Intro To Data Identity Theft Liability For Businesses

Managing Risk: What Business Owners Must Know about Their

Data Breach Liability

Paula S. deWitte, J.D., Ph.D., P.E.

Paula deWitte, P.L.L.C.

Objective

• Help business owners understand their liability to protect sensitive personal information (SPI) under the Texas Identity Theft Enforcement and Protection Act.

• Provide practical steps to safeguard your operations.

What you don’t know can hurt you.

Identity Theft Is Growing

• U.S. Dept. of Veterans Affairs = 1,800,000 (11/07)

• Countrywide Home Loan == 2,000,000 (08/08)

• CO Div. of Motor Vehicles = 3,400,000 (7/08)

• Overall U.S. identities lost since Jan 2005 => 250,000,000

• Estimated $1 Trillion worth of data stolen (2008)

• Cybercrime up 53%

• Cost to repair average 2008 data = $6,600,000

Statistics credited to USAF Lt Gen (ret) Harry Raduege, Chairman, Center for Network Innovation, Deloitte, July 2009, World Affairs Council, Houston, TX.

Who Are You?

• A business owner

• Who owns/licenses or maintains “sensitive personal information” (SPI).

You may have security, both for the premises and for your computer/network.

You may be liable to Texas and to the victim for security/data breaches – even if they do not result in identity theft.

What is Sensitive Personal Information (SPI)?

• First initial and last name OR First name and last name

• Combined with any of:

– Social security number OR

– Drivers license number OR

– Account or credit card number in combination with any required security code, access code, or password that would permit access to that account.

What Can Trigger Your Duties

• Lost or stolen computer or laptop

• Improperly trashed or donated computers or computer parts without proper preparation

• Lost mobile devices, USBs, or CDs

• Weak, limited, or no data encryption

• Weak passwords

• E-mailing sensitive data to personal accounts

• Security or data breaches by someone who intentionally targets your organization

Texas Identity Theft Enforcement and Protection Act

• http://www.statutes.legis.state.tx.us/Docs/BC/pdf/BC.521.pdf

• Runs almost eight pages

Manage Your Risk

• Know the terms:

– Sensitive Personal Information

– Encryption

– Business duty

– Reasonable procedures

• Know what is required to comply with the law.

• You may be liable under the laws of another state!

– Currently, Massachusetts has the strictest law.

Business Duty 1: Use “reasonable procedures”…

• “..including appropriate corrective action to protect unlawful use or disclosure of any SPI collected or maintained by the business in the regular course of business.”

• Cannot be delegated.

• Liable for the actions of their employees, regardless.

What Is Reasonable?

• Reasonable to what standard?

– The business owner?

– The SPI owner (i.e., the potential victim)

– IT personnel?

– Information assurance (IA) experts?

– Prevailing public perception?

• Is there a standard?

Reasonable Procedures

• Must be in writing.

• Protect against anticipated threats or hazards.

• Consider administrative, technical, and physical.

• Consider all aspects of the SPI -- collection, storage, access, use, transmission, and protection.

• Institutionalize procedures.

• Audit.

Continuous Process

• Have a written information security program (WISP).

• Have a third party test your systems.

• Document the problems.

• Fix the problems.

• Conduct periodic reviews.

Business Duty 2: Destroy or Arrange for the Destruction…

• “…of customer records by shredding, erasing, or “otherwise modifying the sensitive PI in the records to make the information unreadable or indecipherable through any means”

How to Properly Destroy

• What works?

• What doesn’t work?

Business Duty 3: Notify Potential Victims

• “… after discovering or receiving notification of that breach … as quickly as possible”

Notification

• How do you discover a breach?

• What constitutes “receiving notification of that breach”?

• What does “quickly as possible” mean?

• How do I notify potential victims?

What Does the Attorney General Tell an Identity Theft Victim To Do

• http://www.texasfightsidtheft.gov/

• Create a written criminal report to protect themselves from being denied credit.

• File report with the Federal Trade Commission.

• Collect as much evidence as possible. This evidence can be used against you!

Your Liability

• Statutory fines to Texas

• To the SPI Owner:– Lost income – Expenses of fixing credit– Attorney fees– Possible treble damages under DPTA

• Your consequences: – Loss of revenue and reputation

What SPI Do You Routinely Maintain?

• Employee Records– Every employee record has the employee’s name and

social security number

• Customer Information– Credit card numbers

• Discovery Documents • Statutory exceptions:

– Statue excludes publicly available information available from federal, state, or local governments

– Excludes encrypted data • No statutory definition for “encryption”

Do Not Rely on the Encryption Exception

• Encryption is not a yes/no category.

– Encryption is a continuum from weak to strong.

• True encryption requires encryption throughout system; one piece of your system that is not encrypted renders the entire system vulnerable.

Your Biggest Hidden Security Threats

• Social engineering: Unintentional and by those you trust

OR

• Insider threat: Intentional and by those internal to your enterprise

What Do You Do?

• Understand your risk.

• Understand what the law requires.

• Use industry best practices to protect SPI.

• Institute a continuous security process.

• Designate an in-house data security coordinator.

• Conduct periodic audits to review your systems.

• Have a written plan/process.

• Store only SPI that your business needs.

• Buy insurance.

Conclusions

• It is too big of a risk to businesses to ignore their potential liability

• The law is evolving while the problem with identity theft grows.

Contact

• Paula deWitte, P.L.L.C.

• [email protected]

• Office: 713.706.6248

• Cell: 512.633.3791