National Association of Mutual Insurance Companies


DATA SECURITY BREACH

THE ISSUE IS… Identity theft is the fastest growing crime in the country, and with the highly publicized security breaches at ChoicePoint, LexisNexis, Bank of America and Citibank, regulators have opened investigations into the data security failures involved. The latest data security failure occurred when a hacker accessed and compromised 40 million MasterCard International accounts that were serviced by the payment processor CardSystems Solutions Inc.

IT’S IMPORTANT BECAUSE… Financial information privacy remains a controversial and politically significant issue. The continued attention on privacy is leading to increasing awareness of the vulnerabilities of companies and their affiliates.

Congress is studying the issue and is beginning to introduce various pieces of legislation to address this dilemma. Among the key issues to be addressed are: 1) what breaches should trigger notifying customers, i.e., any unauthorized disclosure, or only disclosures that could lead to harm such as identity theft; 2) whether there should be state functional regulation or, if not, which federal agency should have jurisdiction to enforce notification; and 3) whether federal legislation will preempt state laws.

Sen. Dianne Feinstein (D-CA) introduced S. 115, the Notification of Risk to Personal Data Act, which would require consumer notification in the event that sensitive, unencrypted personally identifiable information has been either acquired or accessed without authorization. Enforcement authority is delegated to the Federal Trade Commission (FTC), with damages limited to not more than $5,000 per violation, subject to a maximum of $25,000 per day. The bill also gives state attorneys general the right to bring claims for violations of the bill, does not fully preempt state laws, and includes a carve-out for California law, S.B. 1386.

Sen. Bill Nelson (D-FL) and Rep. Ed Markey (D-MA) have jointly introduced S. 500/H.R. 1080, the Information Protection and Security Act. The bill directs the FTC to promulgate regulations governing the conduct of information brokers and the protection of personally identifiable information held by such brokers. State attorneys general may bring claims, with no mention of limits or caps, for violations of the regulations promulgated under the bill. The bill provides for damages of $1,000 per violation and does not preempt state law.

Sen. Feinstein has also introduced S. 751, the Notification of Risk to Personal Data Act, which more closely mirrors California S.B. 1386, which requires notification of consumers in the event that an unauthorized person has acquired their personal information. The bill exempts agencies from the notification requirement for national security and law enforcement purposes. Data covered by the bill includes Social Security numbers, driver’s license numbers, and credit card numbers. Violations would be subject to fines of $1,000 per individual whose personal data was compromised, as well as $50,000 for each day that notification is delayed. The authority to enforce the notice requirements, including the assessment of fines, would reside with the FTC. The bill would also preempt state laws as they relate to notification.

Sen. Charles E. Schumer (D-NY) introduced S. 768, the Comprehensive Identity Theft Prevention Act. S. 768 creates an Office of Identity Theft within the FTC and authorizes the Office to take civil enforcement actions against those who violate the act. The bill also prohibits the solicitation, display, sale, purchase, or use of, and access to, Social Security numbers. The bill sets forth notification requirements regarding the unauthorized acquisition of, or the intention to share, an individual’s sensitive personal information and places penalties on those who violate the requirements.

Sens. Arlen Specter (R-PA) and Patrick Leahy (D-VT) introduced S. 1332, which would address identity theft, data broker security standards, customer notification, and corporate use of Social Security numbers. The bill would increase penalties for identity theft involving electronic personal data; require entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; limit the buying, selling, and display of Social Security numbers without the consent of the individual whose number it is; prohibit companies from requiring individuals to use Social Security numbers as account numbers and limit when companies can require individuals to disclose those numbers in order to obtain goods and services; and bar government agencies from posting public records that contain Social Security numbers on the Internet.

Sen. Jeff Sessions (R-AL) introduced S. 1326, the Notification of Risk to Personal Data Act, which would apply only to computerized data and not to paper records. An agency (not just a financial services firm) must notify affected individuals upon determining that electronic data was compromised and that a significant risk of identity theft exists. The bill is not intended to modify, limit or supersede federal law, including Gramm-Leach-Bliley and the Fair Credit Reporting Act. The bill permits civil remedies for failure to give proper notice, subject to a cap of $250,000 per breach. The bill also permits legal action by state attorneys general and allows functional regulators to enforce compliance with the bill. It preempts state laws that relate to electronic information security standards or notification of a security breach.

Sen. Gordon Smith (R-OR) has announced plans to introduce legislation that will include a national obligation for companies to have a security procedure in place to safeguard sensitive and personal information, and a balanced breach notification trigger to inform consumers when risks of identity theft are at stake.

Reps. Deborah Pryce (R-OH) and Michael Castle (R-DE) are drafting a bill addressing the protection of sensitive nonpublic personally identifiable information. The draft proposal would amend the Fair Credit Reporting Act (FCRA) to establish new requirements for a broad range of entities that handle sensitive consumer information. Covered entities would be responsible for conducting investigations of security breaches involving “sensitive financial identity information” to determine the likelihood that such data will be misused in a manner that would cause substantial inconvenience or substantial harm to consumers. Organizations would be required to promptly notify consumers, law enforcement, the federal government, and in some cases consumer reporting agencies, about any harmful breaches.

Rep. Melissa Bean (D-IL) introduced H.R. 1069, to require organizations to disclose any “unauthorized acquisition” of electronic data containing personal information.

Reps. Joe Barton (R-TX), John Dingell (D-MI), and Cliff Stearns (R-FL) are working on legislation as well. Their draft proposal would require the FTC to design rules requiring companies that hold personal information about people in databases to establish security policies and procedures to protect that information. The security policies must cover the use, sale or dissemination of personal information. The draft would also require companies to give their customers notice of data breaches, but the FTC would determine which breaches require notification. The draft would not restrict the use of Social Security numbers and would preempt state laws dealing with electronic data security breaches.

On March 15th, Rep. Cliff Stearns (R-FL), Chairman of the House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection held a hearing regarding the data security breaches that occurred in the data brokerage firms ChoicePoint and LexisNexis that resulted in the theft of thousands of individuals’ personal information. Stearns has said that he will introduce a notification bill that will “carefully balance consumer privacy with the legitimate need for access to this information for business and law enforcement purposes.”

The House Financial Services Committee has held two hearings addressing the vulnerabilities of companies’ data security systems. The Full Committee held a hearing on May 4 titled “Assessing Data Security: Preventing Breaches and Protecting Sensitive Information.” Another hearing was held on May 18 by the Subcommittee on Financial Institutions and Consumer Credit titled “Enhancing Data Security: The Regulators’ Perspective.”

The Senate Judiciary Committee has scheduled a markup session on the Specter-Leahy and Feinstein bills for July 21. It is expected that Judiciary Chairman Specter will merge the two bills during the markup proceedings.

NAMIC POSITION… NAMIC supports the privacy provisions contained in the Gramm-Leach-Bliley Act (GLBA) as well as the Fair Credit Reporting Act (FCRA). NAMIC believes that consumers deserve to know that the "nonpublic personal information" they submit to a financial institution, including an insurance company, will not be used in an inappropriate manner or obtained by any unauthorized person(s). However, NAMIC recognizes that, despite the best intentions and provisions contained in GLBA and FCRA, identity theft has become the fastest growing crime in the United States.

The highly publicized security breaches have led Congress to consider ways to reduce the frequency of such breaches and to ameliorate the adverse impact on those persons whose personal information has been compromised. NAMIC supports legislation that would establish a national standard for notifying consumers when a security breach has occurred and it is likely that the information will be misused. It is also important to ensure that any legislation does not create a burdensome process for either financial institutions or consumers.

Posted: Monday, July 25, 2005 12:00:00 AM. Modified: Monday, July 25, 2005 10:24:37 AM.
