[190] and COSO Enterprise Risk Management[191] are arguably the highest-level control frameworks in a business enterprise, in terms of comprehensiveness. Other, more specific, frameworks can be considered to nest beneath COSO principles, providing more definition and clarity to information governance and particularly information security governance. Out of a recognition of the need for a more complete and relevant corporate governance framework that included the concepts of information security and privacy governance, the National Cyber Security Summit Task Force recommended the following: “The Committee of Sponsoring Organizations of the Treadway Commission (COSO) should revise the Internal Controls-Integrated Framework so that it explicitly addresses information security governance.”[192]

Further support for considering information security an essential part of corporate governance can be found in the Business Roundtable’s 2005 publication, The Principles of Corporate Governance.[193] In stating the responsibilities of a board of directors the Business Roundtable states,

“As part of its oversight function, the board should designate senior management who will be responsible for business resiliency. The board should periodically review management’s plans to address this issue. Business resiliency can include such items as business risk assessment and management, business continuity, physical and cyber security, and emergency communications.” (emphasis added).

2. Information Security Standards[194]

a. FFIEC IT Examination Handbook, Information Security Booklet[195]

The Federal Financial Institutions Examination Council (FFIEC)[196] is “a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by [the federal financial regulatory agencies].”[197] The FFIEC publishes the “Information Technology Examination Handbook,”[198] which is used by financial regulators in executing audits of the information technology and systems of financial institutions. The requirements within the Handbook are found in multiple booklets, one of which is the “Information Security Booklet.”[199] In the hands of an experienced government regulator, such as an OCC or FTC examiner, the requirements in the Information Security Booklet provide a baseline against which a financial institution subject to the GLBA can be evaluated. The “Information Security Booklet” attempts to provide a high-level, comprehensive overview of the major types of information security controls one would necessarily expect to be operating effectively within a financial institution. The types of controls are not limited in applicability to financial institutions, and are derived from the same principles underpinning all major information security frameworks.

b. ISO 27002

The International Standards Organization (ISO)[200] has published a robust standard for information security governance, classified under the 27000 series of standards. ISO 27002 sets forth the major categories of information security controls. Companion standards in the 27000 series cover information security management,[201] information security risk management[202] and information security metrics.[203] These standards are proprietary but are produced by one of the premier standards organizations in the world. The standards are available for purchase on the ISO website.[204] The ISO 27002 standard is described by ISO as establishing,

“[G]uidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. . .  [The standard] is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.”[205]

Organizations that collect, store and process personally identifiable information from consumers can compare their existing information security programs and controls to the ISO 27002 standard to identify missing controls and other procedural weaknesses. Used in conjunction with the other standards in the 27000 series, ISO 27002 allows an organization to develop and maintain a robust information security program that would meet, and likely exceed, the standard of due care over the protection of sensitive information.

c. NIST SP-800 Series

Another important source for information security controls guidance is furnished by the National Institute of Standards and Technology (NIST). NIST operates the Computer Security Resource Center,[206] through which NIST has published the 800-Series of Special Publications (SP-800) on computer security.[207] Many federal government entities are required by law to comply with the NIST security standards known as Federal Information Processing Standards (FIPS). Other documents, like the Special Publications, are meant to provide recommendations and guidance. SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” is one such standard.[208] In some cases, the provisions of SP 800-53 become obligatory when called for by a standard, such as in the case of FIPS 200. FIPS 200 requires agencies to determine the security category of a federal information system and then apply customized controls per the SP 800-53 standard. Like the ISO 27002 standard, SP 800-53 prescribes a wide, categorical system of controls that should be in place to form a robust and layered information security program.

d. BITS Framework

During the past two decades, a variety of business models have emerged and matured as ways to save data processing costs. Third-party outsourcing offers companies the ability to attain the economies of scale associated with focusing on a core competency. Third-party data processors, whose core competency is data processing, may serve the data processing needs of a wide variety of customers, large corporations and small businesses alike. Examples include offering a simple application service over the Internet, such as an online tax preparation program. A large, complex example of outsourcing is the outsourcing of an entire data center. More recently, companies like Google, Amazon and Microsoft, each having invested billions in their data processing capabilities and infrastructure, sell computer processing environments that run applications on an as-needed basis, with capacity changing according to business needs and sales cycles.[209]

When companies choose to outsource data processing to a third party, they typically perform information security due diligence on the third party to ensure that the data given to the processor will be protected. A very common standard for third party assurance is the SAS 70,[210] which “provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors.”[211]

Service provider organizations routinely obtain a SAS 70 report that attests to the effectiveness of their controls. Over time, companies began to desire more assurance than that provided by the SAS 70, in no small part due to criticism of the SAS 70,[212] so companies began doing their own due diligence on service providers. In the financial services industry, the GLBA mandated that financial institutions oversee service provider arrangements.[213] This has led to an onslaught of audit activity, with service providers continually audited by their customers. In an attempt to standardize the requirements for meeting a standard of information security due care, an organization known as BITS has attempted to standardize the assessment of third-party service providers.[214] BITS is a non-profit organization that developed the “BITS Framework for Managing Technology Risk for Service Provider Relationships.”[215] Within the BITS Framework, two tools were developed to ensure service providers had implemented controls in conformance with the ISO 27002 standard for information security controls. The first tool is the Standardized Information Gathering Questionnaire (SIG), a template based on the ISO 27002 standard that specifies the information security controls expected to be in place at the service provider organization. The second tool is the Agreed Upon Procedures (AUP), which serve as testing procedures meant to validate the effectiveness of the controls specified in the SIG.[216]

E. A Resulting Standard of Due Care

Based on the above primary sources of law and secondary sources, an expectation of data protection by data custodians has emerged.[217] The international privacy standards provide the perceived rights that individuals have in their own information, choice in how that information is used, access to correct erroneous information and causes of action against those who violate those rights by misusing, misappropriating or disclosing information to unauthorized entities. Several of the federal laws, HIPAA and GLBA in particular, set forth broad, non-specific requirements for information security governance and for oversight of information entrusted to third parties. The numerous state laws add additional facets to the standard of due care, such as data breach notification, data encryption and even adherence to the PCI standard. Certain types of data, particularly cardholder data and personally identifiable financial and health information, must be protected from disclosure and in some cases should not be collected or stored at all.

Information security governance entails protecting information within a corporation or company by integrating all the necessary components: management oversight by the board of directors, the appointment of a chief privacy and / or information security officer, risk management processes, including the performance of periodic risk assessments to ascertain threats, vulnerabilities and other risks to sensitive information assets, and the deployment and maintenance of effective controls and safeguards designed to mitigate the risks to an acceptable level.

4. CURRENT RECOURSE FOR CONSUMERS IS INSUFFICIENT TO ENCOURAGE DATA CUSTODIANS TO MEET STANDARD OF DUE CARE

A. The Duty of Care Extends Beyond the Plain Terms of the Statute

1. Guin v. Brazos Higher Education Services

This is an exemplary case showing the difficulty of proving injury in fact, and the insufficient understanding of the real duty of care inherent in the GLBA. The Minnesota District Court failed to find duty, breach and injury in a claim of negligent data loss in Guin v. Brazos Higher Educ. Service Corp., Inc.[218]

Defendant, a student loan processor, allowed an employee named Wright to receive, store and analyze databases of student loan borrowers, which included personally identifiable information. Wright’s home was burglarized and the laptop computer holding the borrower information was stolen. Per FTC guidelines and the California data breach notification statute,[219] Defendant sent a breach notification letter to all of its 550,000 customers, including Plaintiff. The Plaintiff did not find any indication that a third party had accessed his personal information and had not experienced any instance of identity theft or any other type of fraud involving his personal information. To Brazos’s knowledge, none of its borrowers had experienced any type of fraud as a result of the theft of Wright’s laptop.

Plaintiff brought a common law claim of negligence against Defendant on behalf of all customers of Defendant whose information was lost.  Plaintiff’s complaint included allegations that Defendant owed “him a duty to secure [his] private personal information and not put it in peril of loss, theft, or tampering,” and Defendant’s “delegation or release of Plaintiff’s personal information to others over whom it lacked adequate control, supervision or authority was a result of Defendant’s negligence….”  As a result of such conduct, Plaintiff allegedly “suffered out-of-pocket loss, emotional distress, fear and anxiety, consequential and incidental damages.”

In order to establish that the Defendant owed Plaintiff a duty, Plaintiff asserted that the Gramm-Leach-Bliley Act[220] requires Defendant “to protect the security and confidentiality of customers’ nonpublic personal information.” The Court and the Defendant agreed both that the GLBA applied and that a statutory duty of care existed. Plaintiff argued that Defendant “breached the duty imposed by . . . GLB[A]” by (1) “providing Wright with [personal information] that he did not need for the task at hand,” (2) “permitting Wright to continue keeping [personal information] in an unattended, insecure personal residence,” and (3) “allowing Wright to keep [personal information] on his laptop unencrypted.” The Court found that Defendant had not breached its duty.

The problem here is that the GLBA, as the court read it, is not sufficient to hold the company liable for the negligent data handling practice of allowing customer personal information to be carried by an employee on a laptop computer, outside the physical security of Defendant’s offices. On this point, the law is not as clear as the court makes it sound. The FFIEC Information Security Booklet[221] states: “Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include . . . [u]se of encryption for transmission or transport of sensitive information[.]”[222]

Considering that, of the many hundreds of data breaches documented since 2005,[223] most have been caused by unencrypted data on a lost or stolen laptop,[224] the time for a heightened duty is here. In fact, the duty for financial institutions has been in place since the publishing of the Information Security Booklet and the regulators’ reliance on it. The Guin court simply was not familiar enough with the details of an otherwise obscure information security standard to know that it indeed applied in this case. Indeed, in the information economy, where personal information forms a literal currency and corporate asset, and where portable electronic media can hold hundreds of gigabytes of storage, loss and theft of vast quantities of personal information is not only possible, it is likely. But even more importantly, it is foreseeable. Therefore, this foreseeable threat is of the type contemplated by the drafters of the GLBA and the Interagency Guidelines. Precautions should be taken to render data unreadable and inaccessible when stored on portable storage media such as memory sticks (thumb drives) and laptop computers. This can be accomplished relatively easily and inexpensively with data encryption products.

A better outcome would have been for the Guin court to determine that Brazos breached its duty to its customers by placing customer identifiable information on a mobile device. In considering the culpability of Defendant in its failure to properly protect sensitive data on a laptop computer, it is irrelevant that the Guin court correctly found that Plaintiff suffered no actual compensable injury. The importance of this case is that the court wrongly found no breach of duty in Defendant’s actions, not that the Court correctly found that Defendant was not negligent. The case stands for the proposition that better legislation is needed to articulate the standard of care to which data custodians should be held. The common law negligence requirement of injury can and should remain a difficult hurdle for common law negligence claims. The focus of such legislation should be on the encouragement of reasonable data protection practices and not on compensation of those who have suffered no injury.

The problem facing the Guin court was that the standard of care applicable in these types of cases is not sufficiently clear in the law. The GLBA statute does not specify a requirement to encrypt sensitive information on portable media. Neither do the regulations promulgated by the several regulatory agencies in response to the Act.[225] However, the major information security frameworks do indeed contain such provisions.[226] By containing a private right of action, a federal data protection statute can lead to damage awards against negligent data custodians on behalf of a class of injured persons defined in the statute.

B. Common Law Negligence Is Hit or Miss, Usually Miss

The Guin case is typical of negligence claims for data breach, in that the Plaintiff did not recover, in part because he failed to prove a legally cognizable injury.

1. Ruiz v. Gap

The case of Ruiz v. Gap Inc.[227] is a seminal case that stands for the proposition that, absent actual financial harm, no injury is found when personal information is compromised in a data breach resulting from a data custodian’s negligence. Plaintiff was a prospective job applicant who completed a job application form for the Gap, Inc. Defendant and its third-party service provider, Vangent, Inc., processed the application. Vangent subsequently suffered a theft of two laptop computers from its premises. One of the laptop computers contained the unencrypted personal information of 750,000 Gap job applicants.[228]

Ruiz claimed his injury resulted from “an increased risk of identity theft” and that damages consisted of actual and future expenditures of time and money, to protect himself from the Defendant’s negligence.  The judge granted Defendant’s motion for summary judgment, holding that the risk of future identity theft “does not rise to the level of appreciable harm necessary to assert a negligence claim[.]”[229] Further, the court held that the recognition of such harm would pose both floodgate concerns and too steep an evidentiary burden on the Plaintiff.

2. In Re Hannaford Bros. Co. Customer Data Security Breach Litigation

The case of In Re Hannaford Bros. Co. Customer Data Security Breach Litigation[230] stemmed from the Hannaford Bros. grocery store data breach discussed above.[231] A class of customers was certified and pursued a variety of claims against Hannaford, including common law negligence. In assessing the state common law elements of negligence, the judge found that not all members of the class suffered a legally cognizable harm. The judge held that sufficient harm had occurred if a customer of the Defendant suffered an unauthorized charge to a credit or debit card account as a result of the data breach. If such was the case, the Defendant was liable to reimburse it. However, where the negligence did not produce a direct financial loss, the Defendant was not liable:

“Collateral consequences-for example, the customer’s fear that a fraudulent transaction might happen in the future, the consumer’s expenditure of time and effort to protect the account, lost opportunities to earn reward points, or incidental expenses that the customer suffers in restoring the integrity of the previous account relationships-then the merchant is not liable.”

3. Bell v. AFSCME

In an atypical negligence case, the court did find that sufficient injury had been demonstrated in Bell v. Michigan Council 25 of the American Federation of State, County and Municipal Employees.[232] The thirteen named Plaintiffs were 911 operators employed by the city of Detroit and were members of the Defendant union, AFSCME. The Defendant maintained member records including social security numbers, driver’s license numbers and pension numbers. The daughter of the union secretary was convicted on criminal charges stemming from identity theft of union members. A notebook was found in her bedroom containing the personal information of the Plaintiffs, along with a record of services and products obtained using the Plaintiffs’ personal information. After a jury returned a verdict for the Plaintiffs in the amount of $275,000 collectively, Defendants appealed. The Michigan Court of Appeals upheld the verdict, finding that the union owed its members a duty of care in protecting union members’ personal information.

The Defendants argued that they owed no duty to Plaintiffs to protect their information from the unforeseeable actions of a third party, the union secretary’s daughter. The Court applied a test[233] to determine that Defendant did owe Plaintiffs a duty to protect their sensitive information from third parties. The court upheld the jury’s determination that Defendants breached their duty. The Court also found sufficient damages caused by Defendant:

“[P]laintiffs in this case testified to more than a feeling of frustration. Each had spent numerous hours trying to correct the problems created by the identity theft, which left their collective credit in ruins. Plaintiffs produced concrete examples of the aggravation and anguish suffered by detailing their experiences of trying to purchase cars, homes, furniture or phone service and the resultant humiliation of being turned down for credit. Accordingly, plaintiffs presented sufficient evidence to create a question for the jury regarding their mental damages.”[234]

A dissenting opinion called into question the prudence of such an expansion of general negligence law into the realm of identity theft when neither the legislature nor the Michigan Supreme Court had done so.[235] It is for this very reason, expressed by the dissent, that a federal information protection law should express an intention to protect individuals from the harms of identity theft, and create a negligence per se cause of action.

5.  A New Federal Information Protection Statute Is Needed

A federal data protection statute should accomplish three goals: Promote desired behavior by data custodians; preempt state law to relieve the burden on interstate commerce; and provide a private cause of action against negligent data custodians, allowing injured consumers to more easily recover.

A. Promote Desired Behavior by Data Custodians

Returning to the discussion about externalities, remember that many data custodians lack an economic incentive to improve information security because the benefits of doing so would primarily accrue to the data subjects, rather than to the custodian. Likewise, the damages suffered due to a data breach are borne by the data subjects and, to a lesser degree, by the data custodian. The primary reason for legislating the desired behavior is to require data custodians to internalize the costs of poor information security and resultant data breaches. Again, getting data custodians “to internalize [externalities] can be done one of two ways: [r]egulation . . . or liability[.]”[236]

Another important component of a federal data protection law would be the augmentation of expected corporate governance to include information protection. Insofar as the Sarbanes-Oxley Act and the associated regulations required corporate governance practices based on a model like COSO, a federal data protection law should require agency creation of enhanced governance models that include data protection governance, or should adopt ancillary frameworks to guide enterprises in considering information protection as a matter of corporate governance.

Civil penalties provide an economic incentive to improve information security.  To facilitate the recourse available to victims of data custodian negligence, the federal statute should establish the heretofore discussed duty of care as a negligence per se cause of action.

B. Preemption of state law

The present situation with numerous state laws, each varying in their definition of protected data and scope of prohibited conduct, has many calling for a unified federal data breach law. The situation brings to the forefront the 1959 Supreme Court decision concerning state regulation of truck mud flaps.[237] When the varying nature of regulations on the type of mud flaps allowed in each state caused an undue burden on interstate commerce, the Supreme Court struck down onerous state mud flap laws.  The data breach, data encryption and PCI-type state statutes may be fast approaching a ripe issue for a federal consolidation for the sake of relieving a burden on interstate commerce.

C. Amendment Of Federal Law

The statute could simply require that each data custodian adhere to the control frameworks listed above, subject to existing obligations based on industry-specific statutes. For example, financial services companies, federally funded educational institutions, and HIPAA “covered entities” could continue to adhere to their existing obligations under their respective laws.[238] The new data protection statute should amend those laws (or call on regulators to promulgate rules) to clarify the appropriate types of standards and control frameworks necessary to form the basis of the requisite information security program. The amendments should also include appropriate causes of action where lacking.

For example, the FTC Act and enforcement rules could be modified to more clearly delineate regulated conduct.[239] The Identity Theft and Assumption Deterrence Act should be amended to extend protection to digital and virtual identifiers and authenticators, such as user IDs, passwords and digital certificates.[240] The Identity Theft Enforcement and Restitution Act should be amended to extend culpability for instances of identity theft beyond the criminal perpetrator to the contributorily negligent data custodian whose lack of due care created the vulnerability leading to the identity theft. The Gramm-Leach-Bliley Act should be amended to provide both a private right of action for injured financial consumers and a directive to financial institutions to adopt a standard framework of information security controls, in lieu of a risk assessment. The new law should require entities collecting and retaining sensitive personal information to adopt some form of corporate governance, including the use of an information security framework. The law should permit both civil causes of action and criminal violations.

The regulatory agencies may continue to regulate their respective industries as they previously have under existing data protection law. The Department of Health and Human Services would continue to oversee and enforce appropriate data handling practices in the health care industry, and the financial regulators and the Department of Education would continue to police their respective industries. The FTC would have a more clearly defined responsibility beyond the present “unfair and deceptive” trade practices.

D.  Private Right Of Action

The standard of due care over the protection of sensitive information has evolved over a relatively short period of time in terms of the common law. The technology that enables both the possession of vast quantities of data and the attacks by unauthorized data thieves has advanced quickly over the past three decades.

It should come as no surprise that consumers who have suffered the loss of their personal information while in the possession of negligent data custodians have little recourse. The odds of a successful common law negligence claim in such a situation are low, absent demonstrable, cognizable injury to the consumer.

“The failure of post-breach lawsuits illustrates how little the data breach notification laws do to compensate victims of data breach. Courts are reluctant to classify immediate post-breach costs as harms. Even with more serious later harms that exploit breached data, the difficulty of showing cause-in-fact makes it nearly impossible for those harmed to recover from the organization whose mishandling of data predicated the problem.” [241]

Perhaps this is as it should be, for common law negligence does not reward those who have suffered no harm. However, data breach notification statutes are designed to allow consumers to more quickly identify instances of fraud. The notification itself is somewhat unnerving, inflicting some modicum of emotional distress. Furthermore, consumers are more likely to purchase credit monitoring services, purchase credit bureau services and suffer loss of time spent in monitoring their credit reports. Many data custodians routinely offer victims of data breach a one-year paid subscription to a credit monitoring service.

The addition of private cause of action in a federal law will allow plaintiffs who have actually suffered harm to more easily establish claims without the hurdles of common law negligence claims.

E.  A Statutory Duty of Care – Negligence Per Se

“An actor is negligent if, without excuse, the actor violates a statute that is designed to protect against the type of accident the actor’s conduct causes, and if the accident victim is within the class of persons the statute is designed to protect.”[242] From the above examples of data breaches of sensitive, personal information, it is clear that organizations taking control of such information should be accountable for its protection. A federal law must define the nature of the injuries caused by data breach events, define the conduct that causes these types of data breaches, and also identify the class of persons subject to protection.

1. Injury In Fact

The types of harms befalling a consumer whose personal information is compromised due to a data breach include: identity theft, fraud, costs associated with heightened credit monitoring and emotional distress caused by knowing one’s personal data has fallen into criminal hands. [243]

2. Prohibited Conduct

A prior analogy likened the duty of care for the protection of data by a data custodian to the duty of care shown by a day care provider to the children in its custody. There are many facets of the duty of care when caring for children, including: ensuring age-appropriate toys, removal of electrical and choking hazards, establishing a secure physical perimeter to keep children on the premises, and establishing access controls to ensure no strangers can enter the facility. Likewise, the duty of care over personal information requires measures to be taken to ensure access is controlled, intruders are kept out, that data is accounted for and protected when in public locations.

For example, many reported data breach events have occurred because companies failed to correct known issues with web applications that accept user input, such as fields for name, address, phone, user ID, etc. Attackers discovered that they could place malicious computer instructions in these fields and click the submit button, causing the computer to execute the instructions, resulting in unintended consequences such as gaining elevated access or even disclosure of private data. These “SQL Injection” attacks have long been known and documented. A company of any size that collects personal information through the Internet with an application that suffers from a SQL Injection vulnerability could be considered to have done so negligently. The aforementioned information security standards all require some kind of vulnerability assessment of IT systems. Common types of assessments performed specifically for Internet applications would identify the existence of a SQL Injection vulnerability, allowing the application owner to take corrective action.

The SQL Injection vulnerability is just one example of hundreds of potential scenarios requiring information technologists and security professionals to demonstrate due care in discovering and correcting vulnerabilities to sensitive information. The federal statute would not need to be so prescriptive. The nuances of vulnerabilities to data and the permutations of data breach root causes are effectively managed by adhering to an accepted information security standard discussed above.
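To make the preceding discussion concrete, the following is an added illustration, not code from the original paper or from any company discussed in it. It shows, in Python against an in-memory SQLite table of constructed (fictitious) applicant records, the two forms of the user-ID lookup the text describes: the defective form that splices the submitted field into the SQL text, and the corrected form that binds the field as a parameter so the database treats it strictly as a value. It also shows the kind of check a vulnerability assessment performs: a lookup for a non-existent user ID containing SQL metacharacters must return no rows, and a lookup that returns rows for such an input is flagged as injectable. The table layout, the function names and the probe string are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example: fictitious job applicants, not real records.
APPLICANTS = [
    ("alice", "Alice Example", "000-00-0001"),
    ("bob", "Bob Example", "000-00-0002"),
    ("carol", "Carol Example", "000-00-0003"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (user_id TEXT PRIMARY KEY, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", APPLICANTS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Defective lookup (the pattern the text describes): the submitted field is
    concatenated into the SQL statement, so its contents can change the meaning
    of the query instead of being compared as a plain value."""
    sql = "SELECT user_id, name FROM applicants WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Corrected lookup: the submitted field is bound as a query parameter, so the
    database engine never interprets it as part of the SQL statement."""
    sql = "SELECT user_id, name FROM applicants WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def assessment_check(lookup):
    """Minimal vulnerability-assessment style check for an application lookup.

    A probe value that names no real user but contains SQL metacharacters is
    submitted. A correct lookup returns zero rows; a lookup that returns rows
    for such an input is reported as injectable so the owner can fix it.
    The probe string is a constructed example used here for illustration.
    """
    conn = make_db()
    probe = "nobody' OR '1'='1"
    rows = lookup(conn, probe)
    conn.close()
    return {"rows_returned": len(rows), "injectable": len(rows) > 0}


if __name__ == "__main__":
    print("concatenated query:", assessment_check(lookup_vulnerable))
    print("parameterized query:", assessment_check(lookup_hardened))
    print("normal lookup:", lookup_hardened(make_db(), "alice"))
```

Run stand-alone, the check reports the concatenated form as injectable (the probe returns every applicant row) and the parameterized form as not injectable (zero rows), while a normal lookup still returns the matching applicant. The same parameter-binding technique applies to every field the text lists (name, address, phone), which is why the standards discussed above treat it as a baseline control rather than a per-field fix.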

Not every root cause of a data breach can be foreseen. It is expected that data breaches will always occur, because no security system is perfect. As long as the Internet is used for commerce, and as long as personally identifiable information is required to engage in commerce, we will witness periodic data breach events. The goal of a unified federal statute establishing a minimum standard of due care is not to eliminate all instances of data breach or to attain a perfect level of security. Rather, the purpose of establishing the minimum standard of care is to give consumers and citizens a measurable standard of behavior that can be analyzed under principles of tort law. Secondarily, the rate of data breach incidents should predictably decrease, provided that the security standards are applied by data custodians and remain current with emerging threats.

3.  Class of Persons

The FTC is the primary enforcer of acceptable data protection practices under its authority to ensure fair trade practices. Any American citizen who engages in commerce can fall under the protection of the FTC Act.

A federal law will seek to include any citizen of the United States who discloses private, personal information to a private entity. Many federal statutes already accomplish this.

6. Conclusion

Until our society can function without universal identifiers that are used across multiple industries and contexts, the citizenry will be dependent on the custodians of our personal information to preserve its security. The diligence of data custodians in adhering to well-known and accepted codes of information protection will be the best defense against data breach and identity theft. In addition to the reputational risk faced by those who negligently handle such data, the law must evolve by providing citizens a private right of action to seek compensation from negligent data handlers. The current landscape of international, federal and state law, coupled with private contractual frameworks and information security and privacy frameworks, establishes a fundamental duty of care that applies to safeguarding personally identifiable information. A new federal law is needed to regulate data handling practices, to provide consistency and uniformity across multiple industries, to preempt the rapidly multiplying state data breach notification laws, and to adopt additional provisions requiring personal data encryption. The United States Congress should also act to provide citizens with a private right of action to seek damages against negligent data custodians by creating a negligence per se cause of action and statutorily defined damages.


[1] See fn. 105,121, infra.

[2] http://www.americanchronicle.com/articles/view/3911 Last accessed June 25, 2010.

[3] While rampant use of the SSN is still widespread, efforts to curb its use have been somewhat successful. “In Arizona, major universities can no longer use the SSN as the student identifier. In Colorado, as of July 2003, public and private post secondary institutions were required to establish protections for the SSN and discontinue its use as the primary student identifier. New York and West Virginia prohibit all public and private schools from using the SSN as a primary identifier. Kentucky law allows students to opt-out of use of the SSN as student identifier.” http://epic.org/privacy/ssn/#introduction. Last accessed June 25, 2010.

[4] “A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability. A vulnerability is a weakness that can be accidentally triggered or intentionally exploited.”  National Institute of Standards and Technology (NIST), Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems, July 2002; available at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, last accessed June 25, 2010.

[5] See http://media.mgnetwork.com/sls/extras/KarenJonesDoc.pdf, last accessed June 25, 2010.

[6] Id.

[7] Source: The Consumer Sentinel Network Data Book for January – December 2008. Available at http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2008.pdf, last accessed June 25, 2010. The Consumer Sentinel Network (CSN) is a “secure online database” of consumer complaints made to the FTC, Better Business Bureaus, the Internet Crime Complaint Center, the U.S. Postal Inspection Service, and the National Fraud Information Center, among others. The information is made available over the Internet to law enforcement agencies to assist in investigations. The FTC publishes statistics from the CSN annually in the CSN Data Book.

[8] Id. See also “Official Identity Theft Statistics” available at http://www.spendonlife.com/guide/identity-theft-statistics, last accessed June 25, 2010.

[9] “Third Annual ESI Trends Report,” p. 10, Kroll Ontrack, 2009. Available at http://www.krollontrack.com/library/esitrends3_krollontrack2009.pdf, last accessed June 25, 2010.

[10] The Identity Theft Resource Center is a San Diego-based non-profit founded in 1999 that provides free guidance to victims of identity theft. The ITRC provides victim assistance, educational programs, and information to both law enforcement agencies and government entities. See http://www.idtheftcenter.org.

[11] Identity Theft Resource Center, 2009 Breach List. Available at http://www.idtheftcenter.org/ITRC%20Breach%20Report%202009.pdf, last accessed June 25, 2010.

[12] See http://wordnetweb.princeton.edu/perl/webwn?s=identity%20theft, accessed on December 15, 2009.

[13] See fn. 7, supra.

[14] Identity Theft Resource Center, Corporate Overview, available at: http://www.idtheftcenter.org/artman2/uploads/1/ITRC_Corp._Overview_20091007.pdf , accessed December 30, 2009.

[15] Identity Theft: The Crime of the New Millennium, Sean B. Hoar, Asst. U.S. Attorney, District of Oregon; U.S. Department of Justice, U.S. Attorney’s USA Bulletin, March 2001, Vol. 49, No.2; available at http://www.justice.gov/criminal/cybercrime/usamarch2001_3.htm, accessed December 28, 2009.

[16] Florida Attorney General Bill McCollum News Release, Ringleader of ID Theft Operation Sentenced to 5 Years In Prison; available at http://myfloridalegal.com/__852562220065EE67.nsf/0/3D930E6715D0935D85257355005143E9?Open&Highlight=0,irving,escobar, accessed December 28, 2009.

[17] Id.

[18] Matwyshyn, Andrea M., Harboring Data: Information Security, Law, and the Corporation, p. 3, citing Jeweallap, Mark, Record Number of Data Breaches in 2007, available at:  http://www.msnbc.msn.com/id/22420774, last accessed December 28, 2009.

[19] 6 PVLR 107, Privacy and Security Law Report, Bureau of National Affairs (BNA), January 22, 2007.

[20] http://www.cbronline.com/news/tjx_hack_is_biggest_ever

[21] See fn. 6, supra.

[22] Evan Schuman, Stolen TJX Data Used in $8M Scheme Before Breach Discovery, eWeek.com, March 31, 2007; available at http://www.eweek.com/c/a/Database/Stolen-TJX-Data-Used-in-8M-Scheme-Before-Breach-Discovery, accessed December 28, 2009.

[23] See fn. 7, supra.

[24] U.S. Dept. of Justice Press Release 08-689, available at http://www.justice.gov/opa/pr/2008/August/08-ag-689.html, accessed December 28, 2009.

[25] Id.

[26] Kim Zetter, Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases, Wired.com; available at http://www.wired.com/threatlevel/2009/12/gonzalez-guilty-plea-heartland/, last accessed December 28, 2009.

[27] Supermarket Data Breach Affects 4.2 Million Accounts, The Boston Globe, March 17, 2008, available at http://www.boston.com/business/ticker/2008/03/supermarket_dat.html, accessed December 28, 2009.

[28] Id.

[29] Dan Kaplan, Hannaford Tells Regulators How Breach Happened, April 1, 2008, SC Magazine.com, available at http://www.scmagazineus.com/hannaford-tells-regulators-how-breach-happened/article/108569/, accessed December 28, 2009.

[30] See fn. 24, supra.

[31] Payment Card Industry (PCI) information security standard and certification process is a jointly operated data security compliance program required by MasterCard, Visa and other members of the PCI consortium; See § III.C.5 infra.

[32] http://www.privacyrights.org/ar/ChronDataBreaches.htm, accessed December 29, 2009.

[33] Id.

[34] Id.

[35] U.S. Dept. of Justice Press Release, #09-810, August 17, 2009. Available at: http://www.justice.gov/criminal/cybercrime/gonzalezIndic.pdf, accessed December 29, 2009.

[36] Data aggregation is a multi-billion dollar industry in the United States. Data aggregators gather information about citizens and aggregate that data into profiles which are formatted and sold to customers ranging from government to private enterprise. The data can include biographical, economic, employment, financial, educational and demographic information. Much of the data is gleaned from public information sources or purchased. Customers of data aggregators use the information to tailor marketing plans, vet potential employees and determine credit worthiness. Two large data aggregators are ChoicePoint and Acxiom. See also “Comments of Beth Givens, Director [Privacy Rights Clearing House,] to Federal Trade Commission Workshop, held March 13, 2001” (outlining the data gathering methods and techniques used by data aggregators, and calling for FTC oversight of data aggregators and additional consumer protections.)

[37] California SB-1386 was a California state law enacted to mandate the notification of consumers of a data breach of their personal information. Also known as the California Security Breach Information Act, California SB-1386 was passed and modified Cal. Civ. Code § 1798.29 (applicable to government agencies) and § 1789.82 (applicable to persons and businesses). Similar versions of the act have been enacted in 44 other states and the District of Columbia. See fn. 173 infra.

[38] United States v. ChoicePoint Industries, Inc., Complaint for Civil Penalties, Permanent Injunction and Other Equitable Relief, Civil Action 1:06-cv-00198-GET, Jan. 30, 2006. Available at: http://www.ftc.gov/os/caselist/choicepoint/0523069complaint.pdf, accessed December 29, 2009.

[39] http://www.privacyrights.org/ar/ChronDataBreaches.htm, accessed December 29, 2009.

[40] 18 U.S.C. 1324a

[41] United States Citizenship and Immigration Services website, http://www.uscis.gov/portal/site/uscis/menuitem.5af9bb95919f35e66f614176543f6d1a/?vgnextoid=1914c9676d006110VgnVCM1000004718190aRCRD&vgnextchannel=838e2f8b69583210VgnVCM100000082ca60aRCRD, accessed December 27, 2009.

[42] United States Department of Homeland Security, http://www.dhs.gov/files/programs/gc_1185221678150.shtm, last accessed 12/27/2009.

[43] Id.

[44] “Once the Form I-9 is complete, the employer enters certain information from the Form into the E-Verify system. The Social Security Administration (SSA) and Department of Homeland Security (DHS) databases then compare this information to millions of existing records to determine whether the information supplied by the employee matches the information in the SSA and DHS databases.” E-Verify Requirements For Contractors, Michael Best & Friedrich LLP, available at http://www.mbopartners.com/components/CMS/files/E-Verify%20White%20Paper%20MBO%20Partners.PDF, last accessed December 27, 2009.

[45] United States Citizenship and Immigration Services, E-Verify Homepage, http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=75bce2e261405110VgnVCM1000004718190aRCRD&vgnextchannel=75bce2e261405110VgnVCM1000004718190aRCRD, accessed December 30 2009.

[46] http://minnesota.publicradio.org/display/web/2009/12/11/security-breach/, accessed December 27, 2009; See also Minnesota Executive Order 08-01, Requiring Use of E-Verify for Newly Hired Employees In the Executive Branch, available at:  http://www.governor.state.mn.us/priorities/governorsorders/executiveorders/2008/PROD008598.html, accessed December 27, 2009.

[47] “Colorado and Georgia already have laws in effect that require all companies who contract with public entities there to use E-Verify. In Arizona, a state immigration law went into effect on January 2, 2008, that requires all employers in the entire state to sign up for E-Verify.” Scott W. Wright, Partner, Faegre & Benson, LLP, “Minnesota Governor Issues Executive Order Requiring State Contractors To Certify Compliance With Immigration Laws,” Jan. 29, 2008, available at http://www.faegre.com/showarticle.aspx?Show=5480, last accessed December 27, 2009.

[48] See fn. 46, supra.

[49] Id.

[50] Id.

[51] Id.

[52] Bob Collins, “MPR To Be Named In Data Lawsuit”  available at: http://minnesota.publicradio.org/collections/special/columns/news_cut/archive/2009/12/mpr_to_be_named_in_data_lawsui.shtml, accessed on December 30, 2009.

[53] The Workshop on Economics and Information Security (WEIS) is an annual conference currently in its eighth year. More information can be found at http://weis09.infosecon.net/, accessed December 30, 2009.

[54] Bruce Schneier, “Economics and Information Security” available at: http://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html, accessed December 30, 2009.

[55] It should be noted that a private firm’s reputation is often harmed by bad publicity resulting from a data breach. However, a quick scan of companies suffering a major data breach in recent years reveals no company that was actually put out of business as a result.

[56] Bruce Schneier, “The ‘Hidden Cost’ of Privacy” Schneier on Security, available at: http://www.schneier.com/blog/archives/2009/06/the_hidden_cost.html, accessed December 30, 2009.

[57] Jim Harper, “Government-Run Cyber Security? No Thanks.” CATO Institute, TechKnowledge Newsletter, Issue #123, March 13, 2009. Available at: http://www.cato.org/tech/tk/090313-tk.html, accessed December 30, 2009.

[58] Published by ITG Governance, Ltd., October, 2008.

[59] See Wendy Leibowitz, “Information Security Duty of Care Evolving” Bureau of National Affairs, Inc. Electronic Commerce & Law Report, Vol. 11, No. 9, March 1, 2006; See also Donn Parker, “Making the Case For Replacing Risk-Based Security” ISSA Journal, May 2006, p. 6.

[60] “In the United States, the US Privacy Coalition (including EPIC) is launching the campaign to urge the US Government to support the Council of Europe Privacy Convention and has proposed a resolution for the U.S. Senate.” Council of Europe Privacy Convention, Electronic Privacy Information Center (EPIC), available at: http://epic.org/privacy/intl/coeconvention/

[61] Sonia Arrison, “Privacy Perspectives from Europe” CNET.com, October 23, 2002, available at http://news.cnet.com/2010-1069-962993.html, accessed December 30, 2009.

[62] Bob Sullivan, “’La Difference’ Is Stark in E.U., U.S. Privacy Laws” MSNBC.com, available at: http://www.msnbc.msn.com/id/15221111/ns/technology_and_science-privacy_lost/, accessed December 30, 2009.

[63] Council Directive 95/46, Art. 25, 1995 O.J.( L 281) (EC), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

[64] Daniel J. Solove, et al. Information Privacy Law, p. 900 (2nd Ed. 2006).

[65] See fn. 19 supra.

[66] Id. Art. 26.

[67] Safe Harbor Privacy Principles, U.S. Dept. of Commerce, July 2000, available at http://www.export.gov/safeharbor/eg_main_018236.asp, accessed December 30, 2009.

[68] For more information see Matt Sorensen, “Transfer Mechanisms from the European Union to Non-Member Countries” available at http://datariskgovernance.com/state-statutes/european-union-data-privacy-directive-9546ec/ accessed December 30, 2009.

[69] 2000/520/EC, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML, accessed December 30, 2009.

[70] Safe Harbor Privacy Principles, U.S. Dept. of Commerce, July 2000, available at http://www.export.gov/safeharbor/eg_main_018236.asp, accessed December 30, 2009.

[71] Office of the Privacy Commissioner of Canada, “Guidelines For Processing Personal Data Across Borders” available at http://www.priv.gc.ca/information/guide/2009/gl_dab_090127_e.cfm, accessed December 30, 2009.

[72] APEC, Electronic Commerce Steering Group, Accomplishments. Available at: http://www.apec.org/apec/apec_groups/committee_on_trade/electronic_commerce.html, accessed December, 30 2009.

[73] APEC Information Privacy Principles, APEC Privacy Framework, Part III. Available at: http://www.apec.org/apec/apec_groups/committee_on_trade/electronic_commerce.MedialibDownload.v1.html?url=/etc/medialib/apec_media_library/downloads/taskforce/ecsg/pubs/2005.Par.0001.File.v1.1, accessed December 30, 2009.

[74] 5 U.S.C. 552a

[75] Id. § 552a(b).

[76] Id. § 552a(b).

[77] Id. § 552a(d).

[78] Id. § 552a(e).

[79] Id. § 552a(g)(1).

[80] Id. § 552a(g)(3)(B).

[81] Id. § 552a(g)(i).

[82] For more information see “The Privacy Act of 1974,” Electronic Privacy Information Center, available at http://epic.org/privacy/1974act/ accessed December 30, 2009.

[83] 18 U.S.C. 1030.

[84] Andrew B. Serwin, “Information Security and Privacy” Vol. 1, § 3:1, West Publishing, 2008.

[85] Id.

[86] 18 U.S.C. 1030(a)(2).

[87] Id. (a)(5).

[88] Id. (a)(6).

[89] Id. (a)(7).

[90] Id. (e)(2).

[91] See Continental Group, Inc. v. KW Property Management, LLC 622 F. Supp.2d 1357 (S.D. Fla. 2009), holding that because a computer was connected to the Internet, it was sufficiently within the CFAA definition of a protected computer.

[92] 18 U.S.C. 1030(a)(4).

[93] Id. (c)(B)(3).

[94] Andrew B. Serwin, “Information Security and Privacy” Vol. 1, § 3:7, (West Publishing, 2008) (“[I]ntangible property, including confidential data, can constitute a thing of value under the CFAA, thus supporting a violation of [18 U.S.C.] § 1030(a)(4)” and also “[A] party that obtains complete control of a network that contains data ‘possesses’ that data at that time whether a copy is downloaded or not.” citing U.S. v. Ivanov, 175 F. Supp. 2d 367 (D. Conn. 2001)).

[95] See § 5, infra.

[96] 18 U.S.C. 1028.

[97] 18 U.S.C. 1028 (a)(1).

[98] Id. (d)(1).

[99] Id. (c)(1).

[100] Pub.L. 105-318, § 5, Oct. 30, 1998, 112 Stat. 3010

[101] PL 110-326, 2008 HR 5938.

[102] 18 U.S.C. 1030.

[103] 18 U.S.C. 1028(a)(7) and 18 U.S.C. 1028A(a).

[104] 18 U.S.C. 3663(b)(6).

[105] 15 U.S.C. 6801-6809.

[106] Id. 6803.

[107] Id. 6802. It should be noted that some information sharing in the normal course of business is unavoidable and customers must be notified in the privacy notice that such sharing will occur, even if a customer may not opt out of the sharing without foregoing the services of the financial institution.

[108] Id. 6804-6805.

[109] Id. 6801(b), 6801(b)(1-3).

[110] Id. 6821.

[111] Office of the Comptroller of the Currency (OCC), Federal Depository Insurance Corp. (FDIC), Office of Thrift Supervision (OTS), Federal Reserve System, National Credit Union Administration (NCUA).

[112] See 16 C.F.R. 313 for FTC catch all version of the Interagency Guidelines.

[113] 12 CFR Pt. 30, App. B(II)(A).

[114] Id. (III)(A).

[115] See Appendix A for a discussion on the effectiveness of risk assessments in the information security context.

[116] Id. (III)(B)(1).

[117] Id. (III)(B)(2).

[118] Id. (III)(B)(3), (III)(C).

[119] 12 C.F.R. 30, App. B III(C)(1)(g). (Each bank shall adopt measures “that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.”)

[120] 12 C.F.R. 30, App. B, Supp. A(II).

[121] 42 U.S.C. 1320d-2.

[122] 45 C.F.R. 164.104(a)(1).

[123] Id. (a)(2).

[124] Id. (a)(3).

[125] 45 C.F.R. 306(a)(1).

[126] Id. (a)(2).

[127] Id. (a)(3).

[128] Id. (a)(4).

[129] 45 C.F.R. 306(d)(2) (stating that the security rules contained in §§ 164.308, 310, 312, 314, and 316 must meet required implementation specifications.)

[130] Id. (d)(3).

[131] Id. (e).

[132] See 45 C.F.R. 164.310, 164.312 and 164.314, respectively.

[133] 45 C.F.R. 164.308(a)(2)

[134] 45 C.F.R. 164.308(a)(1)(ii)(A).

[135] 45 C.F.R. 164.308(a)(1)(ii)(B).

[136] Id. (ii)(D).

[137] Id. (ii)(C).

[138] 45 C.F.R. 164.308 (a)(5)(i).

[139] Id. (6)(i).

[140] Id. (4)(i).

[141] Id. (7)(i).

[142] 45 C.F.R. 164.310(a)(1).

[143] 45 C.F.R. 164.310(b-d). (“Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment. (45 C.F.R. 164.304); electronic media commonly includes USB storage devices, also known as “thumb drives,” recordable CD and DVD disks, and external hard drives.)

[144] 45 C.F.R. 164.312(a)(1).

[145] Id. 312(d).

[146] Id. (a)(2).

[147] Id. (c)(1).

[148] Id. (e)(2)(ii)

[149] 45 C.F.R. 164 Subpart E.

[150] 45 C.F.R. 164.502(a).

[151] Id. 502(b)(1).

[152] 45 C.F.R. 164.522.

[153] 45 C.F.R. 164.524.

[154] 45 C.F.R. 164.520.

[155] 45 C.F.R. 164.408.

[156] 45 C.F.R. 164.404.

[157] 45 C.F.R. 164.406.

[158] “Final Rule: Management’s Report On Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports” Securities and Exchange Commission, available at: http://www.sec.gov/rules/final/33-8238.htm, accessed January 7, 2010; See also 17 C.F.R. 210, 228, 229, 240, 249, 270 and 274.

[159] See Id., (stating that “In response, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) (footnote omitted) undertook an extensive study of internal control to establish a common definition that would serve the needs of companies, independent public accountants, legislators and regulatory agencies, and to provide a broad framework of criteria against which companies could evaluate the effectiveness of their internal control systems. In 1992, COSO published its Internal Control — Integrated Framework. (footnote omitted) The COSO Framework defined internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in three categories–effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations. COSO further stated that internal control consists of: the control environment, risk assessment, control activities, information and communication, and monitoring. The scope of internal control therefore extends to policies, plans, procedures, processes, systems, activities, functions, projects, initiatives, and endeavors of all types at all levels of a company.”)

[160] For more information about how Sarbanes Oxley indirectly requires effective information security controls, see “Sarbanes Oxley: Information Security’s Unlikely Advocate” by the author, available at: http://www.giac.org/certified_professionals/practicals/gsec/3962.php, accessed January 7, 2010.

[161] 18 U.S.C. 1028. as amended by Pub.L. 105-318, § 5, Oct. 30, 1998, 112 Stat. 3010.

[162] Howard Beales, Prepared Statement of the Federal Trade Commission On Identity Theft: Prevention and Victim Assistance. Comments before the Financial Institutions and Consumer Credit Subcommittee of the House Financial Services Committee, June 24, 2003. Available at: http://www.ftc.gov/os/2003/06/030624idthefttestimony.htm, accessed on January 1, 2010.

[163] Andrew B. Serwin, “Information Security and Privacy” Vol. 2, § 26:5, (West Publishing, 2008).

[164] 15 U.S.C. 45.

[165] “Enforcing Privacy Promises: Section 5 of the FTC Act.” FTC website, available at http://www.ftc.gov/privacy/privacyinitiatives/promises.html, accessed January 1, 2010.

[166] See “Safeguards Rule: Enforcement” available at: http://www.ftc.gov/privacy/privacyinitiatives/safeguards_enf.html, accessed January 10, 2010.

[167] “Navigating PCI DSS, Understanding the Intent of the Requirements v1.2,” Oct. 2008, available at https://www.pcisecuritystandards.org/index.shtml, FAQ section. Accessed January 1, 2010.

[168] Id.

[169] See “Card Processing Basics” Bank of America Merchant Services, available at: http://www.bankofamerica.com/small_business/merchant_card_processing/index.cfm?template=card_processing_basics, accessed January 1, 2010.

[170] James T. Graves, Minnesota’s PCI Law, 34 Wm. Mitchell L. Rev.3, 1115, 1129 (2008).

[171] See Hannaford Supermarkets data breach above, fn. 27; See also Angela Moscaritolo, “Was Forever 21 wrongly certified PCI-compliant?” SC Magazine, Oct. 3 2008, available at: http://www.scmagazineus.com/was-forever-21-wrongly-certified-pci-compliant/article/118739. Accessed January 1, 2010; See also “PCI-DSS Compliance Does Not Always Guarantee Security” August 7, 2009, available at http://www.infosecurity-magazine.com/view/3094/pcidss-compliance-does-not-always-guarantee-security. Accessed January 1, 2010.

[172] National Conference of State Legislatures, State Security Breach Notification Laws, as of December 9, 2009, available at http://www.ncsl.org/default.aspx?tabid=13489. Accessed January 1, 2010.

[173] Cal. Civ. Code § 1798.82; California SB-1386 was a California state law enacted to mandate the notification of consumers of a data breach of their personal information. Also known as the California Security Breach Information Act, California SB-1386 was passed and modified Cal. Civ. Code § 1798.29 (government agencies) and § 1789.82 (persons and businesses). Similar versions of the act have been enacted in 46 states. See fn. 37 supra.

[174] Andrew B. Serwin, “Information Security and Privacy” Vol. 1, § 21:1, para. 2. (West Publishing, 2008).

[175] Id.

[176] Cal. Civ. Code § 1798.96.

[177] Minn. Stat. 325E.61, subdiv. 6.

[178] Andrew B. Serwin, “Information Security and Privacy” Vol. 1, § 21:1, para. 3. (West Publishing, 2008).

[179] Pam Greenburg, “Encryption Is Latest Effort To Ensure Data Privacy,” National Conference of State Legislators, December 2009. Available at: http://www.ncsl.org/default.aspx?tabid=17767, accessed January 1, 2010.

[180] 2009 Nevada S.B. 227, effective January 1, 2010.  This Senate Bill repeals the prior state law requiring encryption of certain types of personal information and mandates PCI compliance for any merchant that takes a card transaction.

[181] See Serwin, “Information Security and Privacy” Vol. 1, § 21:3.

[182] Mass. Gen. Laws ch. 93H, Sec 3 (2007);  201 Mass. Code Regs. 17.04(5) (2009).

[183] Fn. 179, supra.

[184] “Data collector” means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.”  Nev. Rev. Stat. § 603A.030.

[185] Nevada S.B. 227, § 1.1 (2009). Available at: http://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf. Accessed January 1, 2010.

[186] Minn. Stat. § 325E.64 (2009).

[187] Id. Subdiv. 2.

[188] Id.

[189] See fn. 195, 200, 207, 215 infra.

[190] See fn. 159, supra.

[191] “[The COSO (ERM) Enterprise Risk Management] framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. The guidance introduces an enterprise-wide approach to risk management as well as concepts such as:  risk appetite, risk tolerance, portfolio view.” Available at http://www.coso.org/-ERM.htm, accessed January 7, 2010.

[192] Recommendation #5 of “Information Security Governance: A Call To Action” available at http://www.cyber.st.dhs.gov/docs/Information Security Governance- A Call to Action (2004).pdf, accessed January 7, 2010. The recommendation has not been acted upon.

[193] “Principles of Corporate Governance,” Reviewing Management’s Plans for Business Resiliency, Business Roundtable, 2005. Available at: http://www.businessroundtable.org/sites/default/files/2005.11.02%20CorporateGovPrinciples.pdf, accessed January 7, 2010.

[194] In researching this article the author investigated the status of a previously available standard known as “Generally Accepted Information Security Principles” or GAISP. The Generally Accepted Information Security Principles (GAISP) were developed by volunteers as overseen by the Information Systems Security Association (ISSA). In a 2003 press release, the chairman of the then newly formed committee to lead GAISP development stated, “With the GAISP, we are creating a unified methodology that any organization will be able to follow to protect critical information resources and comply with international standards and regulations.” Unfortunately it appears that the GAISP effort has been abandoned, with ISSA removing all traces of it from its website (see www.issa.org). The latest version of GAISP is available at http://all.net/books/standards/GAISP-v30.pdf, accessed January 9, 2010.

[195] Available at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm, accessed January 7, 2010.

[196] “About the FFIEC,” available at http://www.ffiec.gov/about.htm,  accessed January 7, 2010.

[197] See fn. 111, supra.

[198] Available at http://www.ffiec.gov/ffiecinfobase/index.html, accessed January 7, 2010.

[199] Available at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm, accessed January 7, 2010.

[200] http://www.iso.org.

[201] ISO 27001.

[202] ISO 27005.

[203] ISO 27004.

[204] See fn. 200, supra.

[205] ISO 27002:2005 Abstract, available at http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=50297.  “[The standard] contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; [and] compliance.”

[206] See http://csrc.nist.gov/, accessed January 9, 2010.

[207] See http://csrc.nist.gov/publications/PubsSPs.html, accessed January 9, 2010.

[208] Id. A new revision will be finalized in 2010. The current revision 3 and the previous revision 2 are available on the NIST website.

[209] This practice is also known as Cloud Computing and is the subject of much scrutiny regarding the security and privacy of the outsourcing arrangements. See David Navetta, “Legal Implications of Cloud Computing” available at: http://www.infolawgroup.com/2009/08/tags/security/legal-implications-of-cloud-computing-part-one-the-basics-and-framing-the-issues/, accessed January 10, 2010.

[210] Statement on Auditing Standard (SAS) #70, published by the American Institute of Certified Public Accountants (AICPA) sets forth the audit requirements necessary to receive a certification by a CPA firm that a data processing environment will ensure complete, accurate and available information. See “SAS No. 70, Service Organizations, available at: http://infotech.aicpa.org/Resources/Assurance+Services/Standards/SAS+No.+70+Service+Organizations.htm, accessed January 9, 2010.

[211] Id.

[212] See NDB LLP, “SAS 70 Audit Complaints” available at: http://www.sas70.us.com/what-is/criticism-of-sas70-audits.php, accessed January 9, 2010.

[213] 12 C.F.R. 30, Pt. B, III(D).

[214] BITS is not an acronym. BITS was created by the Financial Services Roundtable (www.fsround.org); See http://www.bitsinfo.org/about.html, accessed January 9, 2010.

[215] Available at http://www.bitsinfo.org/downloads/Publications%20Page/2009Framework.pdf, accessed January 9, 2010.

[216] The SIG and the AUP can be downloaded from a BITS-sponsored website: http://www.sharedassessments.org/, accessed January 9, 2010.

[217] See fn. 58, supra.

[218] Guin v. Brazos Higher Educ. Service Corp., Inc., unpublished opinion per curiam of the District of Minn., issued February 7, 2006 (Docket No. CIV. 05-668 RHK/JSM).

[219] See fn.173, supra.

[220] See fn. 105, supra.

[221] See fn. 195, supra.

[222] “Data Security, Transit,” FFIEC Information Technology Examination Handbook, Information Security Booklet, 2006. Available at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm, accessed January 7, 2010.

[223] See fn. 32, supra.

[224] Id. The author performed a keyword search on the list of data breaches and observed that the most common root cause of the reported data breaches was laptop loss/theft.

[225] See each agency’s version of the Interagency Guidelines Establishing Information Security Standards: Federal Reserve (12 C.F.R. 208, App. D2); Office of the Comptroller of the Currency (12 C.F.R. 30, App. B); Federal Depository Insurance Corp. (12 C.F.R. 364, App. B); National Credit Union Administration (12 C.F.R. 748, App. A); Office of Thrift Supervision (12 C.F.R. 570, App. B). See also Federal Trade Commission (16 C.F.R. 314).

[226] See BITS SIG G.20.14; See also FFIEC IT Security Booklet, “Data Security, Handling and Storage,” page 74; ISO 27002:11.7.1 Mobile Computing and Communications; ISO 27002:10.8.3 Physical Media in Transit; BITS AUP G.14.

[227] 622 F.Supp.2d 908.

[228] Id.

[229] Id.

[230] 613 F.Supp.2d 108 (D. Maine, 2009).

[231] See § 2.B, supra.

[232] Bell v. Michigan Council 25 of the American Federation of State, County and Municipal Employees, unpublished opinion per curiam of the Court of Appeals, issued February 15, 2005 (Docket No. 246684).

[233] Murdock v. Higgins, 217 N.W.2d 458 (1994), (setting forth a test to determine whether a duty-imposing special relationship exists between two parties, such that one owes the other a duty to protect it from third parties.)

[234] Bell v. Michigan Council 25 of the American Federation of State, County and Municipal Employees, at 6, unpublished opinion per curiam of the Court of Appeals, issued February 15, 2005 (Docket No. 246684).

[235] Id. at 10.

[236] Jim Harper, “Government-Run Cyber Security? No Thanks.” CATO Institute, TechKnowledge Newsletter, Issue #123, March 13, 2009. Available at: http://www.cato.org/tech/tk/090313-tk.html, accessed December 30, 2009.

[237] Bibb v. Navajo Freight Lines, Inc., 359 U.S. 520 (1959), addressing the difficulty of transportation companies meeting state mud flap requirements of varying specificity. The case centered on an Illinois statute that required a certain type of mud flap that would have been illegal in the state of Arkansas. The Court found that the competing state laws created an undue burden on interstate commerce and struck down the Illinois law.

[238] See fn. 105 supra; See fn. 121; See fn. 164, respectively.

[239] See 20 U.S.C. § 1232g; See also 34 CFR Part 99.

[240] See fn. 96, supra.

[241] James T. Graves, Minnesota’s PCI Law, 34 Wm. Mitchell L. Rev.3, 1115, 1128 (2008).

[242] Restatement 3d Torts § 14.

[243] See § I.G.1, supra.
