A 2007 government analysis noted that in the previous two years over 1,000 data breaches were reported in the United States and that the rate at which breaches were occurring appeared to be increasing. Because these breaches, which involve the theft of personally identifiable information such as name, address, Social Security number, and credit card data, are closely related to payments fraud and identity theft, the Payment Cards Center hosted a workshop on July 23, 2008, to discuss how Congress and various state legislatures have responded.
The workshop was led by Diane Slifer, J.D., M.B.A., who has frequently presented at forums on data security and has represented clients in matters related to data breaches. In his paper "Legislative Responses to Data Breaches and Information Security Failures," Philip Keitel provides an overview, based on Slifer's presentation and his own research, of several laws that have been enacted to address issues related to data breaches and the general protection and handling of sensitive consumer information.
One of the laws, the Gramm-Leach-Bliley Act (GLB Act), was enacted by Congress in 1999. The GLB Act includes three principal provisions intended to protect consumers' personal financial information held by financial institutions. The first provision, the financial privacy rule, calls for financial institutions to establish and communicate policies concerning their use of the personal financial information of consumers and to afford consumers control over how this information is shared with others. Second, the GLB Act includes a safeguards rule that requires financial institutions to have a security plan in place to protect the confidentiality and integrity of personal consumer information. The third and final rule encourages institutions covered by the GLB Act to implement safeguards against "pretexting" — that is, attempting to gain access to the personal information of another by creating a false scenario.
In addition to the GLB Act, Slifer discussed rules on protecting consumer data and preventing identity theft contained in the Fair and Accurate Credit Transactions Act (FACT Act) of 2003. One such rule requires federal banking agencies to make certain that information taken from consumer reports and used for a business purpose is disposed of properly. Another FACT Act rule, known as the receipt truncation provision, requires those who accept credit cards or debit cards for business transactions to print no more than the last five digits of the card number on receipts and not to print the card's expiration date. Under the FACT Act's "red flag" provisions, banking institutions must establish policies and procedures that help prevent identity theft. For example, debit or credit card issuers must assess the validity of a change of address if it is followed shortly by a request for a new card. Finally, the address discrepancy provisions in the FACT Act require entities that request consumer credit reports to develop reasonable policies and procedures to respond to situations where an address reported differs from one already in a consumer's credit report.
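The receipt truncation provision described above can be enforced mechanically at the point of printing and audited afterwards. The following is an added example (not from the paper or the workshop) that masks a card number to its last five digits and flags receipt lines that expose more digits or print an expiration date; the receipt lines and the regular expressions are constructed for illustration and are not a complete implementation of the statute.

```python
import re
from typing import List, Tuple

# Receipt truncation provision as summarized on the page: no more than the
# last five digits of the card number, and no expiration date, on the receipt.
MAX_VISIBLE_DIGITS = 5

# A printed card-number token: 13 to 19 digits or mask characters, optionally
# grouped with spaces or hyphens (constructed pattern, assumption).
PAN_TOKEN = re.compile(r"(?<![\w*])[\d*Xx](?:[\d*Xx]|[ -](?=[\d*Xx])){12,18}(?![\w*])")
# An expiration date label followed by MM/YY or MM/YYYY (constructed pattern, assumption).
EXPIRY = re.compile(r"\b(?:exp(?:ires|iry)?\.?|valid thru)\s*:?\s*\d{2}\s*/\s*\d{2,4}", re.I)


def truncate_pan(pan: str) -> str:
    """Return the card number masked so that only the last five digits survive."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - MAX_VISIBLE_DIGITS) + digits[-MAX_VISIBLE_DIGITS:]


def visible_digits(token: str) -> int:
    """Count digits that are actually readable in a printed card-number token."""
    return sum(ch.isdigit() for ch in token)


def receipt_violations(line: str) -> List[str]:
    """Describe every truncation-rule violation found in one printed receipt line."""
    findings = []
    for match in PAN_TOKEN.finditer(line):
        shown = visible_digits(match.group())
        if shown > MAX_VISIBLE_DIGITS:
            findings.append(f"card number exposes {shown} digits: {match.group()}")
    if EXPIRY.search(line):
        findings.append("expiration date printed")
    return findings


def audit_receipt(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for a whole receipt."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in receipt_violations(line)]


# Constructed sample receipt (not real card data); the last two lines violate the rule.
SAMPLE_RECEIPT = [
    "AMEX ***********34567 AUTH 018233",
    "VISA ************1234 Exp: 12/09",
    "MC 5412 7512 3412 3456",
]

if __name__ == "__main__":
    for lineno, finding in audit_receipt(SAMPLE_RECEIPT):
        print(f"line {lineno}: {finding}")
```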
Today, Social Security numbers (SSNs) are broadly disseminated in many environments where they serve as personal identifiers, something that was not foreseen when the system was created in 1936. As a result, they have become a favorite target for cyber criminals who use others' SSNs to create false identities or to assume another individual's identity for the purpose of committing financial crime. In response, more than 42 states have, since 2005, enacted some form of law that regulates the use of SSNs or mandates a particular method for protecting the information. While there is some variation in these laws, the most common provisions include prohibiting companies from printing SSNs on identification cards or other materials; restricting the intentional communication of the numbers, whether by mail or public posting; and requiring that when used, the numbers be truncated or otherwise modified. As discussed in the paper, state laws related to SSNs have often had a significant effect on traditional business practices. One government report found that the sharing of the numbers among commercial partners and third-party vendors is common and often defined in contract language and in long-established business practices.
Finally, the paper addresses laws pertaining to notification required after a data breach has occurred. As of July 2008, 48 states (all but New Mexico and South Dakota) possessed a law concerning notification after a data breach or had such a bill pending before their legislatures. These laws generally require notification of consumers, state agencies, or other parties when unencrypted personal information held in some manner by an organization is acquired or accessed by an unauthorized person. However, the provisions of these laws vary widely from state to state. For example, some states require notification only when there is an identifiable risk of harm to a consumer, while others require notification when any relevant information is believed to have been accessed by an unauthorized party, irrespective of possible harm to consumers. As this example illustrates, diverse state-by-state requirements present real compliance challenges.
For more than a decade, federal and state legislators have tried to create an improved environment for private consumer data and to help protect consumers whose personal information has been compromised. Despite these efforts, policymakers and industry participants still face many obstacles to preventing and responding to data breaches. In today's technological environment, where wireless devices and remote access are commonplace, fraudsters can be expected to attack data security systems in new and unanticipated ways. One lesson to be drawn is that efforts to protect against the risk of data breaches represent daunting and continuing challenges for both industry participants and policymakers.