ID Theft Information – Business briefing

Identify Theft Information relating to the responsibilities of businesses that handle confidential personal information

New Hawaii Identity Theft Laws

Identity theft is one of the fastest growing crimes committed throughout the United States. Criminals who steal personal information use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people’s identities.  This has resulted in billions of dollars in losses for business and consumers.  Last year alone, businesses and financial institutions reported losses in excess of fifty billion dollars!

Last May, Governor Linda Lingle signed into law several bills which will provide increased protection to Hawaii residents from identity theft. Several of these bills will directly impact Hawaii businesses. Act 135, Notification of Security Breaches, will require businesses and government agencies that keep confidential personal information about consumers to notify those consumers if that information has been compromised by an unauthorized disclosure;  Act 136, Destruction of Personal Information, will require businesses and government agencies to take reasonable measures to protect against unauthorized access to an individual’s personal information when disposing of the records they keep; and Act 137, Social Security Number Protection, will restrict businesses and government agencies from disclosing consumers’ Social Security numbers to the general public. All of these bills share a common goal: to protect individuals from exposure to identity theft by imposing limitations and restrictions on the use and disclosure of personal information.

I.  NOTIFICATION OF SECURITY BREACHES

Act 135 imposes new obligations on the part of Hawaii businesses to notify an individual whenever the individual’s personal information that is maintained by the business has been compromised by unauthorized disclosure. The underlying policy behind the Act is that prompt notification will help potential victims to act against identity theft by initiating steps to monitor their credit reputation.  In this regard, it is extremely important that any business subject to the Act’s provisions undertake measures to fully comply with the law when it becomes effective on January 1, 2007.

In determining whether an affected business must act, there are several issues it must address.  First, it must determine whether “personal information” has been compromised. “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver’s license number or Hawaii ID card number; or account number,

credit or debit card number, access code, or password that would permit access to an individual’s financial account.  It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Second, it must determine whether a “security breach” has occurred, as it is defined in Act 135.  Pursuant to the statutory definition, a “Security Breach” means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing “personal information” where illegal use of the personal information has occurred or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach.

In this regard, if information has been compromised the first thing that an affected business should do is determine whether the information constitutes “personal information” under the Act.  If the information does not meet the statutory definition, the Act will not impose any affirmative obligation on the affected business.  Consequently, if records were stolen containing only an individual’s name and address, the Act would not impose a duty on a business to inform the affected individual since the Act would not consider the data “personal information.” If, however, in addition to the name and address, social security numbers and or financial account identifying data were compromised, the Act would clearly consider this information “personal information,” and an obligation would ensue. It is important to note, however, that even if a statutory obligation does not arise under Act 135, other legal obligations may exist which will require that notice be given in a particular instance. For that reason, anytime information has been breached it is important for a business to consult with its own legal counsel to assist it with its statutory obligations.

Once it has been established that personal information has been compromised, the affected business next must determine whether a “security breach” has occurred.  In this analysis, it is incumbent on the business to try to determine whether illegal use of the personal information has occurred or is reasonably likely to occur and creates a risk of harm to a person.  Since in many instances, this may be difficult to discern, it would be prudent for the business to err on the side of caution and implement the necessary steps to inform the affected individuals.  If a business has uncertainty regarding this legal standard, it should consult with its own legal counsel.

Notification Procedures

Once it has been established that a security breach has occurred, and personal information has been compromised, a business will have to initiate action to inform the affected individuals.  This disclosure must be made without “unreasonable delay.”  The only exception would be if a law enforcement agency informs the business in writing that notification may impede a criminal investigation or jeopardize national security. Once it has been determined that the notice will no longer impede the investigation, the notice must be promptly provided.

Form of the Notice

The actual notice of the breach must be “clear and conspicuous” and include a description of:

  • The incident in general terms;
  • The type of personal information that was subject to the unauthorized access and acquisition;
  • The general acts of the business to protect the personal information from further unauthorized access;
  • A telephone number that the person my call for further information and assistance, if one exists; and
  • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

Methods of Providing Notice

There are various ways in which the business may provide notice.  These include:

  • Written notice to the last available address the business has on record;
  • Electronic mail notice, for those persons for whom a business has a valid email address and who have agreed to receive communications electronically;
  • Telephonic notice to the affected persons (the giving of such notice should be documented in writing); and
  • Substitute notice, if the business can demonstrate that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business does not have sufficient contact information or is unable to identify particular affected persons.  In that case, substitute notice shall consist of email notice if the agency has an email address, conspicuous posting of the notice on the web page of the business and notification to major statewide media. Consequently, in the event a security breach has occurred involving 10,000 persons and the business only has contact information for 9,000, substitute notice would be permissible for the remaining 1000 persons.

II.  DESTRUCTION OF PERSONAL INFORMATION RECORDS

Business and government agency records are a leading source of personal information for identity thieves. Any entity that maintains personal information as part of its business operations should establish security procedures to maintain the confidentiality and integrity of that data. A critical element of any security plan is the destruction of records containing personal information when they are being discarded. Throughout the United States, there have been repeated instances of businesses carelessly dumping boxes containing scores of customers’ personal information in dumpsters.

Act 136 imposes new obligations on the part of Hawaii businesses to properly dispose of “personal information” contained in their records.  In short, it requires businesses that have “personal information” about individuals to destroy or shred that information when they are discarding it.  This is necessary to preserve the confidentiality of our citizens’ data.  This new law takes effect on January 1, 2007.

Pursuant to Act 136, businesses must establish “reasonable measures” to protect against the unauthorized access to that information in connection with or after its disposal.

These “reasonable measures” include:

  1. Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed;
  2. Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing “personal information” so that the information cannot practicably be read or reconstructed; and
  3. Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business.

A business may satisfy its obligation on its own or by entering into a written contract with another party engaged in the business of record destruction to destroy “personal information”. If the business contracts out the service, it must still exercise “due diligence.” Under Act 136, “due diligence” ordinarily includes one or more of the following:

  • Reviewing an independent audit of the disposal business’s operations or its compliance with this statute or its equivalent;
  • Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; or
  • Reviewing and evaluating the disposal business’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.

What this means is that it would be inappropriate to contract with someone without checking into their background.  Contracting with a proven records destruction business which meets the above criteria would probably be OK, but hiring two guys with a truck with no experience in records destruction would not.

Pursuant to the Act, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social security number;
  • Driver’s license number or Hawaii identification card number; or
  • Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Note that “personal information” is specifically defined. Records containing that information must be protected.

“Records” means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.  This definition is quite broad. It includes data appearing on paper and in computers, including hard drives and computer disks.

Consequently, if a business is in possession of “personal information” contained in records, which it maintains, it is incumbent on it to properly dispose of them.  As noted above, a business may satisfy this statutory obligation by exercising “due diligence” and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of record destruction.

Additionally, since a breach of the destruction provisions may also invoke the provisions of the security breach notification provisions of Act 135 an affected business must refer to that Act to determine whether additional action is required.

III.  SOCIAL SECURITY NUMBER PROTECTION

The purpose of Act 137 is to minimize the abuses associated with the fraudulent use of a social security number (SSN) by attempting to restrict its use as an identifier.  To provide businesses and government agencies with time to comply with the law, the Act is scheduled to take effect on July 1, 2008.

Prohibited Uses of Social Security Numbers

Pursuant to the Act’s provisions, unless otherwise authorized by law, a business cannot:

  1. Intentionally communicate or otherwise make available to the general public an individual’s entire social security number;
  2. Intentionally print or imbed an individual’s entire social security number on any card required for the individual to access products or services provided by the person or entity;
  3. Require an individual to transmit the individual’s entire social security number over the Internet, unless the connection is secure or the social security number is encrypted;
  4. Require an individual to use the individual’s entire social security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website; and
  5. Print an individual’s entire social security number on any materials that are mailed to the individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual.

Permissible Uses of Social Security Numbers

Notwithstanding the general prohibition on the use and dissemination of social security numbers there are several important exclusions to the rule:

  1. Use of the social security number in the following instances is permitted if the social security number is included in documents that are mailed and:
    • Are specifically requested by the individual identified by the social security number;
    • Required by state or federal law to be on the document to be mailed;
    • Required as part of an application or enrollment process;
    • Used to establish, amend, or terminate an account, contract, or policy; or
    • Used to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to the Fair Credit Reporting Act, as set forth, in 15 U.S.C. Section 1681(b);
  • The opening of an account or the provision of or payment for a product or service authorized by an individual;
  • The collection, use, or release of a social security number to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. Sections 1681 to 1681x, as amended; undertake a permissible purpose enumerated under the federal Gramm Leach Bliley Act, 15 U.S.C. Sections 6801 to 6809, as amended; locate an individual who is missing or due a benefit, such as a pension, insurance, or unclaimed property benefit; or locate a lost relative;
  • A business or government agency acting pursuant to a court order, warrant, subpoena, or when otherwise required by law;
  • A business or government agency providing the social security number to a federal, state, or local government entity including a law enforcement agency or court, or their agents or assigns;
  • The collection, use, or release of a social security number in the course of administering a claim, benefit, or procedure relating to an individual’s employment, including an individual’s termination from employment, retirement from employment, injuries suffered during the course of employment, and other related claims, benefits, or procedures;
  • The collection, use, or release of a social security number as required by state or federal law;
  • The sharing of the social security number by business affiliates;
  • The use of a social security number for internal verification or administrative purposes;
  • A social security number that has been redacted;
  • Documents or records that are recorded or required to be open to the public pursuant to the constitution or laws of the State or court rule or order.
  • Notwithstanding the foregoing exceptions, a social security number that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

    IV.  Penalty Provisions

    Any business that violates any provision of Acts 135, 136, or 137 shall be subject to penalties to the State of Hawaii of not more than $2,500 for each violation. In addition, any business that violates any provision shall be liable to an injured party in an amount equal to the sum of any actual damages sustained.

    V.  Disclaimer

    This document is only intended to provide a summary of Acts 135, 136, and137. It does not create or confer any rights or obligations on the part of any person, business, or government agency nor does it supplant any statutory obligations imposed by any other state or federal law. Any business or person with specific questions regarding statutory interpretation should consult with their own legal counsel.