Books

Books by attorney Tom James (Thomas B James)

E-Commerce Law

The Legal Compliance Handbook for Online Business

by Minnesota attorney Thomas B. James (also known as Thomas James or Tom James), Cokato, Minnesota USA. An indispensable guide to the law for online sellers, buyers and advertisers. E-Commerce Law explains what you need to know about the legal aspects of doing business over the Internet.

828 pp., 7.44 x 9.69. Index; tables of statutes and cases; bibliography.

Echion (2020). ISBN-13: 978-1946397065.

Paperback or e-book.

Order from Amazon.com.

Contents

Table of Abbreviations
Preface
Introduction

Part I. Business Law

1. Starting a Business
2. Capital
3. Management
4. Employment
5. Franchises
6. Transfers of Business Interests
7. Unfair Competition
8. Dissolution

Part II. Sales

9. Contracts
10. Electronic Payments
11. Delivery, Cancellation, and Chargebacks
12. Collections
13. Data Security
14. Taxes

Part III. Website Content

15. Advertising
16. Disparagement and Defamation
17. Privacy
18. Children
19. Sexually Explicit Material
20. Computer Crime and Abuse
21. User-Provided Content
22. Other Content Regulations

Part IV. Intellectual Property

23. Copyrights
24. The Public Domain
25. Fair Use
26. The Digital Millennium Copyright Act
27. Protecting Copyrights
28. Trademarks
29. Domain Names
30. Patents
31. Trade Secrets, Information, and Ideas
32. Licenses and Transfers
33. Music and Sound Recordings

Part V. Dispute Resolution

34. Jurisdiction and Conflicts of Laws
35. Alternatives to Litigation

Notes

Bibliography
Table of Statutes and Cases
Index


“One of the best E-Commerce ebooks of all time” – BookAuthority

Excerpt from E-Commerce Law by Tom James, JD (Thomas B James)

Chapter 13. Data Security

Data security is of vital importance to businesses that engage in e-commerce. Without adequate data security protections, third parties may gain unauthorized access to a customer’s personal information, potentially enabling identity theft. Releasing private information can also cause a customer embarrassment. A person may have legitimate reasons for not wanting others to know about the person’s health or financial condition and they may have nothing to do with identity theft. Unauthorized disclosures of customer information can have adverse consequences for a business, too. In addition to bad publicity and loss of customers, there may be liability for negligence, invasion of privacy, and/or breach of contract. Regulatory enforcement actions—and in some cases, criminal proceedings—are also possible.

Data security laws attempt to protect consumers from unauthorized uses of their information, by requiring businesses to implement controls to prevent the information from being disclosed to third parties. For more information about what kinds of information are private, see Chapter 17.

Enforcement of data security laws is usually by regulatory agencies, but in some cases a statute may provide for a private right of action as well. Depending on the circumstances, a data security lapse may also form the basis for a common law negligence cause of action for damages, provided the individual making the claim can prove actual economic loss as a result of the breach. At common law, a business that collects information from a customer has a duty to use reasonable security measures to prevent unauthorized people from accessing it. Merely posting a notice declaring that only authorized users may access data is not enough. Affirmative steps must be taken to prevent access by people who are not inclined to follow instructions. A duty to protect information from disclosure may also arise from contract, including, in some cases, promises set out in a website’s Terms of Use.

The FTC Act

The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has used its power to enforce this provision to impose data security obligations on the owners of e-commerce businesses. An owner of a website that states, in the privacy policy or elsewhere, that the data customers submit will not be shared with others, or gives a similar kind of assurance of privacy or security, must actually maintain an adequate level of security. Otherwise, the company may face a charge of engaging in a deceptive trade practice.

Even if no representation about privacy or security is made, though, collecting personal information from website visitors without protecting it from unauthorized disclosure to others may constitute an unfair trade practice. An act or practice is unfair if each of the following is true:

(a) It causes or is likely to cause substantial injury to consumers.

(b) The injury is not reasonably avoidable by consumers themselves.

(c) The injury is not outweighed by countervailing benefits to consumers or to competition.

The FTC has taken the position that a failure to provide reasonable and appropriate security for consumer information is an unfair trade practice because a data breach is likely to cause substantial injury that is not reasonably avoidable by consumers themselves and an absence of reasonable security measures does not benefit consumers or competition. Given the consequences that can flow from identity theft, it is difficult to argue with the FTC’s position.

What the FTC considers reasonable and appropriate may be ascertained from the settlement agreements into which the agency has entered with companies it has alleged to have inadequate security measures. The terms of these settlements are not binding as precedent, but they provide insights into what kinds of security measures the FTC believes are fair to consumers. From these settlements, it is clear that the FTC believes a reasonable data security program should include each of the following elements:

  • Identification of protected information
  • Assessment of risks and vulnerabilities
  • Safeguards
  • Contracts with third parties
  • Response to detected security breaches
  • Review and adjustment.

In some cases, these obligations are also addressed in laws specific to particular types of information and businesses. The requirements of these laws supplement and augment the security measures that are required to comply with the FTC Act. They do not supplant those requirements.

Identification of Information

Identifying the information a company has in its possession, or that it may come to have in its possession, which must be protected from unauthorized disclosure is an essential part of any security program. This means performing an inventory of all file cabinets, notes, computers, laptops, mobile devices, flash drives, disks, digital copiers, remote servers, and other equipment to determine where the company stores sensitive data. It is also important to identify all connections to the computers and devices where sensitive information is stored—e.g., Internet, computers at branch offices, computers used by third party service providers and contractors, wireless devices, inventory scanners, digital printers, etc. Information should be inventoried by type, location, and the names of the persons who have access to it.

Device identification must be thorough. Any device that stores protected information, even temporarily, should be identified. The hard drive in a digital copier or printer, for example, stores data about the documents it copies, prints, scans, faxes, or emails. Therefore, measures need to be taken to prevent unauthorized access to this drive, either by remote access or by extraction once the drive has been removed. If feasible, a company should purchase a printer/copier with overwriting and encryption features.

Particular attention should be given to identifying the location and the persons who have access to the principal kinds of information to which security obligations apply:

  • Personally identifying information
  • Information collected from children under thirteen years of age
  • Health and health care information
  • Financial information
  • Information about publicly traded companies.

Personally Identifying Information

Since the most substantial injury to consumers that may result from a security breach is identity theft, the FTC seeks to ensure that commercial websites protect the personally identifying information of the consumers who visit them. This includes any information that may be used to identify a particular person—name, address, Social Security number, driver license number, date of birth, geographic location, etc. The FTC takes the position that user names, screen names, contact lists, IP addresses and geographic location are also covered by its regulations. According to the FTC, information that may be used to identify a particular device (e.g., an IP address) is “personally identifying information” even if it does not identify any particular human being.

Behavioral advertising (or “targeted marketing”) is the practice of tracking an individual’s online activities in order to deliver advertising tailored to the person’s interests. It is usually accomplished by using cookies. The FTC has taken the position that data collected for purposes of behavioral advertising comes within the meaning of “personally identifying information.” As such, a website claiming to maintain the confidentiality, privacy or security of information collected from users must store and transmit any information it collects for purposes of behavioral advertising in a secure way.

Information Collected from Children Under Thirteen

Important restrictions apply to the collection of information from children under thirteen years of age. See Chapter 18.

Financial Information

The GLBA, also known as the Financial Services Modernization Act, is a federal law intended, among other things, to ensure the privacy and security of information that financial institutions collect from consumers. The FTC has promulgated two key rules to implement it: a Privacy Rule and a Safeguards Rule.[138] These rules apply both to financial institutions and to businesses that receive information from a financial institution. Information about the Privacy Rule may be found in Chapter 17.

For purposes of the Rules, a financial institution is a business that is significantly engaged in any of the financial activities described in section 4(k) of the BHCA. Section 4(k) of the BHCA defines financial activities to include any activity that the Federal Reserve Board, by regulation, defines as financial and also a number of specifically identified activities, such as lending, investing or safeguarding money or securities for others, insurance, investment advice, credit counseling, tax preparation, accounting, financial planning, and dealing in securities. This is not an exhaustive list.

“Substantial engagement” is a fact determination that is made on a case-by-case basis. Two factors are particularly important: (a) whether there is a formal arrangement, and (b) how often the business engages in the activity. A business that primarily sells nonfinancial products or services is not “substantially engaged” in financial activities merely because it sometimes informally allows its customers to run a tab. On the other hand, a business that formally extends credit to its customers, such as by issuing its own credit card, is substantially engaged in financial activities. Similarly, a business that only occasionally allows a customer to make payments for nonfinancial products or services on a layaway plan is not significantly engaged in a financial activity. If a business were to regularly engage in a financial activity, then it would be substantially engaged in the financial activity.

The Rules also apply to any company that receives protected information from a financial institution, even if the company is not itself a financial institution.

The Rules only apply to consumer information. A consumer is a person who obtains a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes. A consumer’s legal representative is also considered a consumer. Commercial clients—those who purchase products or services for a business purpose—do not come within the protection of the Rules. 

The GLBA requires financial institutions to protect the security and confidentiality of their customers’ nonpublic personal information, i.e., personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer, or otherwise obtained by the financial institution. Penalties for noncompliance may be up to $100,000 per violation. States with comparable regulations may impose significant penalties for the same conduct.

Information About Publicly Traded Companies

The SOX Act requires publicly traded companies and any accounting firms that provide auditing services to them to have adequate security controls in place to ensure that financial and other information required to be reported under securities laws is accessed only by those people and systems with a legitimate need for access. A corporate officer must attest to the validity of reported information, requiring safeguards to prevent data tampering.

Health Information

HIPAA establishes data security and privacy rules for individually identifiable health information that is created or received by a “covered entity.” Health care providers, health plans, and health care clearinghouses are covered entities. The Act protects all health information that identifies an individual or could be used to identify an individual. This includes an individual’s past, present or future physical or mental condition; the provision of health care to the individual; and past, present or future payment for the provision of health care to the individual. The U.S. Department of Health and Human Services (DHHS) has established a HIPAA Privacy Rule[139] to implement HIPAA requirements.

Risk Assessment

To assess the risks to protected information that a company needs to address, it is necessary to trace the flow of information. This involves identifying:

(a) the sources from which the company receives information

(b) the mechanisms and means by which information is received

(c) the kinds of information the company collects at each entry point

(d) where the information that is collected at each entry point is kept

(e) who has or could have access to the information

(f) the mechanisms and means the company uses to transmit information.

A company needs to assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks. Depending on a company’s circumstances, appropriate assessments may range from having a knowledgeable employee run off-the-shelf security software to having an independent professional conduct a full-scale security audit.

Measures to assess foreseeable risk should consider the possibility of unauthorized access from within the company as well as attacks from outside the company. A business should have measures in place to reduce the risk of either intentional or inadvertent misuse or disclosure of customer information by the company’s employees, agents, and persons and businesses with whom the company contracts for goods or services.

For publicly traded companies, the SOX Act requires that both inadvertent and malicious attempts to alter data must be blocked. Accordingly, a publicly traded company needs to consider not only the risk of being hacked but also the risk that an officer, director, employee, agent, or third-party contractor might accidentally erase or alter data. Periodic security audits are necessary.

The GLBA requires financial institutions and companies that receive information from them to have a written plan for protecting customer information from foreseeable threats to security and data integrity. The plan must designate one or more employees to coordinate its information security program and identify and assess the risks to customer information in each relevant area of the company’s operations. The plan also must consider and address any unique risks associated with a company’s particular business operations—such as the risks that are involved when employees access customer data from their homes or other off-site locations, or when customer data is transmitted electronically outside the company network.

Financial institutions and companies that receive information from them need to assess and address data security risks in relation to customer information in all areas of their operations, including but not necessarily limited to:

  • Employee management and training
  • Information systems
  • Detecting and managing system failures.

Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) requires financial institutions to periodically assess the risks associated with their Internet-based products and services.

Safeguards

All e-commerce businesses that collect personally identifying information from consumers must have reasonable safeguards in place to prevent unauthorized disclosure of the information to third parties. What is reasonable varies depending on the kind of information, the kind of business, the size of the business, and the kind of activity in which the business is engaged. When a security safeguard is readily available at low cost and is in common use, the FTC is likely to take the position that it is required for every business that collects information from consumers.

Data Security Program

The FTC has taken the position that a failure to create a comprehensive information security program to protect consumers’ personal information is an unfair trade practice. Failure to implement reasonable policies and procedures to protect the security of consumers’ personal or financial information that a company collects and maintains is also an unfair or deceptive trade practice. Moreover, a comprehensive written program is often a required remediating element in settlement agreements between the FTC and companies charged with engaging in unfair data security practices, as is the designation of an employee or other individual to coordinate and be accountable for the program.

With respect to financial information, the FTC has adopted a Safeguards Rule to implement GLBA requirements for the protection of financial information collected by or received from financial institutions. It requires financial institutions and those who receive information from them to have a written plan for protecting customer information from foreseeable threats to security and data integrity. It must provide for designing, implementing and maintaining a safeguards program to protect customers’ financial information, whether the information is collected by the company itself or received from a financial institution. The safeguards must include three kinds of controls: administrative, physical, and technical. Procedural safeguards (such as employee screening and training) are also recommended.

HIPAA requires covered entities to have a data security plan that addresses administrative, physical and technical safeguards of health and health care information. Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronically stored or transmitted health information and to manage employee conduct in relation to the protection of health information. Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from unauthorized access and from natural and environmental hazards. Technical safeguards are the technology and the policy and procedures for its use that protect electronically stored or transmitted health information and control access to it.

Several states have enacted laws requiring businesses that are in possession of personal information to implement and maintain reasonable security procedures and practices. A small but growing number are making specific data security practices obligatory, either through direct statutory enactment or by authorizing a regulatory agency to enact data security regulations. Massachusetts regulations require persons and businesses that own, license, store or maintain personal information about an individual or legal entity that resides in that state to have a comprehensive, written information security program in place and to monitor it periodically.

(This is only a partial excerpt from Chapter 13 of E-Commerce Law by Thomas James.)


Website Law

A guide to copyright, trademark, privacy, publicity rights, defamation, pornography, and other laws regulating website content.

In this book, attorney Tom James provides detailed explanations of the public domain, “fair use” and other complex copyright concepts in easy-to-understand language. The author also shows how website owners and bloggers can use the Digital Millennium Copyright Act and the Communications Decency Act to protect themselves from liability for comments and other user-provided content.

The book also covers the ins and outs of licensing music, artwork, photographs, video and text for use in a web site. It provides specific information about licensing contracts; terms; royalty calculations, payments and accounting. Author Thomas James also explains how to find royalty-free images online.

This book is primarily for bloggers and owners of noncommercial websites. E-Commerce Law: The Legal Compliance Handbook for Online Businesses is recommended for owners of commercial websites.

410 pp. 6 x 9. Forms, appendices, bibliography, index.

Echion (2017). ISBN-13: 978-1946397003

Paperback or e-book.

Order from Amazon.com.


The History of Custody Law

The first and only comprehensive account of the history of the law of child custody from the ancient Mesopotamian law codes to the present-day schism between gender neutrality/equality and polarity.

Minnesota attorney Tom James explains the evolution of key concepts like the maternal preference and tender years doctrine, the “paramount rights” of fathers, the primary caretaker standard, the role of marital fault, “best interest” factors, the constitutionalization of parental rights, rights regarding children born out of wedlock, child protection, third party rights, visitation, joint custody, and more.

Tom James also discusses the impact of women’s movements, and of late twentieth century welfare and child support legislation, on American child custody law. Essential reading for family law professionals, and anyone with an interest in family law reform and the welfare of children.

New to this edition: survey of state no-fault statutes; key U.S. Supreme Court decisions; a new chapter on the rights of gay, lesbian, and transgendered parents; and an extensive bibliography.

340 pp., 6 x 9. Bibliography, index. 2014.

ISBN-13: 978-1499182033

Paperback or e-book

Order from Amazon.com

Check out the on-demand CLE course, “The Gender Paradigm in Family Court” on the Courses page. This program features Dr. John Hamel, Don Hubin, Mandy Morrill, attorney Thomas James, and others presenting current research findings challenging assumptions about the role that gender plays in domestic violence and the care of children. The course qualifies for various kinds of CLE (continuing legal education) credit in many states, including family law specialist credits in California. In other states, ethics, elimination of bias and/or standard CLE credits may be available. More information is on the Courses page.


Domestic Violence: The 12 Things You Aren’t Supposed to Know, by Thomas B James

Is domestic violence strictly a male phenomenon? Are all women who abuse their partners acting in self-defense? Is domestic violence about male privilege, power and control? In this book, Minnesota attorney Thomas B. James conducts a meticulous and thorough examination of the research on domestic violence, coming to the unsettling conclusion that virtually everything we think we know about domestic violence is wrong. Exposing evidence of a deliberate campaign to distort the truth and proliferate lies, Tom James explains why honesty and candor are our only real hope for bringing an end to this enormous and troubling social problem.

292 pp., 5.5 x 8.5, extensively annotated with appendix, bibliography, index.

Aventine Press (2003)

ISBN-13: 978-1593301224

Paperback

Read reviews.

Avvo Legal Guides by Tom James