Information Security Breaches: New York and New Jersey Disclosure Requirements for Financial Institutions
August 29, 2007
Andrews Privacy Litigation Reporter
Attorneys David M. Hyman and Russel D. Francisco of Wolff & Samson discuss information and security issues under state and federal law with emphasis on the Gramm-Leach-Bliley Act, New York's law on information security breaches and New Jersey's identity theft statute.
Identity theft and breach of information security have become two major business challenges in the new millennium, as vast quantities of sensitive, personal information are now vulnerable to criminal interception and misuse. Accordingly, information security and identity theft have emerged as critical issues for financial institutions and other businesses that possess customers' sensitive, personal data.
This article discusses information security issues under federal and state laws. The article briefly discusses general obligations under the Gramm-Leach-Bliley Act, the federal statute governing a financial institution's duties to safeguard customer data. The focus of the article, however, is a financial institution's obligations under the New York State Information Security Breach and Notification Act and the New Jersey Identity Theft Prevention Act, which set forth notification requirements for businesses that experience a breach in their information security.
The article also discusses emerging trends in identity theft litigation as well as pending congressional action. Finally, the article outlines best practices for businesses that wish to strengthen their information security policies and procedures.
The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, is the federal statute that governs a financial institution's retention, use and disclosure of customer records and information. 1 GLB sets forth a financial institution's privacy obligations to its customers (Section 6801) and its duties concerning the safeguarding of customers' personal information (Sections 6802-03). Section 6805 of GLB entrusts enforcement of its privacy rules to the Federal Trade Commission, which has promulgated regulations (http://www.ftc.gov/ogc/stat3.htm).
Generally, GLB prohibits disclosure of private customer records and information and prescribes "safeguarding" obligations for all financial institutions. 15 U.S.C. § 6802(a). There are specific, enumerated exceptions to the general prohibition on disclosure of private customer records and information as follows:
• When the financial institution "clearly and conspicuously discloses to the consumer" that the information may be disclosed to a non-affiliated third party, and the consumer is given an opportunity to direct that the information not be disclosed (Section 6802[b]);
• Disclosure to a non-affiliated third-party "to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services," provided that the financial institution "fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information" (Section 6802[b]);
• When disclosure is "necessary to effect, administer or enforce a transaction requested or authorized by the consumer" (Section 6802[e][A], [C]);
• When disclosure is in connection with "maintaining or servicing the consumer's account" (Section 6802[e][1][B]);
• When disclosure is "with the consent or at the direction of the consumer" (Section 6802[e]);
• "To protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction," including "required institutional risk control" (Section 6802[e]);
• To "persons holding a legal or beneficial interest relating to the consumer" or to "persons acting in a fiduciary or representative capacity on behalf of the consumer" (Section 6802[e][D], [E]);
• To "insurance rate advisory organizations" and other people or entities "assessing the institution's compliance with industry standards" (Section 6802[e]);
• To the financial institution's "attorneys, accountants and auditors" (Id.); and
• To the extent "specifically permitted or required under other provisions of law" (Section 6802[e]).
One other noteworthy exception to GLB's privacy and disclosure rules is when customer records and information are disclosed:
in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit.
15 U.S.C. § 6802(e)(7).
Assuming that the financial institution has policies and procedures in place for the safeguarding of customer records and information, the business is in compliance with GLB. Theft, loss or other unauthorized access to that information, however, is not covered by GLB or the FTC regulations. To fill the significant gaps left by GLB, states recently began enacting legislation that protects consumers whose private information has been compromised. 2
New York Statute
In December 2005, New York enacted the New York State Information Security Breach and Notification Act. For businesses, the law is codified at N.Y. Gen. Bus. Law § 899-aa. It covers two types of information:
• "Personal information": any information that, because of name, number, personal mark or other identifier, can be used to identify such natural person; and
• "Private information": any information that contains one or more of the following:
  • Social Security number;
  • Driver's license number; or
  • Account number, credit or debit card number.
N.Y. Gen. Bus. Law § 899-aa(1)(a)-(b).
Under this statute the business must disclose "any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization." N.Y. Gen. Bus. Law § 899-aa(2). 3 The notification must be made "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement." Thus, law enforcement may properly require the business to delay the notification or to restrict the information it contains. N.Y. Gen. Bus. Law § 899-aa(4).
Failure to adhere to the notice requirements of the statute subjects a business to injunctive relief and civil penalties (maximum $150,000). N.Y. Gen. Bus. Law § 899-aa(6).
Other Required Notifications
In addition to notifying customers upon compromise of the protected information, the business also must notify three state agencies: the Attorney General's Office, the Consumer Protection Board, and the New York State Office of Cyber Security & Critical Infrastructure Coordination.
A form is available online for use when notifying these New York agencies (http://www.oag.state.ny.us/consumer/tips/securitybreachReportForm.pdf). Moreover, if more than 5,000 customers are affected by the breach, the business must notify the three major consumer reporting agencies: Equifax, TransUnion and Experian (http://www.oag.state.ny.us/consumer/tips/id_theft_law.html).
New York State Sen. Charles J. Fuschillo, the Republican who introduced the bill, issued an introducer's memorandum that said the law was designed "to notify people of an unauthorized acquisition of their private information." S. 3492A, N.Y. State Introducer's Memorandum in Support, at 1 (2005). The memo cited two specific past instances in which consumers were not notified of breaches of information security. The examples involved ChoicePoint, a large personal information aggregating firm, and the DSW shoe outlet, whose customers' credit card information was stolen in 2004-05. Id. at 2.
The focus of the New York statute is the protection of source material, the places from which personal information may be obtained. Fuschillo's memo states:
Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports and Internet Web sites are all sources of personal information and form the source material for identity thieves.
Fuschillo then takes a harsh tone toward failure to notify customers:
If a ... business which possesses people's personal information and which is hacked does not notify people of the security breach, people will not be able to take the steps necessary to protect themselves from identity theft and similar offenses.
Id. at 2-3.
He also notes the following, without further explanation:
This bill is not meant to target firms that simply provide the instantaneous means of transmission for information. Nor does this bill place undue burden on those that have no ownership, license or maintenance abilities regarding personal or private information.
Id. at 3.
The legislative history of the Information Security Breach and Notification Act expressly states that the law is based on a California statute passed in 2003. Id. at 3. New York's version is lifted nearly verbatim from California's. New York, however, provides greater protection. 4
New Jersey Statute
New Jersey enacted the Identity Theft Prevention Act, N.J. Stat. Ann. § 56:8-163, in January 2006. The law generally provides the same notification requirements as New York's statute. Specifically, financial institutions in New Jersey must notify customers when it is discovered that the confidentiality or security of the customers' nonpublic personal information has been "compromised in any way." 5
Significantly, the New Jersey act, unlike New York's, requires that the financial institution "reimburse the consumer for any losses the consumer incurred as a result of the compromise of the security or confidentiality of such information and any misuse of such information," including fees the customer incurred in taking corrective actions.
Other Required Notifications
New Jersey additionally requires businesses to notify State Police of any breach in information security. N.J. Stat. Ann. § 56:8-163(c)(1).
Who Must Notify Customers
New York Law
Section 3 of New York's identity theft statute says:
Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
N.Y. Gen. Bus. Law § 899-aa(3).
If a financial institution does not own the stolen data, but rather is a safe-keeper of the data, its sole obligation under the statute is to notify the owners of the breach. Upon such notification, the owners' affirmative duty to notify their customers is triggered under the statute:
Any person or business which conducts business in New York state and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
N.Y. Gen. Bus. Law § 899-aa(2).
New Jersey Law
New Jersey's identity theft statute is even more direct:
Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.
N.J. Stat. Ann. § 56:8-163(b).
As of July, 36 states (including New York and New Jersey) had passed identity theft statutes protecting consumers. The National Conference of State Legislatures maintains a Web site that collects and provides links to all enacted legislation nationwide regarding information security and identity theft:
• 2007 Legislation: http://www.ncsl.org/programs/lis/privacy/IDTheft2007.htm
• 2006 Legislation: http://www.ncsl.org/programs/lis/privacy/IDTheft2006.htm
• 2005 Legislation: http://www.ncsl.org/programs/lis/privacy/IDTheft2005.htm
• 2002-04 Legislation: http://www.ncsl.org/programs/lis/privacy/idt-legis.htm
Introduced Federal Legislation
In May, the Senate Judiciary Committee approved two competing bills, S. 495 and S. 239, that would require businesses to notify individuals if their personal data is breached. BNA Privacy & Sec. Law Rep., Vol. 6, No. 19, at 739 (May 7, 2007). Vermont Democrat Patrick Leahy and Republican Arlen Specter of Pennsylvania are co-sponsoring S. 495, a comprehensive data breach notification law that includes criminal penalties. Id. at 739-40. California Democrat Dianne Feinstein is sponsoring S. 239, a streamlined bill whose consumer notification provisions are identical to those of S. 495 but which does not address criminal penalties.
Both bills provide "tough civil penalties against companies that fail to safeguard sensitive consumer data or provide breach notice" of "up to $1,000 per individual per day of violation, capped at $1 million" per individual, "unless willful or intentional conduct is involved." Id. at 739.
The main focus of the debate will be the "risk of harm threshold that places limits on when notification is required." Id. In other words, Congress is debating the standard that will dictate when a business must provide notification and when notification is not required. If either bill is passed, the law would preempt all 36 state data breach notification laws that have been enacted nationwide. Id.
Best Practices for Businesses
The Federal Trade Commission, which is charged with the enforcement of GLB, gives businesses general guidance on how to properly notify customers of any compromise of their personal information (http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.pdf). The information includes a useful form letter.
The following is an informal checklist of steps a business should take when facing a breach emergency:
• Ascertain the number of customers affected.
  • May be required to inform credit bureaus of unauthorized access (e.g., New York).
  • May have to advise customers to issue fraud alerts.
• Make contact with the law enforcement agency investigating the theft.
  • Make sure law enforcement is aware of the identity theft component of the crime.
  • Ascertain whether law enforcement wants to delay customer notification.
  • Determine what information should and should not be included in the notice, consistent with the needs of the criminal investigation.
• Notify any other affected businesses.
• Designate contact/point persons within the company.
• Set up a call center.
  • Prepare talking points.
• Set up a Web page.
• Send a notice letter to customers. Consider including the following:
  • A clear description of what the company knows, including all known details (consistent with the needs of law enforcement).
  • A description of the actions taken to remedy the breach.
  • A phone number and/or Web site address.
  • Additional actions customers can take to protect themselves:
    • Provide phone numbers and Web addresses.
    • Educate customers about identity theft.
  • A law enforcement contact, if acceptable to law enforcement.
Contents of Notice
New York businesses have some flexibility regarding what to disclose about the details of the breach of security. New York's statute requires only the following information to be included in the notice to customers:
Regardless of the method by which notice is provided, such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.
N.Y. Gen. Bus. Law § 899-aa(7) (Exhibit A).
New Jersey's statute is silent on the contents of the notification letter.
The guidelines provided by the FTC regarding the contents of the notice letter, which, among other things, advise businesses to provide all known details about the breach, are recommendations only. Indeed, the agency's Web site states that businesses should "check federal and state laws or regulations for any specific requirements."
At this time, there is limited -- but steadily growing -- case law nationwide concerning a financial institution's exposure to liability as a result of compromised personal information. As one New York court noted:
With the emergence of identity theft as one of this country's growing concerns, this court is required to address what promises to be a new area of law, namely the duties and responsibilities incidental to the safeguarding of confidential personal information, and more particularly, whether liability may attach to an entity that fails to safeguard personal and confidential information.
Daly v. Metro. Life Ins. Co., 4 Misc. 3d 887, 888 (N.Y. Sup. Ct., New York County 2004).
In the handful of relevant cases, however, liability does not easily attach to a business entity charged with failing to safeguard personal information. See Jones v. Commerce Bank N.A., 2007 WL 672091 (S.D.N.Y. Mar. 6, 2007); Giordano v. Wachovia Sec., 2006 WL 2177036 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank N.A., 420 F. Supp. 2d 1018, 1019 (D. Minn. 2006); Guin v. Brazos Higher Educ. Serv. Corp., 2006 WL 288483, *1 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, 2005 WL 2465906, *1 (D. Ariz. Sept. 6, 2005).
The surviving causes of action in these cases generally sound in negligence, breach of contract and breach of fiduciary duty, 6 but most do not survive summary judgment because the plaintiffs are found to lack proof of injury, or, even if they have suffered an injury, the plaintiffs cannot adequately demonstrate that their injury was proximately caused by the defendant's failure to safeguard the confidential information. Significantly, a number of these cases overcame initial motions to dismiss and proceeded to discovery, but the vast majority did not survive at the summary judgment stage.
A recent decision from the New Jersey federal court, Giordano v. Wachovia Securities, involved a financial institution, Wachovia Securities, that lost a report in the mail containing personal customer data. Wachovia learned that the package containing the report "was damaged during shipment and, pursuant to the carrier's [UPS'] procedures, was destroyed." Id. at *1. Wachovia further informed its customers that there was "no evidence of theft" of the report and that there was no evidence that the "report has been obtained by a third party." Id.
The plaintiff nevertheless filed a class-action lawsuit against Wachovia and UPS, alleging negligence, invasion of privacy and breach of the duty of confidentiality. Id. at *2. Without reaching any of the merits of the case, the court dismissed the suit, finding that the plaintiff lacked standing:
The court concludes that plaintiff lacks constitutional standing to bring this action because plaintiff has failed to allege that she suffered an injury-in-fact that was either "actual or imminent." Plaintiff's allegations that, as a result of Wachovia's actions, she will incur costs associated with obtaining credit monitoring services in order to prevent identity theft simply does not rise to the level of creating a concrete and particularized injury. Plaintiff's claims, at best, are speculative and hypothetical future injuries. A complaint alleging the mere potential for an injury does not satisfy plaintiff's burden to prove standing.
Id. at *4 (emphasis added).
Similarly, in Forbes v. Wells Fargo Bank, computers containing personal information of Wells Fargo customers were stolen from the offices of Regulus, a service provider hired by Wells Fargo to generate monthly statements for the bank's customers. 420 F. Supp. 2d at 1019. After the computers were stolen, Wells Fargo notified all potentially affected customers of the theft and offered them services relating to identity theft protection. Id.
After receiving this notice, and although there had been no indication that the information on the computers had been accessed or used, plaintiffs brought suit against Wells Fargo for breach of contract, breach of fiduciary duty and negligence. They based their suit on the theory that Wells Fargo negligently allowed Regulus to keep customers' private information without adequate security.
The Minnesota federal court granted Wells Fargo's motion for summary judgment, saying: "A plaintiff may recover damages for an increased risk of harm in the future if such risk results from a present injury and indicates a reasonably certain future harm. Alone, however, the threat of future harm, not yet realized, will not satisfy the damage requirement." Id. at 1020 (internal citations omitted) (emphasis added).
Though the plaintiffs alleged that they spent time and money monitoring their credit, the court found that "their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized. In other words, the plaintiffs' injuries are solely the result of a perceived risk of future harm." Id. at 1021.
In Guin v. Brazos Higher Education Service Corp., the plaintiff alleged that the student loan servicing firm negligently permitted an employee to keep personal information on a laptop that was subsequently stolen from the employee's home office. 2006 WL 288483, *1. The laptop contained personal customer data, but it was impossible to determine which customers' information was saved on the hard drive when the laptop was stolen. Id. at *1.
Accordingly, Brazos gave notice to all its 550,000 customers that some of their personal information "may have been inappropriately accessed by the third party." Id. at *2. After receiving this notice, and without any proof that his personal information had been misappropriated, the plaintiff, who had acquired a loan through Brazos, filed an action against the company for negligence. Id. at *3.
In determining whether there had been a breach of duty, the parties agreed that GLB established a duty for Brazos to protect the security and confidentiality of customers' personal information. 7 Id. However, the court held that Brazos did not fail to comply with GLB because the statute does not prohibit working with sensitive data on a home office computer. Id. at *4.
Next, noting that "a plaintiff must suffer some actual loss or damage in order to bring an action for negligence" and that "the threat of future harm not yet realized will not satisfy the damage requirement," the court found that the plaintiff failed to prove injury. Id. at *5. Since the plaintiff was unable to show that his information was actually on the laptop when it was stolen or that his personal information was accessed by the burglars or was "transferred, possessed, or used with the intent to commit, aid or abet any unlawful activity," the court held that he failed to show that he was a victim of identity theft or sustained any other injury. Id. at *6.
The trend of dismissals based upon the above principles continues in the most recent decisions. See Kahle v. Litton Loan Servicing, 2007 WL 1461790, *7 (S.D. Ohio May 16, 2007) (granting summary judgment to defendant because "any injury of plaintiff is purely speculative"); Randolph v. ING Life Ins. & Annuity Co., 2007 WL 565872, *5 (D.D.C. Feb. 20, 2007) (granting defendant's motion to dismiss and stating that plaintiffs' "allegation that they have incurred or will incur costs in an attempt to protect themselves against their alleged increased risk of identity theft fails to demonstrate an injury that is sufficiently 'concrete and particularized' and 'actual or imminent'"); Bell v. Acxiom Corp., 2006 WL 2850042, *2 (E.D. Ark. Oct. 3, 2006) ("Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement."); Key v. DSW Inc., 2006 WL 2794930, *1 (S.D. Ohio Sept. 27, 2006) ("Plaintiff has failed to allege that she has suffered an injury-in-fact and therefore has not met the constitutional requirements for standing.").
No Proximate Causation
Even in cases where a plaintiff has been able to prove an actual injury, summary judgment has been granted where the plaintiff is not able to prove proximate causation. For example, in Jones v. Commerce Bank, the plaintiff, who held a checking account at Commerce Bank, was the victim of identity theft. 2007 WL 672091, *1. Specifically, the plaintiff discovered that $1,860 was withdrawn from her account and transferred to another account that was fraudulently opened in her name. Id. After investigating the incident, Commerce credited the $1,860 back into the plaintiff's account. Id.
The plaintiff then sued Commerce for negligence, breach of fiduciary duty, intentional and negligent infliction of emotional distress, commercial bad faith, consumer fraud, and breach of contract. Id. The court granted Commerce's motion to dismiss the claims of negligence, breach of fiduciary duty and breach of contract. However, discovery proceeded on the remainder of plaintiff's claims. Id. At the conclusion of discovery, the court granted Commerce's motion for summary judgment as a result of the plaintiff's failure to prove proximate cause, and the judge denied the plaintiff's motion to reconsider the ruling:
However, even assuming arguendo that Commerce owed plaintiff a duty, plaintiff must show evidence of causation -- i.e., that Commerce's breach of that duty proximately caused plaintiff's injuries. It was the theft of plaintiff's identity by unidentified individuals, in an unknown manner, that caused plaintiff's injuries, not four unauthorized withdrawals that were soon rectified. I granted summary judgment to defendant because plaintiff could not, on the evidence presented, establish the element of causation.
Id. at *3 (internal quotation marks and citations omitted) (emphasis added).
The court also rejected plaintiff's de facto res ipsa loquitur theory:
Plaintiff avers, in essence, that Commerce must have committed a negligent breach of duty because the combination of personal information used to fraudulently attain a check from plaintiff's insurance company was only possessed by Commerce, and no other institutions or entities. However, it cannot be said that the identity theft here is an event that "ordinarily does not occur in the absence of someone's negligence," just as it cannot be generally said that criminal activity requires some prior negligence to succeed. The thieves might well have stolen plaintiff's information without any negligence on the part of Commerce. Additionally, it does not appear that the information that allegedly establishes res ipsa loquitur was in the exclusive control of Commerce. In short, the facts of this case do not establish a viable argument for res ipsa loquitur sufficient to overcome the lack of evidence of causation on the part of Commerce.
Id. at *4 (emphasis added).
In Stollenwerk v. Tri-West Healthcare Alliance, the office of Tri-West, a company managing a health insurance program, was burglarized, and computer hard drives containing Mark Brandt's personal information were stolen. 2005 WL 2465906, *1. Soon thereafter, his personal information was used to open unauthorized credit accounts in his name. Brandt and two other people whose information was on the hard drives, Michael Stollenwerk and Andrea