By Thomas Traylor, III [0. Thomas Traylor, III is an attorney for the City of Atlanta Department of Law, Hartsfield-Jackson Atlanta Airport.] Data security breaches are a very real and pervasive threat. There are three principal data security breach sources: internal, external, and partners. Internal breaches refer to employees who abuse or exceed their access to personally identifiable information (“PII”). External breaches refer to unauthorized access to PII by third parties, such as network hacking, wireless packet sniffing, and malicious code. Breaches by partners occur when a business partner compromises PII, such as through a stolen notebook computer or lost backup tapes.
A recent study on data breaches determined that internal breaches compromised the highest median number of records per incident - followed by partner breaches and external breaches.[1. See Verizon Business, 2008 Data Breach Investigations Report (2008). The median number of records compromised for each data breach category was as follows: internal 375,000, partner 187,500, and external 30,000. See id. at 11.] In addition to understanding the relative damage per incident, it is important to examine the frequency of occurrence for each data breach category. The study determined that external breaches are significantly more likely to occur than either internal or partner breaches.[2. See id. at 11.] By calculating a risk index value from the data, the study determined that the greatest data breach risk is through partner breaches.[3. The risk index value was determined by multiplying the relative damage per incident (the median number of records compromised) by the likelihood of the breach occurring. See id. at 11.]
The study further noted that 55% of all external data system attacks required no or low level hacking skills. Only 17% were sophisticated attacks, with the balance of attacks falling in the middle.[4. See id. at 17-18.] This represents a shift from “fame” attacks, where the hacker was more interested in notoriety than in financial gain, to higher volume and lower sophistication financial attacks. This shift may represent the growing involvement of criminal hacking syndicates in emerging market countries.[5. See Marianne Kolbasuk McGee, DOJ Charges 11 in Retail Hacking, ID Theft Scheme (last modified Aug. 5, 2008) <http://www.informationweek.com/story/showArticle.jhtml?articleID=209903401>.]
In an effort to protect individuals from the growing threat of identity theft caused by data breaches, the Georgia General Assembly passed the Georgia Personal Identity Protection Act in 2005 (“GPIPA”).[6. 2005 Georgia Laws Act 163.] Initially, GPIPA’s applicability was limited to credit reporting entities; however, in 2007 the Georgia General Assembly expanded GPIPA’s coverage. [7. 2007 Georgia Laws Act 241.]
COVERED GPIPA ENTITIES
GPIPA covers three types of entities: information brokers, data collectors, and persons or businesses that maintain computerized data on behalf of an information broker or data collector. [8. O.C.GA. §10-1-911(2),(3); O.C.G.A. §10-1-912(b).]
Information brokers are people or entities that collect and process PII as a paid service for non-affiliated third parties.[9. O.C.G.A. §10-1-911(3).] However, this classification does not include any governmental agency that maintains records primarily for traffic, safety, law enforcement, or licensing purposes.[10. Id.] In contrast, data collectors include any state or local government entity that maintains PII.[11. O.C.G.A. §10-1-911(2).] However, PII that is maintained primarily for traffic, safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information is not covered by GPIPA.[12. Id.]
WHEN DOES GPIPA APPLY?
The key to understanding GPIPA is a close examination of the covered data combinations (a “GPIPA Event”). A GPIPA Event is the combination of a person’s first name (or initial) and last name, plus one or more of the following: (i) social security number; (ii) driver’s license number; (iii) state identification card number; (iv) account number; (v) credit card number; (vi) debit card number; (vii) account passwords; (viii) PINs; or (ix) other access codes. Items (iv), (v), and (vi) only apply if the account number could be used without additional access codes. [13. O.C.G.A. §10-1-911(6).]
If a GPIPA Event occurs and results (or is reasonably believed to result) in the unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of the personal information of such individual, then GPIPA applies.[14. O.C.G.A. §10-1-912(a).] However, GPIPA can apply, absent a GPIPA Event, if the compromised information is sufficient to perform or to attempt to perform identity theft.[15. O.C.G.A. §10-1-911(6)(E).]
EXCLUSIONS TO GPIPA
There are several important exclusions to otherwise viable GPIPA Events: (i) publicly available information; (ii) encrypted data (with no required minimum level of encryption); and (iii) redacted information (such as a partially redacted credit card number). [16. O.C.G.A. §10-1-911(6).]
NOTIFICATION OF A GPIPA EVENT
After discovery of a GPIPA Event, notification must be given to all Georgia residents who may be affected.[17. Id.] GPIPA does not require actual knowledge that PII was compromised; rather, a reasonable belief that an unauthorized person acquired PII is sufficient to require notification.[18. O.C.G.A. §10-1-912(a).] Although the notification duty only covers Georgia residents, notifying all affected individuals is good practice.[19. Id.]
Under GPIPA, notice of a data breach must be given in the most expedient time possible and without unreasonable delay. However, the notice may be delayed while law enforcement investigates the data breach, while the scope of the breach is determined, or while the system’s integrity, security, and confidentiality is restored.[20. Id.]
There are three primary notice methods and four substitute notice methods under GPIPA.[21. O.C.G.A. §10-1-911.] The primary notice methods are written notice, telephone notice, and electronic notice.[22. O.C.G.A. §10-1-911(4)(A)-(C).] However, electronic notice only may be given if the consumer consented in advance to receive electronic notices in lieu of paper notices.[23. O.C.G.A. §10-1-911(4)(C).] The procedures required for consumer consent to electronic notices is outlined in 15 U.S.C.A. § 7001.[24. Id.] In the alternative, substitute notice may be given if an organization can demonstrate that: (i) the cost of giving notice through one of the primary methods exceeds $50,000; (ii) there are more than 100,000 individuals affected; or (iii) the organization does not have sufficient contact information to provide primary notice.[25. O.C.G.A. §10-1-911(4)(D).] E-mail, conspicuous notice on the entity’s webpage, notification of state-wide media, or notification prescribed by existing security policies (as long as these are consistent with GPIPA’s notice timing requirements) are acceptable substitute notice methods.[26. O.C.G.A. §10-1-911(4)(D).]
For third parties that maintain data on behalf of an information broker or data collector, notice of the breach must be given to the information broker or data collector within 24 hours.[27. O.C.G.A. §10-1-912(b).] Presumably, after the information broker or data collector receives notice from the third party, the information broker or data collector would be subject to the same notice schedule as if the data breach originated on its system.
Additionally, if more than 10,000 Georgia residents are affected by a particular breach, notice must be given to all consumer reporting agencies without unreasonable delay. [28. O.C.G.A. §10-1-912(d).] The notice to the credit reporting agencies must include details of the timing, distribution, and content of the notifications to the affected individuals.[29. Id.]
All entities covered by GPIPA should create a data breach notification plan, so that it can be readily initiated if a data breach occurs. Some suggested elements of the notification plan are: (i) the internal notification procedure for the organization that lists the members of the response team and their emergency contact information; (ii) a form press release that quickly can be adapted to the facts of any situation; (iii) an on-call agreement with a direct mailing company to handle the volume of letters that may need to be printed, folded, and mailed; (iv) a plan for providing credit monitoring for affected individuals (although credit monitoring is not required under GPIPA, providing this accommodation may help preserve consumer goodwill); and (v) a notice to the insurance carrier, if there is an insurance policy available for a data breach event.
Although GPIPA does not create an independent civil cause of action, violations likely could be pursued under a variety of other theories, such as negligence per se. GPIPA does not contain any statutory remedies, in contrast to other states’ data protection laws. For example, California’s statutory remedies for data loss include a civil cause of action, statutory damages of $3,000 per violation for a willful, intentional, or reckless violation (otherwise $500 per violation), injunctive relief, attorneys’ fees and costs, and a cumulative remedy provision.[30. Cal. Civ. Code §1798.84.]
Although the breadth of GPIPA’s applicability to data breaches is broad, there are several strategies to minimize its applicability: (i) prevent data breaches by using updated security systems (many system breaches occur as a result of the exploitation of known security vulnerabilities that users fail to patch); (ii) design systems to minimize the storage of PII; (iii) use non-PII unique identifying numbers (rather than a social security number); (iv) verify that all stored PII is kept because of a compelling business reason;[31. Data systems should be designed in a way that minimizes the unnecessary storage of PII - keeping only data required to accomplish a business objective.] (v) to the extent that PII must be stored, unnecessary portions should be redacted (i.e. - instead of storing an entire credit card number, only store the last four digits); (vi) use storage substitutes such as hashes in place of PII; [32. A hash value is a mathematical computation of the data that masks the data’s real value. The hash value can verify user inputs against the hash value to verify authenticity, without actually storing the value the hash represents. For example, system passwords can be stored as a hash value, instead of storing the actual password. When a user attempts to log onto the system, the inputted password is compared to the hash value for authentication. However, if a hacker were to compromise the database of hashed passwords, the actual password cannot be “reverse-engineered” from the hash value – hash translation is a one-way process.] (vii) verify that stored PII is encrypted using a strong algorithm;[33. The use of encryption can help secure data and prevent GPIPA liability. Compromised data that otherwise would be covered by GPIPA is not considered a GPIPA Event if the data is encrypted. There are many types of encryption technology commercially available, with varying degrees of security confidence. Although GPIPA does not mandate a specific grade of encryption, higher grades of encryption offer the best protection. ] and (viii) design databases that compartmentalize the storage of PII on different network segments to make a GPIPA Event less likely.[34. To the extent that PII needs to be stored, its storage should be compartmentalized to make the creation of a GPIPA combination more difficult.]
RECOVERY FROM A HACKER
Depending on the specific facts associated with the data breach, your organization may be able to recover damages from the hacker. Two possible methods for civil recovery are the Computer Fraud and Abuse Act (17 U.S.C.A. §1030) and the Georgia Computer Systems Protection Act (O.C.G.A. §16-9-90 et. seq.). However, there are a number of factors that may prevent a meaningful recovery, such as difficulty tracking the hacker, enforcing a United States judgment abroad, and a high likelihood of relative insolvency. Unfortunately, unless you can track the hacker to the basement of his parents’ multi-million dollar home, there may be little assets to recover.
In addition to GPIPA, the Federal Trade Commission’s involvement in data security breaches is increasing. According to the FTC, it has filed twenty complaints alleging “security deficiencies in protecting sensitive consumer information.” In two recent complaints, In the Matter of the TJX Companies, Inc., 2008 WL 3150421 (2008) and In the Matter of Reed Elsevier Inc. and Seisint, Inc., 2008 WL 3150420 (2008), the FTC alleged that failing to employ reasonable and appropriate security measures to protect personal information is an unfair trade practice. In both cases, the parties agreed to consent orders that included the implementation of a comprehensive data security program and regular third-party data security assessments for twenty years.
Legislative action in the area of data protection likely will increase, so it is important to view GPIPA as an evolving statute. Future revisions to GPIPA may include a tightening of the encryption safe harbor, expanded remedies, and broader applicability to companies doing business in Georgia.