What Would the President's Security Breach Notification Proposal Mean for North Carolina?

Earlier this week, the President announced a new cybersecurity initiative.  The White House explained that:

"[t]here is a growing perception that individuals have lost control of their personal information; a negative implication of such a view is it may serve as an inhibitor of the use of technology, stymie innovation, and contribute to a less productive economy." 

 

Of course, the President has no legal authority to implement most of his proposals.  The Constitution gives Congress the sole power to introduce and pass legislation.  The President's role is simply to sign or veto a bill once Congress approves.  However, the President's bully pulpit gives him the practical ability to influence Congress' agenda.  The primary purpose of the  President's current cybersecurity push is to pressure Congress to enact comprehensive cybersecurity legislation.

 

As of now, the White House has not disclosed all of the text of the proposed bill--only bits and pieces.  What we have been told is that the proposal has multiple components.  One component that has been described in detail is the breach notification requirement (styled as "The Personal Data Notification & Protection Act"), the full text of which you can read here. 

North Carolina and 45 other states already have a data breach notification law.  This might suggest that there is no need for a nationwide breach notification rule.  Are state breach notification rules inadequate?  Is there a compelling need for nationwide uniformity?  These are important policy questions.  In order to evaluate them, it might be helpful to understand how the White House proposal differs from state laws--particularly the data breach notification requirement found in the North Carolina Identity Theft Protection Act.  This blog post will compare the White House proposal to North Carolina's existing breach notification requirement.

Entities Covered.  The North Carolina breach notice statute applies to any business in North Carolina or that "owns or licenses" information about North Carolina residents.  Under the White House proposal, only businesses that hold sensitive personally identifiable information about more than 10,000 individuals would be covered.

The Reporting Requirement of a Security Breach.  The White House proposal would require business entities to give notice of a "security breach" involving "sensitive personally identifiable information."

The term "security breach" in the White House proposal would mean a "compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in...unauthorized acquisition... or access...."

The term is defined slightly differently under North Carolina law.  Under our Identity Theft Protection Act, a security breach is "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."

Here's one difference: It would be harder to avoid reporting "low risk" incidents under the White House proposal. There are all sorts of scenarious that might result in unauthorized access, some of which can be relatively innocuous, and probably do not warrant reporting. You can imagine such situations easily. The White House proposal would make it harder to avoid reporting in these situations. Under the North Carolina law, a breach occurs when "illegal" use "has occurred or is reasonably likely to occur" or there is "a material risk of harm to a consumer." Under the White House proposal, there is a breach, and therefore a reporting requirement (at least to the FTC), if there is an "unauthorized acquisition" or "accesss...in excess of authorization." Under the White House proposal, even if the incident presents a low degree of risk, it must be disclosed to the FTC.

Here's another difference: Under the North Carolina statute, if a hard drive is stolen, but it's encrypted, there is no breach.  Under the NC statute, that ends the analysis, and there is no reporting requirement. Under the White House proposal, there is a breach, even if the information was encrypted, and the custodian of the information would then have to undertake a risk assessment to determine if there is a "reasonable risk that a security breach has resulted in, or will result in, harm to the individuals."  Encryption might support a presumption that there is no reasonable risk of harm.  However, under the White House proposal, the business would be required to self-report to the Federal Trade Commission within 30 days:
    (i) that it had experienced a breach and conducted a risk assessment,
    (ii) the results of the risk assessment,
    (iii) that it had concluded that there was no reasonable risk to individuals; and
    (iv) logging data (i.e., records of access and changes to a database) for the six months prior and database users' and administrators' log-in information.

Definition of Personal Information.  The term "sensitive personally identifiable information" is defined in the White House proposal similarly to the term "personal information" in the North Carolina statute, except that the White House proposal is slightly more broad and would also allow the Federal Trade Commission to create other categories of "sensitive personally identifiable information" by rule.  In this way, the White House proposal might be more easily adjusted to changes in technology.

Timing of Notice.  The days immediately following discovery of a security breach are difficult for a business, as well as being important to law enforcement.  The first priority is almost always to identify and eliminate vulnerabilities.  Businesses are reluctant to make public statements before they have obtained and analyzed the facts. Each of these steps may require outside help from forensic computer experts and security experts. It takes time. One of the ways in which the White House proposal differs from the North Carolina statute is the timing of reporting obligations.  Under the both the North Carolina statute and the White House proposal, the breached business must notify affected customers "without unreasonable delay."  However, under the White House proposal, that means no later than 30 days unless the FTC grants an extension. 

Public Notice.  In addition to notifying affected individuals, state statutes often require a public announcement, of some sort, of the breach.  Under the North Carolina statute, the business must notify statewide media of the breach (and place a notice on its website) only if it chooses not to contact affected individuals directly because the cost of providing notice would exceed $250,000 or the number of affected individuals exceeds 500,000.  Under the White House proposal, if more than 5,000 residents of any particular state are affected, the breached business must notify statewide "major media outlets" of the breach. 

Under the White House proposal, if more than 5,000 individuals are affected by a breach, the business must notify the credit reporting agencies.  Under the North Carolina statute, the threshold for making such a report is 1,000. 

Allocation of Responsibility to Provide Notice.  Under the North Carolina statute, the reporting obligation falls on the business that "owns or licenses" the personal information. A third party custodian who does not own or license the information must merely notify the owner or licensee of the information (not the affected individuals) in the event of a breach. The North Carolina statute does not address whether the owner/licensor can agree with the custodian that, in the event of a breach, the custodian would be responsible to provide notice to customers.

The White House proposal expressly allows owners/licensees and custodians to enter into a contract that allocates the responsibility to notify affected individuals of a breach; however, the notice must include reference to the party who has a direct business relationship with the affected individuals (i.e., the owner/licensee).

Summary.  As you can see, the White House proposal differs from existing North Carolina law in a number of ways.  From the perspective of a business that has consumer data, the White House proposal generally seems more burdensome; however, for businesses operating in multiple states, the additional obligations of the White House proposal might be outweighed by the benefits of having a uniform law across jurisdictions.  (Responding to a multi-state breach is very challenging because of the variation in state breach response laws.) 

Whether Congress will take up the proposal in earnest, and whether legislation resembling the White House proposal will pass both houses, is anyone's guess, but one thing is clear at this point--the President has initiated a public dialogue on these issues. 

What To Do When Your Identity Has Been Stolen: A 10-Step Guide

On several occasions, I've been asked to help individuals whose identities have been stolen.  However, most of the time, it's not cost-effective for a lawyer to handle the majority of the initial steps in responding to the theft of an individual's identity.  Instead, the affected person is usually best advised to handle most of the first steps themselves.*

As a public service, I'm providing the following step-by-step guide for individuals who suspect that credit has been obtained in their name without their consent.  (There are other kinds of identity theft, but credit theft is most common.)  Although the Federal Trade Commission has an a good guide for victims of identity theft, it (i) requires you to read several different webpages instead of just one, and (ii) does not explain the state-law-specific aspects of recovering from identity theft.  This is intended to be a simplified guide for North Carolina residents.

1.  Put a Fraud Alert on Your Credit Report.  Call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report.  (Tell the agency you contact to tell the other two to do the same...although there's no harm in calling all three yourself). You'll be required to prove your identity when placing a fraud alert.  There will be no cost.  The purpose of a fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed.  

You can contact the credit reporting agencies at the following:

• Equifax - 1-800-525-6285, www.equifax.com, P.O. Box 740241, Atlanta, GA 30374-0241;
• Experian - 1-888-397-3742, www.experian.com, P.O. Box 2104, Allen, TX 75013-0949;
• TransUnion - 1-800-680-7289, www.transunion.com, P.O. Box 1000, Chester, PA 19022. 

2.  Order Your Free Credit Reports.  When placing a fraud report, you are entitled to a free credit report from each of the three major credit reporting agencies.  The agency that you call (as instructed in #1 above) will explain your rights and how you can get a free copy of your credit report.  You could also use this form.

3.  Submit an Affidavit to the FTC.  Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can.  Next, you need to put this information into the form of an affidavit (a sworn written statement).  The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at https://www.ftccomplaintassistant.gov/.  When finished, submit the affidavit to the FTC through the website.  Print or save a copy for your records. (Alternatively, you can use this form.)

4.  File a Police Report.  Call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both.  In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule).  File a police report.  (Either they will send an officer to you, or will ask you to come to the station.)  Give the officer a copy of your FTC Identity Theft Affidavit.  Also give the officer a copy of the FTC's official memo to local law enforcement agencies, a copy of which is available here.  Ask to  be given a copy of the police report once it's ready.

 

5.   File an FTC ID Theft Report. Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from attempting to collect debts from you that result from identity theft, or from selling the debt to another company for collection, (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).

Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see #6 below). In either case, you should notify all three of the credit reporting agencies.

6.  Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze.   Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze. 

Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years.  When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.

North Carolina residents are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently.  (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.)  If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes.  Putting a credit freeze on your credit file does not affect your credit score.

The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law.  Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above). 
 

So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity.  My general preference is  the freeze, because it gives you the most control.

 

7.  Review Your Credit Reports and Dispute Errors.  Carefully review your credit reports for errors.  If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report. Here is a sample letter that may be helpful.

 

The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’ investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.

 

8.  Contact Any Businesses Involved. If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (such as a PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed.  Also ask them to stop reporting information relating to the fraud to credit reporting agencies.  As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization.  Here is a sample.  

 

9.  Stop Debt Collectors from Contacting You about Fraudulent Debts.  If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.

10. Additional Tips: 

• Remember to record the dates you made calls or sent letters.
• Keep copies of all correspondence in your files.
• A number of sample letters are available here.

I hope you find this guide helpful.  Please feel free to share it with your family, friends, and colleagues.  Although I hope you never need it, I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website, just in case.

___________________

* When the person whose identity has been stolen either (a) lacks the ability to respond themselves, whether due to a disability, age, or otherwise, or (b) is someone whose time is sufficiently valuable that it makes economic sense for them to hire someone else to remedy the situation, a lawyer/paralegal team may be well-position to handle these matters.  Otherwise, it makes sense for the affected person to handle most aspects of resolving a stolen identity, with limited guidance from a knowledgeable lawyer.

IMPORTANT: This blog post is for educational purposes only, and does NOT constitute legal advice.  You should consult with your own attorney about your specific situation.  This blog post does not create an attorney-client relationship, and it will not be updated to reflect changes in law or practices, so you should refer to other sources to ensure you receive the most accurate, up-to-date information.

Why Are the Federal Trade Commission's Privacy and Information Security Expectations Unclear, and Has the FTC Gone Too Far?

One of the most frustrating things about privacy and information security law is the lack of certainty when it comes to acceptable uses and protocols. This piece is intended to explain some of the reasons for the uncertainty, and to highlight a pending case that might shed additional light.

Bills to create nationwide privacy and information security rules seem unable to gain traction in Congress. (Perhaps that will change with the new class of legislators having just been sworn into office.) At present, the United States has no comprehensive privacy statute nor is there a comprehensive set of privacy regulations. Instead, we have a "patchwork" of privacy regulation:
Most privacy laws in the United States are industry-specific and enforced by industry-specific agencies. For example, the federal banking agencies (the FDIC, OCC, FRB, and NCUA) govern financial institutions' handling of financial information, and the Department of Health and Human Services holds healthcare providers responsible for following the health information privacy rules.

At the federal level, the Federal Trade Commission is the agency with the broadest reach to address privacy and information security issues. The FTC has taken the role of filling the gaps left by the patchwork of regulations by pursuing enforcement actions against all sorts of companies for all sorts of privacy-related issues. But from where does the FTC's broad authority over privacy practices come, and how far does it reach? Certain specific federal statutes give the FTC authority over specific issues, like the privacy of children's information on the internet, and credit reports, but what about the FTC's authority over the broad spectrum of privacy-related issues?

The Federal Trade Commission Act prohibits "unfair and deceptive acts and practices in or affecting commerce.” The FTC relies upon this broad language to justify its sometimes aggressive enforcement actions against organizations that do not handle customer information in the way the FTC finds acceptable. For example, the FTC has pursued, and extracted large sums of money from, many website operators and social media platforms that it alleged had failed to carry out the promises those companies had made in their privacy policy statements, on the grounds that such shortcoming were "deceptive acts" (and more recently, also "unfair"). Privacy lawyers have observed that the FTC seems to take a very expansive view of its statutory authority in these contexts, but most companies that have found themselves in the crosshairs of the FTC have settled rather than challenge the FTC's authority (such as Facebook, Twitter and Google, as I've written about here).

Another significant problem with the FTC's broad and ambiguous authority is that the FTC has not been given the explicit authority to write and publish regulations governing privacy and data security generally. As a result, the FTC "regulates by enforcement," meaning the primary way in which we know what will draw the FTC's ire is by looking at the instances in which it has brought enforcement actions in the past and drawing inferences from the court filings and settlement agreements that become public. The obvious problem is that the rules of the game are not given to the players at the outset of the game, and are never made perfectly clear. Only by carefully observing the FTC's public actions and public statements can we begin to infer the kinds of activities that might trigger FTC action. Regulating privacy and information security in this way (after-the-fact punishment based on very broad principles) leaves a lot of room for uncertainty, and many organizations are craving clarity in these areas.

A case pending before the Third Circuit Court of Appeals may result in additional certainty: The FTC brought an enforcement action against Wyndham Hotels following information security lapses by the hotel chain, but Wyndham is fighting back, arguing that the FTC lacks the authority under the FTC Act to bring data security enforcement actions, as well as arguing that the FTC failed to give it fair notice of the security practices the FTC expects. Wyndham further challenges the FTC's claim that its practices were "unfair." (A practice is "unfair" under the FTC Act only if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”)

Because most FTC enforcement actions in this area result in settlement, this is the first time a federal appeals court will be asked to clarify the FTC's role in data security. You can bet privacy and information security lawyers and other InfoSec professionals will be watching this case closely!

In Good Company

It is an honor to see my name among the names of so many fine lawyers across the state in the 2015 "Legal Elite." This year I was listed in the "Business" category, as well as the "Young Guns" category. Business North Carolina magazine surveys more than 20,000 North Carolina lawyers by asking the following question: "Whom would you rate among the current best in these categories [of law]?" The results are compiled, and fewer than 3% of the lawyers in North Carolina are then named to the list.

My sincere thanks go out to all of the lawyers across North Carolina who participated in the peer review process conducted by Business North Carolina magazine. I certainly do appreciate your support. I know that many of you read this blog, and I have the privilege to work with many of you through the North Carolina Bar Association on important issues affecting our state and our profession. I truly appreciate your friendship and trust. I consider it a privilege to be able to recommend several of you for well-deserved recognition, and I am pleased to see some very deserving names on this year's list (although there are several others I wish had also been included). May this new year bring each of you the success and recognition you have earned.