Navigating Some Uncertain Waters in Michigan's New Security Breach Notification Law
Source: Privacy & Data Security Law Journal
Prior to February of 2005, most people never gave much thought to security breaches nor really considered how a breach could impact their lives. That changed when ChoicePoint, a data aggregator, provided notice to 35,000 California residents that data thieves had been allowed to access their records.1 Within a week's time, ChoicePoint acknowledged that 145,000 individuals across the country had been impacted,2 and ultimately admitted that 163,000 individuals' information had been involved.3 The dust hadn't even settled on this news when Bank of America announced that it had lost backup tapes with information on 1.2 million customers, followed in short succession by announcements of data breaches at a number of other organizations, including LexisNexis, Boston College, the Georgia Department of Motor Vehicles and DSW/Retail Ventures.4 Based on public disclosures beginning in January of 2005, the Privacy Rights Clearinghouse estimates that there have been more than 158 million records containing sensitive personal information involved in security breaches.5
Why were these security breaches suddenly showing up in the news? It was not just because newspaper editors one day suddenly decided that these were newsworthy events. Rather, it was a change in the law that allowed the information to become publicly available. California was the first state to enact a security breach notification law, which went into effect in July 2003.6 This law required ChoicePoint to disclose its security breach to California residents.7 As the media continued to report more security breaches during the following weeks, it became apparent that security breaches were happening at a greater rate than anybody expected. Many states rushed to enact their own versions of a notification statute.8
By January 2007, 35 states had enacted security breach notification laws.9 In general terms, these laws can be separated into three groups: (1) those that require notification when an unauthorized person has accessed personal information,10 (2) those that require notification when there has been unauthorized access unless the data holder determines that misuse of the information or harm is unlikely to result from the breach,11 and (3) those that require notification only if there is unauthorized access and the data holder determines that misuse or harm is likely to occur.12
Michigan's law is the 35th to be enacted and took effect on July 2, 2007.13 This new law takes the second approach described above, requiring notification unless the database owner determines that harm is unlikely. The law is not without its flaws. Given the difficulty of determining whether harm is unlikely, most database owners who discover a security breach will likely end up having to provide notification. Moreover, the law does not even seem to require a database owner to conduct any type of reasonable investigation of suspicious activity in order to determine whether a security breach has occurred. While other laws may fill in this gap, this is a puzzling oversight for what is essentially a consumer protection law.
Despite the flaws in the statute, organizations that have information about Michigan residents should take the time to understand the law. Moreover, this is also a good opportunity to examine security practices, as the best way to avoid liability under the statute is to avoid security breaches in the first place. Even though the new statute does not specify any technical or physical requirements for security, the underlying assumption behind notification statutes is that a database owner will take appropriate precautions to protect information if it has to disclose its failure to do so. Not only does the database owner receive adverse publicity in the event of a disclosed security breach, it may also face costly regulatory investigation and class-action lawsuits.14 Sound security practices may be a cheap investment compared with these costs.
DETERMINING WHETHER A DUTY TO NOTIFY ARISES
Michigan's new security breach notification law broadly applies to all "persons" and "agencies" with "data" who discover a "security breach."15 "Persons" include individuals, partnerships, corporations, limited liability companies, associations, or other legal entities.16 "Agencies" include departments, boards, commissions, agencies, authorities, or other units of Michigan state government, including institutions of higher education, but excluding circuit, probate, district, or municipal courts.17
Although the application of the law is broad, it is fairly specific as to the information at issue. "Data" means computerized "personal information," which is a first name or first initial and last name of a Michigan resident linked to at least one of three key data elements:
- a social security number;
- a driver's license number or state personal identification card number; or
- a demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code or password that would permit access to any of the resident's financial accounts.18
Under these definitions, the statute imposes no duty to notify if a breach involves only paper records. Moreover, electronic databases of mailing addresses or consumer profiles that lack one of the three key data elements also fall outside the scope of the statute.
A duty to notify arises only if there has been a security breach. A "security breach" occurs if there is unauthorized access and acquisition of data that compromises the security or confidentiality of personal information that the database owner maintains as part of a database of personal information regarding multiple individuals.19 Although the term "database" is not defined, unauthorized access to a single record not part of a more extensive database would presumably not trigger a duty to notify. The statute also has an exception for unauthorized access by an employee or other individual if (1) the employee or other individual acted in good faith in accessing the data, (2) the access was related to the activities of the agency or person, and (3) the employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.20 Thus, if an employee in the course of performing his or her job duties inadvertently pulls up the wrong record from an electronic database, notification will not be required as long as there is no misuse of the data.
The new statute recognizes that encryption may protect the data even if there is a security breach. A duty to notify arises only if (a) the personal information was unencrypted and unredacted, or (b) the personal information was encrypted but was accessed by a person with unauthorized access to the encryption key.21 Information is considered redacted if it has been altered or truncated to no more than four sequential digits of a driver's license number, state personal identification card number or account number, or to no more than five sequential digits of a social security number.22 The statute does not set specific requirements as to the level of encryption that must be used, but it does define "encrypted" in terms of a "low probability" of the data being readable or usable.23 Thus, weak encryption that is easily cracked is unlikely to qualify as "encrypted."
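As an added illustration (not part of the article, and not an implementation anyone has validated against the statute), the following Python check applies the definitions just described, the three key data elements, the redaction thresholds and the encryption-key exception, to rows of a hypothetical breached file in order to scope which records count as "personal information." The record layout, the sample rows, and the reading of "sequential digits" as the number of digits left after masking are assumptions; the harm-likelihood and good-faith-employee exceptions are judgment calls and are deliberately not modelled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Redaction thresholds from the statute: a value is "redacted" once it has been
# altered or truncated so that no more than this many digits remain.
# Assumption: "sequential digits" is read as the count of digits left after
# masking, so a formatted SSN such as 123-45-6789 is not treated as redacted
# merely because its hyphens break up the digit runs.
MAX_DIGITS = {"ssn": 5, "license": 4, "account": 4}


@dataclass
class Record:
    """One row of a hypothetical breached file (layout assumed, not from the article)."""
    first_name: str                 # full first name or first initial
    last_name: str
    michigan_resident: bool
    ssn: Optional[str] = None
    license: Optional[str] = None   # driver's license or state ID card number
    account: Optional[str] = None   # deposit/financial account, credit or debit card number
    account_credential: Optional[str] = None  # security code, access code or password


def digit_count(value: Optional[str]) -> int:
    """Number of digits in a value after formatting characters are removed."""
    return len(re.sub(r"\D", "", value or ""))


def is_redacted(value: Optional[str], element: str) -> bool:
    """True if the element is absent or reduced to the permitted number of digits."""
    return digit_count(value) <= MAX_DIGITS[element]


def redact(value: str, element: str) -> str:
    """Truncate to the last permitted digits, masking everything else."""
    digits = re.sub(r"\D", "", value)
    keep = MAX_DIGITS[element]
    return "*" * max(len(digits) - keep, 0) + digits[-keep:]


def exposed_elements(rec: Record) -> List[str]:
    """Key data elements that are present and not redacted for this record."""
    found = []
    if not is_redacted(rec.ssn, "ssn"):
        found.append("ssn")
    if not is_redacted(rec.license, "license"):
        found.append("license")
    # An account or card number counts only in combination with a security
    # code, access code or password that would permit access to the account.
    if not is_redacted(rec.account, "account") and rec.account_credential:
        found.append("account")
    return found


def is_personal_information(rec: Record) -> bool:
    """Name (first name or initial plus last name) of a Michigan resident
    linked to at least one unredacted key data element."""
    has_name = bool(rec.first_name.strip()) and bool(rec.last_name.strip())
    return has_name and rec.michigan_resident and bool(exposed_elements(rec))


def duty_to_notify(records: List[Record], *, computerized: bool,
                   encrypted: bool, key_compromised: bool) -> Tuple[bool, int, str]:
    """Apply the definitional gates in order; returns (duty, affected_residents, reason)."""
    if not computerized:
        return False, 0, "paper records only: outside the definition of data"
    affected = [r for r in records if is_personal_information(r)]
    if not affected:
        return False, 0, "no personal information of Michigan residents exposed"
    if encrypted and not key_compromised:
        return False, len(affected), "encrypted and the encryption key was not accessed"
    reason = ("encrypted, but the encryption key was accessed" if encrypted
              else "unencrypted and unredacted personal information exposed")
    return True, len(affected), reason


# Constructed sample rows (fictitious people and numbers).
SAMPLE = [
    Record("Jane", "Doe", True, ssn="123-45-6789"),
    Record("J", "Roe", True, account="4111 1111 1111 1111", account_credential="123"),
    Record("Pat", "Lee", True, account="4111 1111 1111 1111"),  # no code: out of scope
    Record("Sam", "Kim", True, license=redact("S123456789012", "license")),  # redacted
    Record("Ana", "Cruz", False, ssn="987-65-4321"),  # not a Michigan resident
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.first_name} {r.last_name}: {exposed_elements(r)}")
    print(duty_to_notify(SAMPLE, computerized=True, encrypted=False, key_compromised=False))
```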
Finally, the statute does not require notification if the database owner can establish that the breach is not likely to cause substantial loss or injury to or result in identity theft with respect to one or more Michigan residents.24 In determining whether the breach is likely to cause harm, the statute requires that the database owner act with the care an ordinarily prudent database owner in like position would exercise under similar circumstances.25 Thus, once a database owner determines that a security breach has occurred, the owner cannot conclude that harm is unlikely without a reasonable investigation.
THE NOTIFICATION OBLIGATION
Under the new Michigan law, once a duty to notify arises, the database owner must provide notification "without unreasonable delay."26 The statute provides two exceptions to this rule: (1) while taking measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database (provided that notice is given without unreasonable delay once these measures have been carried out), and (2) if a law enforcement agency determines and advises the database owner that providing notice will impede a criminal or civil investigation or jeopardize homeland or national security (provided that notice is given without unreasonable delay once the law enforcement agency determines that notice will no longer impede the investigation or jeopardize homeland or national security).27 These two exceptions suggest that the database owner should be counting the time in days, rather than weeks, when determining the proper time frame for notification.
The statute provides options for providing notice to those Michigan residents whose information is at risk. The notice may be a traditional paper notice, electronic notice or telephone notice, provided that the various requirements of the notice are met.28 When the costs of providing notice are high, the statute also allows for a substitute form of notice.29 All forms of notice must comply with the statute's content requirements.30
The simplest rule deals with delivery of a written, paper form of notice. For this kind of notice, the statute simply requires that the database owner send notice to the recipient's postal address as stated in the database owner's records.31 The law does not seem to impose any obligation to try to verify whether the information is still up-to-date.
To provide electronic notice, the statute requires the database owner to satisfy one of three alternative sets of conditions. Under the first alternative, the recipient must have expressly consented to receive electronic notice.32 Thus, a consumer, as part of a purchase transaction, could sign a document in which the consumer provides his or her e-mail address and consents to electronic notification of a security breach. A second option permits electronic notification if the database owner has an existing business relationship with the recipient that includes periodic electronic mail communications and the database owner reasonably believes that it has the recipient's current e-mail address.33 Under this particular test, a business with an internal e-mail system should be able to use that system to alert its employees of a security breach involving employee data.34 However, delivering an e-mail message to a retiree or other individual outside of the e-mail system is more problematic, as information on e-mail addresses may not be as reliable.
The third alternative for e-mail notice applies to a database owner that conducts its business primarily through Internet account transactions or on the Internet.35 The statute allows the database owner in this situation to rely on the e-mail address in its records.
The third method of providing notice is by telephone.36 The statute permits this method only if telephone notice is not otherwise prohibited by state or federal law.37 Also, the notice cannot use a recorded message in whole or in part.38 Finally, either the individual must have expressly consented to receive notice by telephone, or the database owner must give notice by mail or e-mail if telephone contact is not made with the recipient within three business days of the initial attempt.39 Under these requirements, it appears that the database owner must have an actual conversation with the recipient, as messages left on an answering machine would apparently violate the prohibition on use of recorded messages.
If the cost of providing notice in writing, electronically or by telephone would exceed $250,000, or if the number of Michigan residents to be notified exceeds 500,000, then the database owner can rely on a substitute form of notice.40 To achieve substitute notice, the database owner must do each of the following: (1) provide electronic notice to all residents for whom the database owner has an e-mail address; (2) if the database owner has a Web site, post a conspicuous notice about the data breach on the Web site; and (3) notify major statewide media, which must include a telephone number or a Web site address that a person may use to obtain additional assistance and information.41 The regulations also provide an alternative method of notice for a public utility, which may include a notification sent in conjunction with the monthly billing statement.42 The statute also sets forth content requirements for the notice. Every notice must clearly and conspicuously communicate the following information:
- Describe the security breach in general terms;
- Describe the type of personal information involved in the unauthorized use or access;
- If applicable, describe what the database owner providing the notice has done to protect the data from further security breaches;
- Include a telephone number where the recipient may obtain assistance or additional information; and
- Remind the recipient of the need to remain vigilant for incidents of fraud and identity theft.43
In some instances, the statute also requires the database owner to notify consumer reporting agencies of the breach.44 The notification must include information on the total number of notices sent out to Michigan residents and the timing of those notices. Notification of consumer reporting agencies is not required if the breach involved 1,000 or fewer Michigan residents or the database owner is subject to Title V of the Gramm-Leach-Bliley Act.45
The notification provisions outlined above apply to the database owner.46 The law recognizes that sometimes the database is maintained by a service provider or other third party. When this other party learns that a security breach has occurred, its duty under the statute is simply to provide notification to the database owner.47 Thus, regardless of whether the database owner maintains the database or has a third party maintain the database, it is the database owner who will ultimately be held accountable for providing notice to Michigan residents of a security breach.48 When contracting with a third party who will maintain the database, database owners should ask probing questions about the third party's security practices and should consider including contractual promises regarding such security practices.
Finally, the law recognizes that some database owners may be subject to notification requirements under the privacy regulations of the Health Insurance Portability and Accountability Act, or HIPAA, or under financial institution regulations. In those cases, compliance with those regulations will be deemed compliance with the new notification law.49
CONSEQUENCES OF FAILING TO PROVIDE NOTICE
Failure to provide a notice of a security breach can be costly under the new Michigan notification law. If a database owner knowingly fails to timely provide notice, the Michigan Attorney General or a prosecuting attorney may seek a civil fine of up to $250 for each individual letter that the database owner failed to send.50 The statute caps aggregate liability arising from any one security breach at $750,000.51 Moreover, the database owner may still be subject to civil remedies under other state or federal laws.
Recognizing that phishers and other scammers often make claims of security breaches as an inducement to obtain personal information from unsuspecting victims, the new law makes a fraudulent notice of a security breach a misdemeanor punishable by up to 30 days in prison and/or a fine of up to $250 for each violation.52
The new notification law also includes a requirement that once personal information concerning an individual is removed from a database, the database owner must destroy that information if it is not being retained for some other legitimate purpose.53 A person who fails to destroy the information may be guilty of a misdemeanor punishable by a fine of up to $250.54 Destruction requires shredding, erasing or otherwise modifying the data so that it cannot be read, deciphered, or reconstructed through generally available means.55 The regulations also clarify that a person who is subject to and in compliance with any federal law concerning the disposal of records containing personal identifying information will be considered in compliance with the new law.56
JUDGMENT CALLS UNDER THE NEW LAW
As noted above, the new law does not always require notification, particularly if the information was encrypted (assuming the encryption key was not compromised) or if the data owner determines that harm or identity fraud is unlikely to occur.57 Of course, whether a database owner will be able to make such determinations is fairly problematic. Assuming that a database owner even recognizes that a data breach has occurred, how will it be able to determine whether there is a significant risk of harm to individuals? This would likely require being able to determine who improperly accessed the information and then determining his or her motive. If the improper access was an inside job, it may be possible for an organization to identify the culprit and reach some kind of reasonable conclusion; but if the breach resulted from an external hack, it may be extremely difficult for an organization to reach any sort of conclusion as to the hacker's motivation.
Thus, in the event of a security breach, the database owner will have to make some decisions as to whether notification is required. The following scenarios demonstrate some of the judgment calls a database owner might have to make in order to determine whether notification is required under Michigan's new law.
Loss of Computer Backup Tapes
Suppose that XYZ Company uses Reliable Shipping Company to ship backup tapes to an off-site storage facility. One day, some of the tapes do not arrive. An investigation determines that Reliable Shipping cannot account for one of the boxes that it picked up from XYZ. Does XYZ have a duty to notify?
Because notification is unnecessary if XYZ reasonably determines that harm or identity fraud is unlikely, there are a number of factors to take into account, such as whether the tapes were simply misdelivered to someone with no interest in their contents, are simply lost somewhere in a Reliable warehouse, or were the object of a targeted theft by someone specifically interested in their contents. It may be impossible, however, to draw any firm conclusions on this issue, especially in the short time frame that the statute seems to contemplate for notification.58
The first place that XYZ may want to start is to determine what information was on the missing tapes. If the tapes did not have any personal information on them (e.g., social security numbers, driver's license numbers, bank account or credit card numbers), then there will be no duty to provide notification.
If the tapes did have personal information, then XYZ should determine whether the content was encrypted and how likely it is that any individual currently in possession has the encryption key. Again, this may turn on how likely it is that this was a targeted theft, but if XYZ has trained its employees to follow good security practices, it may be reasonable to assume that whoever currently has the tapes does not have the encryption key. XYZ will want to evaluate where information on the encryption keys is stored and whether there has been an unauthorized access to that information.
If the information was not encrypted, XYZ may simply not have enough information from its investigation to reasonably conclude that harm or identity fraud is unlikely. Given the potential penalties for failure to notify, XYZ may simply decide to err on the side of caution and send out a notification letter.
An Employee Has a Laptop Computer Stolen
Suppose that ABC Company has an employee who travels a lot. One day, the employee's laptop is stolen from his car. Should ABC provide notification to anyone?
Again, the first place to start is to determine what information was on the computer. Hopefully, ABC Company has a good inventory system and can determine what information is stored on the computer. It may very well be that the computer does not have any personal information on it, in which case ABC will not have any duty to notify.
If the computer does have personal information, then the next question will be whether it was encrypted. If it is encrypted, has the employee memorized the encryption key, or had he written it on a Post-it™ note stuck to the computer or in one of the compartments of the computer storage bag? Furthermore, has he been discreet when entering the key while working in public areas? If the employee has been properly trained on and has followed good security practices, ABC might reasonably conclude that notification is not necessary.
If the computer was not encrypted, there might still be a question as to whether the individual who stole the computer has any interest in the information or is more interested in simply making a quick sale on the computer. But even if the thief doesn't appreciate the value of the information on the computer, whoever ultimately ends up with the computer (or its hard drive) might. Unless ABC can recover the computer and determine whether the data has been accessed, ABC will probably want to err on the side of providing notice.
A Hacker Penetrates Firewall
The president of LMN Company arrives at work one day to find his IT director waiting to talk to him. It turns out that overnight a hacker penetrated LMN's firewall. Does LMN have to provide notice?
If LMN has audit trails in place that enable it to assess whether the hacker successfully accessed any of the files, then LMN may be able to determine that the hacker never found the information or could not access the files because they were encrypted. In that case, no notification will be necessary.
If the hacker did access the files, then there may still be a question as to the hacker's motive: Was the hacker simply trying to prove that he or she could access the system or was the hacker hoping to profit from his or her excursion through LMN's computer system? While at one point it may have been true that most hackers were high school or college students who were simply trying to demonstrate that they could penetrate information systems, more and more hackers are part of an organized criminal organization looking for financial gain.59 Unless LMN can identify the hacker and learn what his or her true motivation was, LMN will likely decide to provide notice.
Employee Convicted of Identity Fraud Crime
The human resources manager of QRS Company discovers that Jane Doe, an employee in the HR department, has been convicted of an identity fraud crime. After having some discussions with the local police and prosecutor, the HR manager determines that the evidence used to convict Jane Doe did not involve any information from QRS, but the HR manager is understandably nervous about the fact that the employee had access to personal information about QRS's employees. Is there any duty to notify?
In order to determine its potential duty to notify, QRS must determine whether there was any unauthorized access of the information. If the company has appropriate audit trails in place, it may be able to determine how active Jane Doe had been in accessing files. If audit trails show that she had been accessing an unusual number of files, this could indicate there had been unauthorized access of personal information. In that case, given Jane Doe's recent conviction of an identity theft crime, it would be difficult for QRS to reasonably argue that there was little likelihood of harm or identity theft. QRS Company would probably decide to treat this as a security breach requiring notice to its employees.
On the other hand, if audit trails show that Jane Doe seemed to be only accessing files to perform normal duties, then QRS could reasonably conclude that there had not been a security breach. Should QRS notify its employees anyway? Even if audit trails do not show any unusual activity, it could be that Jane Doe was able to misappropriate personal information from paper documents (which would not give rise to a duty to notify under the Michigan statute), or that she would take information only when she had a legitimate reason to access an electronic file. If it later turns out that QRS employees are victims of identity theft, employees may very well discover that the company knew about Jane Doe but failed to warn its employees, which could leave employees feeling betrayed. Even if not legally required, QRS may want to inform its employees when it first learns of Jane Doe's conviction so as to maintain good employee relations.
Computer Services Company Hosting Data Suffers Security Breach
QRS Company is a small manufacturer of specialty dolls that also sells its products through its Web site. Because it runs a lean operation, QRS has outsourced a lot of its computer operations to Price-Conscious Computing Company. The president of QRS has just received an e-mail from Price-Conscious informing him that a hacker penetrated the Price-Conscious firewall and accessed the QRS customer database, which includes credit card numbers for every transaction ever conducted on the Web site. Assuming that neither QRS nor Price-Conscious can determine the identity or motivation of the hacker, who has a duty to notify?
Unless the contract between QRS and Price-Conscious called for a different arrangement, under the Michigan notification law, the only obligation that Price-Conscious has is to notify QRS. It is then up to QRS to notify its customers about the breach.60 While Michigan law requires notification of only Michigan residents, QRS will also have to look at the laws of the other states (and possibly other countries) in which its customers reside to determine the full extent of its notification duty and the content of the notification letters.
When contracting for hosting services in the future, QRS will want to make sure that it asks detailed questions about the hosting company's security practices. Moreover, it may even want to include specific language in the contract addressing security practices and respective responsibilities of QRS and the hosting company in the event of a breach. But at the end of the day, no hosting service that plans to be around for a long time will be willing to sign an agreement under which it will take responsibility for every and any security breach, as it is simply not economically feasible to protect against every potential security breach.
WILL DELIBERATE IGNORANCE BE A DEFENSE?
The analyses above assumed that the hypothetical database owners experiencing security breaches had in place appropriate audit trails and other tools that would permit them to determine that a breach had occurred. But even with active monitoring, it is quite possible that a security breach will go undetected. The statute is quite specific in requiring discovery or notification of the breach before triggering any kind of notification obligation.61 Thus, failure to identify the breach will be a defense to liability under the statute.
But what if a company hasn't put in place the tools to detect whether a security breach has taken place? Or what if a company deliberately decides not to investigate unusual activity because it would rather not know if there has been a security breach?
While the statute requires a database owner to act with due care when determining whether harm is likely to result from a security breach, the statute does not impose a similar duty to take reasonable action or adopt reasonable controls in order to determine whether a security breach has occurred.62 If read literally, the statute would seem to permit a database owner to simply fail to implement controls to identify suspicious behavior or to even blatantly ignore suspicious behavior.63 In fact, if a database owner can remain blissfully ignorant of a security breach, the database owner could not be convicted for "knowingly" failing to give notice.64 This seems an odd result for a law that is ostensibly meant to be a consumer protection law.
Database owners, however, should not take much comfort in this apparent gap in the statute, as prosecutors may be able to fill the gap by relying on other statutes that may also be implicated by the security breach. For example, the Michigan Social Security Number Privacy Act65 also protects social security numbers. Under this act, a database owner is required to have a policy that "ensures to the extent practicable the confidentiality of the social security numbers."66 While perhaps not an explicit requirement to implement controls that could detect a security breach, this mandate arguably contains an implicit requirement to have such controls in place; otherwise, a database owner could not "ensure" that the records remain confidential.
Moreover, the notification law does not affect the availability of any civil remedy.67 Thus, individuals could potentially sue for damages resulting from a failure to notify. While there is currently no such case law under Michigan law, the Michigan court of appeals, in an unpublished opinion, has found that an organization could be held liable for failing to have adequate policies in place to prevent identity fraud. In Bell v. Local 1023,68 a labor union had an employee who was responsible for maintaining an accurate membership list. The union allowed the employee to take work home, including enrollment records that included social security numbers. The employee's daughter was eventually arrested and convicted for playing a role in misappropriating union members' identities. Those union members who were victims of identity theft then sued the union for negligence.
In defending the negligence claim, the union argued that it could not be held liable for negligence because it had no duty to protect the records. The court, however, rejected this argument. The court found that as a union, the defendant was like a fiduciary with a duty to act in the best interest of its members. This included a duty to protect confidential information about its members, which the union was in the best position to protect.
The court also rejected the argument that identity theft was not a foreseeable consequence. The court noted that while the risk of identity theft may have been low as recently as a decade ago, today the risk was all too commonplace. The court explained:
The crime of identity theft has been gaining momentum in recent years due to the accessibility of identifying personal information, mainly through computer use. In the past, the risk of harm stemming from a worker taking home sensitive information may not have been great. However, with the advancements in technology, holders of such information have had to become increasingly vigilant in protecting such information and the security measures enacted to ensure such protection have become increasingly more complex. As demonstrated by the problems plaintiffs faced after their identities had been appropriated, the severity of the risk of harm in allowing personal identifying information to be taken to an unsecured environment is high.69
Because the union did not have policies and procedures in place to ensure the security of information leaving its premises, the court of appeals ruled that the trial court properly presented the question of negligence to the jury.
The ruling in Bell is an unpublished opinion and therefore not binding precedent in Michigan. Moreover, the ruling relied upon a finding that the union had a fiduciary-like relationship with its members, which may not be true for most database owners who hold information about customers or employees. Even in the absence of a fiduciary-like relationship, however, a court could reasonably find that statutes such as the Michigan Social Security Number Privacy Act and Michigan's new security breach notification act create a standard of care under Michigan law that requires a database owner to take reasonable steps to detect and investigate suspicious activity that could indicate a security breach had occurred.
As demonstrated by the Bell decision, such a ruling would not be much of a stretch. Moreover, a court in North Carolina has made a similar ruling involving medical records protected by privacy and security regulations promulgated under HIPAA. In Acosta v. Byrum,70 the plaintiff brought an action for negligent infliction of emotional distress related to her psychiatrist's failure to control access to medical records. The plaintiff alleged that the treating psychiatrist negligently shared his access code to medical records with an office assistant, who then accessed the plaintiff's records and shared them with third parties. While HIPAA does not provide a private cause of action for violation of its privacy or security regulations, the court found that the plaintiff could cite to HIPAA as evidence of the standard of care. Similarly, a victim of identity theft could argue that a database owner who fails to implement sufficient controls to detect a security breach has also violated a standard of care established by the Michigan Social Security Number Privacy Act or Michigan's new security breach notification law.71
Putting aside the questions of potential legal liability, an organization that fails to have in place adequate controls to detect a security breach is exposing itself to a high degree of risk. Most organizations not only have personal information about employees and customers on their computers but also sensitive financial information, business plans and even intellectual property. An organization that doesn't take steps to control and monitor access to such sensitive information is vulnerable to fraud and theft, which could threaten its very survival. The benefit of potentially avoiding a duty to notify under the Michigan statute may simply not be worth the cost of missing a potentially disastrous security incident.
Moreover, estimates relating to the costs of a security breach suggest that inadequate security practices increase the cost of a security breach. While the discovery, response and notification costs are estimated to be around $50 per record (including costs for legal fees, mailing notification letters, calls to individual customers, call center costs and discounted product offers), lost productivity, increased public attention, regulatory issues and contractual obligations can raise the cost of a data breach to more than $300 per record.72 Poor security practices increase the risk of regulatory penalties that may also carry additional security and audit requirements, loss in a company's customer base, and an obligation to pay restitution, which could drive the costs per record even higher. Sound security practices will probably seem affordable in comparison with such costs.
TECHNICAL AND PROCEDURAL SUGGESTIONS
In light of the potential costs associated with a security breach, a database owner should put in place security best practices that enable detection, quarantine, and remediation of data threats. This will not only enable notification after a security breach event but also may prevent such breaches from happening in the first place. The following is a brief discussion of some basic security practices that all database owners should consider.
Control Where the Data Is Stored
In order to reduce the risk of a security breach that triggers notification, an organization must identify all locations where personal information resides, including nontraditional areas. As information storage costs have fallen, it has become cheaper and more convenient to simply store information. Workforce members store data not just on approved and controlled network drives and storage areas, but also in locations often outside of technical controls and safeguards—such as portable universal serial bus, or USB, drives; personal digital assistants or PDAs; smart cell phones; and remote computers that connect to the company's system via virtual private network, or VPN, connections. Photocopiers and fax machines often have hard drives that store images of every document copied or transmitted. Voice over IP systems also may store unexpected amounts of data. While these devices are convenient, they result in duplication of data in places outside of the defined logging and detection capabilities of normal daily technology controls.
Once an organization has determined where information is stored, it should seek to recall as much information as possible into controlled and monitored devices. The fewer places that sensitive information is stored, the fewer the vulnerabilities that must be dealt with. Strictly monitor and control any data stores that cannot be recalled. Just as importantly, train the workforce to properly handle and store sensitive information--especially information that should never be saved on personal storage devices. A detailed security education program can substantially reduce the risk of a security breach.
Also keep in mind that control is important throughout the entire life cycle of the physical storage device--including its final decommissioning. Simply deleting files or reformatting will not prevent the next owner of the device from recovering sensitive information that had been stored on the device. The best way to prevent the information from being recovered by someone else is to physically destroy the media.
Retain Less Information
Not only should an organization control where information is stored, it should also determine whether it is possible to keep less of it. Once an organization starts to examine its data collection practices, it often finds that more information is captured than needed, and then retained longer than necessary. For example, credit card information rarely needs to be stored in a fully readable format and there may not be any point in retaining the information once the transaction has been successfully completed. Keeping less information means that there is less that can be misappropriated.
Limit Access to Information
Identity theft is as much a crime of opportunity as it is a technical exercise. Therefore, reducing the ability to access information will also reduce an organization's risk. This means knowing which data is sensitive and then restricting access to only those who have a need to use the data.
Because some information needs greater protection and, conversely, some information simply doesn't warrant high levels of protection, an organization should implement a document classification system. Under such a system, the organization will assign a classification to information ranging from information in the public domain (which needs no protection) to highly sensitive information that only a small group of employees may be able to access (which needs the highest level of protection). Under such a classification system, the personal information at issue under Michigan's new security breach notification law would be assigned a classification that permits access by only those who have a need to use the information.
In addition to classifying the information, the organization must identify which individuals or job positions legitimately require access to the information, and then set up its information system with logical controls that permit only authorized individuals to access the information. These rights may even change during the course of a day, as certain individuals may legitimately need to access critical information during normal business hours but would have no reason to access the same information during the middle of the night. Before giving an individual access rights to sensitive information, the organization should also consider performing a background check or screening for criminal background or severe financial debt.
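The classification and need-to-know scheme described above, written out as an added example that is not from the article: a small default-deny access check in Python with per-role clearance levels, dataset entitlements, time-of-day windows, and an audit trail that a reviewer can mine for repeated denials. The roles, datasets and users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Classification(IntEnum):
    PUBLIC = 0        # public domain: needs no protection
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3    # personal information of the kind the statute covers


@dataclass(frozen=True)
class Role:
    name: str
    clearance: Classification                  # highest level the role may read
    need_to_know: frozenset                    # datasets the role legitimately uses
    hours: Optional[Tuple[time, time]] = None  # permitted window; None means any time


class AccessPolicy:
    """Default-deny access checks with an audit trail for spotting suspicious activity."""

    def __init__(self, roles: List[Role], datasets: Dict[str, Classification]):
        self.roles = {r.name: r for r in roles}
        self.datasets = datasets
        self.assignments: Dict[str, str] = {}   # user -> role name
        self.audit: List[dict] = []             # every decision, allowed or not

    def assign(self, user: str, role: str) -> None:
        self.assignments[user] = role

    def check(self, user: str, dataset: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason) and record the attempt for later review."""
        allowed, reason = self._evaluate(user, dataset, when)
        self.audit.append({"when": when, "user": user, "dataset": dataset,
                           "allowed": allowed, "reason": reason})
        return allowed, reason

    def _evaluate(self, user: str, dataset: str, when: datetime) -> Tuple[bool, str]:
        if dataset not in self.datasets:
            return False, "unknown dataset"
        level = self.datasets[dataset]
        role = self.roles.get(self.assignments.get(user, ""))
        if role is None:
            return False, "user has no assigned role"
        if level == Classification.PUBLIC:
            return True, "public information"
        if level > role.clearance:
            return False, f"{level.name} exceeds role clearance {role.clearance.name}"
        if dataset not in role.need_to_know:
            return False, "no need to know"
        # Rights may differ by time of day: a clerk has no reason to read PII at 3 a.m.
        if role.hours and not (role.hours[0] <= when.time() < role.hours[1]):
            return False, "outside permitted hours"
        return True, "authorized"

    def suspicious_users(self, threshold: int = 3) -> Set[str]:
        """Users with at least `threshold` denied attempts: a signal worth investigating."""
        counts: Dict[str, int] = {}
        for entry in self.audit:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return {user for user, n in counts.items() if n >= threshold}


def build_demo_policy() -> AccessPolicy:
    """Constructed sample roles, datasets and users (hypothetical, not from the article)."""
    roles = [
        Role("billing_clerk", Classification.RESTRICTED, frozenset({"customer_pii"}),
             hours=(time(8, 0), time(18, 0))),          # business hours only
        Role("hr_admin", Classification.RESTRICTED, frozenset({"payroll"})),
        Role("marketing", Classification.INTERNAL, frozenset()),
    ]
    datasets = {
        "price_list": Classification.PUBLIC,
        "customer_pii": Classification.RESTRICTED,     # names with SSNs or account numbers
        "payroll": Classification.RESTRICTED,
    }
    policy = AccessPolicy(roles, datasets)
    policy.assign("alice", "billing_clerk")
    policy.assign("bob", "marketing")
    return policy
```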
Implement a Risk-Based Security Standard
Once a company has consolidated its data and defined who may access the data, it can implement a risk-based system to cost-effectively control the risk of a security breach. A number of such standards are available, including the current HIPAA security standards, Sarbanes-Oxley § 404 compliance requirements, Payment Card Industry Cardholder Information Security Program guidelines, Gramm-Leach-Bliley security standards and National Institute of Standards and Technology recommendations.73
A key component of these standards is a detailed risk analysis that examines current infrastructure, data sets, and personnel procedures to evaluate the actual exposure to both internal and external threats. Once risks are identified, the organization can prioritize which risks to address immediately, which ones to address as it upgrades hardware and software and which risks it will tolerate. These standards also address strong password technology, appropriate intrusion prevention technology, and configuration of detailed logging and monitoring procedures for critical and sensitive data stores. Ultimately, the organization will use the standard to develop a comprehensive security plan that provides protection and monitoring of sensitive information during access, transport, and storage.
Use Encryption and Secure Transmissions
As noted above, portable storage devices are becoming more and more popular. As the number of portable storage devices that an organization's workforce uses increases, the risk also increases that such a device storing personal information (or other sensitive information that the organization would rather not see become public) will be lost or stolen. As noted above, Michigan's security breach notification law will not require notification if the information was appropriately encrypted (assuming that the data thief has not obtained the encryption key). Encryption, therefore, can significantly control the risk of loss, especially when combined with training on good password protection practices.
Similarly, information transmitted via an insecure medium such as public e-mail or an internal local area network, or LAN, may be misdelivered or even intercepted. Employees should be trained on how to encrypt personal information and other sensitive data before attaching it to e-mail. Also, workforce members accessing system resources from remote locations should use virtual private networks, or VPNs, or similar technology that encrypts the transmission. An organization should provide specific training to individuals who work from remote locations focused on safe practices for accessing system resources.
Michigan's new security breach notification law falls within the group of laws that require notification unless the database owner reasonably determines that there is no risk of harm resulting from a discovered security breach. Given how problematic it may be to determine the risk of harm, most database owners will likely want to err on the side of providing notice in order to avoid penalties under the statute. A notable gap in the statute is that it does not require reasonable controls to detect a security breach or even reasonable investigation of suspicious activity to determine whether a security breach has occurred. Nevertheless, database owners who have personal information about Michigan residents will want to have in place reasonable, cost-effective controls to prevent security breaches, as the cost of such controls will likely be less than the cost of a security breach.
1 See ChoicePoint Breach Worse Than First Reported, ConsumersAffairs.com, February 22, 2005, available at http://www.consumerafairs.com/news04/2005/choicepoint_worse.html.
2 Id. (as reported on May 11, 2007).
3 See FTC Press Release: ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, January 26, 2006, available at http://www.ftc.gov/opa/2006/01/choicepoint.htm.
4 See Privacy Rights Clearinghouse, A Chronology of Data Breaches, available at http://www.privacyrights.org/ar/ChronDataBreaches.htm.
5 Id. (as of July 9, 2007).
6 See Cal. Civ. Code § 1798.82 (2007). See also Privacy Rights Clearinghouse Press Release: California Security Breach Notification Law Goes into Effect July 1, 2003, June 23, 2003, available at http://www.privacyrights.org/ar/SecurityBreach.htm.
7 See National Conference of State Legislatures, 2005 Breach of Information Legislation database, available at http://www.ncsl.org/programs/lis/cip/priv/breach05.htm.
8 See National Conference of State Legislatures, 2005 Breach of Information Legislation database, available at http://www.ncsl.org/programs/lis/cip/priv/breach05.htm.
9 National Conference of State Legislatures, State Security Breach Notification Laws database, available at http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
10 This is the rule in California (Cal. Civ. Code § 1798.82 (requiring notification upon discovering or being notified that "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Florida (Fla. Stat. § 17.5681 (stating notification required upon determining that "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Georgia (Ga. Code § 10-1-912 (triggering notification upon discovery or notification that "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Louisiana (La. Rev. Stat. § 51:3073 & 3074 (requiring notification of any state resident "whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Maine (Me. Rev. Stat. Tit. 10 § 1348 (mandating notification to residents "whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Minnesota (Minn. Stat. § 325E.61 (triggering notification when "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Nevada (Nev. Rev. Stat. 603A.220 (triggering notification upon discovery or notification that "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); New Jersey (N.J. Stat. 56:8-163 (mandating notification if "personal information was, or is reasonably believed to have been, accessed by an unauthorized person")); New York (N.Y. Bus. Law § 899-aa (triggering notification duty if "private information was, or is reasonably believed to have been, acquired by a person without valid authorization")); North Dakota (N.D. Cent. Code § 51-30-02 (requiring notification if "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Oklahoma (Okla. Stat. 74-3113.1 (mandating notification if "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); Tennessee (Tenn. Code § 47-18-2107 (imposing a duty to notify if "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")); and Washington (Wash. Rev. Code § 19.255.010 (requiring notification if "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person")). Possibly less stringent is the Illinois law, which simply requires notification upon discovery or notification of the breach, but does not seem to require such notification when it is only reasonably likely that a breach has occurred. 815 Ill. Comp. Stat. 530/15. Georgia law also requires notification upon discovery that "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person," but applies only to data brokers. Ga. Code §§ 10-1-911(1) & 912(a).
11 This is the approach taken in Arkansas (Ark. Code 4-110-105(a)(1) & (d) (requiring notification upon discovery of a breach unless the data holder "determines that there is no reasonable likelihood of harm to customers")); Colorado (Col. Stat. 6-1-716(2)(a) (stating that notification is required if the database owner becomes aware of a breach of security of its system, "unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur")); Connecticut (Conn. Gen. Stat. 36A-701b(b) (requiring notification following discovery of security breach unless the data holder "reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed")); Michigan (MCL § 445.72(1) (imposing duty on database owner to notify upon discovery or notification of a data breach unless the database owner "determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft")); New Hampshire (N.H. Rev. Stat. § 359-C:20(I)(a) (imposing duty on data owner, upon discovering a data breach, to determine whether a misuse of the information has occurred, and requiring notification if misuse of the information has occurred or is reasonably likely to occur, or "if a determination cannot be made")); Rhode Island (R.I. Gen. Laws § 11-49.2-3(a) (requiring the database owner to disclose any breach that poses a significant risk of identity theft unless, after appropriate investigation or consultation with relevant law enforcement agencies, the data holder determines that "the breach has not and will not likely result in a significant risk of identity theft")); and Wisconsin (Wis. Stat. § 895.507(2)(a) & (cm)(1) (mandating notification if the database owner knows of a security breach, unless the unauthorized acquisition of data "does not create a material risk of identity theft or fraud to the subject of the personal information")). Vermont appears to take a more stringent approach, triggering notification following discovery or notification of the breach, unless the data holder "establishes that misuse of personal information is not reasonably possible" and requiring notice of this determination to the Vermont attorney general or appropriate department of banking, insurance, securities or health care administration, depending on whether the data collector is licensed by such an oversight agency. Vt. Stat. Tit. 9 § 2435(b)(1) & (d)(1).
12 This is the law in Arizona (Ariz. Rev. Stat. § 44-7501(L)(1) (triggering notification duty if database owner becomes aware of unauthorized acquisition and access "that causes or is reasonably likely to cause substantial economic loss to an individual")); Delaware (De. Code § 12B-102(a) (requiring notification if the database owner's investigation of a discovered security breach determines that "misuse of information about a Delaware resident has occurred or is reasonably likely to occur")); Hawaii (Hawaii Rev. Stat. § 487N-1 (requiring notification upon discovery of unauthorized access where "illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person")); Idaho (Id. Code § 28-51-105(1) (mandating notification if the database owner's investigation of a security breach determines that "misuse of information about an Idaho resident has occurred or is reasonably likely to occur")); Indiana (Ind. Code § 24-4.9-3-1 (requiring notification if the database owner "knows, should know, or should have known" that a discovered breach has resulted in or could result in identity deception, identity theft, or fraud)); Kansas (Kansas Stat. § 50-7a01(h) (triggering notification upon the database owner's discovery of a security breach that "causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer")); Montana (Mont. Code § 30-14-1704(4)(a) (triggering notification duty if database owner discovers unauthorized acquisition that "causes or is reasonably believed to cause loss or injury")); Nebraska (Neb. Rev. Stat. § 87-803(1) (requiring notification if the investigation of a discovered security breach determines that "use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur")); North Carolina (N.C. Gen. Stat. § 75-61 (identifying the trigger point for notification as the discovery of unauthorized access "where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer")); Ohio (Ohio Rev. Code § 1349.19(B)(1) (triggering notification upon discovery of a security breach that "causes or reasonably is believed will cause a material risk of identity theft or other fraud")); Pennsylvania (73 Pa. Cons. Stat. 2302 (requiring notification if the database owner discovers a security breach "that causes or the entity reasonably believes has caused or will cause loss or injury")); and Utah (Utah Code § 13-44-202(1)(a) (mandating notification if the database owner becomes aware of security breach and determines that "misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur")).
13 2006 PA 566 (amending 2004 PA 452), codified at MCL 445.63 et seq.
14 For example, the FTC brought charges against ChoicePoint for its flawed data protection process, which ChoicePoint settled for $10 million in civil penalties and $5 million in consumer redress (See Federal Trade Commission Press Release, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, January 26, 2006, available at http://www.ftc.gov/opa/2006/01/choicepoint.shtm), and TJX Corporation, which announced a security breach in January of 2007 involving over 45 million customer records, faces a class action lawsuit by three banking associations (See Massachusetts Bankers Association Press Release: Massachusetts, Connecticut Bankers Associations and the Maine Association of Community Banks and Individual Banks File Class Action Lawsuit Against TJX Companies Inc., April 24, 2007, available at https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf).
18 MCL 445.63(e) & (p).
28 MCL 445.72(5)(a), (b) & (c).
41 MCL 445.72(4)(d)(i), (ii) & (iii).
42 See MCL 445.72(11).
49 MCL 445.72(9) & (10).
59 D. Sieberg, Hackers Shift Focus to Financial Gain, CNN.com, September 26, 2005, available at http://www.cnn.com/2005/TECH/internet/09/26/identity.hacker/.
62 MCL 445.72(3) states: "Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach under subsection (2), shall provide a notice of the security breach to each resident of this state. . . ." Moreover, at MCL 445.63(b), the statute defines "security breach" to mean the "unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals." Neither provision (nor any other provision in the statute) requires a database owner to take reasonable steps to determine that a security breach has actually occurred.
63 By way of contrast, California's statute requires notification "following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Cal. Civ. Code § 1798.82(a). While this is admittedly subject to more than one interpretation, it certainly suggests an affirmative duty to determine whether someone has acquired personal information.
64 See MCL 445.72(13) (making liability contingent on "knowingly" failing to provide notice).
65 2004 P.A. 454.
68 Case No. 246684 (Feb. 15, 2005), available at http://courtofappeals.mijud.net/documents/OPINIONS/FINAL/COA/20050215_C246684_55_246684.OPN.PDF.
69 Id. at pp. 5-6.
70 638 S.E.2d 246 (N.C. Ct. App. 2006).
71 In addition to the Michigan statutes, plaintiffs would likely cite a number of standards promulgated by standard-setting organizations and under federal statutes, including: ISO/IEC 17799 (available at http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3); the Standard of Good Practice published by the Information Security Forum (available at http://www.isfsecuritystandard.com/index_ie.htm); the 800 series of special publications by the National Institute of Standards and Technology (available at http://csrc.nist.gov/publications/nistpubs/); the Payment Card Industry Data Security Standard (available at https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf); the HIPAA security rules (45 CFR 164.302-.318); and security regulations under Gramm-Leach-Bliley (see, e.g., FTC regulations at 16 CFR Part 314).
72 See K. Kark, Security Breaches Cost $90 To $305 Per Lost Record, InformationWeek.com, April 11, 2007, available at http://www.information-week.com/news/showArticle.jhtml?articleID=199000222.
73 C. Norris and T. Cadel, By Addressing Security Companies Avoid Public Scrutiny, Techtarget.com, March 28, 2007, available at http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1244606,00.html?bucket=ETA&topic=303582l.