Over the past four years 39 states have enacted laws mandating consumer notifications if there is a theft of personal data from the company computers. The Federal Trade Commission (“FTC”) has also brought enforcement actions against companies for not properly protecting sensitive personal data. These state and federal laws are in addition to general privacy laws and policies that require advance disclosures to those giving personal information.
How can one comply with 39 state laws and with the FTC determinations? This article will provide an overview of how to reduce potential liability. It will also discuss how franchisors with access to customer data of their franchisees should implement mandatory programs for their systems.
Variations Among the Statutes
California was the first state to legislate a response to identity theft in 2003 by enacting Cal. Civ. Code, § 1798.82, et seq., requiring any business or person “that maintains computerized data that includes personal information that the person or business does not own…[to] notify the owner or licensee of the information of any breach of the security of the data, immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Id. at § 1798.29(a). The statutory purpose is to provide sufficient notice to individuals whose personal information has been stolen so they can take steps to prevent thieves from using that information to empty their bank accounts or use their credit cards.
37 states have followed California’s lead by enacting similar consumer notification laws, with legislation currently pending in 10 state legislatures. The requirements of these 37 statutes, while strikingly similar to the California statute, are not uniform, and the remedies and penalties for failing to provide proper notice vary. Some states, like California, permit civil actions by consumers, including class action lawsuits and the recovery of attorney’s fees. Id. at § 1798.84. New York vests enforcement in its state attorney general with the potential for fines up to $150,000. N.Y. Gen. Bus. Law § 899-aa6(a). Fines in Florida can range up to $500,000. Fl. Stat. Ann. 817.5681(1)(b)(2).
On the federal level, the FTC has taken the lead, finding the failure to secure personal data an unfair business practice. 15 U.S.C. § 45(a). Two enforcement actions stand out. In June 2005, the FTC entered into a settlement agreement with BJ Wholesale Club (“BJ”) for not properly protecting the personal information of thousands of its customers. The FTC required BJ to implement a comprehensive information security program that it was required to audit for the next twenty years. In January 2006 the FTC settled with ChoicePoint, a consumer data broker which had compromised more than 163,000 consumer financial records, for a similar 20-year stipulated judgment in addition to $10 million in penalties and $5 million in consumer redress.
The primary goal of this regulatory scheme, both the FTC enforcement actions and the state statutes, is to encourage companies to protect personal data. The state statutes define personal information to include non-public information such as social security numbers, driver’s licenses or state identification cards and an “[a]ccount number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.” 815 Ill. Comp. Stat. 530/5. This past October California amended its statute to include medical and health insurance information. Cal. Civ. Code § 1798.29(e)(4)(5). Many of the statutes encourage companies to protect personal data by maintaining it in encrypted or redacted form, automatically exempting such data from the notification requirement. The FTC in the BJ enforcement action, however, focused on BJ’s failure to employ a whole variety of proper security measures beyond encryption to protect the personal data.
The state notification statutes, unlike the FTC, are principally designed to prevent identity theft by requiring companies to notify individuals when their personal data has been compromised through a data breach. Even if a company that is the subject of a data breach is not located in one of the 39 states where notification laws exist, notification is required if the company conducts business in a state where an individual whose data was compromised resides. See e.g. Id. at § 1798.82(a). Each of the 39 state statutes sets forth various ways this notification may be accomplished. These may include direct mailing, emailing, telephonic and public notices, and in some situations posting notice of the breach on a public website.
The timing of the notice is obviously critical. The California statute, like most of the other 37 states, requires the notice to “be made in the most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1789.29(a). Wisconsin defines a reasonable time as “not to exceed 45 days after the entity learns of the acquisition of personal information.” WI ST 895.507(3). Texas requires notification “as quickly as possible.” Tex. Bus. & Com. Code, § 48.103(b). Also, most of the statutes permit notifications in accordance with “an information security policy” so long as its “procedures are otherwise consistent with the timing requirements” of the statute. See e.g. Del. Code Ann. tit. 6 § 12B-103. There are exceptions to the timing of the notification that must be consulted.
The key practical issue as to notification arises in the ambiguous circumstance where there may not be sufficient evidence to conclude that personal information “is reasonably believed to have been acquired by an unauthorized person.” Cal. Civ. Code 1798.29(a). For most businesses, this is a critical issue, since the fact of notification does not send a positive message to customers, who will likely blame the business for mishandling their personal data. For example, the fact that two customers who used their credit cards on a website report to the website owner that there has been a fraudulent use of their credit cards does not necessarily mean that there has been a data breach of all of the website’s credit card information. Whether the fraudulent use of these two credit cards is coincidental or is the result of a security breach can only be resolved by a thorough investigation. Some state statutes give guidance on the required investigation to determine the likelihood that personal information will be misused for identity theft or fraud purposes.
Some franchisors, such as those in the hotel industry, attempt to control all customer data, in part to reduce liability under the privacy laws. Franchisees generally prefer to own their customer data, and may resist franchise agreements that give franchisors control of such data. Franchisors should at least require franchisees to comply with general privacy laws and with the new notification laws. Franchisors must also warn franchisees that their names and addresses will become public under new FDD Guidelines. However, more sensitive franchisee data must be protected under general privacy laws and the new notification laws.
Measures to Reduce Liability
- Protect personal information in the company computers through encryption, redaction and other security measures. The protection of personal information should be a prime focus of any corporate compliance program. For that reason, the New York Stock Exchange (“NYSE”) requires its members to establish a compliance program that includes the protection of “all non-public information that might be…harmful to…its customers, if disclosed.” NYSE’s Listed Company Manual, § 303A, ¶ 10.
- Conduct an immediate investigation whenever facts emerge that suggest a breach of personal data. A plan should be in place to deal with data breaches so an informed decision can be made immediately whether notice needs to be provided to law enforcement or consumers or whether the company should employ self-help by filing an immediate court action to retrieve the stolen data.
- Notify the appropriate law enforcement agency if it is determined that a security breach occurred. Research state laws.
- Maintain accurate and complete documentation whenever the possibility of a data breach is raised: the facts known about the alleged breach, the steps taken to determine whether a breach occurred, and all communications with law enforcement. It is critical to create a contemporaneous record that may later be viewed by government regulators or private litigants, particularly if the decision is made not to notify consumers or law enforcement, to show that the company acted expeditiously and responsibly in its response to the data breach.
- Franchisors should require franchisees in their franchise agreements to comply with these notification laws and with general privacy laws. The franchise agreement should allow the franchisor to take each of the steps outlined above. For customer and franchisee data under their control, franchisors should take the same steps as do other companies, outlined above.
The article "Protecting Personal Data in Franchise System: New Notification Laws" was originally published in The National Law Journal, December 3, 2007.