Western Independent Banker - January/February 2008 - (Page 17)

Understanding Data Breach Notification Laws
Answers on State Law Questions and the Impact of Non-Compliance
By Lisa King

California's Notice of Security Breach Law (Cal. Civil Code 1798.29), enacted in 2002, serves as the benchmark for identity data breach legislation in the U.S. Since then, 40 states have enacted legislation requiring banks, other companies and state agencies to disclose security breaches involving personal information. Although there are clear variations among the states' breach notification laws, they all share some basic commonalities.

Encryption is a key factor in determining whether a data breach must be communicated to customers. If your bank encounters a breach in which customer information was not encrypted, or you suspect that the data may have been leaked, you have a responsibility to notify the customers who may have been affected. However, if the data was leaked but the personal information was encrypted, most state breach notification laws exempt your bank from notifying customers. Treat that exemption as available only when the encryption actually protected the data: if the decryption key was stored alongside the records or was acquired in the same incident, ciphertext is no better than plaintext and the information should be handled as exposed.

Data in transit is commonly encrypted. The proposed federal Data Accountability and Trust Act would also require encryption of data at rest, that is, data that is simply being stored, such as within a database. It is just as critical to encrypt stored information as it is to encrypt data being transmitted.

Additionally, you are responsible for notifying customers of potential data breaches if you have customers in a state with a notification law, regardless of where your bank is located. Therefore, if you are located in New Mexico (which currently does not have a breach notification law) but you also have customers in Arizona (a state with a breach notification law), you must notify those customers in Arizona. If you can demonstrate that your customers' data was not compromised, then you do not have to notify at all. When customers must be notified, and the penalties for non-compliance, also vary from state to state.
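The encryption-at-rest point above is usually implemented as field-level encryption inside the application, so that a dumped table or a stolen backup yields only ciphertext. The following Go program is an added illustration written for this page, not code from the article or from any bank's systems; it assumes a single 256-bit AES-GCM key that is generated here for demonstration but would in practice be held in an HSM or key-management service, never in the same database or backup as the rows it protects. The `CustomerRow` type, the sample account number and the customer name are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// CustomerRow is a constructed stand-in for one row of a customer table.
// Only the sensitive field is stored as ciphertext; non-sensitive columns
// stay in clear so the application can still query on them.
type CustomerRow struct {
	ID        int
	Name      string
	AccountCT []byte // nonce || AES-GCM ciphertext+tag of the account number
}

// NewKey returns a random 256-bit AES key. Assumption for this example only:
// in a real deployment the key comes from an HSM or key-management service
// and is never written next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one plaintext field under key with AES-GCM. A fresh
// random 96-bit nonce is generated per call and prepended to the output so
// the stored value is self-describing for decryption. GCM also produces an
// authentication tag, so any later modification of the stored bytes is detected.
func EncryptField(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptField reverses EncryptField. It returns an error rather than garbage
// when the key is wrong or the stored bytes were tampered with.
func DecryptField(key, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value shorter than nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample account number; never a real one.
	ct, err := EncryptField(key, []byte("1234567890"))
	if err != nil {
		panic(err)
	}
	row := CustomerRow{ID: 1, Name: "J. Doe", AccountCT: ct}

	// What an attacker sees in a dumped table or stolen backup: only ciphertext.
	fmt.Printf("row %d %s account=%s\n", row.ID, row.Name, hex.EncodeToString(row.AccountCT))

	pt, err := DecryptField(key, row.AccountCT)
	fmt.Printf("decrypted with correct key: %s (err=%v)\n", pt, err)

	wrongKey, _ := NewKey()
	_, err = DecryptField(wrongKey, row.AccountCT)
	fmt.Printf("decrypted with wrong key: err=%v\n", err)
}
```

The design choice that matters for the notification exemption is the key's location: the ciphertext column is only "encrypted" in the sense the statutes intend if the key cannot be obtained from the same place as the data. Storing the key in a config file on the database host, or in the same backup set, defeats the purpose.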
A state-by-state summary of identity data breach notification laws, compiled by the Dallas law firm of Scott & Scott LLP, can be found at: www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf. It outlines: the states that require customer notification of data breaches; the time period within which customers must be notified; and exemptions for encrypted personal information, criminal investigations, publicly available information and immaterial information.

Financial Repercussions of Data Breaches

Failure to adhere to data breach laws can result in large fines being levied against your bank. Consider the lesson learned from ChoicePoint, a consumer data broker that suffered an enormous security breach in 2004 traced to inadequate customer-screening and record-handling procedures. The personal information of more than 163,000 consumers was compromised. ChoicePoint settled Federal Trade Commission charges by paying $10 million in civil penalties and another $5 million in "consumer redress," funds set aside to compensate consumers who were harmed by the breach.

Recovery can also be costly, a lesson learned by TJX Companies, the retailer that operates T.J. Maxx and Marshalls. After the company discovered a major customer data breach in December 2006, with an estimated 94 million accounts compromised, it took an after-tax charge of $118 million in its second fiscal quarter of 2007 to cover current and potential costs arising from the breach. According to estimates by Gartner, Inc., TJX will have spent $125 million pre-tax on security improvements, both before and after the breach, in addition to the costs TJX has already incurred for current and future legal fees and consulting fees.

Proactive Measures for Protecting Data
According to a study by the U.S. Secret Service and the CERT program at Carnegie Mellon University's Software Engineering Institute, 78 percent of network attacks are committed by insiders (as was the case in the 2005 bank security breach involving employees of Bank of America, Wachovia, Commerce Bancorp and PNC Financial Services Group who illegally sold account information, affecting 676,000 customers).