Western Independent Banker - January/February 2008 - (Page 17)

By Lisa King

Understanding Data Breach Notification Laws
Answers on State Law Questions and the Impact of Non-Compliance

California's Notice of Security Breach Law (Cal. Civil Code 1798.29), enacted in 2002, serves as the benchmark for identity data breach legislation in the U.S. Since then, 40 states have enacted legislation requiring banks, other companies and state agencies to disclose security breaches involving personal information. Although there are clear variations among the states' breach notification laws, they all share some basic commonalities.

Encryption is a key factor in determining whether a data breach must be communicated to customers. If your bank suffers a breach and the customer information was not encrypted, or you suspect the data may have been leaked, you have a responsibility to notify the customers who may have been affected. If the data is leaked but the personal information was encrypted, however, most state breach notification laws exempt your bank from notifying customers.

Data in transit is commonly encrypted. The proposed federal Data Accountability and Trust Act would also require encryption of data at rest, that is, data that is simply being stored, such as within a database. It is just as critical to encrypt stored information as it is to encrypt data being transmitted.

Additionally, you are responsible for notifying customers of potential data breaches if you have customers in a regulated state, regardless of where your bank is located. For example, if you are located in New Mexico (which currently has no breach notification law) but also have customers in Arizona (a state with a breach notification law), you must notify those customers in Arizona. If you can demonstrate that your customers' data was not compromised, you do not have to notify at all. When customers must be notified, and the penalties for non-compliance, also vary from state to state.

A state-by-state summary of identity data breach notification laws, compiled by the Dallas law firm Scott & Scott LLP, can be found at www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf. It outlines: the states that require customer notification of data breaches; the time period within which customers must be notified; and exemptions for encrypted personal information, criminal investigations, publicly available information and immaterial information.

Financial Repercussions of Data Breaches

Failure to adhere to data breach laws can result in large fines being levied against your bank. Consider the lesson learned by ChoicePoint, a consumer data broker that suffered an enormous security breach in 2004 because of its security and record-handling procedures. More than 163,000 consumers were compromised. ChoicePoint settled Federal Trade Commission charges by paying $10 million in civil penalties and another $5 million in "consumer redress," funds set aside to make reparations to consumers who were negatively affected by the breach.

Recovery can also be costly, a lesson learned by TJX Companies, the retailer that operates T.J. Maxx and Marshalls. After the company discovered a major customer data breach in December 2006, in which 94 million accounts were compromised, it took an after-tax charge of $118 million in Q2 2007 to cover current and potential costs arising from the breach. According to estimates by Gartner, Inc., TJX will have spent $125 million pre-tax on security improvements, both before and after the breach, in addition to the costs TJX has already incurred for current and future legal costs and consulting fees.

Proactive Measures for Protecting Data

According to a study by the U.S. Secret Service and CERT (Computer Emergency Readiness Team), 78 percent of network attacks are committed by insiders, as was the case in the 2005 bank security breach in which employees of Bank of America, Wachovia, Commerce Bancorp and PNC Financial Services Group illegally sold account information, affecting 676,000 customers.
