A Scarlet Letter for Your Company

15 April 2006

Co-authored by Tate Stickles

Today's nightmare. You maintain a database of your customer information on your computer. (Who doesn't?) Your system gets "breached" by a bad guy. You get sued. Ouch.

Let's start by clarifying "breach." By "breach," I mean a break-in by either your own employees because your security has some weaknesses or because of a simple accident (ever send an email to the wrong person?), or by the real bad guys—hackers. Today, lax database security can result in you having to announce to the world that you have poor database security and that you can't protect your customers' personal information. Double ouch.

A database security breach is commonly defined as (take a deep breath): an unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained in a database. Personal information is the usual kind of stuff we don't want other people to have, such as social security number, driver's license numbers, and bank and other financial account numbers.

Back in the early days of the Internet, folks rarely mentioned database security breaches in polite conversation. Occasionally, news of one would leak out, but for the most part breaches were either ignored or kept quiet by companies embarrassed by them. Of course, the concern was that if the public found out about a breach, it would be bad for business, and it was often cheaper to pay the money to fix the problem.

However, a few years ago, people starting paying more attention to database security breaches. They moved from being mere Internet stories you heard from a friend of a friend into becoming a major security issue for companies.

Things radically changed when California passed the country's first database security law. As with a lot of computer issues, California was the first state to identity an emerging computer or Internet problem and take action. California's law created a kind of scarlet letter for a company that had a security breach because of the law's public notice requirements.

Under the California law, companies are required to notify California residents if their computer systems are compromised and personal information disclosed. This notice requirement has become kind of a defacto national disclosure requirement as companies adopt it as a best practice nationwide.

A company named ChoicePoint became the unfortunate poster child of database security when they notified California residents of a breach early last year. California could not have chosen a better company to publicize the new law given ChoicePoint's line of business.

ChoicePoint is a commercial data broker--a company that sells information collected from a large number of databases to insurance companies, direct marketers, and anyone else willing to pay for it. Their sources include databases containing insurance claims histories, motor vehicle records, police records, credit information, background screenings, public records, and vital records, just to name a few.

Think of their file on you as your credit report on steroids. Next to God and your spouse, companies like ChoicePoint know more about you than anybody else, i.e., your mother calls them to find out what's new in your life.

You can see the problem with collecting so much personal information about people in one place. Like a bank, companies like ChoicePoint are being targeted by criminals for the information collected in these giant databases. ChoicePoint was only the first of a number of news stories relating to database breaches that hit the news last year. Coupled with the exploding coverage of the crime of identity theft, these stories have dominated the technology law headlines.

The most common stories have involved hackers either directly hacking into a system to get at the personal information stored there, or using malware and viruses to have personal information sent directly to them. Other stories have involved dishonest insiders releasing information to outsiders, often for a fee.

Still, not all database security breaches are criminal. Some have been simply caused by unauthorized employees accessing systems they should not be able to get into, or by other simple human error. Desktop and laptop computers and servers containing unencrypted sensitive data have been lost or stolen, and shipped computer backup tapes have been lost in transit.

Regardless of the source of the security breach, the numbers since the beginning of 2005 are staggering. Privacywatch.org estimates that over 54 million Americans have had their personal information compromised. That's ugly. With the media digging their teeth into the story, the politicians have finally responded. Following California's lead, almost thirty states have passed database privacy laws, including Florida.

Last year, Florida moved to fight identity theft and provide Florida residents with notice that they might be at risk due to breach in a company's database security. The database security portion of Florida's new law became a new section 817.5681 in the Florida Statutes. Florida's law became effective July 1, 2005.

Florida's law requires anyone conducting business in Florida with a database of personal information to provide Florida residents with notice of any breach of security of the database in certain situations. Notice is required when the personal information was not encrypted, and is at least reasonably believed to have been acquired by someone unauthorized to have such personal information.

"Personal information" is defined by Florida's law as a person's name in combination with one or more of the following: social security number, driver's license or Florida Identification Card number, and a financial account number in combination with any required security code providing access to a person's financial account. While the law does allow time for a company to investigate alleged database breaches, notification has to be made without "unreasonable" delay. While defining what qualifies as an unreasonable delay keeps lawyers in business, don't think that this ambiguity gets you off the hook. The law gives you 45 days in most cases. However, the notice requirement may be delayed should law enforcement request a delay if such notice may impede a criminal investigation.

The law also gives you a choice of notice options. You could provide written notice to every Florida resident, but the cost of stamps could make this option rather expensive. You can provide electronic notice provided such electronic notice conforms to certain requirements.

You could also provide substitute notice, but his type of notice is most likely to result in the worst publicity for your company.

You can use substitute notice only if you can show the cost of providing notice of your breach to Florida residents will exceed $250,000, you have to notify more than 500,000 people, or if a person does not have sufficient contact information.

If you are allowed to use substitute notice, you have to notify Florida residents by email (if possible), post a notice about your breach on your website (that scarlet letter thing again), and notify the major statewide media. That's right, the Miami Herald, Daily Business Review, and other newspapers, radio, and TV stations have to be told. If you use substitute notice, you had better hope for other major news that day so that you end up on page 27.

Failure to provide Florida residents with notice of your breach subjects you to various fines up to a maximum of $500,000. Keep in mind that the maximum is per breach, so if you get hit more than once, it's up to $500,000 for each hit. Triple ouch.

There are other variations and quirks to Florida's law, so if you think you have suffered a database security breach, please consult your technology attorney as soon as possible.

These database security laws are not going to go away. In fact, efforts are already underway to push a national law through Congress that would standardize the database security laws being passed in different forms by the states.

Until we have a national law, complying with database security laws is going to be a headache. Your best defense is still to protect the personal information you collect at all costs.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at: www.DeWittGrossman.com.

If you have any comments, please send them to MGrossman@DeWittGrossman.com.

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.