Managing Risk: What Business Owners Must Know about Their Data Breach Liability
Paula S. deWitte, J.D., Ph.D., P.E.
Paula deWitte, P.L.L.C.
Jul 03, 2015
Objective
• Help business owners understand their liability to protect sensitive personal information (SPI) under the Texas Identity Theft Enforcement and Protection Act.
• Provide practical steps to safeguard your operations.
What you don’t know can hurt you.
Identity Theft Is Growing
• U.S. Dept. of Veterans Affairs = 1,800,000 (11/07)
• Countrywide Home Loan = 2,000,000 (08/08)
• CO Div. of Motor Vehicles = 3,400,000 (7/08)
• Overall U.S. identities lost since Jan 2005 => 250,000,000
• Estimated $1 Trillion worth of data stolen (2008)
• Cybercrime up 53%
• Cost to repair an average 2008 data breach = $6,600,000
Statistics credited to USAF Lt Gen (ret) Harry Raduege, Chairman, Center for Network Innovation, Deloitte, July 2009, World Affairs Council, Houston, TX.
Who Are You?
• A business owner
• Who owns, licenses, or maintains “sensitive personal information” (SPI).
You may have security, both for the premises and for your computer/network.
You may be liable to Texas and to the victim for security/data breaches – even if they do not result in identity theft.
What is Sensitive Personal Information (SPI)?
• First initial and last name OR first name and last name
• Combined with any of:
– Social security number OR
– Driver’s license number OR
– Account or credit card number in combination with any required security code, access code, or password that would permit access to that account.
What Can Trigger Your Duties
• Lost or stolen computer or laptop
• Improperly trashed or donated computers or computer parts without proper preparation
• Lost mobile devices, USB drives, or CDs
• Weak, limited, or no data encryption
• Weak passwords
• E-mailing sensitive data to personal accounts
• Security or data breaches by someone who intentionally targets your organization
Texas Identity Theft Enforcement and Protection Act
• http://www.statutes.legis.state.tx.us/Docs/BC/pdf/BC.521.pdf
• Runs almost eight pages
Manage Your Risk
• Know the terms:
– Sensitive Personal Information
– Encryption
– Business duty
– Reasonable procedures
• Know what is required to comply with the law.
• You may be liable under the laws of another state!
– Currently, Massachusetts has the strictest law.
Business Duty 1: Use “reasonable procedures”…
• “…including appropriate corrective action to protect from unlawful use or disclosure of any SPI collected or maintained by the business in the regular course of business.”
• Cannot be delegated.
• The business is liable for the actions of its employees, regardless.
What Is Reasonable?
• Reasonable to what standard?
– The business owner?
– The SPI owner (i.e., the potential victim)
– IT personnel?
– Information assurance (IA) experts?
– Prevailing public perception?
• Is there a standard?
Reasonable Procedures
• Must be in writing.
• Protect against anticipated threats or hazards.
• Consider administrative, technical, and physical.
• Consider all aspects of the SPI – collection, storage, access, use, transmission, and protection.
• Institutionalize procedures.
• Audit.
Continuous Process
• Have a written information security program (WISP).
• Have a third party test your systems.
• Document the problems.
• Fix the problems.
• Conduct periodic reviews.
Business Duty 2: Destroy or Arrange for the Destruction…
• “…of customer records by shredding, erasing, or otherwise modifying the sensitive PI in the records to make the information unreadable or indecipherable through any means.”
How to Properly Destroy
• What works?
• What doesn’t work?
Business Duty 3: Notify Potential Victims
• “… after discovering or receiving notification of that breach … as quickly as possible”
Notification
• How do you discover a breach?
• What constitutes “receiving notification of that breach”?
• What does “quickly as possible” mean?
• How do I notify potential victims?
What Does the Attorney General Tell an Identity Theft Victim To Do?
• http://www.texasfightsidtheft.gov/
• Create a written criminal report to protect themselves from being denied credit.
• File report with the Federal Trade Commission.
• Collect as much evidence as possible. This evidence can be used against you!
Your Liability
• Statutory fines to Texas
• To the SPI owner:
– Lost income
– Expenses of fixing credit
– Attorney fees
– Possible treble damages under the DTPA
• Your consequences:
– Loss of revenue and reputation
What SPI Do You Routinely Maintain?
• Employee records
– Every employee record has the employee’s name and social security number
• Customer information
– Credit card numbers
• Discovery documents
• Statutory exceptions:
– Statute excludes publicly available information available from federal, state, or local governments
– Excludes encrypted data
• No statutory definition for “encryption”
Do Not Rely on the Encryption Exception
• Encryption is not a yes/no category.
– Encryption is a continuum from weak to strong.
• True encryption requires encryption throughout the system; one piece of your system that is not encrypted renders the entire system vulnerable.
Your Biggest Hidden Security Threats
• Social engineering: Unintentional and by those you trust
OR
• Insider threat: Intentional and by those internal to your enterprise
What Do You Do?
• Understand your risk.
• Understand what the law requires.
• Use industry best practices to protect SPI.
• Institute a continuous security process.
• Designate an in-house data security coordinator.
• Conduct periodic audits to review your systems.
• Have a written plan/process.
• Store only SPI that your business needs.
• Buy insurance.
Conclusions
• It is too big a risk for businesses to ignore their potential liability.
• The law is evolving while the problem with identity theft grows.
Contact
• Paula deWitte, P.L.L.C.
• Office: 713.706.6248
• Cell: 512.633.3791