
Saturday, March 11, 2006

Ind. Law - Identity theft bill sent to Governor - some thoughts

The General Assembly has now passed and sent to the Governor HEA 1101. This bill is aimed at identity theft. Among other things, according to a legislative press release:

The bill would require disclosure of security breaches and encryption of data by companies holding customers’ and clients’ personal identification information in computer databases if it could cause identity theft, identity deception, or fraud. This would help protect consumers by making them aware when their personal information may have been stolen. People would then be able to take the necessary steps to protect themselves from any further damage.
We all recall numerous stories a few months ago of security breaches involving consumer data held by large companies and institutions. Just yesterday the ILB came across a timely article by Anita Ramasastry, Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology, titled "Data Insecurity: What Remedy Should Consumers Have When Companies Do Not Keep Their Data Safe?" Access it here. The article begins:
On December 31, 2005, an employee of Providence Healthcare Systems stored backup computer tapes overnight in his van, which was parked at home in his driveway. The tapes were stolen - and so were data for 365,000 patients in Oregon and Washington.

The data included patients' Social Security numbers, birth dates, addresses, and medical information. Yet the affected patients were not notified of the security breach until January 25, 2006 -- almost a month later. * * *

Unsurprisingly, this February, a class action lawsuit ensued. I will argue that the suit asks for reasonable remedies - but also that legislatures may need to step in to create clearer statutory duties and remedies for security breaches to ensure suits like this will succeed. * * *

The class action complaint seeks injunctive relief - that is, a court order forcing Providence to act. In particular, it asks that the court order Providence "to pay for enhanced credit report monitoring for all class members, pay for the fraud alerts, pay for reporting to the Social Security Administration, and pay for any credit repair process that is required if people are damaged." As amended, it also now seeks monetary damages.

It is eminently reasonable for the patients whose data was stolen to request these remedies. Those patients who are not yet identity theft victims will need to constantly check or monitor their credit history - and monitoring is not free: It takes time and, after the first credit report, it takes money.

For patients who are already identity-theft victims, even more time and money will have to be expended. In addition, identity theft can result in their temporary loss of access to credit until the issue is cleared up.

Professor Ramasastry concludes her article with a section headed "What Security Breach Statutes Should Look Like":
Because of these potential gaps in the common law, states (and/or the federal government) should pass statutes to protect consumers in the event of a security breach. These statutes should have three key features:

First, they should require companies to immediately notify consumers when breaches occur, so they can protect themselves and their credit. Oregon law didn't require this, and this may be one reason that Providence waited.

Second, they should require credit issuers to offer free security "freezes," by which consumers may prohibit lenders or retailers from granting credit to anyone claiming to be them, as long as their file is "frozen."

Third, they should require companies whose negligence results in a breach to offer consumers credit-monitoring services and if necessary, credit-repair services.

Without such statutes, consumers run the risk that even if they sue, they will not receive the reasonable redress they deserve for the time and money they lose due to negligence - in this case, negligence in securing the safety of one of the most personal, private kinds of information there is: medical information. [emphasis added]

HEA 1101 adds a new Article to the Indiana Code, IC 24-4.9, Disclosure of Security Breach. You can find this new Article at pages 6-10 of the Enrolled Act.

HB 1101 does not require that Indiana residents be notified immediately if a security breach occurs. Notification would be covered by the new IC 24-4.9-3, Disclosure and Notification Requirements, beginning on p. 7 of the Enrolled Act. Rather, the language contains qualifiers such as "without unreasonable delay" and "as soon as possible after." There is not even a "but in no event later than ...".

How are people to be notified? That is pretty much left up to the database owner (see top of p. 9) and may be via mail, phone, fax, or e-mail. Of course, telephone leaves no record, and e-mail is likely to be mistaken for spam or phishing by a wary recipient.

The section goes on to provide that if this has been a really big disclosure of private information -- such as one of over 500,000 Indiana residents -- the requirements for notification are eased and may be met by posting on the company's web site or via a press release.

The Enrolled Act goes on to exempt from its disclosure requirements entities already covered by laws such as the Fair Credit Reporting Act, HIPAA, etc., if they contain similar requirements.

Chapter 4 (see p. 10 of the Enrolled Act) deals with enforcement. A person who fails to comply with the requirements of the act "commits a deceptive act that is actionable only by the attorney general under this chapter." This language may preclude private suits.

Under the proposed IC 24-4.9-4-1(b), "A failure to make a required disclosure or notification in connection with a related series of breaches of the security of a system constitutes one deceptive act." In other words, a security breach resulting in the disclosure of information on a million consumers is OK under this bill as long as there is notification. Failure to notify would constitute one deceptive act, for which the attorney general could seek a civil penalty of up to $150,000. This penalty would apparently go to the state general fund, not to those affected by the security breach.

Further, the new law specifically preempts local units of government from passing ordinances "dealing with the same subject matter as this article."

Finally, and most importantly, HEA 1101's new IC 24-4.9 offers no remedies to those consumers whose security has been breached, other than requiring that they be notified of the breach. What of the remedies that would pause or help repair the damage the breach has caused -- the remedies of security freezes, credit monitoring and credit repair set forth in Professor Ramasastry's article?

Short of that, the biggest question here is: Is the new IC 24-4.9 now to be the exclusive remedy available to Indiana residents for these security breaches resulting in disclosure of their information? Or can consumers whose records have been released bring suit for negligence and ask for damages, costs, security freezes, and credit monitoring or credit repair? Will the companies whose negligence resulted in the disclosure be able to claim compliance with the minimal notification requirements of the new law as a defense?

Posted by Marcia Oddi on March 11, 2006 04:58 PM
Posted to Indiana Law