1
Privacy Regulation and ID Theft
  • Presenter's Name: Tim R. Sills
  • Presenter's Title: Lead Consultant
  • Date of Presentation: March 11, 2004

2
Presentation Overview
  • Topics
  • ID theft the numbers
  • Sample of US privacy laws
  • Example incidents
  • Key Message
  • Government is taking a more active role
  • Privacy breaches will continue to rise
    substantially
  • A strategic approach is required to navigate
    legislation and avoid being front page news

3
ID Theft The Numbers
  • Online Fraud Losses Hit $437M for 2003
  • The FTC's year-end Consumer Fraud and ID Theft
    Report indicated it received more than half a
    million consumer complaints during 2003, a 40
    percent jump over complaints in 2002. More than
    40 percent of all complaints related to identity
    theft through "phishing" and other Web-related
    scams.
  • The most common identity theft complaints related
    to credit card fraud, bank fraud,
    employment-related fraud, government document or
    benefit fraud and loan fraud.
  • The worst part is that the FTC concedes the
    majority of incidents are not reported, so the
    above numbers are most likely much higher.

4
ID Theft The Numbers
  • Identity Theft More Common
  • A Gartner study found that more than 11 million
    consumers were the victims last year of credit
    card fraud, where a criminal uses a victim's
    credit card.
  • Harris Interactive found that the seven million
    victims in 2002 represented an 81% increase over
    2001. And early reports suggest that the
    increase is continuing in 2003.
  • With such a variance, does anyone really know the
    number of consumers impacted and by how much?

5
California Database Security Breach Act
  • Overview
  • The CDSBA requires any person or business
    conducting business in California to notify
    affected customers of any breach of security
    resulting in the disclosure to an unauthorized
    person of personal information in electronic form.

6
California Database Security Breach Act
  • What is protected?
  • Personal Information is defined as an
    individual's first name or first initial,
    combined with the last name, plus any one of the
    following identifiers:
  • (1) Social Security number, (2) driver's license
    number or California Identification Card number,
    or (3) account number, credit or debit card
    number, in combination with any required security
    code, access code or password that would permit
    access to the account.
  • Security
  • If either the individual's name or the accompanying
    identifiers are encrypted, then the data does not
    constitute personal information.

7
CDSBA Breach Example
Friday, February 13, 2004
  • Hackers break into California state server
  • Hackers broke into a state agency's server
    containing the sensitive personal information of
    tens of thousands of people who work as nannies,
    butlers, and gardeners, and those who employ
    them.
  • The server houses information on about 90,000
    people. The hackers gained access to employees'
    names, Social Security numbers and wage records,
    and some employers' Social Security numbers.
  • As a precaution, letters dated Feb. 11 warned
    household employers and employees of the breach
    and referred them to the state Office of Privacy
    Protection for help.

8
Health Insurance Portability and Accountability
Act (HIPAA)
  • Overview
  • Drive development of electronic data interchange
    with the goal of protecting the security and
    confidentiality of electronic health information.
  • Covered Entities
  • Health Plans: HMOs, health insurers, group health
    plans including employee welfare benefit plans
  • Health Care Clearinghouses: Persons and
    organizations that translate health information
    to or from the standard format that will be
    required for electronic transactions under HIPAA

9
Health Insurance Portability and Accountability
Act (HIPAA)
  • What is protected?
  • In order to be considered protected health
    information (PHI), it must:
  • Relate to a person's physical or mental health,
    the provision of health care, or the payment for
    health care
  • Identify, or could be used to identify, the
    person who is subject of the information
  • Be created or received by a covered entity
  • Penalties
  • Civil penalty for inadvertent violation: fines
    of $100 per incident, up to $25,000 per annum for
    each similar offense.
  • Selling patient information for personal profit
    is not the same as accidentally allowing the
    information to be released. Criminal penalties
    could be as much as $250,000 and/or 10 years in jail.

10
Health Insurance Portability and Accountability
Act (HIPAA)
  • Security
  • Covered entities must make reasonable efforts to
    limit protected health information to the minimum
    amount necessary to accomplish the intended
    purpose of the use.
  • Adopt written privacy procedures. These must
    include who has access to protected information,
    how it will be used within the entity, and when
    the information would or would not be disclosed
    to others.
  • Train employees and designate a privacy officer.
    Employees must understand the new privacy
    protection procedures, and an individual must be
    designated to be responsible for ensuring the
    procedures are followed.
  • Establish grievance processes. Must provide a
    means for patients to make inquiries or
    complaints regarding the privacy of their
    records.

11
Gramm-Leach-Bliley (GLBA)
  • Overview
  • Establishes functional regulation of financial
    institutions
  • Banks: FDIC, FRB, OCC, OTS
  • Securities and investments: SEC
  • Insurers: State Departments of Insurance/Insurance
    Commissioners
  • All other financial institutions: FTC

12
Gramm-Leach-Bliley (GLBA)
  • What is protected?
  • Any information maintained by or for a financial
    institution, which is derived from the
    relationship between the financial institution
    and a customer of the financial institution and
    is identified with the customer.
  • Penalties
  • The financial institution shall be subject to a
    civil penalty of not more than $100,000 for each
    violation, and
  • The officers and directors of the financial
    institution shall be subject to, and personally
    liable for, a civil penalty of not more than
    $10,000 for each violation
  • Also, fines in accordance with Title 18 of the US
    Code, imprisonment for not more than five years,
    or both

13
Gramm-Leach-Bliley (GLBA)
  • Security
  • Financial institutions must adopt policies and
    procedures that address administrative,
    technical, and physical safeguards. These
    policies and procedures must be reasonably
    designed to:
  • Insure the security and confidentiality of
    customer records and information
  • Protect against any anticipated threats or
    hazards to the security or integrity of customer
    records and information and
  • Protect against unauthorized access to or use of
    customer records or information that could result
    in substantial harm or inconvenience to any
    customer.

14
Children's Online Privacy Protection Act
  • Overview
  • COPPA provides the first federal protection of
    Web sites that are targeted to children under age
    13 or whose operators knowingly collect personal
    information from children under age 13.
  • Applies to commercial Web sites, federal Web
    sites and some non-profit Web sites

15
Children's Online Privacy Protection Act
  • What is protected?
  • Provide parents notice of their information
    practices
  • Obtain verifiable parental consent for the
    collection, use and/or disclosure of personal
    information from children
  • Provide a parent with the opportunity to prevent
    the further use of personal information that has
    already been collected, or the future collection
    of personal information from that child.
  • Provide a parent, upon request, with the means to
    review the personal information collected from
    his/her child
  • Establish and maintain reasonable procedures to
    protect the confidentiality, security and
    integrity of the personal information collected,
    and
  • Limit collection of personal information for a
    child's online participation in a game, prize
    offer, or other activity to information that is
    reasonably necessary for the activity.

16
Children's Online Privacy Protection Act
  • Security
  • Requires reasonable steps to be taken to ensure
    and protect the confidentiality, security, and
    integrity of personal information from children
    under 13.
  • Example incidents from FTC press release, 2/27/03
  • Mrs. Fields will pay civil penalties of $100,000
    and Hershey will pay civil penalties of $85,000.
  • mrsfields.com, pretzeltime.com, and
    pretzelmaker.com offered birthday clubs for
    children 12 or under and provided birthday
    greetings and coupons for free cookies or
    pretzels. The company allegedly collected
    personal information - including full name, home
    address, e-mail address and birth date - from
    more than 84,000 children, without first
    obtaining parental consent.

17
Breaches Come in All Shapes and Sizes
  • Victoria's Secret Reveals Too Much
  • NEW YORK (AP) - Lingerie retailer Victoria's
    Secret agreed to pay a $50,000 fine as part of a
    settlement announced over a breach of privacy on
    the company's website.
  • A glitch in a feature allowing customers to check
    their order status allowed them to randomly call
    up other orders, seeing details such as sizes,
    prices, customer names and addresses.
  • Approximately 560 people were affected.
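The order-status flaw above is an authorization failure: the order was fetched by a client-supplied id with no check that it belonged to the logged-in customer. The following is an added illustration, not code from the presentation or from the retailer; the order records, customer ids and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    name: str
    address: str
    size: str
    price: float


# Constructed sample data (not real orders): two customers, three orders.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, 1, "Alice Example", "1 Main St", "M", 39.99),
    1002: Order(1002, 2, "Bob Example", "2 Oak Ave", "L", 24.50),
    1003: Order(1003, 1, "Alice Example", "1 Main St", "S", 19.00),
}


class AccessDenied(Exception):
    """Raised when the caller may not see the requested order."""


def order_status_insecure(order_id: int) -> Optional[Order]:
    """The flawed pattern: the order is fetched by the client-supplied id
    alone, so a customer who edits the id in the request sees another
    customer's name, address, sizes and prices."""
    return ORDERS.get(order_id)


def order_status_secure(order_id: int, session_customer_id: int) -> Order:
    """Hardened lookup: the order must belong to the customer identified by
    the server-side session, never by a value in the request. A foreign
    order and a missing order give the same error, so valid ids cannot be
    told apart from invalid ones by probing."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise AccessDenied("order not found")
    return order


def can_view(order_id: int, session_customer_id: int) -> bool:
    """True if the hardened lookup would show this order to this customer."""
    try:
        order_status_secure(order_id, session_customer_id)
        return True
    except AccessDenied:
        return False
```

The same ownership check belongs on every endpoint that takes a record id (order history, address book, invoices), and a log of denied lookups per session is a cheap way to notice someone walking the id space.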

18
Civil Liability Trends
  • What constitutes reasonable care and industry
    standard?
  • Already legal cases involving security failure
    and resulting financial harm
  • Future: Duty of care set by statute, FTC,
    industry standards?
  • Class actions on identity theft
  • No flood of litigation, but an increase is
    underway

19
Case Examples
  • Hamilton v. Microsoft Corp., California state
    court, SB 1386 and related claims based on
    unspecified breaches.
  • According to Hamilton, Microsoft's programs
    contain serious security flaws that could allow
    hackers to break into the computer system of an
    individual or corporation via computer viruses or
    worms, obtain confidential or personal
    information and exploit that information to the
    detriment of the system's owners.
  • Stollenwerk v. TriWest Healthcare Alliance,
    federal court case in Arizona, negligence case
    based on theft of hard drive containing personal
    information.
  • Thieves broke into Phoenix-based TriWest
    Healthcare Alliance, a government contractor's
    office, and snatched computer hard drives
    containing Social Security numbers, addresses and
    other records of about 500,000 service members
    and their families.
  • Intel v. Hamidi, California state courts, on
    trespass to chattels theory for alleged spam.
  • Intel Corporation brought suit in California
    state court against former employee Ken Hamidi,
    alleging trespass to chattels and seeking to
    enjoin Hamidi from sending mass-distributed
    emails to Intel employees at their places of work.

20
Summary
  • We've discussed some key privacy legislation and
    its requirements.
  • It's anyone's best guess as to what the real
    financial impact has been to consumers.
  • Breaches and identity theft will increase
    exponentially.
  • Apply a common-sense methodology to limit your
    company's exposure.

21
Thank You