Massachusetts Information Security Regulations Take Effect on March 1, 2010

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010.  The regulations apply to entities that own or license personal information about Massachusetts residents.  “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

The regulations require entities to develop, implement and maintain a written, risk-based information security program that takes into account the entity’s size, nature of its business, types of records it maintains and the risk of identity theft posed by the entity’s operations.  Also set out in the regulations are numerous administrative, technical and physical safeguards that the required information security program must include. 

Finally, the regulations require covered entities to take steps to select and retain service providers that are capable of appropriately safeguarding personal information.  Covered entities must contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements; provided, however, that service provider contracts entered into no later than March 1, 2010, are exempt from complying with this requirement until March 1, 2012.

To read more about compliance with the new regulations, please see our Client Alerts (from February 2009 and from September 2008) and our previous blog posts.

Connecticut Attorney General Investigation Sheds Light on Meaning of "Unreasonable Delay" in Data Breach Context

On November 9, 2009, Connecticut’s Attorney General, Richard Blumenthal, announced an investigation of whether Blue Cross and Blue Shield (“BCBS”) violated Connecticut’s data breach notification law by waiting until two months after a data breach had occurred to notify affected Connecticut residents.  The data breach, which Attorney General Blumenthal called “one of the most sizable and significant in Connecticut’s history,” involved the theft of a laptop containing confidential unencrypted data from the car of a BCBS employee in late August.  BCBS notified affected Connecticut residents of the breach in late October.

The data contained on the stolen laptop included the names, addresses and Taxpayer Identification Numbers of approximately 19,000 health care providers in Connecticut.  The breach also involved thousands of Social Security numbers (“SSNs”), since an estimated 16-22% of individual health care providers use their SSNs as Taxpayer Identification Numbers.  BCBS confirmed that the breach did not involve any medical information or patient information.

Connecticut’s data breach notification law requires any person who “conducts business in” Connecticut and who “owns, licenses or maintains computerized data that includes personal information” to disclose any breach of security to affected Connecticut residents “without unreasonable delay.”  Attorney General Blumenthal is requesting more details from BCBS about the breach, including a list of impacted health care providers, the credit monitoring services and other protections that BCBS is offering those providers, as well as BCBS’s policies and procedures for responding to data breaches.  He noted that failure to comply with Connecticut’s data breach notification law constitutes an unfair trade practice that may subject BCBS to fines of up to $5,000 for each Connecticut resident affected by the breach and require BCBS to provide restitution to those affected residents.

Data Breach: Identity Theft Risk Insufficient to Support Claims

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).

Ruiz did not experience identity theft, but he claimed that the increased risk of identity theft supported his claims.  With respect to the negligence claim, the Complaint stated, “Plaintiff and the Class have suffered damages; they have spent and will continue to spend time and/or money in the future to protect themselves as a result of Defendants' conduct,” and the contract claim was supported with nearly identical language.  Defendants moved for summary judgment.

On the issue of standing, the court held that the increased risk of identity theft indeed constituted “an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical” and that Ruiz met the basic threshold to bring a case in federal court.  Unfortunately for the plaintiff, merely stepping through the proverbial courthouse door is not enough to win a case, and he did not get much further than that.

Dismissing the negligence claim, the court noted that Gap had already offered one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable, nonspeculative, present harm [that] is an essential element of a negligence cause of action” under California law.

The contract claim suffered the same fate, as the Court explained that “a breach of contract claim requires a showing of appreciable and actual damage,” and “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft … .”  Ruiz argued that the costs he independently paid for credit monitoring are compensable because they constitute his attempt to mitigate damages, but the court held that “Ruiz has no actual damages to mitigate since he has never been a victim of identity theft.”

Judgment was entered for the defendants.

New Jersey Publishes Pre-Proposal of Rules Protecting Personal Information

The New Jersey Division of Consumer Affairs has published a pre-proposal of rules relating to the protection of personal information (“PPR”) and is accepting comments on the PPR until February 13, 2009, after which it will formally propose rules. The PPR comes nearly a year after the state withdrew earlier proposed rules (the “Original Proposal”) that drew fire from the business community for the burdens they would have imposed. Among other obligations, the PPR would (i) require implementation of a comprehensive written security program; (ii) impose security breach response requirements (including new breach-notification procedures); and (iii) alter existing record disposal obligations.

New York Enacts Law Restricting SSN Use

New York State recently enacted legislation restricting the use of Social Security numbers (“SSNs”) by employers. The legislation takes effect on January 3, 2009.

Restrictions on the Use of SSNs

At present, the New York Social Security Number Protection Law prohibits a business from (i) intentionally communicating an SSN to the general public; (ii) printing an SSN on any card or tag required for the individual to access products, services or benefits provided by the business; (iii) requiring an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted; or (iv) requiring an individual to use his or her SSN to access an Internet website, unless a password or unique personal ID number or authentication device is also required.

This law defines an SSN very broadly as any number derived from an SSN. Accordingly, even the last four digits of an SSN are subject to the above-mentioned prohibitions. The newly enacted New York legislation amends existing law by including an additional prohibition on the use of SSNs. Specifically, businesses must refrain from encoding or embedding an SSN in a card or document (such as in a bar code, chip or magnetic strip).

Restrictions on Employers’ Use of SSNs

The new legislation also amends New York’s labor law by restricting employers’ use of employee SSNs. Notably, employers are prohibited, except as required by federal or state law, from (i) publicly posting or displaying an SSN; (ii) visibly printing an SSN on any identification badge or card, including a time card; or (iii) placing an SSN in files with unrestricted access. As a result of the new law, businesses must verify that employee SSNs are being stored in a secure manner so as to prevent unauthorized access.

We Can Help

In addition to New York, a majority of states have enacted laws aimed at protecting personal information such as SSNs. Hunton & Williams’ Privacy and Information Management practice assists clients in complying with the myriad federal and state privacy and information security laws. If you would like assistance in reviewing how your organization handles and secures personal information, please contact us.