July 3, 2015

What Does It Mean To Be "Certified" In Privacy And Information Security?

I recently became certified by the IAPP in information privacy and received the CIPP/US designation. "What does that mean?" you ask? Good question!

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws. Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
A. Structure of U.S. Law
i. Constitutions
ii. Legislation
iii. Regulations and rules
iv. Case law
v. Common law
vi. Contract law
c. Legal definitions
d. Regulatory authorities
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking regulators
vi. State attorneys general
vii. Self-regulatory programs and trust marks
e. Understanding laws
i. Scope and application
ii. Analyzing a law
iii. Determining jurisdiction
iv. Preemption
B. Enforcement of U.S. Privacy and Security Laws
a. Criminal versus civil liability
b. General theories of legal liability
i. Contract
ii. Tort
iii. Civil enforcement
c. Negligence
d. Unfair and deceptive trade practices (UDTP)
e. Federal enforcement actions
f. State enforcement (Attorneys General (AGs), etc.)
g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
h. Self-regulatory enforcement (PCI, Trust Marks)
C. Information Management from a U.S. Perspective
a. Data classification
b. Privacy program development
c. Incident response programs
d. Training
e. Accountability
f. Data retention and disposal (FACTA)
g. Vendor management
i. Vendor incidents
h. International data transfers
i. U.S. Safe Harbor
ii. Binding Corporate Rules (BCRs)
i. Other key considerations for U.S.-based global multinational companies
j. Resolving multinational compliance conflicts
i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
A. Cross-sector FTC Privacy Protection
a. The Federal Trade Commission Act
b. FTC Privacy Enforcement Actions
c. FTC Security Enforcement Actions
d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
B. Medical
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
i. HIPAA privacy rule
ii. HIPAA security rule
b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
C. Financial
a. The Fair Credit Reporting Act of 1970 (FCRA)
b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
i. GLBA privacy rule
ii. GLBA safeguards rule
d. Red Flags Rule
e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
f. Consumer Financial Protection Bureau
D. Education
a. Family Educational Rights and Privacy Act of 1974 (FERPA)
E. Telecommunications and Marketing
a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
i. The Do-Not-Call registry (DNC)
b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
c. The Junk Fax Prevention Act of 2005 (JFPA)
d. The Wireless Domain Registry
e. Telecommunications Act of 1996 and Customer Proprietary Network Information
f. Video Privacy Protection Act of 1988 (VPPA)
g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
A. Law Enforcement and Privacy
a. Access to financial data
i. Right to Financial Privacy Act of 1978
ii. The Bank Secrecy Act
b. Access to communications
i. Wiretaps
ii. Electronic Communications Privacy Act (ECPA)
1. E-mails
2. Stored records
3. Pen registers
c. The Communications Assistance to Law Enforcement Act (CALEA)
B. National Security and Privacy
a. Foreign Intelligence Surveillance Act of 1978 (FISA)
i. Wiretaps
ii. E-mails and stored records
iii. National security letters
b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
i. Other changes after USA-Patriot Act
C. Civil Litigation and Privacy
a. Compelled disclosure of media information
i. Privacy Protection Act of 1980
b. Electronic discovery
IV. Workplace Privacy
A. Introduction to Workplace Privacy
a. Workplace privacy concepts
i. Human resources management
b. U.S. agencies regulating workplace privacy issues
i. Federal Trade Commission (FTC)
ii. Department of Labor
iii. Equal Employment Opportunity Commission (EEOC)
iv. National Labor Relations Board (NLRB)
v. Occupational Safety and Health Act (OSHA)
vi. Securities and Exchange Commission (SEC)
c. U.S. Anti-discrimination laws
i. The Civil Rights Act of 1964
ii. Americans with Disabilities Act (ADA)
iii. Genetic Information Nondiscrimination Act (GINA)
B. Privacy before, during and after employment
a. Employee background screening
i. Requirements under FCRA
ii. Methods
1. Personality and psychological evaluations
2. Polygraph testing
3. Drug and alcohol testing
4. Social media
b. Employee monitoring
i. Technologies
1. Computer usage (including social media)
2. Location-based services (LBS)
3. Mobile computing
4. E-mail
5. Postal mail
6. Photography
7. Telephony
8. Video
ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
iii. Unionized worker issues concerning monitoring in the U.S. workplace
c. Investigation of employee misconduct
i. Data handling in misconduct investigations
ii. Use of third parties in investigations
iii. Documenting performance problems
iv. Balancing rights of multiple individuals in a single situation
d. Termination of the employment relationship
i. Transition management
ii. Records retention
iii. References
V. State Privacy Laws
A. Federal vs. state authority
B. Marketing laws
C. Financial Data
a. Credit history
b. California SB-1
D. Data Security Laws
a. SSN
b. Data destruction
E. Data Breach Notification Laws
a. Elements of state data breach notification laws
b. Key differences among states

Why did you decide to get the CIPP/US certification?

More and more people are claiming to be privacy experts these days, including a number of lawyers. Although very few law firms advertised a privacy practice group as of just a few years ago, almost all large law firms do now...with varying degrees of credibility. Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context. They are nonetheless re-branding themselves as "privacy" lawyers. While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between. The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security.

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice.  Furthermore, there are very accomplished lawyers in these spaces who are not certified by IAPP.   However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Mainting IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowlege remains up to date.

The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.

* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specalization in one of a very limited number of fields of law.  There is no specalization available from the N.C. State Bar for privacy, information security, or any related field of law.  

June 27, 2015

A New Role with the YLD, the Future of the Legal Profession

Those of you know me well or who read this blog regularly know that I believe in the Young Lawyers Division of the North Carolina Bar Association and the more than 6,400 young lawyers who belong to it.  In the past eight years, I have witnessed young lawyers volunteer to help thousands of people with significant legal needs and do important work to improve the legal profession.  This is a great group of people, and I am immensely honored that they have elected me to lead them.  I will take office as Chair of the YLD in June of 2016.  In the meantime, if you are a service-minded lawyer under 36, or if you have ideas about what the YLD can do to further its missions (service to the public, service to the bar, and leadership training), please let me know

June 15, 2015

Five Simple Steps You Can Take to Protect Your Loved Ones on Elder Abuse Awareness Day

This post is a PSA.  Those of you who know me well (or read this blog regularly) know that I have spent a considerable amount of of time and energy trying to help people prevent elder financial abuse.  The elderly in the United States lose an estimated $2.6 billion annually due to elder financial abuse and exploitation.  Today is the eighth annual Elder Abuse Awareness Day, which seems like an appropriate time to suggest a few simple steps you can take to help protect your loved ones from elder financial abuse.

1.  If his or her bank offers the opportunity (and is in North Carolina), ask your loved one to provide the bank with a list of trusted persons to whom the bank may speak in the case of suspicious activity.  I've written and spoken about this topic frequently, and you can read my comments here, here, here, here and here.

2.  Encourage your loved one to talk to an elder law attorney about naming a trustworthy person as attorney-in-fact to look after your loved one's interests.  Discourage your loved one from granting a power of attorney to anyone who is not 100% trustworthy and competent.

3.  A small number of unscrupulous telemarketers prey on the elderly.  One way to reduce the potential for this kind of abuse it to put your loved one's telephone number(s) on the national Do Not Call registry by filling out the form available here

4.  Social media is not just for young people.  Many older adults have social media accounts these days.  Fraudsters sometimes use information gathered from social media to help them perpetrate frauds, such as spearphishing attacks.  Ask your loved ones to allow you to set privacy settings on their social media accounts so that strangers (and anyone else they shouldn't trust) will not be able to gain access to information that would help in such attacks.

5.  Encourage your loved one to obtain their free annual credit report and help them review the report for evidence of identity theft.  I have written about how to get a free credit report (as well as how to respond to identity theft) here.

Thank you for taking the time to read this post.  I hope this information will help you as you try to protect your loved ones from the growing threat of elder financial exploitation. 

June 2, 2015

Potential Opportunities for Cost Sharing by Community Banks

At the North Carolina Bankers Association's Annual Convention today, Kris Kiefer, Deputy Comptroller at the OCC, and John Henrie, Regional Director of the FDIC, referenced a recent OCC paper regarding bank pooling of resources to obtain better services at lower cost. 

The paper, titled “An Opportunity for Community Banks: Working Together Collaboratively,” describes ways in which community banks might collaborate to lower costs and obtain specialized expertise. The paper outlines how community banks can structure cooperative arrangements, and emphasizes the need for effective oversight of those arrangements.

Community banks can collaborate in several ways, according to the OCC, such as:
  • exchanging information and ideas;
  • jointly purchasing materials or services;
  • sharing back-office or other services;
  • sharing a specialized staff member or team;
  • jointly owning a service organization;
  • participating in disaster mitigation agreements; and
  • jointly providing/developing products and services.
In some cases, community banks will want to form an entity (such as an LLC) to engage in activies. The regulatory issues to be addressed in those situations will be whether the activities are permissible and whether the investment by the banks in the entity are permitted.  The OCC has its own rules and guidance for permissible activies, and has published guidance based on prior decisions.  State chartered banks may generally follow those rules and guidance, despite being regulated by other agencies.  Often the entities will be considered "noncontrolling investments" or "bank service companies," which are different from a regulatory standpoint than the "bank operating subsidiaries" that many banks may be more familiar with.  Often an application will be required.

As with loan participations and syndications, the guidance makes clear that bank collaborations should be documented in a binding agreement that allocates the resposibilities and risks associated with the activity. 

Ideally, collaboration in areas in which it makes sense would enable community banks to achieve better outcomes at lower costs, increase their range of services, and enhance the expertise available to them.


June 1, 2015

TILA-RESPA Integration Will Be Here In Two Months. Are You Ready?

As all mortgage lenders know by now, beginning August 1, the new TILA-RESPA integrated disclosure requirements will become effective for any lender that makes more than five mortgage loans in a calendar year.  With two months to go, now is a good time to make sure your institution is ready.
If you have been paying attention, you know that the rule covers much more than just two new disclosure forms.  This is a complex, substantive change in the law.   In fact, the CFPB has published hundreds and hundreds of pages of rules and guidance.  I am not going to attempt to describe the new rules in detail here. (The final rule alone is 1,888 pages.) Instead, I just want to point out a few things and recommend a checklist for assessing your progress as you prepare for the August 1 deadline.
First, as I am sure you know, the new Loan Estimate form combines two existing forms, the Good Faith Estimate (GFE) and the initial Truth-in-Lending disclosure into one form.  The Loan Estimate must be provided to an applicant (placed in the mail) no later than the third business day after he or she submits a loan application.  
When Is An Application "Complete"?

One thing I want to be sure you understand is that unlike under the current rules, after August 1, a loan application that you might otherwise consider "incomplete" may trigger the Loan Estimate obligation.

The rule defines a loan application as having six of the seven elements that RESPA required: consumer’s name, consumer’s income, consumer’s social security number to obtain a credit report, property address, estimate of the value of the property and mortgage loan amount sought. The definition in the rule does not include RESPA’s seventh, catch-all term “any other information deemed necessary by the loan originator.” So, while you used to be able to deem a loan application incomplete for purposes of RESPA if it lacked some additional information that you deemed necessary, you no longer have that discretion. 
Also be careful about this: An application must be in writing, but any written record of an oral conversation is sufficient to trigger the requirement.

Even if a complete application has not been received, it will be permissible to provide an "early written estimate."  You should, however, include a clear disclaimer on any such estimate.
Revised Disclosures

Sometimes, disclosures need to be revised.  If a revised disclosure is necessary, it must be received by the customer at least four business days prior to closing, which means that it if is mailed, it must be mailed seven business days before closing.
Did You Endorse That Service Provider?

Separate from the Loan Estimate is a required list of settlement services for which the customer can shop. You must identify at least one provider for each service. Do you have a policy for how you will identify these providers for each market area? How many will you list for each category? Are you going to vet them? If not, do you have a disclaimer ready? (Hint: the model form does not have one.)
Collecting Fees

There are also new restrictions on fees that can be collected prior to giving a Loan Estimate and prior to a consumer’s consent to proceed. For example, no fee other than a credit report fee can be collected prior to the Loan Estimate and consumer consent to proceed. 
Pre-Closing Disclosure
As most of you know, the other major document required by the new rules is the Closing Disclosure, which as you know, combines two existing forms, the HUD-1 Settlement Statement and final Truth-in-Lending disclosures, into one form, and must be provided to consumers at least three business days before closing the loan. 
Mistakes are going to happen, but if they are caught in time, they can be corrected.  The rule says you can retroactively cure violations by refunding the excess portion of a cost or fee to the consumer, and delivering corrected disclosures to reflect the refund, within 60 days after closing.  You’ll need to decide if you want to set up a post-consummation review process to ensure that you provide corrected Closing Disclosures to catch these and correct them.  
Additional Disclosures
Beyond the two primary disclosures, there are others to have ready by August 1:
  • the post-consummation escrow cancellation notice (aka "Escrow Closing Notice") 
  • the post-consummation mortgage servicing transfer
  • partial payment notice

Record Retention 
You probably need to update record retention policies as well.  
  • Keep a copy of the Closing Disclosure (and all documents related to the Closing Disclosure) for five years after consummation, even if you sell the loan and the servicing rights.
  • Keep the Post-Consummation Escrow Cancellation Notice (Escrow Closing Notice) and the Post-Consummation Partial Payment Policy disclosure for two years. 
  • For all other evidence of compliance with the Integrated Disclosure provisions of Regulation Z (including the Loan Estimate) maintain records for three years after consummation of the loan.
  • Be sure you know when to use the new forms versus when to continue to use the existing disclosures (GFE, initial and final TIL, and the HUD-1)
    • Specifically, the TILA-RESPA rule does not apply to HELOCs, reverse mortgages or mortgages secured by a mobile home or by a dwelling that is not attached to real property (i.e., land). (§ 1026.19(e) and (f))
    • However, certain types of loans that are currently subject to TILA but not RESPA are subject to the new integrated disclosure requirements, including: construction-only loans, vacant-land loans, and loans secured by 25 acres or more.
  And Many More...
Here are a few things you’ll want to think about, such as the following: 
  • Do you have policies and forms for pre-consummation and post-consummation disclosures? 
  • Also, think about how a consumer will give the required indication of intent to proceed with a loan? Are you going to have a form?
  • How are you going to track the new tolerances?
In addition, I suggest you take a look at the Readiness Questionnaire in Part 2 of the CFPB’s Mortgage Rules Readiness Guide. I encourage you to work through the TILA-RESPA Integration section that begins on page 15 and ends on page 21.  This is not mandatory (and it has not been added to the Exam Manual), but it may be useful to help determine how ready you are and what you need to do next. 

My hope is that each of you reading this article will be buoyed with confidence that you are well-prepared for the August 1 compliance deadline, but if you are not, I hope this article will help you identify the areas that need work in the final days before implementation.


May 30, 2015

The CFPB Wants More Information About Mortgage Loans. Guess Who's Going to Collect It.

As you may know, the Consumer Financial Protection Bureau collects data from mortgage lenders about mortgage loans. It is currently attempting to dramatically expand the scope of information that mortgage lenders are required to provide to it.  
The Home Mortgage Disclosure Act (HMDA, or, as I like to call it, "Hmm Duh") was enacted in 1975 and the Federal Reserve Board was given rulemaking authority (through which it authored Reg. C) until July 21, 2011, when the Dodd-Frank Act transferred that authority to the CFPB. HMDA requires lending institutions to report certain mortgage loan data. The Dodd-Frank Act also directed the CFPB to expand the HMDA dataset to include additional information about loans that would be helpful to better understand aspects of the mortgage market.  
The CFPB proposed changes to the data that mortgage lenders are required to collect and report was proposed in July of last year. (That proposal was 572 pages--svelt by CFPB standards.)  The proposal went well beyond what the Dodd-Frank Act required. The comment period ended in October, and we are now awaiting the final rules. Here's what the proposal entails:
More Loans
Regulation C currently uses a “purpose” test to determine whether a mortgage loan transaction must be reported. Loans made to purchase, refinance, or improve a home are covered. The proposed rule would require that covered lenders report, with some exceptions, all loans secured by dwellings. "Dwelling" isn't limited to primary residence—it includes vacation homes, multi-family, and rentals. home equity lines of credit  (HELOCs), which were not previously always covered unless the use of proceeds related to the home, will always be covered if the proposed rule is adopted.
Higher Reporting Threshold
Currently, Regulation C requires banks to submit HMDA data even if they make only one home loan in a given year; however, the proposal would set a 25 loan threshold. For purposes of counting the threshold, only closed-end loans (including reverse mortgages)--not HELOCs--are counted. 
New Information
The proposed rule would add not only the 17 new data fields called for by Dodd-Frank, but also 20 additional fields that the CFPB believes are necessary to help it monitor the marketplace. 
The new information required by the Dodd-Frank Act includes, for example:
  • the property value; 
  • term of the loan; 
  • total points and fees; 
  • rate spread;
  • the duration of any teaser or introductory interest rates;
  • prepayment penalties;
  • bonamortizing features;
  • loan officer number;
  • the applicant’s or borrower’s age; 
  • credit score;
  • application channel (retail or broker)
The CFPB's additional 20 fields include the following:
  • applicant’s debt-to-income ratio
  • loan-to-value ration (LTV)
  • the automated underwriting system used
  • the reason for denial (currently optional) 
  • Qualified Mortgage (QM) status
  • the interest rate of the loan, and 
  • the total discount points charged for the loan
  • fees 
  • certain property information
  • manufactured housing data
All of this is ostensibly to allow CFPB to see how the mortgage market is functioning, and specifically to determine how the "Ability to Repay" rule is affecting the market. (Although without a "before" data set, how can they know?)

Reporting Timeframe
Mortgage lenders currently report annually by March 1 for the preceding calendar year. Under the proposal, mortgage lenders that make 75,000 or more loans will have to start reporting quarterly. 
Reporting Format and Method

The proposed rule would align many of the HMDA data requirements with the widely used Mortgage Industry Standards Maintenance Organization ("MISMO") data standards, including the Uniform Loan Delivery Dataset ("ULDD") that is already used by the government-sponsored enterprises (GSEs).
The CFPB is considering creating its own web-based HMDA software that mortgage lenders would use to report their data. That sounds like a bad idea to me. (Remember how well the federal government's last big website rollout went?)
Public Disclosure
The CFPB did not state what, if any, of the new data proposed to be collected would be made available to the public. The bureau is still considering this issue.  (If the data is made a available to the public, you can bet that some special advocacy groups will be scrutinizing the data and drawing inferences from it.)

Final Rule Expected This Year.
The CFPB has not announced when the final rule will be published, but most people expect it to be this year. I have seen a prediction for July, but that seems too soon to me. There are too many details around the reporting format and method to expect a final rule this summer, given the CFPB's many other initiatives.

Fair Lending Focus

Aside from the increased burden on mortgage lenders, I predict that the primary consequence of this change will be an increase in enforcement actions against mortgage lenders.  Obviously this new data will enable CFPB and others to evaluate equal credit opportunity issues, and probably will facilitate more disparate impact type claims

May 9, 2015

The CFPB's Consumer Complaint Database Will Soon Include Consumers' Complaint Narratives. Are You Ready?

In case you missed it, the CFPB is trying to become the next Yelp or Angie's List.

The CFPB began accepting complaints from consumers as soon as it opened its doors in 2011—with over half a million currently on file.  In June of 2012, it started publishing a limited amount of data from the complaints on its website. Now, it has decided to give consumers a platform to "publicly share their stories." 

The CFPB's website already allows a consumer to describe his or her complaint in narrative form in a text box on the complaint webpage. The consumer can also attach documents to the complaint. The CFPB forwards the complaint to the company, requests a response, gives the consumer a tracking number, and updates the consumer on the status of the resolution.

In March, the CFPB revised its consumer complaint policy to allow consumers to publish their grievances—in their own words—on the CFPB's website.   Beginning later this month (May 2015), when consumers submit complaints to the CFPB, they will have the option to check a box to share their narrative. The narratives will have names, telephone numbers, account numbers, Social Security numbers, and other identifiers redacted. The CFPB will not, however, verify the truth or accuracy of the facts asserted in the consumer's complaint. 

Banks and other companies will be given the option to select from a limited list of structured response options within 180 days after the consumer complaint is routed to them. The response cannot be customized. Actually, the final policy says that the financial institution can "recommend" one of the pre-set response to the CFPB, but the CFPB reserves the right to reject the response.

Complaints will be listed in the public database only after the financial institution responds to the complaint or after it has had the complaint for 15 days, whichever comes first. The CFPB will publish the consumer complaint narrative when the financial institution provides its public-facing response, or after the financial institution has had the complaint for 60 days, whichever comes first. If, within 15 days of receiving a notice of the complaint, a financial institution tells the CFPB that it has no record of a financial relationship with the complaining person, or if the financial institution tells the CFPB that it believes the complaint is fraudulent, the CFPB is not supposed to publish the complaint.

Despite the fact that this sort of information can become stale and of marginal value over time, the CFPB has determined that complaints will remain on the public database indefinitely.  Furthermore, the final policy fails to address whether complaints will be removed or changed when a financial institution merges or is acquired, or when a division is spun out.

I have written and spoken before about the importance of online reputation management for financial institutions. This development underscores the need for each financial institution to have a comprehensive online reputation management strategy. Aside from behaving honestly and ethically, the best (but not the only) thing a financial institution can do to protect its reputation online is to inundate the web with positive content. While there are some legal concerns to address when a financial institution expands its presence on the web, this strategy is the most effective way to ensure that the overall narrative reflects the financial institution's mission and message.

Image credit: matt cordell using (x-ray delta one)

March 1, 2015

Data Security Breaches, Unauthorized Transfers, and Corporate Accout Takeovers ...What You Missed!

On Friday, I had the honor to join some distinguished speakers for an all-day continuing legal education seminar on computer technology and the law.  My fellow presenters were:
  • Clark Walton, former CIA forensic computer analyst, lawyer with Alexander Ricks, and founder of computer forensic firm Reliance Forensics (and formerly Chair of the NCBA Young Lawyers Division and the American Bar Association's Young Lawyer of the Year).
  • Ashden Fein, lead prosecutor of Private Bradley Manning in the WikiLeaks trial and now lawyer with Covington & Burling in Washington, D.C.
  • Chris Swecker, former Assistant Director of the FBI, lawyer, and security consultant.
  • Kim Korando, employment lawyer with Smith Anderson.
  • Joyce Brafford, law practice technology guru with the NCBA's Center for Practice Management.
It was a fascinating day, and I enjoyed hearing from these great speakers more than I enjoyed speaking myself.  (I was under the weather and quite hoarse.  My apologies to all who had to endure my voice.)

In the course of my presentation, we discussed the various legal response requirements following a data security breach, as well as liability for unauthorized transfers in consumer and commercial accounts. 

The program was well-attended in person and by webinar, but if you missed the opportunity to attend, I am providing a link to my slideshow here.  I hope you find it useful.

February 9, 2015

NC Commissioner of Banks Ray Grace Re-Appointed

Commissioner Ray Grace -photo by M. Cordell
Today, Governor McCrory appointed Ray Grace to serve as North Carolina's Commissioner of Banks for another term.  Although Commissioenr Grace has been "appointed," the process actually works like a nomination; His appointment must be confirmed by each house of the General Assembly. 

After serving in the Marine Corps during the Vietnam War, Grace graduated from college and immediately joined the Office of the Commissioner of Banks as a trainee examiner in 1974. He has served in various roles over the years, and has deep experience in the regulation and supervision of North Carolina financial institutions. 

After former Commissioner Joseph A. Smith, Jr., resigned effective February 16, 2012 to become the nationwide mortgage settlement czar, then-Governor Beverly Purdue appointed Grace, then Deputy Commissioner, to serve as Acting Commissioner. Under the banking statute in effect at the time, Governor Purdue was required to submit the name of a permanent successor to the General Assembly within four weeks. She nominated Ray Grace by the end of the month, and he became Acting Commissioner. However, as I predicted back in February of 2012, the confirmation process took much, much longer.  Governor McCrory re-nominated Acting Commissioner Grace more than a year later, in March of 2013. The Senate approved on May 15, 2013, and the House approved on June 6, 2013.  Commissioner Grace's initial term was the remainder of what would have been Joe Smith's final term, expiring March 31, 2015.  

Under the new banking statute, Governor McCory was required to appoint a Commissioner of Banks by February 1.  Apparently it took a few days for that appointment to be publicly announced.  Assuming he is confirmed by the General Assembly, the Commissioner's term will continue for four years (until March 31, 2019).


January 16, 2015

What Would The White House's Data Security Breach Proposal Mean For North Carolina Businesses?

Earlier this week, the President announced a new cybersecurity initiative. The White House explained that:
"[t]here is a growing perception that individuals have lost control of their personal information; a negative implication of such a view is it may serve as an inhibitor of the use of technology, stymie innovation, and contribute to a less productive economy."
Of course, the President has no legal authority to implement most of his proposals. The Constitution gives Congress the sole power to introduce and pass legislation. The President's role is simply to sign or veto a bill once Congress approves. However, the President's bully pulpit gives him the practical ability to influence Congress' agenda. The primary purpose of the President's current cybersecurity push is to pressure Congress to enact comprehensive cybersecurity legislation.
As of now, the White House has not disclosed all of the text of the proposed bill--only bits and pieces. What we have been told is that the proposal has multiple components. One component that has been described in detail is the breach notification requirement (styled as "The Personal Data Notification & Protection Act"), the full text of which you can read here.

North Carolina and 45 other states already have a data breach notification law. This might suggest that there is no need for a nationwide breach notification rule. Are state breach notification rules inadequate? Is there a compelling need for nationwide uniformity? These are important policy questions. In order to evaluate them, it might be helpful to understand how the White House proposal differs from state laws--particularly the data breach notification requirement found in the North Carolina Identity Theft Protection Act. This blog post will compare the White House proposal to North Carolina's existing breach notification requirement.

Entities Covered. The North Carolina breach notice statute applies to any business in North Carolina or that "owns or licenses" information about North Carolina residents. Under the White House proposal, only businesses that hold sensitive personally identifiable information about more than 10,000 individuals would be covered.

The Reporting Requirement of a Security Breach. The White House proposal would require business entities to give notice of a "security breach" involving "sensitive personally identifiable information." The term "security breach" in the White House proposal would mean a "compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in...unauthorized acquisition... or access...."

The term is defined slightly differently under North Carolina law. Under our Identity Theft Protection Act, a security breach is "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."

Here's one difference: It would be harder to avoid reporting "low risk" incidents under the White House proposal. There are all sorts of scenarious that might result in unauthorized access, some of which can be relatively innocuous, and probably do not warrant reporting. You can imagine such situations easily. The White House proposal would make it harder to avoid reporting in these situations. Under the North Carolina law, a breach occurs when "illegal" use "has occurred or is reasonably likely to occur" or there is "a material risk of harm to a consumer." Under the White House proposal, there is a breach, and therefore a reporting requirement (at least to the FTC), if there is an "unauthorized acquisition" or "accesss...in excess of authorization." Under the White House proposal, even if the incident presents a low degree of risk, it must be disclosed to the FTC.

Here's another difference: Under the North Carolina statute, if a hard drive is stolen, but it's encrypted, there is no breach. Under the NC statute, that ends the analysis, and there is no reporting requirement. Under the White House proposal, there is a breach, even if the information was encrypted, and the custodian of the information would then have to undertake a risk assessment to determine if there is a "reasonable risk that a security breach has resulted in, or will result in, harm to the individuals." Encryption might support a presumption that there is no reasonable risk of harm. However, under the White House proposal, the business would be required to self-report to the Federal Trade Commission within 30 days:
  • that it had experienced a breach and conducted a risk assessment,
  • the results of the risk assessment,
  • that it had concluded that there was no reasonable risk to individuals; and
  • logging data (i.e., records of access and changes to a database) for the six months prior and database users' and administrators' log-in information.

Definition of Personal Information. The term "sensitive personally identifiable information" is defined in the White House proposal similarly to the term "personal information" in the North Carolina statute, except that the White House proposal is slightly more broad and would also allow the Federal Trade Commission to create other categories of "sensitive personally identifiable information" by rule. In this way, the White House proposal might be more easily adjusted to changes in technology.

Timing of Notice. The days immediately following discovery of a security breach are difficult for a business, as well as being important to law enforcement. The first priority is almost always to identify and eliminate vulnerabilities. Businesses are reluctant to make public statements before they have obtained and analyzed the facts. Each of these steps may require outside help from forensic computer experts and security experts. It takes time. One of the ways in which the White House proposal differs from the North Carolina statute is the timing of reporting obligations. Under the both the North Carolina statute and the White House proposal, the breached business must notify affected customers "without unreasonable delay." However, under the White House proposal, that means no later than 30 days unless the FTC grants an extension.

Public Notice. In addition to notifying affected individuals, state statutes often require a public announcement, of some sort, of the breach. Under the North Carolina statute, the business must notify statewide media of the breach (and place a notice on its website) only if it chooses not to contact affected individuals directly because the cost of providing notice would exceed $250,000 or the number of affected individuals exceeds 500,000. Under the White House proposal, if more than 5,000 residents of any particular state are affected, the breached business must notify statewide "major media outlets" of the breach.

Under the White House proposal, if more than 5,000 individuals are affected by a breach, the business must notify the credit reporting agencies. Under the North Carolina statute, the threshold for making such a report is 1,000.

Allocation of Responsibility to Provide Notice. Under the North Carolina statute, the reporting obligation falls on the business that "owns or licenses" the personal information. A third party custodian who does not own or license the information must merely notify the owner or licensee of the information (not the affected individuals) in the event of a breach. The North Carolina statute does not address whether the owner/licensor can agree with the custodian that, in the event of a breach, the custodian would be responsible to provide notice to customers.

The White House proposal expressly allows owners/licensees and custodians to enter into a contract that allocates the responsibility to notify affected individuals of a breach; however, the notice must include reference to the party who has a direct business relationship with the affected individuals (i.e., the owner/licensee).

Summary. As you can see, the White House proposal differs from existing North Carolina law in a number of ways. From the perspective of a business that has consumer data, the White House proposal generally seems more burdensome; however, for businesses operating in multiple states, the additional obligations of the White House proposal might be outweighed by the benefits of having a uniform law across jurisdictions. (Responding to a multi-state breach is very challenging because of the variation in state breach response laws.) 

Whether Congress will take up the proposal in earnest, and whether legislation resembling the White House proposal will pass both houses, is anyone's guess, but one thing is clear at this point--the President has initiated a public dialogue on these issues.