Data security breach

Major data security breaches have been disclosed by the nation’s largest information brokerage firms, retailers, companies, universities, and government agencies. Massive data security breaches in 2005, 2006, and 2007 heightened interest in the security of personal information; in the business and regulation of data brokers; in the liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for third party companies’ costs arising from data breaches; and in remedies available to individuals whose personal information was accessed without authorization.

Data security breaches commonly arise from fraudulently opened accounts, stolen or hacked laptops and computers, compromised passwords, insiders or employees who steal data, and misplaced discs or back-up tapes. They illustrate the risks of collecting and disseminating large amounts of electronic personal information. The potential harms to individuals include identity theft and financial crimes (e.g., credit card fraud, check fraud, mortgage fraud, identification document fraud, and health-care fraud).

According to a June 2007 GAO report, the link between data security breaches and identity theft is not well established:

 * The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft. However, available data and interviews with researchers, law enforcement officials, and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts.

Information security and breach notification requirements are imposed on some entities that own, possess, or license sensitive personal information. Congress, the Executive Branch, the states, and the courts continue to confront the problem of data breaches.

The Federal Trade Commission (FTC) has enforced consumer protection laws to enjoin and remedy lax information security practices.

The President’s Identity Theft Task Force reported its final recommendations in April 2007, including the establishment of national standards for entities to safeguard personal data and for notification to consumers of breaches that pose a significant risk of identity theft.

The payment card industry has also issued security standards and reporting requirements for organizations that handle payment card data.

The courts are also considering a number of lawsuits filed by consumers and banks based on the Federal Privacy Act and state common law breach of contract and negligence claims. State Attorneys General have also investigated data security breaches.

Many states have enacted laws requiring notice of security breaches of personal data and providing consumer redress. As of January 2007, 35 states had enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement information security programs to protect the security, confidentiality, and integrity of data. Congress and some states have also enacted credit freeze and fraud alert laws.

A federal law (the Veterans Affairs Information Security Act of 2006) was enacted, and federal guidance (the 2007 Office of Management and Budget memorandum on “Safeguarding Against and Responding to the Breach of Personally Identifiable Information”) was issued, to prevent and respond to federal agency data breaches. They require federal agencies that collect sensitive personal information to implement enhanced information security programs and to provide notice to persons affected by data security breaches.

Other federal laws, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, require private sector covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of personal information.