SECURITY BREACH NOTIFICATION: The Full Risk Perspective

From PLI’s Course Handbook
Tenth Annual Institute on Privacy and Data Security Law
#19129
11
THE REALITIES OF SECURITY BREACH NOTIFICATION
Jody R. Westby
Global Cyber Risk LLC
► THE LEGAL LANDSCAPE
The privacy tsunami -- created by ChoicePoint’s admission in 2005 that it had inadvertently
sold personal data on 145,000 individuals to a criminal ring posing as a small business -- continues.
At the present time, forty-four states plus the District of Columbia, Puerto Rico, the
Virgin Islands, and one municipality (New York City) have enacted security breach notification
laws. Variances in state security breach notification laws – and the continuing enactment of new
laws – have created a complicated and costly patchwork of compliance requirements for
businesses.
On the federal level, numerous bills have languished in Congress since 2005 as industry and
consumer groups battled over risk triggers for notification, leaving businesses without the
certainty they seek regarding how to handle security breaches. As a result, federal breach
requirements are showing up piecemeal in various pieces of legislation. The first breach
notification requirement for federal agencies and government contractors was included in the
Veterans Affairs Information Security Act[1] (“VA Act”). In addition to notification, the VA Act
also requires the VA to provide credit protection services in accordance with regulations issued
by the Secretary of Veterans Affairs.[2] The regulations also address notification, data mining,
fraud alerts, data breach analysis, credit monitoring, and identity theft insurance.[3] The second
federal requirement for notification was in the recently enacted (February 17, 2009) HITECH
Act provisions in the economic stimulus bill.[4] The HITECH Act provisions apply to covered
entities under the Health Insurance Portability and Accountability Act and require notification
in the event of a breach of protected health information (PHI). The HITECH Act also requires
business associates, vendors, and certain third-party service providers of covered entities to
notify covered entities and/or individuals in the event of a breach.[5]
[1] The Veterans Benefits, Health Care, and Information Technology Act of 2006, Title IX, Veterans Affairs Information Security Act, Pub. Law 109-461, Dec. 22, 2006.
[2] 38 U.S.C. § 5724(b).
[3] Id.
[4] American Recovery and Reinvestment Act of 2009, H.R. 1, Health Information Technology for Economic and Clinical Health Act, § 13001, et seq., 111th Cong., 1st Sess., Feb. 17, 2009.
[5] Heidi Echols, Maura Ward, Karen Sealander, Bernadette Broccolo, Stephen Bernstein, “HITECH Act: Analysis of Policy Implications, Requirements of Health IT Stimulus Provisions,” Bureau of National Affairs, Privacy & Security Law Report, Vol. 8, No. 9, March 2, 2009, 344-357 at 347.
In addition to statutory requirements, the Office of Management and Budget (“OMB”) issued a
Memorandum in 2007 that directs all government agencies and departments to develop and
implement a breach notification policy.[6] The likely risk of harm and the level of impact of the
breach will determine when, what, how, and to whom notification should be given. Factors to
be considered in the likely risk of harm include the nature of the data elements breached, the
likelihood the information is accessible and usable, the likelihood the breach may lead to harm,
and the ability of the agency to mitigate the risk of harm. Breaches subject to notification
include paper and electronic data. Agencies are given leeway to implement more stringent
measures than those set forth in the Memorandum. Notification can be provided commensurate
with the number of people affected and the urgency with which they need to receive notice.
The OMB Memorandum also sets forth security requirements, such as the use of encryption and
the deployment of two-factor authentication to control remote access to systems containing PII.[7]
The financial regulatory authorities also issued Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice (“Interagency Guidance”),
which is deemed to be mandatory.[8] The Interagency Guidance serves as the regulatory
agencies’ compliance guidance on (a) Section 501(b) of the GLBA, and (b) their previously
issued Interagency Guidelines Establishing Information Security Standards (Security
Guidelines).[9] The Guidance on Response Programs explains that the regulatory authorities
expect a financial institution’s information security program, required under the Security
Guidelines, to include a response program. The Guidance applies to “customer information”
that is “nonpublic personal information” maintained by or on behalf of a financial institution.
The European Union (“EU”)[10] and several foreign countries, such as Canada,[11] Britain,[12]
Australia, and New Zealand[13] are also considering or being urged to consider laws governing
[6] Clay Johnson, III, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” Executive Office of the President, Office of Management and Budget, M-07-16, May 22, 2007, www.dhs.gov/xlibrary/assets/privacy/privacy_attachment6_OMB07-16.pdf.
[7] Id.
[8] “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” Part III of Supplement A to Appendix, 12 C.F.R. Part 30 (OCC); Supplement A to Appendix D-2, 12 C.F.R. Part 208 (Fed. Reserve System); 12 C.F.R. Part 364 (FDIC); 12 C.F.R. Part 568 (OTS); 70 Fed. Reg. 15736-15754 (Mar. 29, 2005).
[9] “Interagency Guidance Establishing Information Security Standards,” 69 Fed. Reg. 77,610 (Dec. 28, 2004), http://www.federalreserve.gov/BoardDocs/Press/bcreg/2005/20051214/attachment.pdf.
[10] Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation, COM(2007) 698 final, Nov. 12, 2007, eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2007:0698:FIN:EN:PDF.
security breach notification and identity theft. Unlike the U.S. approach, the European
Commission Directive has proposed that only communications providers be required to notify
customers and regulators of breaches to personal data. At present, the Directive on privacy and
electronic communications only requires providers to notify customers of security risks, not
security breaches.[14] The Commission’s proposal requires providers to notify the National
Regulatory Agency of security breaches that result in the loss of personal data and/or that may
cause an interruption in service. They also must notify the customer of breaches that result in
the loss, modification or destruction of, or unauthorized access to the customer’s personal data.
EU Member States also have been active in this area. Authorities in the U.K., for example, have
taken a tough stance against financial security breaches. Although there was no notification
requirement, financial regulators fined a British financial institution $1.9 million for its failure to
adequately respond to the theft of a laptop containing sensitive customer data. Authorities
explained that they intended to send a message to industry that they should take these kinds of
security breaches very seriously.[15]
As breaches continue to rise, privacy organizations and consumer groups have become more
organized and vocal about PII disclosures, making security breach stories a favorite of the
media. Compilations of data on breaches have increased the awareness of both the public and
legislators to the risks of identity theft. For example, the Privacy Rights Clearinghouse has
maintained a chronology of breaches since ChoicePoint on their Web site which lists breaches
that exposed individuals to identity theft and qualified for disclosure under state notification
laws. To date, nearly 256 million records containing PII have been breached.
All of these factors have converged to create a complicated scenario for corporations. The array
of legal, operational, technical, and policy issues surrounding security breach notification have
[11] “CIPPIC calls for data security breach notification law,” Digital Copyright Canada, Jan. 9, 2007, http://www.digital-copyright.ca/node/2895.
[12] Robert Westervelt, “UK group pushes for stiff data security breach laws,” SearchSecurity.com, Oct. 4, 2007, http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1275425,00.html; SA Mathieson, “UK should introduce data breach notification law, say Lords,” InfoSecurity, Aug. 10, 2007, http://www.infosecurity-magazine.com/news/070810_lords.html.
[13] Consultation paper – Draft Voluntary Information Security Breach Notification Guide, The Office of the Privacy Commissioner (Australia), Apr. 2008, http://www.privacy.gov.au/publications/breach_0408.html.
[14] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Off. J. of the European Parliament and of the Council, L 201/37, http://eur-lex.europa.eu/LexUriServ/site/en/oj/2002/l_201/l_20120020731en00370047.pdf.
[15] “U.K. Regulator Sets First Data Security Fine: Bank Will Pay $1.9 Million Over Laptop Theft,” Privacy & Security Law Report, Bureau of National Affairs, Vol. 6, No. 8, Feb. 19, 2007 at 287-88.
significantly increased risks to companies who have security breaches. From the technological
side, solutions must be deployed to encrypt data, detect breaches, track online activities, and
control access. Management policies define the culture of an organization and are an essential
element in mitigating damages to reputation and financial loss. Operational controls and
processes determine the course of action an organization takes in the heat of the moment when a
breach occurs. This paper will analyze each of these areas and provide information, analysis,
and insights into managing the risks accompanying security breaches and meeting notification
requirements.
► THE LEGAL & REGULATORY PERSPECTIVE
The legal/regulatory framework is driving the security breach issue and forcing technical,
operational, and policy changes that are impacting cyber security programs. Although
California enacted the first security breach notification law and has been a leader in privacy
nationally, the other 43 states that have enacted notification laws did not enact mirror images of
California’s law. Therefore, these state statutes have become a maze of state credit freeze,
identity theft, and security breach notification laws with varying requirements.
What Data Is Covered By Breach Laws?
The information that can trigger a state breach notification requirement – usually generically
referred to as personally identifiable information (“PII”) – can vary. Usually, it involves a
person’s first and last name (or the first initial and last name) plus
• a social security number, or
• driver’s license or state identification number, or
• financial account number, credit or debit card number (some states also require the PIN or
  access code to have been breached if they are needed for access to the account).

California has extended its breach notification requirements to unauthorized acquisition
or use of medical or health insurance information.
In the area of PII, however, it is always prudent to consider public expectations with respect to
the privacy of personal data. Following the letter of the law may not be enough if customers
expect more than the law allows. These public expectations have been shaped, in part, by the
definition of PII developed by the European Union, the U.S. Federal Trade Commission,
financial regulators, and professional organizations, and these may reach well beyond the
notification threshold of state laws.
At the outset, it is important to understand that PII is not clearly defined or universally agreed
upon. The Federal Trade Commission, for example, has defined personal information as:
[I]nformation from or about an individual including, but not limited to: (a) first
and last name; (b) home or other physical address, including street name and
name of city or town; (c) an email address or other online contact information,
such as an instant messaging user identifier or a screen name that reveals an
individual’s email address; (d) a telephone number; (e) a Social Security
Number; (f) a persistent identifier, such as a customer number held in a “cookie”
or a processor serial number, that is combined with other available data that
identifies an individual; or (g) any information that is combined with any of (a)
through (f) above.[16]
Within the context of the U.S. Safe Harbor Privacy Principles, PII is defined as “[D]ata about an
identified or identifiable individual that are within the scope of the [Directive 95/46/EC of the
European Parliament], that is received by a U.S. organization from the European Union, and
recorded in any form.”[17] The EU Data Protection Directive has a broad definition of PII,
bringing many types of information not referenced by the FTC. It defines “personal data” as:
[A]ny information relating to an identified or identifiable natural person (“data
subject”); an identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification number or to one or more
factors specific to his physical, physiological, mental, economic, cultural, or
social identity.[18]
The definition of PII offered by the American Institute of Certified Public Accountants (AICPA)
and the Canadian Institute of Chartered Accountants (CICA) aligns more closely with the EU
Directive:
Personally identifiable information is defined as any information relating to an
identified or identifiable individual. Such information includes, but is not limited
[16] See In the Matter of Microsoft Corp., File No. 012 3240, Agreement Containing Consent Order (Consent Order accorded final approval on Dec. 20, 2002), http://www.ftc.gov/os/caselist/0123240/microsoftagree.pdf.
[17] Safe Harbor Privacy Principles, U.S. Dep’t of Commerce, July 21, 2000, http://www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm.
[18] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L. 281/31, Nov. 23, 1995, http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm#directive.
to, the customer's name, address, telephone number, social security/insurance or
other government identification numbers, employer, credit card numbers,
personal or family financial information, personal or family medical information,
employment history, history of purchases or other transactions, credit records and
similar information. Sensitive information is defined as personally identifiable
information specifying medical or health conditions, racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership or
sexual preferences.
Financial regulators threw in an additional twist with the term “sensitive customer information”
(“SCI”) that is covered by the Interagency Guidance. SCI includes a customer’s name, driver’s
license number, account number, credit or debit card number, or a personal identification
number or password that would permit access to the customer’s account. It also includes data
that will enable a person to log on to or access a customer account, such as a username and
password.[19]
The VA Act defines “sensitive personal information” even more broadly:
Any information about the individual maintained by an agency, including the
following:
(A) Education, financial transactions, medical history, and criminal or
employment history.
(B) Information that can be used to distinguish or trace the individual’s
identity, including name, social security number, date and place of birth,
mother’s maiden name, or biometric records.[20]
For purposes of this paper, all data subject to notification shall be referred to as PII.
What Is a Security Breach?
Beyond determining whether data is within the scope of a breach law, what constitutes a
security breach that could trigger a notification requirement also varies between laws. Some
state laws consider a security breach to have occurred if the PII is actually acquired.[21] Other
[19] 12 C.F.R. part 40.
[20] 38 U.S.C. § 5727(19).
[21] For example, Arkansas, California, Colorado, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Minnesota, Montana, Nevada, New York, North Dakota, Tennessee, Texas, Washington, and Oklahoma.
laws consider access to the data enough to constitute a security breach.[22] Most state security
breach notification laws apply only if the PII was unencrypted. Some state laws only apply if
illegal use or misuse of the information has occurred or is reasonably likely to occur.[23] In
certain states, this must be determined by an investigation.[24] Even if a breach has occurred,
several states exempt entities from notification requirements if an investigation reveals there is
no reasonable likelihood of harm to the person whose PII was accessed or acquired.[25]
Who Does the Law Apply To?
State laws are also inconsistent with respect to what entities are subject to security breach
notification requirements. Some laws apply to individuals, businesses, and public sector
agencies.[26] Other state laws apply only to individuals and businesses, excluding public sector
entities; some apply to “any person;” and others apply only to information brokers or exempt
entities subject to the Gramm-Leach-Bliley Act (GLBA).
[22] For example, Arizona, Connecticut, and Vermont.
[23] For example, Hawaii, Idaho, Indiana, Kansas, Maine, Nebraska, New Hampshire, New York City, North Carolina, and Utah.
[24] For example, Maine, Nebraska, and New Hampshire.
[25] For example, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Kansas, Louisiana, Maine, and Michigan.
[26] For example, Arizona, Arkansas, California, Colorado, Idaho, Michigan, New Hampshire, and Tennessee.
When and How is Notice Given?
When notification must be given is also unclear. Most states followed California’s lead and
require that notification be given in “the most expedient time possible” and “without
unreasonable delay.” Other states, such as Florida and Connecticut, require notification within a
certain number of days from the discovery of the breach. The form of notice can also vary.
Most laws are modeled after California and allow notice to be given in written or electronic
form, although some state laws allow notice by telephone. Mass notices via email, websites,
and major media may be given if extremely large numbers of records are involved and the cost
of notification is significant. Most states allow notification to be delayed if law enforcement
believes notification may disrupt or impede an investigation.[27] In addition to consumer
notification, some state laws also require the entity that suffered the breach to notify law
enforcement, consumer reporting agencies, or other potentially affected parties.[28]
Federal Notification
The VA Act requires notification to individuals found to be “subject to a reasonable risk for the
potential misuse of any sensitive personal information.” The HITECH Act requires notification
within 60 days of the breach. The Interagency Guidance requires notification “as soon as
possible,” but allows delays if notification could interfere with a criminal investigation. The
OMB Memorandum does not set a specific threshold for notification, leaving it up to case-by-case
analysis based on likelihood of harm and level of risk. Notification is to be “without
unreasonable delay” but with exceptions for law enforcement investigations and national
security considerations.
In light of the patchwork compliance requirements associated with state security breach
notification laws, it is no wonder that Congress has been pressured by businesses to enact a
federal law that will preempt state compliance obligations. Under state laws, most businesses
have to meet the highest ceiling, lest they risk headlines over non-compliance in the most
rigorous jurisdictions. As Harriet Pearson, Chief Privacy Officer of IBM, noted:
[27] “Security Breach Notifications: a State and Federal Law Maze,” Gibson, Dunn & Crutcher, July 27, 2005, http://www.gibsondunn.com/practices/publications/detail/id/766/?pubItemId=7832.
[28] For example, Colorado, Florida, New York, and Ohio.
[I]f you are doing business across the country, basically, I don’t think you are
going to sit down and [say], “Well, if it happened in Arkansas versus…
California, I am going to use radically different standards.”[29]
Thus, from the legal perspective, risks abound with respect to security breach notification
requirements. Organizations, therefore, would be prudent to ensure they have effective
enterprise security programs in place that can accommodate the complexity of their compliance
requirements and enable them to be prepared in the event of a breach.
► THE POLICY PERSPECTIVE
The President’s Task Force on Identity Theft (Task Force) was established in May 2006 and
charged with developing a strategic plan to make the federal government’s efforts in countering
identity theft more effective and efficient. The resulting report, Combating Identity Theft: A
Strategic Plan, sets forth four broad policy changes and provides a number of recommendations
that, if implemented, could help reduce breaches of PII and facilitate the notification process.
The suggested policy changes are:
• Federal agencies should reduce the unnecessary use of Social Security numbers;
• National standards should be established (1) to require private sector entities to
  safeguard the personal data they compile and maintain, and (2) to provide notice to
  consumers when a breach occurs that poses a significant risk of identity theft;
• Federal agencies should implement a broad, sustained awareness campaign to educate
  consumers, the private sector, and the public sector on deterring, detecting, and
  defending against identity theft; and
• A National Identity Theft Law Enforcement Center should be created to allow law
  enforcement agencies to coordinate their efforts and information more efficiently, and
  investigate and prosecute identity thieves more effectively.

The Task Force’s recommendations were multidisciplinary, global in scope, and
numerous. Only one of them, however, directly addressed security breach notification
and even then without providing any specificity: Establish national standards extending
data protection safeguards requirements and breach notification requirements.
[29] Jaikumar Vijayan, “Q&A: IBM Executive on Breach Notification Laws, Data Security Push,” The Privacy Advisor, International Assn. of Privacy Professionals, Vol. 6, No. 7, July 2006.
This shortcoming is significant and provides no clear guidance to Congress on sorting out the
various legislative provisions in the pending legislation.
The Federal Trade Commission (“FTC”) has taken aggressive action against identity theft and
has endeavored to assist and protect consumers from the resulting fraud, expense, and time
burdens. The FTC’s division of Privacy and Identity Protection has prepared valuable
information for businesses regarding how to notify law enforcement, other affected businesses,
and customers of breaches, including a model letter for notifying consumers that their PII has
been breached.[30] Instead of focusing on exceptions or triggers, the FTC encourages
notification. Its “Facts for Business” document on complying with the GLBA Safeguards Rule
advises businesses to consider “notifying customers, law enforcement, and/or businesses in the
event of a security breach.”[31]
The FTC also has authority to enforce the Fair Credit Reporting Act (FCRA), which gives
victims of identity theft the right to obtain certain documents and transaction records from
businesses. Although not a notification requirement, it does involve the release of certain
corporate information to consumers following a breach.
Beyond providing information to consumers, other laws apply to the destruction of PII. The
FTC enforces the Fair and Accurate Credit Transactions Act (FACTA), which directed the
financial regulatory agencies to promulgate a rule on the proper disposal of consumer
information. The resulting Disposal Rule applies to people and organizations that use consumer
reports. These reports contain PII and must be disposed of according to reasonable and
appropriate disposal practices. The disposal of PII is important because security breaches can
occur from information that has not been properly destroyed, triggering notification
requirements.
These federal policy initiatives by the financial regulatory agencies, the FTC, and OMB offer
valuable guidance to private sector organizations on how to manage risks associated with
breaches of PII.
► THE MANAGERIAL & OPERATIONAL PERSPECTIVE
[30] “Information Compromise and the Risk of Identity Theft: Guidance for Your Business,” Facts for Business, Federal Trade Commission, http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.shtm.
[31] “Financial Institutions and Customer Information: Complying with the Safeguards Rule,” Facts for Business, Federal Trade Commission, http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.shtm.
The managerial and operational aspects of security breach notification are central to compliance
and risk management. The tone at the top regarding privacy of PII, compliance with security
breach notification laws, and protection of reputation and financial resources in the event of a
breach are critical to the effectiveness of any security program. They set the direction for
operational policies and procedures that control day-to-day operations and help mitigate
liabilities.
Examples of managerial and operational policies that are essential in managing the risks
associated with security breaches of PII include:
• An organizational commitment to respect the privacy of PII and comply with legal
  requirements.
• A requirement that awareness training and targeted training regarding compliance with
  policies and procedures be ongoing.
• A commitment by management that only the minimum PII will be collected and that it
  will be destroyed as soon as practicable.
• A commitment to cross-organizational communication and cooperation and the
  establishment of an organizational structure that enables this to happen.
• A pledge from management to establish and sustain an enterprise security program that
  incorporates privacy and cybercrime considerations.
• A commitment from management to allocate adequate resources for privacy and security
  programs.
• An organizational commitment to engage in public-private sector cooperation to counter
  cybercrimes and privacy breaches.
• A clear requirement from management that the organization have a well-developed and
  tested response plan that includes preservation of evidence and interaction with law
  enforcement, crisis communications, customer notification, and investor and employee
  communications.
Operational risks occur on the front line when employees, contractors, business partners, or
others do not have policies and procedures to guide their actions and when controls are lacking
to detect violations, anomalies, or inadequate performance. Security breach notification laws
have impacted businesses in every industry sector and of every size. Regardless of sector or
size, however, one common fault is the failure to plan in advance for a breach. The President’s
Identity Theft Task Force reported that an April 2006 cross-industry survey concluded that only
45% of large U.S. multinational corporations had a formal process for handling security
violations and data breaches.[32] Responding on the fly is always risky; it is especially so with
respect to the breach of PII that is subject to so many security breach compliance requirements.
Adding to the risk is the fact that security breaches come in many scenarios:
• Lost or stolen laptops, thumb drives, personal digital assistants, cell phones, wireless
  devices, and CDs;
• Employees who engage in stealing, disclosing, selling, or improperly using corporate
  data or posting it to websites;
• Hackers who access or steal data;
• PCs that are discarded with unsanitized or wiped hard drives;
• Data that is improperly disposed of;
• Data that is acquired through peer-to-peer software; and
• Backup or archival tapes that are lost or stolen.
The California Department of Consumer Affairs’ Office of Privacy Protection (Privacy Office)
has published Recommended Practices on Notice of Security Breach Involving Personal
Information, which provides valuable guidance on the prevention of breaches, appropriate
notifications, and responses. The Privacy Office suggests the following practices can help
prevent breaches:
• Collect the minimum amount of PII necessary and retain it for the minimum amount of
  time necessary;
• Inventory records systems, critical computing systems, and storage media and identify
  those containing PII;
• Classify PII in records systems according to sensitivity;
• Use appropriate physical and technical safeguards to protect PII (particularly higher risk
  PII, including paper records);
• Pay more attention to higher-risk PII on laptops or portable storage devices or
  appliances;
[32] President’s Task Force Report at 35 (citing Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, Apr. 26, 2006 at 16).
• Promote awareness of security and privacy policies and procedures through ongoing
  employee communications and training;
• Require that service providers and partners who handle PII comply with security
  policies and procedures;
• Use intrusion detection technology and procedures to ensure rapid detection of
  unauthorized access to higher-risk PII;
• Use encryption in combination with host protection and access controls to protect
  higher-risk PII;
• Dispose of records and equipment containing PII in a secure manner; and
• Review security plans at least annually or when there is a material change in operations
  that could affect the security of PII.[33]
Response and notification involve multiple compliance requirements. Entities suffering a data
breach may be required to notify state agencies, credit reporting bureaus, law enforcement,
business partners, and individuals. Responses are best handled by a team of people with clearly
assigned roles and responsibilities who have worked through response scenarios and are
prepared to manage a situation.[34] Initially, at the time a breach occurs, it is important to
safeguard computer logs and other evidentiary data that may be needed to prosecute the
perpetrator or defend the reasonableness of the company’s security program. The organization
must determine exactly what PII was involved in the breach, find out whether part or all of it
was encrypted, ascertain whether the breach was caused by an insider or an external actor, and
make some initial determinations regarding the likelihood of harm as a result of the breach and
whether notification is actually required. Each of these pieces of information must be protected
and many of them may be shared among the response team members.
A well-rehearsed communications plan is one of the most important elements of an effective
response. Organizations should determine in advance who will speak to employees and the
board, who will handle press inquiries, who will interact with regulators and law enforcement,
who will prepare the notification, who will speak to analysts and shareholders, and who will
work with law enforcement. The coordination of these communications must be managed. The
timing of the notification is also important. Generally, it is within 45 days of the date the breach
was discovered, unless it is delayed at the request of law enforcement. What the company will
offer victims of a breach must also be considered. Some experts have noted that, over time, a
sort of “standard” notification package has developed which is offered to victims at the time of
notification. This usually includes free credit monitoring services, free annual credit reports, and
information regarding placing a fraud alert on the victim’s credit files.[35]

[33] Recommended Practices on Notice of Security Breach Involving Personal Information, California Dept. of Consumer Affairs Office of Privacy Protection, Feb. 2007 at 9-10, http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf (hereinafter “California Recommended Practices”).
[34] James Christiansen, “Avoid a Meltdown: Reacting to a Security Breach,” CSOonline.com, http://www.csoonline.com/read/080106/counsel_pf.html.

When notification is given, the California Privacy Office recommends that notice letters
contain:
• A general description of the breach and what type of information was involved
• What measures have been taken to protect the person’s PII from unauthorized access or acquisition in the future
• What the organization will do to assist victims
• Information regarding what the individual can do to protect themselves from identity theft
• Contact information for helpful agencies and information on resources.
The Privacy Office also recommends that the language of the notice be simple and clear,
avoiding jargon and technical language. Good layout to improve readability and highlight
informational points in the notice is recommended. The Office suggests that the notice be sent
by first class mail or, alternatively, by email. If large numbers of individuals are involved or the
cost of notification is more than $250,000, California recommends that notice be posted on the
organization’s website, sent through major media, and sent by email.[36]
In managing notification issues, it is also important to take into account public perception.
Although an event may not have triggered a notification, it may be prudent to notify individuals
anyway, lest their expectation of privacy give way to fury over not being informed, damaging
the reputation of the firm or causing other negative consequences. Respected privacy expert
Lisa Sotto of Hunton & Williams notes that:

    Privacy issues are hot button social issues that often transcend mere legal
    compliance. Indeed, the risk to an organization’s reputation and revenues often
    far exceeds the risk associated with non-compliance with breach laws. As a
    result, organizations responding to a breach should focus on doing the right thing
    as opposed to doing only those things that are required by the law.[37]

[35] Lisa J. Sotto and Aaron P. Simpson, “A How-To Guide to Information Security Breaches,” Privacy & Security Law Report, Bureau of Nat’l Affairs, Vol. 6, No. 14, April 2, 2007 at 559-562 (hereinafter “Sotto and Simpson”).
[36] California Recommended Practices at 11-13.

► THE TECHNICAL PERSPECTIVE
Obviously, numerous technical considerations come into play with security breaches. Often, it
is the breach of a technical control that enables a person to acquire or access protected data. In
developing a response plan, it is important to take into account the types of technical issues that
are involved in a breach of PII so they can be appropriately addressed through the organization’s
enterprise security plan, policies, and procedures. Clearly, identity management and access
control technologies are important tools in managing risks associated with PII. In addition,
monitoring and anomaly detection software can help detect unauthorized activity and record the
actions taken. Steganography detection software can help block unauthorized transmissions of
PII outside an organization.
These tools are especially important in preventing PII breaches by insiders. Effective firewall
and malware detection technologies are critical to maintaining a perimeter around digital assets
and blocking unauthorized access from outside an organization.
No technology, however, is as prominently tied to a security issue as encryption is to security
breach notification. Under most laws, encrypted data is not subject to notification requirements
when breached. Encryption technologies that meet the National Institute of Standards and
Technology’s Advanced Encryption Standard (AES) are recommended.[38]
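The point of the encryption exemption is that a copy of the stored data, on its own, reveals no PII. The following Go program is an added example written for this page (not code from the paper or from any product it cites) showing what that looks like in practice: a PII record is sealed with AES-256 in GCM mode from Go's standard library, the resulting blob is checked for any surviving plaintext fields, and decryption is attempted with the right key, a wrong key and a tampered blob. The record, the key and the field values are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample PII record as it might be stored at rest; not real data.
const sampleRecord = "name=Jane Doe;ssn=000-00-0000;dob=1970-01-01"

// Encrypt seals a PII record with AES-256-GCM (FIPS 197 AES in an authenticated mode).
// The returned blob is nonce || ciphertext || tag and can be stored without the key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob produced by Encrypt. A wrong key or any modification of the
// blob fails authentication and returns an error instead of garbage plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether a stored blob still contains any of the given
// sensitive field values in the clear, i.e. whether a copy of it would expose PII.
func LeaksPlaintext(blob []byte, fields ...string) bool {
	for _, f := range fields {
		if bytes.Contains(blob, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // in a real deployment this lives in a key store, not beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) leaks SSN: %v\n", len(blob), LeaksPlaintext(blob, "000-00-0000"))
	pt, err := Decrypt(key, blob)
	fmt.Printf("decrypt with right key: %q err=%v\n", pt, err)
	wrong := make([]byte, 32)
	_, err = Decrypt(wrong, blob)
	fmt.Printf("decrypt with wrong key: err=%v\n", err)
}
```

The blob is only as protective as the separation between it and the key: the same breach that copies the data store must not also yield the key material, so the key belongs in a separate key store or hardware module, and the determination of "was it encrypted" during response should also establish that the key was not exposed.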
Authentication and authorization controls are increasingly important in protecting against
breaches of PII. The Federal Financial Institutions Examination Council issued guidance on
Authentication in an Internet Banking Environment, recommending that two-factor
authentication be used for Internet-based products and services. Increasingly, two-factor
authentication is being accepted as a best practice in preventing unauthorized access to systems
and data.[39] As identity theft continues to rise, this trend will continue, eventually supplanting
single-factor authentication altogether.

[37] Sotto and Simpson at 562.
[38] See Federal Information Processing Standard 197, National Institute of Standards and Technology, Nov. 2001, http://csrc.nist.gov/publications/fips/index.html.
[39] “Authentication in an Internet Banking Environment,” Federal Financial Institutions Examination Council, Aug. 8, 2001, http://www.ffiec.gov/pdf/authentication_guidance.pdf.

Security breach notification laws have significantly raised awareness regarding the importance
of effective enterprise security programs that combine legal, technical, managerial, and
operational considerations. The headlines on security breaches have gotten the attention of
executives unlike any amount of talking, coaxing, explaining, or cajoling about the need for
enterprise security programs and adequate funding. The FTC has once again taken a leadership
position in wedding privacy and security by issuing tips for reducing risks to computer systems
and to the privacy of data. Measures for effective security include:
• Identifying internal and external risks to the security, confidentiality, and integrity of customer PII;
• Designing and implementing safeguards to control the risks;
• Periodically monitoring and testing the safeguards to be sure they are working effectively;
• Adjusting the security plan according to the results of testing, operational changes, or other circumstances that might impact information security;
• Overseeing the information handling practices of service providers and business partners who have access to the personal information;
• Considering all the relevant areas of operation, including employee management and training; information systems (including network and software design); information processing, storage, transmission and disposal, and contingencies (including detecting, responding, and preventing system failure); and
• Taking into account new vulnerabilities and leading causes of security risks (including web application security vulnerabilities).[40]
Other technical aspects to security breach notification risk management include the various
services that are springing up to assist victims of identity theft. Numerous companies, including
the credit bureaus, offer an array of technologies and/or services that monitor credit reports and
manage identities.

[40] “Security Check: Reducing Risks to your Computer Systems,” Facts for Business, Federal Trade Commission, http://www.ftc.gov/bcp/conline/pubs/buspubs/security.shtm.

► CONCLUSION
The confusion around how to counter identity theft has resulted in an array of state laws that
inconsistently define PII and mandate notification to individuals based upon differing criteria.
At the federal level, notification requirements apply only to data held by Veterans Affairs
and to PHI. The FTC and OMB, in the meantime, have actively taken on identity theft and
security breach notification issues.
The legal risks and headlines associated with breaches of PII require managerial and operational
policies that accommodate breach compliance requirements and mitigate risks. The California
Privacy Office has published excellent guidance for businesses on notification practices. In
planning ahead regarding how to handle breaches, it is important to develop a communications
plan and consider what benefits the organization will offer to individuals whose PII has been
breached. Legal requirements, however, should not be the sole guide post; meeting the
customer’s or public’s perception of privacy may be just as important – if not more important –
than the legal requirements in terms of managing risk. Technical tools are available to help
prevent, detect, and respond to breaches. Technological considerations will impact policies and
procedures, however, and must be woven into the organization’s enterprise security program.
Today, it is almost impossible for any business to operate without collecting PII, making it
essential that companies understand their compliance requirements and remain alert to new laws
that continue to surface, both in the U.S. and abroad.