AUGUST 2005
Privacy, Data Protection and Information Management

Corporate Liability for Data Loss/Identity Theft and Defensive Legal Strategies

On June 17, 2005, CardSystems Solutions, a third-party processor of payment card data on behalf of MasterCard, Visa and other financial institutions, announced that it had “identified a potential security incident.” On the same day, MasterCard announced that a hacker had breached CardSystems’ computers and potentially exposed sensitive personal information for nearly 40 million card accounts. This security breach came hot on the heels of CitiFinancial’s report that backup tapes containing similar data for nearly four million of its customers had been lost in transit.

While CardSystems and CitiFinancial are among the latest companies to suffer data loss incidents, these are just two of the data breaches reported this year. For example, on May 3rd, Time Warner announced that the names and social security numbers of nearly 600,000 people mysteriously vanished en route to a data repository. On April 18th, DSW Shoe Warehouse announced that the numbers and names associated with approximately 1.4 million credit cards were stolen by hackers. Polo Ralph Lauren, LexisNexis, ChoicePoint, and others have also experienced data security incidents.

All of these instances of alleged data loss potentially expose consumers to the ever-increasing risk of identity theft. Generally, identity theft occurs when one person uses another’s personal information, such as Social Security, credit card or driver’s license numbers, to make credit card purchases, open credit accounts or execute other fraudulent financial transactions. The Federal Trade Commission (FTC) estimates that identity theft affected over 27.7 million Americans from 1999-2003, and 9.3 million in 2003-2004. Current estimates suggest that each identity theft victim will spend an average of $1,500 in fees and 600 hours of time to respond.
The FTC estimates that identity theft costs about $52.6 billion each year.

LEGAL STANDARDS AND CORPORATE LIABILITY

Both governmental and private responses have followed the reports of data loss incidents and the legal reaction to them. Within the last year, the FTC has begun enforcement actions for violations of the Gramm-Leach-Bliley (“GLB”) Safeguards Rule. The Safeguards Rule, which became effective in May 2003, requires covered financial institutions to “develop, implement and maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.” Under the rule, covered companies must take several measures to protect data, including conducting a risk assessment of information systems and the company’s ability to detect, prevent and respond to computer intrusions; designing and implementing steps to control identified risks; overseeing service providers and requiring them contractually to protect customer information; and periodically updating their security programs.

In the past, individuals who have had their identity information misused had little legal recourse, except against the criminals who committed the theft. Now, however, significant lawsuits are being filed against corporations that were entrusted with the misused personal information. The theories of fault are diverse but are often based on the presumption that the entity entrusted with sensitive information breached a duty to keep it secure. Because the adverse consequences for such breaches are potentially quite serious, including the prospect of economic damages, companies that possess or access such data should pay close attention to how the law continues to develop in this area.

Pending class-action lawsuit against ChoicePoint, Inc.

One potentially significant case to watch involves ChoicePoint, Inc.
ChoicePoint, a data warehousing corporation, provides personal consumer information to businesses for a fee. In February of this year, ChoicePoint announced that the personal information of 145,000 people may have been compromised when thieves posing as legitimate small-business customers gained access to its databases. Authorities identified at least 750 people who have been defrauded because of this incident.

After the announcement, a class-action lawsuit was filed against ChoicePoint in a California state court on behalf of all individuals whose personal information had been disclosed. The suit seeks to prevent similar disclosures in the future and to recover damages. It asserts many grounds for relief, including a traditional negligence claim for the disclosure; a claim based upon ChoicePoint’s noncompliance with the U.S. Fair Credit Reporting Act (“FCRA”); a claim based upon ChoicePoint’s violation of the California Consumer Reporting Agencies Act (“CCRAA”); and claims based upon misappropriation and invasion of plaintiffs’ privacy rights. As one might expect, the plaintiffs seek compensatory, statutory and punitive damages and an order enjoining ChoicePoint from continuing to operate in a fashion that puts individuals’ personal data at risk. If the plaintiffs prevail, damages may run high; the plaintiffs’ request for statutory damages under the FCRA of up to $1,000 per plaintiff would itself yield a verdict of $145 million.

Alleged securities laws violations related to ChoicePoint’s data disclosure

ChoicePoint’s databases were allegedly compromised on numerous occasions between April 2004 and March 2005. During this period, ChoicePoint’s CEO and President allegedly sold between $16 and $20 million worth of ChoicePoint stock. Upon disclosure of the security breach, ChoicePoint’s stock tumbled nearly 15%, reducing its market capitalization from about $4 billion to about $3.45 billion.
Consequently, a number of securities lawsuits have been filed against ChoicePoint’s executives claiming violations of the Federal Securities Act, and, more specifically, fraud on the market under Rule 10b-5. Plaintiffs allege that the executive officers owed a duty to the common shareholders to disclose the data compromises as material nonpublic information prior to executing their own trades.

Negligence action against a Michigan union of 911 operators

Although the outcome of any pending case is unclear, at least one court, in a negligence action, has provided some guidance regarding the standard of care owed to one set of complainants. This past February, a Michigan Court of Appeals ruled, in an unpublished opinion, that unionized 911 operators were owed a duty of care by the Union that held their personal information. As reported, a union official had disclosed the personal information, resulting in identity thefts for the union members. Consistent with the traditional principles of tort law, this duty was based upon the existence of a special relationship between the union and its members. Although the Union was aware that one of its officers was not properly safeguarding confidential personal information of Union members, it took no steps to prevent that practice or to adopt any other appropriate safeguards to protect this information. The Court determined that the Union should have foreseen that the information would be misused and Union members would suffer harm, and that the Union owed its members a duty to protect them from the risk of identity theft. Although the opinion is not binding as precedent, it does evidence one court’s thoughts on the duties owed to keep data secure and suggests that at least some state courts are prepared to examine how traditional negligence principles relate to the harm caused by identity theft.
Other lawsuits

ChoicePoint and the Michigan union are not the only entities forced to defend against lawsuits based upon data theft or loss. This past April, LexisNexis, an information-gathering company, reported that sensitive personal information for more than 310,000 people had been stolen from its databases. The announcement followed a similar press release by LexisNexis’ parent corporation, Reed Elsevier, that its own databases had been breached more than 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers. Shortly after its announcement, a class-action lawsuit was filed against LexisNexis for financial losses associated with the breach of its databases.

DEFENSIVE LEGAL STRATEGIES

We believe any corporation which suffers the loss of sensitive personal information within its control could become the target of responsive lawsuits, whether based in common law principles of negligence or, for public companies, securities law violations. Consequently, companies should consider becoming more proactive in minimizing their risks and implementing defensive strategies such as those described below.

Data Loss Response Teams: One option is for companies to create a data loss response team to address data loss incidents quickly. The team should incorporate representatives from, among other disciplines, Legal, Public Relations, Information Security, Risk Management/Insurance, Records Management, Compliance and, if suitable, Privacy. The team should develop game plans for responding to incidents depending on the type of data loss and construct appropriate, readily executable task lists outlining critical first reactions. Response teams can help successfully manage several aspects of a data loss incident:

■ Insurance Coverage—Insurance policies may provide claims coverage for the expenses incurred by an insured company in responding to a data loss incident and restoring normal operations. However, many claimants often fail to track and record these expenses, particularly in the first frantic period following an incident. Response teams can institute suitable cost-capture measures which will help provide the documentation and records to support subsequent coverage claims as well as provide material which may be necessary in any related criminal investigations.

■ Secondary Liability—In ChoicePoint and other cases, plaintiffs allege fault not only for the original data loss incident but also because of subsequent concealment of the event and/or negligence in responding to the initial report of data loss. The existence of a response team reflects the high level of care and concern with which a company evaluates data loss incidents, ensures a proper response and demonstrates that responsible business practices are in place.

■ Coordination with Law Enforcement Authorities—A response team can evaluate the circumstances of an incident to determine whether to notify law enforcement. As many data loss incidents reflect criminal conduct by outsiders as well as by employees and other insiders, companies should establish contacts with appropriate law enforcement agencies in advance of a data loss incident. These relationships may be quite useful in responding to a data loss incident, particularly in emergency situations.

■ Reputational Injury—Some data loss incidents can quickly become the focus of press coverage, website discussions or customer inquiries. A response team should be prepared to handle media communications and public relations to better protect the reputational value of the company.

Criteria for Providing Notice: Many of the new legal requirements, both statutory and at common law, require or expect notices to be provided to potential victims of data loss by the companies that have experienced the incident. These notices are intended to mitigate identity theft and fraud. Whether a notice is actually required often necessitates a close legal analysis; the evolving standards in this area focus on how companies evaluate the likelihood that lost data can be misused as a result of data theft. Companies thus should develop and implement a methodology through which they will evaluate whether a notice is legally required, or whether notice is nonetheless appropriate (for example, in order to protect the reputation of the firm). The development of such criteria should take into account variables such as geography, the nature of personal information lost, the circumstances of the loss, and the likelihood the lost data can be used to execute an identity theft or fraud.

Proactive Data Loss Evaluations and Response: Companies should review their existing data systems and processes to probe for weaknesses and implement remedies which further minimize the likelihood that data loss results in identity theft. Information security professionals are well qualified to work with a company’s legal officers to define and evaluate security alternatives such as encryption, restructuring of databases, adopting access controls over data elements required to conduct an identity theft, and improving records management and disposition.

Many companies that experience a data loss incident and subsequently determine that notice to potential victims is appropriate are often unprepared to promptly organize and distribute a properly-worded notice.
Some state laws and federal publications identify specific elements that should be contained in such a notice. Companies should have one or more model notices on hand, properly annotated, to assure legal sufficiency under the various circumstances that could arise. Having draft notices available before a data loss incident can significantly reduce the time in issuing a proper notice, thereby increasing the likelihood that potential victims can protect their credit and accounts against misuse. Preparing a model notice in advance also triggers other planning activities that can speed the notice process. These planning activities may include arranging for credit report services for potential data loss victims, preparing a suitable website and/or customer support hotline, and developing procedures for the replacement of credit cards, passwords or other identity tools. The development and use of these techniques will be improved with prior legal input.

Review and Renegotiate Service Agreements: For many companies, conducting business today requires that their service providers receive and process personal information that can be the target of identity thieves. Under some identity theft laws, companies are responsible for notifying potential victims when the data loss results from the acts or omissions of these service providers. However, very few service agreements sufficiently require the service providers to assist the primary company in reporting data loss incidents and to cooperate in fulfilling the primary company’s legal responsibilities. Companies should consider changes to existing and future service agreements to include terms addressing data loss incidents, which should require the following:

■ Periodic reporting by the service provider on security controls, management processes and other operations intended to maintain the security of personal information. Reporting should be sufficient to permit a company to evaluate whether the security controls are themselves aligned to the quality of the data and its potential for misuse if improperly accessed or acquired.

■ Prompt and immediate reporting of any incident that may involve the improper access or acquisition of personal data that could lead to identity theft. The reporting obligations should specify the timeliness and method of reporting and impose on the service provider an obligation to cooperate fully, and at no cost, with the company and, if appropriate, with law enforcement, regulatory authorities, insurance carriers and auditors in the investigation and evaluation of the incident, as well as in any necessary remediation.

■ Prompt and immediate reporting of any data loss incident involving a service provider’s subcontractors. In more than one incident, the service provider’s subcontractor has been the source of the data loss. Companies, as customers, should examine what the service provider contractually requires of its subcontractors and ensure that contract terms require that data loss incidents involving any subcontractor are properly reported to the customer.

■ Appropriate liability and indemnification provisions. These should impose on the service provider the economic responsibility for the customer’s expenses in responding to and resolving data loss incidents arising from the service provider’s conduct. These provisions can supplement or substitute for insurance coverage for economic losses incurred in investigating and, if appropriate, responding to data loss incidents.

Prepare for Audits: Many companies in possession of personal information confront an expanding array of external and internal audits relating to their information systems, controls, risk management procedures and remediation processes.
Several agencies, including the Federal Financial Institution Examination Council (“FFIEC”), have published a variety of informative workbooks on the controls and criteria they look for when conducting examinations. For companies which are not financial service firms, these resources can be useful in identifying business processes which minimize the risks of data loss incidents. In addition, public companies subject to Sarbanes-Oxley are discovering that the breadth of “internal controls” reviews often embraces data loss. As a result, companies may find that the “internal controls” to be implemented for the integrity of financial reporting are often the same as or similar to the controls otherwise appropriate for minimizing the risks of personal data loss. Thus, the Sarbanes-Oxley audits are also worth taking into account in this context.

Obtain Professional Services: We understand that the myriad of issues surrounding corporate liability for data loss can be quite daunting. In response, K&LNG has organized an international team, drawn from across several practice areas, to support our clients as they address these complex topics. The lawyers listed below are drawn from our Litigation, White-Collar Criminal Investigations, Insurance Coverage, and Technology, Privacy, Data Protection and Information Management practices, and stand ready to assist you in navigating these treacherous waters.

Michael D. Ricciuti 617.951.9094 mricciuti@klng.com
Jeffrey B. Ritter 202.778.9396 jritter@klng.com
Jason P. Fiorillo 617.261.3186 jfiorillo@klng.com

PRIVACY AND INFORMATION MANAGEMENT PRACTICE

Kirkpatrick & Lockhart Nicholson Graham LLP comprises 1,000 lawyers who practice in offices located in Boston, Dallas, Harrisburg, London, Los Angeles, Miami, Newark, New York, Palo Alto, Pittsburgh, San Francisco, and Washington.
K&LNG represents entrepreneurs, growth and middle market companies, capital market participants, and leading FORTUNE 100 and FTSE 100 global corporations in every major industry, nationally and internationally. K&LNG has an experienced privacy and information management practice on both sides of the Atlantic. As such, we are well positioned to assist companies in addressing their international privacy law compliance needs. For more information, please visit www.klng.com.

K&LNG is a combination of two limited liability partnerships, each named Kirkpatrick & Lockhart Nicholson Graham LLP, one qualified in Delaware, U.S.A. and practicing from offices in Boston, Dallas, Harrisburg, Los Angeles, Miami, Newark, New York, Palo Alto, Pittsburgh, San Francisco and Washington and one incorporated in England practicing from the London office.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

© 2005 KIRKPATRICK & LOCKHART NICHOLSON GRAHAM LLP. ALL RIGHTS RESERVED.