Saturday, August 06, 2005

CLE PROGRAM: Information Security and Dealing with Information Security Breaches

Information Security Panel

This panel included speakers with a wealth of information about the current state of information security breach notification laws, the experiences of companies who have suffered a breach, and the legislative response to this situation.

Here are a few highpoints of many of the presentations.

Julie Brill
Assistant Attorney General, Vermont

Ms. Brill briefly reviewed some of the litigation filed by state Attorneys General in response to companies failing to provide notification to citizens of a state when the companies suffer security breaches. The CDRom for the Annual Meeting contains the testimony presented by the State Attorneys Generals at the recent hearings on consumer notification. That testimony includes a comprehensive list of the known security breaches that affected consumer accounts. She estimated that approximately 50 million consumers have been affected by security breaches.

Ms. Brill encouraged everyone to read the new state breach notification laws to ensure they can appreciate the subtle variety in the laws. She also commented that some of press reports about the new states laws have contain inaccuracies. To the extent the state notification laws differ, she felt the differences were largely in respect to how much of the OCC guidance was included in the state law.

Ms. Brill also summarized what she thought were the differences between the OCC Guidance and the majority of the state laws:
  • The definition of the information that triggers an obligation to notify is broader in the OCC Guidance
  • The language that describes whether notice must be given is more ambiguous
  • The OCC Guidance requires notification whether the information acquired was encrypted or not
  • The OCC Guidance also covers paper information as well as computerized information

She commented that the argument that the state laws lack uniformity is a red herring. She believes the state laws are similar enough that we have, effectively, uniform legislation.

She also does not agree there is a risk that consumers may become “numb” from receiving security breach notifications too often. She believes consumers are responding appropriately and that they are right to be very concerned about these breaches. She believes the breach notifications are an incredible educational tool that are beginning to help consumers learn what they must do to protect themselves from the risks of Identity Theft. Until American business changes its practices and improves the security of consumer information, the breach notifications will continue to be a good tool that has value.

She commented that most of the states want a federal security breach notification law. They believe the federal law should address two important points. First, the trigger for providing notice ought to be objective, not subjective, like the OCC Guidance. The states don’t want the entity that suffered a breach to decide if notice must be given. Second, the states don’t believe preemption is necessary.

Finally, she commented that the states want an expansion of the Safeguards Rule. They do not believe the current rule is strong enough, and should be modified to cover all entities that store or process sensitive consumer information, not just financial institutions that are currently covered by GLB.

[More to follow after lunch]

No comments: