This article is reprinted from TEQ Magazine, a publication of the Pittsburgh Technology Council.
In the last issue of TEQ we discussed the alarming rise in identity theft occurrences in the U.S. business community. In particular, we looked at the situation involving ChoicePoint and the Federal Trade Commission's enforcement action as a result of the FTC's view that ChoicePoint did not adequately protect consumer information. In this issue, we will focus on Pennsylvania's and New Jersey's different legislative reactions to the problem. We will also suggest some practical steps that businesses can take to prevent identity theft claims.
Pennsylvania: The Breach of Personal Information Notification Act
Like the FTC, the Commonwealth of Pennsylvania has joined the fight to protect consumers whose information has been compromised. On December 22, 2005, Governor Rendell signed Senate Bill 712–The Breach of Personal Information Notification Act (the "Act"). The Act, which will become effective on June 20, 2006, applies broadly to all entities, whether a "sole proprietorship, partnership, corporation, association or other group, however organized and whether or not organized to operate at a profit."
The Act provides that an entity that maintains, stores or manages computerized data that includes personal information must provide notice of any "breach of the security of the system" following discovery of the breach to any resident of the Common-wealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The Act defines a "breach of the security of the system" as an "unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information."
Furthermore, if the notification is to be provided to more than 1,000 persons at one time, the entity also must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution and number of such notices. A violation of the Act constitutes a violation of the Unfair Trade Practices and Consumer Protection Act for which the Pennsylvania Attorney General's office will have exclusive jurisdiction. Echoing the FTC's commitment to adequate safeguards for personal data, Governor Rendell noted that Pennsylvania's "new law will ensure that personal information is protected in the event that it is stolen" and that it "will provide a strong line of defense in the event personal information is stolen."
New Jersey: The Identity Theft Protection Act
New Jersey also has joined the battle to protect consumer information and recently enacted a comprehensive new security breach notification law. Effective January 1, 2006, the Identity Theft Protection Act (the "ITPA") became law. It requires that "any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey . . ." It is clear from this language that the ITPA would apply to a business whose headquarters are located in another state (such as Pennsylvania), provided that such business conducts some of its business in New Jersey.
In addition to requiring notice to individuals impacted by the breach, the ITPA requires notice to the New Jersey State Police and, if the notice is sent to more than 1,000 persons, notice "without unreasonable delay" to all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis. ITPA also specifies the manner in which customer records must be destroyed. While ITPA does not mandate that a business destroy its records, once that business decides to do so, such records must be destroyed by "shredding, erasing or otherwise modifying the personal information in those records to make it unreadable, undecipherable or non- reconstructable through generally available means."
A knowing, voluntary or reckless violation of ITPA is a violation of New Jersey's Consumer Fraud Act, which could lead to liability for monetary penalties and injunctive relief. Further, unlike the Pennsylvania law, New Jersey's law provides for a cause of action by private litigants and the award of treble damages.
What Can Businesses Do to Protect Themselves?
At the most fundamental level, if your business currently does not have some kind of written data security plan both for its employee data and its consumer data, it should take immediate steps to prepare such a plan. Simply choosing not to have a plan will not insulate a business from liability.
The FTC will not hesitate to bring a data security action against a business that made no promises regarding protecting consumer information. Simply adopting a data security plan is not enough. Once your business has put into place such a plan, it is imperative to conduct a careful audit of the business' existing information security procedures and policies. For example, if your company represents to its customers that it has implemented reasonable and appropriate measures to maintain and protect the confidentiality and security of their personal information, you must make sure that those measures are both effective and actually implemented.
One of the many allegations made by the FTC in its complaint against ChoicePoint involved ChoicePoint's absolute failure to "include a rigorous credentialing process for subscribers to prevent persons without a lawful purpose from obtaining access to consumers' personal information," despite representations to the contrary in its privacy principles on its Web site. Another critical part of any policy should be a clear plan of action in the event of a breach, especially in connection with providing prompt notice to those affected. By taking steps now to guard against possible future breaches, a company can protect itself and consumers from the ever-growing dangers of identity theft.