Security & Surveillance

Data Breach Notification and Cybersecurity Standards in the U.S. and E.U.

Jonathan P. Armstrong, Eversheds LLP, Leeds and Bruce A. Heiman, Preston Gates Ellis & Rouvelas Meeds LLP, Washington D.C.

Reprinted from the December 2005 issue of BNA International's World Internet Law Report
By Jonathan P. Armstrong, an Associate in the Leeds office of Eversheds LLP, and Bruce A. Heiman, a Partner with Preston Gates Ellis & Rouvelas Meeds LLP, Washington D.C. The authors may be contacted at tel. (+44) (0)113 200 4658, jonathanarmstrong@eversheds.com; and tel. (+1) 202 662 8435, bruceh@prestongates.com, respectively.

The issues surrounding security breach have been prominent in both the United States and the European Union during the latter half of 2005 and already there are signs that 2006 may become "the year of the security breach". There is a contrasting approach to regulation in this area on each side of the Atlantic. In the United States, a significant number of states have enacted, or are proposing, legislation mandating the reporting of security breaches, following the model of legislation first enacted in California. There also are a number of pending federal bills. A survey by Eversheds LLP this year of more than 25 European jurisdictions revealed that in Europe there are as yet no direct equivalents of the Californian legislation, either at an E.U. level or a domestic level. This article shows the current position in the United States and the contrasting approach in Europe.

Legal Requirements in the United States

California's Breach Notification Law: S.B. 1386

In April 2002, a California state government data centre processing payroll information suffered a security breach, resulting in the disclosure of confidential information including names, social security numbers, and payroll information of over 250,000 state employees. Prompted by outrage over this incident, the California legislature quickly passed, and then Governor Davis signed, S.B. 1386.[1] The law was the first of its kind in the country, and took effect on July 1, 2003.

The new law required anyone conducting business in California to promptly notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, disclosed to an unauthorised person as a result of a breach of their computer system. The law covers all sizes and types of businesses, with no exemptions for small businesses or non-profit organisations. Moreover, the law covers all companies "conducting business in California", not just California corporations or other entities registered with the state. It is possible that activity as minimal as having a few employees in the state could subject a company to its requirements. In addition, on its face the law applies to a company doing business in California even if the personal information is stored on data servers in other states.

The law applies to those who "own or license" electronic personal information, defined as an individual's first name, or first initial and last name, in combination with one or more of the following:

■ social security number;

■ drivers licence number or California Identification Card number; or

■ account number, credit card or debit card number in combination with any password that would permit access to an individual's financial account.

Notification must occur quickly using one of a variety of specified means. The content of the notice is not specified. Injured customers may bring a civil suit for damages and a business may be enjoined. Some key points about S.B. 1386 are set out below.

What Triggers the Notice Requirement?

Notice is required whenever there is a cybersecurity breach and the knowledge or reasonable belief that unencrypted personal information was in fact disclosed to an unauthorised person. If a system is breached, but the person or business is confident that no information was disclosed, then no notification is necessary. Also, the bill specifically states that:

"Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure".

When Must Notification be Made?

After learning of an incident ("following discovery or notification"), notification is supposed to occur as quickly as possible, consistent with determining the scope of the breach, stopping further disclosures, and cooperating with any law enforcement agency investigation.

How Must Notification be Provided?

The statute states that notice may be provided either by written notice or by electronic notice, if the electronic notice is consistent with the federal Electronic Signatures in Global and National Commerce Act of 2000 (known as "E-SIGN"). Alternatively, the business may opt to provide "substitute notice" if it can show that the cost of providing notice in one of these two manners would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that insufficient contact information is available. Substitute notice requires that the business notify its customers by doing all of the following:

■ e-mailing notice when it has an e-mail address for affected persons;

■ conspicuously posting the notice on its website (if it maintains one); and

■ notifying major statewide media.[2]