Order Code RL34120
Federal Information Security and Data Breach
Notification Laws
Updated April 3, 2008
Gina Marie Stevens
Legislative Attorney
American Law Division

Summary
The following report describes information security and data breach notification
requirements included in the Privacy Act, the Federal Information Security
Management Act, Office of Management and Budget Guidance, the Veterans Affairs
Information Security Act, the Health Insurance Portability and Accountability Act,
the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit
Reporting Act.
Information security laws are designed to protect personally identifiable
information from compromise, unauthorized disclosure, unauthorized acquisition,
unauthorized access, or other situations where unauthorized persons have access or
potential access to personally identifiable information for unauthorized purposes.
Data breach notification laws typically require covered entities to implement a breach
notification policy, and include requirements for incident reporting and handling and
external breach notification.
During the 110th Congress, three data security bills — S. 239 (Feinstein), S. 495
(Leahy), and S. 1178 (Inouye) — were reported favorably out of Senate committees.
Those bills include information security and data breach notification requirements.
Other data security bills were also introduced, including S. 806 (Pryor), S. 1202
(Sessions), S. 1260 (Carper), S. 1558 (Coleman), H.R. 516 (Davis), H.R. 836
(Smith), H.R. 958 (Rush), H.R. 1307 (Wilson), H.R. 1685 (Price), and H.R. 2124
(Davis).
For related reports, see CRS Report RL33273, Data Security: Federal
Legislative Approaches, by Gina Marie Stevens. Also see the Current Legislative
Issues web page for “Privacy and Data Security” available at [http://www.crs.gov].
This report will be updated.

Contents
Introduction  1
Federal Information Security and Data Breach Notification Laws  3
  Background  3
  Federal Sector  5
    Privacy Act  5
    Federal Information Security Management Act  6
    Office of Management and Budget “Breach Notification Policy”  8
    Veterans Affairs Information Security Act  9
  Private Sector  13
    Health Insurance Portability and Accountability Act  13
    Gramm-Leach-Bliley Act  15
    Federal Trade Commission Act  19
    Fair Credit Reporting Act, as amended by the Fair and Accurate Transactions Act of 2003  20
The Payment Card Industry Data Security Standard  22


Introduction
Numerous data breaches and computer intrusions have been disclosed by the
nation’s largest data brokers, retailers, educational institutions, government agencies,
health care entities, financial institutions, and Internet businesses.1 A data breach
occurs when there is a loss or theft of, or other unauthorized access to, data
containing sensitive personal information that results in the potential compromise of
the confidentiality or integrity of data. Sensitive personal information generally
includes an individual’s name, address, or telephone number, in conjunction with the
individual’s Social Security number, driver’s license number, account number, credit
or debit card number, or a personal identification number or password. Breach
notification laws enacted by many states require the disclosure of security breaches
involving sensitive personal information.
In the absence of a comprehensive federal data breach notification law, many
states enacted laws requiring consumer notice of security breaches of personal data.2
The majority of states have introduced or passed bills requiring companies to notify
persons affected by breaches involving their personal information and, in some cases,
to implement information security programs to protect the security, confidentiality,
and integrity of data. As of January 2008, 39 states had enacted such data security
laws.3 Six states have reportedly introduced bills designed to strengthen merchant
security and/or hold companies liable for third party companies’
1 See generally CRS Report RL33199, Personal Data Security Breaches: Context and Incident Summaries, by Rita Tehan.
2 See Julie Brill, Vermont Assistant Attorney General, Chart on Comparison of State Security Breach Laws (updated 7-12-07).
3 Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin, and Wyoming. National Conference of State Legislatures, State Security Breach Notification Laws, at [http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm]; John P. Hutchins, U.S. Data Breach Notification Law: State by State (2007).

costs arising from data breaches (California, Connecticut, Illinois, Massachusetts,
Minnesota, and Texas).4
From February 2005 to December 2006, 100 million personal records were
reportedly lost or exposed.5 The Privacy Rights Clearinghouse chronicles and reports
that over 223 million data records of U.S. residents have been exposed due to
security breaches since January 2005.6 In 2006 the personal data of 26.5 million
veterans was breached when a VA employee’s hard drive was stolen from his home.
In 2007 the retailer TJX Companies revealed that 46.2 million credit and debit cards
may have been compromised during the breach of its computer network by
unauthorized individuals.7 In 2008 the Hannaford supermarket chain revealed that
approximately 4 million debit and credit card numbers were compromised when
Hannaford’s computer systems were illegally accessed while the cards were being
authorized for purchase. There were 1,800 reported cases of fraud connected to the
computer intrusion.
Data breaches involving sensitive personal information may result in identity
theft and financial crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud,
mortgage fraud, employment-related fraud, government documents or benefits fraud,
loan fraud, and health-care fraud). Identity theft involves the misuse of any
identifying information, which could include name, SSN, account number, password,
or other information linked to an individual, to commit a violation of federal or state
law.8 According to the Federal Trade Commission, identity theft is the most common
complaint from consumers in all 50 states, and accounts for over 35% of the total
number of complaints the Identity Theft Data Clearinghouse received for calendar
years 2004, 2005, and 2006. In calendar year 2006, of the 674,354 complaints
received, 246,035 or 36% were identity theft complaints.9 With continued media
4 See Timothy P. Tobin, In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States, at [http://privacylaw.proskauer.com/]. The Minnesota bill was signed into law on May 21, 2007. 2007 Minn. Laws Ch. 108, H.F. 1758.
5 Tom Zeller, “An Ominous Milestone: 100 Million Data Leaks,” New York Times, December 18, 2006, p. C3.
6 Privacy Rights Clearinghouse, A Chronology of Data Breaches, at [http://www.privacyrights.org/ar/ChronDataBreaches.htm].
7 U.S. Securities and Exchange Commission, Form 10-K Annual Report: The TJX Cos., Inc., [http://www.sec.gov/Archives/edgar/data/109198/000095013507001906/b64407tje10vk.htm].
8 P.L. 105-318, Identity Theft Assumption and Deterrence Act; 18 U.S.C. § 1028.
9 Federal Trade Commission, Identity Theft Victim Complaint Data, Feb. 7, 2007, at [http://www.ftc.gov/bcp/edu/microsites/idtheft/downloads/clearinghouse_2006.pdf].

reports of data security breaches,10 concerns about new cases of identity theft are
widespread.11
These public disclosures have heightened interest in the security of sensitive
personal information; in the security of computer systems; in the applicability of
existing federal laws to the protection of sensitive personal information; in the
adequacy of enforcement tools available to law enforcement officials and federal
regulators; in the business and regulation of data brokers;12 in the liability of retailers,
credit card issuers, payment processors, banks, and furnishers of credit reports for
costs arising from data breaches; in remedies available to individuals whose personal
information was accessed without authorization;13 in the prosecution of identity theft
crimes related to data breaches; and in the criminal liability of persons responsible
for unauthorized access to computer systems.14
Federal Information Security and Data Breach
Notification Laws
Background
Because of questions about the applicability of existing federal laws to sensitive
personal information, this report provides an overview of federal information security
and data breach notification laws that are applicable to certain entities that own,
possess, or license sensitive personal information.15
10 See Nancy Trejos, “Identity Theft Gets Personal: When a Debit Card Number Is Stolen, America’s New Crime Wave Hits Home,” Washington Post at F01 (Jan. 13, 2008).
11 Legislation introduced in response to the increase in data security breaches is discussed in CRS Report RL33273, Data Security: Federal Legislative Approaches, by Gina Marie Stevens.
12 See U.S. Government Accountability Office, Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data 56, GAO-06-674, June 26, 2006, at [http://www.gao.gov/new.items/d06674.pdf].
13 See CRS Report RL31919, Federal Laws Related to Identity Theft, updated by Gina Marie Stevens.
14 See CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle.
15 For a discussion of Section 222 of the Communications Act of 1934, as amended (47 U.S.C. 222), which establishes a duty for telecommunications carriers to protect the confidentiality of customers’ customer proprietary network information (CPNI), see CRS Report RL34409, Selected Laws Governing the Disclosure of Customer Phone Records by Telecommunications Carriers, by Kathleen Ruane. For a discussion of Sections 302 and 404 of the Sarbanes-Oxley Act of 2002, P.L. 107-204, which require public companies to ensure that they have implemented appropriate information security controls with respect to their financial information, see CRS Report RS22482, Section 404 of the Sarbanes-Oxley Act of 2002 (Management Assessment of Internal Controls): Current Regulation and Congressional Concerns, by Michael V. Seitzinger.

Information security laws are designed to protect personally identifiable
information from compromise, unauthorized disclosure, unauthorized acquisition,
unauthorized access, or other situations where unauthorized persons have access or
potential access to personally identifiable information for unauthorized purposes.
Data breach notification laws typically require covered entities to implement a breach
notification policy, and include requirements for incident reporting and handling and
external breach notification.
No single federal law or regulation governs the security of all types of sensitive
personal information. Determining which federal law, regulation, and guidance is
applicable depends in part on the entity or sector that collected the information, and
the type of information collected. Under federal law certain sectors are legally
obligated to protect certain types of sensitive personal information. These
obligations were created, in large part, when federal privacy legislation was enacted
in the credit, financial services, health care, government, securities, and Internet
sectors. Federal regulations were issued to require certain entities to implement
information security programs and provide breach notice to affected persons.16
The applicability of a particular law depends in part on the information owner.
For example, there are federal information security requirements applicable to all
federal government agencies and a federal information security law applicable to a
sole federal department (Veterans Affairs). In the private sector, different laws apply
to private sector entities engaged in different businesses. This is what is commonly
referred to as a sectoral approach to the protection of personal information.
Some critics say that current laws focus too closely on industry-specific uses of
information, like credit reports or medical data, rather than on protecting the privacy
of individuals.17 Others believe the sectoral approach to the protection of personal
information reflects not only variations in the types of information collected (e.g.,
government, private sector, health, financial, etc.), but also differences in the
regulatory framework for particular sectors. Others advocate a national standard for
entities that maintain personal information in order to harmonize legal obligations.18
The type of information collected also determines in part whether a particular
law is applicable. Information on individuals collected, maintained, or processed by
a covered entity is regulated. In some cases a law’s scope extends to information
created, received, maintained, or transmitted on behalf of a covered entity (by a
contractor or subcontractor). Another approach taken is where the law targets a
specific category of information (e.g., federal agency, health, customer financial
information). The medium or format the information is kept in is also frequently
relevant (electronic, paper, or other form).
16 Thomas J. Smedinghoff, “The New Law of Information Security: What Companies Need
To Do Now,” 22 The Computer & Internet Lawyer 9 (November 2005).
17 Tom Zeller, Jr., “Breach Points Up Flaws in Privacy Laws,” New York Times (February
24, 2005).
18 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan,
April 2007 at [http://www.identitytheft.gov/reports/StrategicPlan.pdf].

Data breach notification laws typically cover “personally identifiable
information” or “sensitive personal information” or “individually identifiable
information.” Generally included are an individual’s name or another personal
identifier, social security number, biometric records, date and place of birth, and
mother’s maiden name. Other information included in some laws is that which
identifies the individual or with respect to which there is a reasonable basis to believe
that the information can be used to identify the individual, or information that can be
used to distinguish or trace the individual’s identity. In some cases, information
about an individual’s education, financial transactions, medical history, and criminal
and employment history may be covered. The law governing financial institutions
regulates nonpublic personal information.
Federal Sector
A newly enacted federal law and recently issued federal guidance require federal
agencies that collect sensitive personal information to implement enhanced
information security programs and provide notice to persons affected by data security
breaches. The Veterans Affairs Information Security Act of 2006 was enacted to
prevent and respond to data breaches in the Department of Veterans Affairs. The
2007 Office of Management and Budget memorandum on “Safeguarding Against and
Responding to the Breach of Personally Identifiable Information” requires all federal
agencies to implement a breach notification policy to safeguard personally
identifiable information.
Privacy Act. The Privacy Act is the principal law governing the federal
government’s information privacy program. Other relevant federal laws include the
Computer Matching and Privacy Protection Act of 1988,19 and Section 208 of the E-Government
Act of 2002, which requires agencies to conduct privacy impact
assessments on new information technology systems and electronic information
collections.20 The Privacy Act of 197421 governs the collection, use, and
dissemination of a “record”22 about an “individual”23 maintained by federal agencies
in a “system of records.”24 The act defines a “record” as any item, collection, or
grouping of information about an individual that is maintained by an agency and
contains his or her name or another personal identifier. In order for an agency record
to be protected by the Privacy Act, it must be retrieved by individual name or
19 5 U.S.C. § 552a note.
20 44 U.S.C. § 3501 note.
21 5 U.S.C. § 552a.
22 5 U.S.C. § 552a(a)(4).
23 “The term ‘individual’ means a citizen of the United States or an alien lawfully admitted for permanent residence.” 5 U.S.C. § 552a(2).
24 The act defines “system of records” as a group of records under the control of any agency from which information is retrieved by the name of the individual or by an individual identifier. Id. at § 552a(a)(5).

individual identifier. The Privacy Act also applies to systems of records created by
government contractors.25 The Privacy Act does not apply to private databases.
The Privacy Act prohibits the disclosure of any record maintained in a system
of records to any person or agency without the written consent of the record subject,
unless the disclosure falls within one of twelve statutory exceptions. The act allows
most individuals to seek access to records about themselves, and requires that
personal information in agency files be accurate, complete, relevant, and timely.26
The subject of a record may challenge the accuracy of information. The Privacy Act
requires that when agencies establish or modify a system of records, they publish a
“system-of-records notice” in the Federal Register.27
Each agency that maintains a system of records is required to “establish
appropriate administrative, technical, and physical safeguards to insure the security
and confidentiality of records and to protect against any anticipated threats or hazards
to their security or integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual ....”28
The Privacy Act provides legal remedies that permit an individual to seek
enforcement of the rights granted under the act. The individual may bring a civil suit
against the agency. The court may order the agency to amend the individual’s record,
enjoin the agency from withholding the individual’s records, and may award actual
damages of $1,000 or more to the individual for intentional or willful violations.29
Courts may also assess attorney’s fees and costs. The act also contains criminal
penalties; federal employees who fail to comply with the act’s provisions may be
subjected to criminal penalties.
The Office of Management and Budget (OMB) is required to prescribe
guidelines and regulations for use by agencies in implementing the act, and to
provide assistance to and oversight of the implementation of the act.30
Federal Information Security Management Act. FISMA is the principal
law governing the federal government’s information security program. Title III of
the E-Government Act of 2002, the Federal Information Security Management Act
25 5 U.S.C. § 552(m).
26 5 U.S.C. § 552a(e)(5).
27 The Federal Register notice must identify, among other things, the type of data collected,
the types of individuals about whom information is collected, the intended “routine” uses
of data, and procedures that individuals can use to review and correct personal information.
5 U.S.C. § 552e(4).
28 5 U.S.C. § 552a(e)(10).
29 Shortly after the breach of the personal data of 26.5 million veterans in 2006 by the Department of Veterans Affairs, veterans groups filed a class-action lawsuit alleging violations of the Administrative Procedure Act and the Privacy Act. Vietnam Veterans of America, Inc. et al. v. Nicholson, No. 1:06-cv-01038-JR (D.D.C. filed June 6, 2006).
30 5 U.S.C. § 552a(v). 40 Fed. Reg. 28976 (July 9, 1975).

of 2002 (FISMA),31 requires federal government agencies to provide information
security protections for agency information and information systems.32 Agencies are
required to develop, document, and implement an agency-wide program “providing
information security protections commensurate with the risk and magnitude of the
harm resulting from unauthorized access, use, disclosure, disruption, modification,
or destruction of (i) information collected or maintained by or on behalf of the
agency; and (ii) information systems used or operated by an agency or by a
contractor of an agency or other organization on behalf of an agency.”33
The agency’s information security plan must also include procedures for
detecting, reporting, and responding to security incidents, including notifying and
consulting with the Federal information security incident center and with law
enforcement agencies and relevant Offices of Inspector General.34 The National
Institute of Standards and Technology (NIST) is responsible for developing standards
and guidelines for providing adequate information security for all agency operations
and assets, except for national security systems. Agencies are required to comply
with the information security standards developed by NIST.35 Agencies must also
conduct an annual independent evaluation of their security programs. The
evaluations are forwarded to the Director of the Office of Management and Budget,
for an annual report to Congress.36 The Director’s authorities do not include national
security systems.37
31 Title III of the E-Government Act of 2002, P.L. 107-347; 44 U.S.C. § 3541 et seq.; see CRS Report RL32357, Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives, by John Moteff.
32 Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. 44 U.S.C. § 3542.
33 44 U.S.C. § 3544(a)(1)(A).
34 44 U.S.C. § 3544(b)(7).
35 44 U.S.C. § 3544(a)(1)(B); 40 U.S.C. § 11331.
36 See generally Information Security: Agencies Report Progress, but Sensitive Data Remain at Risk: Hearings Before the Subcomms. of the House Comm. on Oversight and Government Reform, 110th Cong. 6-8 (2007), available at [http://www.gao.gov/new.items/d07935t.pdf].
37 FISMA defines a national security system, in statute, as:
Any computer system (including any telecommunications system) used or operated by
an agency or by a contractor of an agency, or other organization on behalf of an agency —
(i) the function of which —
(I) involves intelligence activities;
(II) involves cryptologic activities related to national security;
(III) involves command and control of military forces;
(IV) involves equipment that is an integral part of a weapon or weapons system;
(V) ...is critical to the direct fulfillment of military or intelligence missions; or
(ii) is protected at all times by procedures established for information that have been
specifically authorized under criteria established by an Executive Order or an Act of
(continued...)

Agency heads are responsible for compliance with FISMA’s requirements and
related information security policies, procedures, standards, and guidelines, and for
ensuring that senior agency officials provide information security. The authority to
ensure compliance is delegated to the agency Chief Information Officer (CIO).
FISMA also assigns specific policy and oversight responsibilities to the Office of
Management and Budget (OMB).
Office of Management and Budget “Breach Notification Policy”. In
response to recommendations from the President’s Identity Theft Task Force,38 the
Office of Management and Budget issued guidance in May 2007 for federal agencies
on “Safeguarding Against and Responding to the Breach of Personally Identifiable
Information.”39 OMB Memorandum M-07-16 requires all federal agencies to
implement, by August 22, 2007, a breach notification policy to safeguard “personally
identifiable information” that applies to both electronic systems and paper
documents.40 To formulate their policy, agencies are directed to review existing
privacy and security requirements, and include requirements for incident reporting
and handling and external breach notification. In addition, agencies are required to
develop policies concerning the responsibilities of individuals authorized to access
personally identifiable information.
Attachment 1 of the OMB memorandum, Safeguarding Against the Breach of
Personally Identifiable Information, reemphasizes agencies’ responsibilities under
existing law (e.g., the Privacy Act and FISMA), executive orders, regulations, and
policy to safeguard personally identifiable information and train employees. Two
new privacy requirements and five new security requirements are established. To
implement the new privacy requirements, agencies are required to review current
holdings of all personally identifiable information to ensure that they are accurate,
relevant, timely, and complete, and reduced to the minimum necessary amount.
Within 120 days, agencies must establish a plan to eliminate the unnecessary
collection and use of social security numbers within eighteen months. Agencies must
implement the following five new security requirements (applicable to all federal
information): encrypt all data on mobile computers/devices carrying agency data;
employ two-factor authentication for remote access; use a “time-out” function for
remote access and mobile devices; log and verify all computer-readable data extracts
from databases holding sensitive information; and ensure that individuals and
37 (...continued)
Congress to be kept classified in the interest of national defense or foreign policy.
The definition explicitly excludes systems that are used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). P.L. 107-347, § 301(b)(1).
38 Exec. Order No. 13,402, 71 FR 27945 (2006).
39 [http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf].
40 The memo defines the term “personally identifiable information” as “information which
can be used to distinguish or trace an individual’s identity, such as their name, social
security number, biometric records, etc. alone, or when combined with other personal or
identifying information which is linked or linkable to a specific individual, such as date and
place of birth, mother’s maiden name, etc.” Id.

supervisors with authorized access to personally identifiable information annually
sign a document describing their responsibilities.41
Attachment 2 of the OMB Memorandum, Incident Reporting and Handling
Requirements, applies to the breach of personally identifiable information in
electronic or paper format. Agencies are required to report all incidents involving
personally identifiable information within one hour of discovery/detection; and
publish a “routine use”42 under the Privacy Act applying to the disclosure of
information to appropriate persons in the event of a data breach.43
Attachment 3, External Breach Notification, identifies the factors agencies
should consider in determining when notification outside the agency should be given
and the nature of the notification. Notification may not be necessary for encrypted
information. Each agency is directed to establish an agency response team. Agencies
must assess the likely risk of harm caused by the breach and the level of risk.
Agencies should provide notification without unreasonable delay following the
detection of a breach, but are permitted to delay notification for law enforcement,
national security purposes, or agency needs. Attachment 3 also includes specifics as
to the content of the notice, criteria for determining the method of notification, and
the types of notice that may be used.
Attachment 4, Rules and Consequences Policy, directs each agency to develop
and implement a policy outlining rules of behavior and identifying consequences and
corrective actions available for failure to follow these rules. Supervisors may be
subject to disciplinary action for failure to take appropriate action upon discovering
the breach or failure to take required steps to prevent a breach from occurring. Rules
of behavior and corrective actions should address the failure to implement and
maintain security controls for personally identifiable information; exceeding
authorized access to, or disclosure to unauthorized persons of, personally identifiable
information; failure to report any known or suspected loss of control or unauthorized
disclosure of personally identifiable information; and for managers, failure to
adequately instruct, train, or supervise employees in their responsibilities.
Consequences may include reprimand, suspension, removal, or other actions in
accordance with applicable law and agency policy.
Veterans Affairs Information Security Act. Title IX of P.L. 109-461,44
the Veterans Affairs Information Security Act, requires the Veterans Administration
(VA) to implement agency-wide information security procedures to protect the VA’s
41 The first four information security requirements were adopted in an earlier memorandum; see OMB Memo 06-16, “Protection of Sensitive Agency Information,” at [http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf].
42 The Privacy Act defines a routine use to mean “with respect to the disclosure of a record,
the use of such record for a purpose which is compatible with the purpose for which it was
collected.” 5 U.S.C. § 552a(a)(7).
43 OMB Memorandum M-07-16, p.11.
44 The Veterans Benefits, Health Care, and Information Technology Act of 2006, P.L. 109-461 (December 22, 2006); 38 U.S.C. §§ 5722 et seq.

“sensitive personal information” (SPI)45 and VA information systems. P.L. 109-461
was enacted to respond to the May 2006 breach of the personal data of 26.5 million
veterans caused by the theft of a VA employee’s hard drive from his home.46
Pursuant to P.L. 109-461, the VA’s information security program is to provide
for the development and maintenance of cost effective security controls to protect VA
information, in any medium or format, and VA information systems.47 The
information security program is required to include the following elements: periodic
assessments of the risk and magnitude of harm that could result from the
unauthorized access, use, disclosure, disruption, modification, or destruction of VA
information and information systems; policies and procedures based on risk
assessments that cost-effectively reduce security risks and ensure information
security; implementation of security controls to protect the confidentiality, integrity,
and availability of VA information and information systems; plans for security for
networks, facilities, systems, or groups of information systems; annual security
awareness training for employees and contractors and users of VA information and
information systems; periodic testing of security controls; a process for remedial
actions; procedures for detecting, reporting, and responding to security incidents; and
plans and procedures to ensure continuity of operations. Additionally, the VA
Secretary is directed to comply with FISMA, and other security requirements issued
by NIST and OMB. The law also establishes specific information security
responsibilities for the VA Secretary, information technology and information
security officials, VA information owners, other key officials, users of VA
information systems, and the VA Inspector General.
P.L. 109-461 requires that in the event of a “data breach”48 of sensitive personal
information processed or maintained by the VA Secretary, the Secretary must ensure
that, as soon as possible after discovery, either a non-VA entity or the VA’s
Inspector General conducts an independent risk analysis of the data breach to
determine the level of risk associated with the data breach for the potential misuse
of any sensitive personal information.49 Based upon the risk analysis, if the Secretary
determines that a reasonable risk exists of the potential misuse of sensitive personal
information, the Secretary must provide credit protection services in accordance with
regulations issued by the VA Secretary.50
45 “The term ‘sensitive personal information’, with respect to an individual, means any
information about the individual maintained by an agency, including the following: (A)
Education, financial transactions, medical history, and criminal or employment history. (B)
Information that can be used to distinguish or trace the individual’s identity, including name,
social security number, date and place of birth, mother’s maiden name, or biometric
records.” P.L. 109-461, § 902.
46 See CRS Report RL33612, Department of Veterans Affairs: Information Security and
Information Technology Management Reorganization, by Sidath Viranga Panangala.
47 38 U.S.C. § 5722.
48 “Data breach means the loss or theft of, or other unauthorized access to, other than an
unauthorized access incidental to the scope of employment, data containing sensitive
personal information, in electronic or printed form, that results in the potential compromise
of the confidentiality or integrity of the data.” 38 U.S.C. § 5727(4).
49 38 U.S.C. § 5724(a)(1).
The VA Secretary is required to report to the Veterans Committees the findings
of the independent risk analysis for each data breach, the Secretary’s determination
regarding the risk for potential misuse of sensitive personal data, and the provision
of credit protection services.51 If the breach involved the sensitive data of DOD
civilian or enlisted personnel, the Secretary must also report to the Armed Services
Committees.52 In addition, quarterly reports are to be submitted by the VA Secretary
to the Veterans Committees of Congress on any data breach of sensitive personal
information processed or maintained by the VA during that quarter.53 With respect
to the breach of SPI that the VA Secretary determines to be significant, notice must
be provided promptly following the discovery of such data breach to the Veterans
Committees, and if the breach involved the SPI of DOD civilian or enlisted personnel
also to the Armed Services Committees.54
P.L. 109-461 also requires the VA to include data security requirements in all
contracts with private-sector service providers that require access to sensitive
personal information.55 All contracts involving access to sensitive personal
information must include a prohibition of the disclosure of such information unless
the disclosure is lawful and expressly authorized under the contract; and the
condition that the contractor or subcontractor notify the Secretary of any data breach
of such information. In addition, each contract must provide for liquidated damages
to be paid by the contractor to the Secretary in the event of a data breach with respect
to any sensitive personal information, and that money shall be made available
exclusively for the purpose of providing credit protection services.
P.L. 109-461 requires the Secretary of the VA within 180 days of enactment (by
June 22, 2007) to issue interim regulations concerning notification, data mining,
fraud alerts, data breach analysis, credit monitoring, identity theft insurance, and
credit protection services.56 Interim final regulations were issued by the VA Deputy
Secretary on June 22, 2007 to address data breach security regarding sensitive
personal information processed or maintained by the VA.57 The regulations do not
supersede the requirements imposed by other laws such as the Privacy Act, the
Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act,
and their implementing rules.
50 38 U.S.C. § 5724(a)(2).
51 38 U.S.C. § 5724(c)(1).
52 38 U.S.C. § 5724(c)(2).
53 38 U.S.C. § 5726.
54 38 U.S.C. § 5724(b).
55 38 U.S.C. § 5725.
56 38 U.S.C. § 5724(b).
57 72 Fed. Reg. 34395 (2007), 38 C.F.R. § 75, Subpart B. The interim final regulations
implement the sections of P.L. 109-461 on data breaches, credit protection services, and
reporting requirements. A separate rulemaking will be commenced to issue regulations to
implement sections of P.L. 109-461 requiring a VA information security program and
establishing information security responsibilities. Id.
Section 75.114 of the regulations, Accelerated Response, permits the VA
Secretary to provide prompt notice to record subjects of a data breach and/or offer
credit protection services prior to the completion of a risk analysis if the VA
Secretary determines that there is an immediate, substantial risk of identity theft and
that providing notice may enable the record subjects to protect themselves and that
credit protection services will assist in mitigation of possible harm; or that private
entities would be required to provide notice under federal law if they experienced a
breach involving the same or similar information.
Section 75.115 of the regulations, Risk Analysis, requires the VA Secretary to
make sure that, as soon as possible after the data breach, a non-VA entity with
relevant expertise in data breach assessment and risk analysis or the VA’s Office of
Inspector General conducts an independent risk analysis of the data breach. The risk
analysis must include a finding with supporting rationale concerning whether the
circumstances create a reasonable risk that sensitive personal information potentially
may be misused. The risk analysis must also contain operational recommendations
for responding to the data breach.
Section 75.116 of the regulations, Secretary Determination, provides that the
Secretary consider the risk analysis to determine, based on criteria in the regulation,
whether a reasonable risk exists for the potential misuse of sensitive personal
information involved in a data breach. If the Secretary finds that a reasonable risk
exists for the potential misuse of sensitive personal information, the Secretary should
take responsive action as specified based on the potential harms to individuals
subject to a data breach.
Section 75.117 of the regulations, Notification, requires the Secretary to
promptly provide written notification by first-class mail to individuals found to be
subject to a reasonable risk for the potential misuse of any sensitive personal
information. The notification should include a description of what happened; a
description of the types of information involved; a description of what the agency is
doing to investigate the breach, to mitigate losses, and to protect against further
breaches; contact information for the agency; steps individuals can take to protect
themselves from the risk of identity theft, including fraud alerts; and a statement
whether the information was encrypted or otherwise protected. Notification may be
delayed pursuant to lawful requests from other federal agencies to protect data or
computer resources, or prevent interference with an investigation or data recovery.
Section 75.118, Other Credit Protection Services, permits the Secretary to offer
individuals subject to a reasonable risk for potential misuse of SPI one or more of
the following credit protection services: one year of credit monitoring services
consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
data breach analysis;58 fraud resolution services (including dispute letters, fraud
alerts, and credit freezes); and/or one year of identity theft insurance with $20,000
coverage and $0 deductible.
58 “The term ‘data breach analysis’ means the process used to determine if a data breach has
resulted in the misuse of sensitive personal information.” 38 U.S.C. § 5727(5).
Private Sector
Other federal laws, such as the Health Insurance Portability and Accountability
Act and the Gramm-Leach-Bliley Act, require private sector covered entities to
maintain administrative, technical, and physical safeguards to ensure the
confidentiality, integrity, and availability of personal information.
Health Insurance Portability and Accountability Act. Part C of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)59 requires “the
development of a health information system through the establishment of standards
and requirements for the electronic transmission of certain health information.”60
These “Administrative Simplification” provisions require the Secretary of Health and
Human Services to adopt national standards to: facilitate the electronic exchange of
information for certain financial and administrative transactions; establish code sets
for data elements; protect the privacy of individually identifiable health information;
maintain administrative, technical, and physical safeguards for the security of health
information; provide unique health identifiers; and adopt procedures for the use
of electronic signatures.61
HIPAA covered entities — health plans, health care clearinghouses, and health
care providers who transmit financial and administrative transactions electronically
— are required to comply with the national standards and regulations promulgated
pursuant to Part C.62 Under HIPAA, the Secretary is required to impose a civil
monetary penalty on any person failing to comply with the Administrative
Simplification provisions in Part C.63 The maximum civil money penalty (i.e., the
fine) for a violation of an administrative simplification provision is $100 per
violation and up to $25,000 for all violations of an identical requirement or
prohibition during a calendar year.64 HIPAA also establishes criminal penalties for
any person who knowingly and in violation of the Administrative Simplification
provisions of HIPAA uses a unique health identifier, or obtains or discloses
individually identifiable health information.65 Enhanced criminal penalties may be
imposed if the offense is committed under false pretenses, with intent to sell the
information or reap other personal gain. The penalties include (1) a fine of not more
than $50,000 and/or imprisonment of not more than one year; (2) if the offense is
under false pretenses, a fine of not more than $100,000 and/or imprisonment of not
more than five years; and (3) if the offense is with intent to sell, transfer, or use
individually identifiable health information for commercial advantage, personal gain,
or malicious harm, a fine of not more than $250,000 and/or imprisonment of not
more than 10 years.66 These penalties do not affect other penalties imposed by other
federal programs.
59 P.L. 104-191, 110 Stat. 1936 (1996), codified in part at 42 U.S.C. §§ 1320d et seq.; see
CRS Report RL33989, Enforcement of the HIPAA Privacy Rule, by Gina Marie Stevens.
60 42 U.S.C. §§ 1320d — 1320d-8.
61 42 U.S.C. §§ 1320d-2(a)-(d). HHS has issued final regulations to adopt national standards
for transactions and code sets, privacy, security, and employer identifiers.
62 42 U.S.C. § 1320d-4(b) requires compliance with the regulations within a certain time
period by “each person to whom the standard or implementation specification [adopted or
established under sections 1320d-1 and 1320d-2] applies.”
63 42 U.S.C. § 1320d-5(a).
64 42 U.S.C. § 1320d-5(a)(1).
Privacy Standard. HIPAA requires health plans, health care clearinghouses,
and health care providers who transmit financial and administrative transactions
electronically to ensure the privacy of medical records and to prohibit the disclosure
of certain information without patient consent.67 The HIPAA Privacy Rule issued by
HHS in 2002 requires a covered entity to maintain reasonable and appropriate
administrative, technical, and physical safeguards to prevent use or disclosure of
protected health information in violation of the Privacy Rule.68 The Office of Civil
Rights (OCR) in HHS enforces the Privacy Rule.69
Security Standards. Regulations governing security standards under HIPAA
require health care covered entities to maintain administrative, technical, and
physical safeguards to ensure the confidentiality, integrity, and availability of
electronic “protected health information”70; to protect against any reasonably
anticipated threats or hazards to the security or integrity of such information, as well
as protect against any unauthorized uses or disclosures of such information.71 The
Centers for Medicare and Medicaid Services (CMS) has been delegated authority to
enforce the HIPAA Security Standard.72
65 42 U.S.C. § 1320d-6.
66 42 U.S.C. § 1320d-6(b).
67 45 C.F.R. Part 164 Subpart E — Privacy of Individually Identifiable Health Information.
68 45 C.F.R. § 164.530(c).
69 65 Fed. Reg. 82381.
70 “The term “individually identifiable health information” means any information,
including demographic information collected from an individual, that - (A) is created or
received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an
individual, the provision of health care to an individual, or the past, present, or future
payment for the provision of health care to an individual, and - (i) identifies the individual;
or (ii) with respect to which there is a reasonable basis to believe that the information can
be used to identify the individual.” 42 U.S.C. § 1320d(6).
71 HIPAA Security Standards for the Protection of Electronic Personal Health Information,
45 C.F.R. Part 164 (February 20, 2003).
72 See generally, Centers for Medicare and Medicaid Services, Security Materials at
[http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage].
The Security Rule applies only to protected health information in electronic
form (EPHI), and requires a covered entity to ensure the confidentiality, integrity, and
availability of all EPHI the covered entity creates, receives, maintains, or transmits.
Covered entities must protect against any reasonably anticipated threats or hazards
to the security or integrity of such information, and any reasonably anticipated uses
or disclosures of such information that are not permitted or required under the
Privacy Rule; and ensure compliance by its workforce.73
The Security Rule allows covered entities to consider such factors as the cost
of a particular security measure, the size of the covered entity involved, the
complexity of the approach, the technical infrastructure and other security
capabilities in place, and the nature and scope of potential security risks. The
Security Rule establishes “standards” that covered entities must meet, accompanied
by implementation specifications for each standard. The Security Rule identifies
three categories of standards: administrative, physical, and technical.
The Security Rule requires covered entities to enter into agreements with
business associates who create, receive, maintain or transmit EPHI on their behalf.
Under such agreements, the business associate must: implement administrative,
physical and technical safeguards that reasonably and appropriately protect the
confidentiality, integrity and availability of the covered entity’s electronic protected
health information; ensure that its agents and subcontractors to whom it provides the
information do the same; and report to the covered entity any security incident of
which it becomes aware. The contract must also authorize termination if the covered
entity determines that the business associate has violated a material term. A covered
entity is not liable for violations by the business associate unless the covered entity
knew that the business associate was engaged in a practice or pattern of activity that
violated HIPAA, and the covered entity failed to take corrective action.
Gramm-Leach-Bliley Act. Title V of the Gramm-Leach-Bliley Act of 1999
(GLBA) requires financial institutions to provide customers with notice of their
privacy policies, and requires financial institutions to safeguard the security and
confidentiality of customer information, to protect against any anticipated threats or
hazards to the security or integrity of such records; and to protect against
unauthorized access to or use of such records or information which could result in
substantial harm or inconvenience to any customer.74 Financial institutions are
defined as businesses that are engaged in certain “financial activities” described in
Section 4(k) of the Bank Holding Company Act of 1956 and accompanying
regulations.75 Such activities include traditional banking, lending, and insurance
functions, along with other financial activities. Financial institutions are prohibited
from disclosing “nonpublic personal information”76 to non-affiliated third parties
without providing customers with a notice of privacy practices and an opportunity to
opt-out of the disclosure. A number of statutory exceptions are provided to this
disclosure rule, including that financial institutions are permitted to disclose
nonpublic personal information to a non-affiliated third party to perform services for
or functions on behalf of the financial institution.
73 45 C.F.R. § 164.306(a).
74 15 U.S.C. §§ 6801-6809.
75 12 U.S.C. § 1843(k).
76 (4) Nonpublic personal information
(A) The term “nonpublic personal information” means personally identifiable financial
information —
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the
consumer; or
(iii) otherwise obtained by the financial institution.
(B) Such term does not include publicly available information, as such term is defined by
the regulations prescribed under section 6804 of this title.
(C) Notwithstanding subparagraph (B), such term —
(i) shall include any list, description, or other grouping of consumers (and publicly available
information pertaining to them) that is derived using any nonpublic personal information
other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers (and publicly
available information pertaining to them) that is derived without using any nonpublic
personal information. 15 U.S.C. § 6809(4).
Privacy Rule. Regulations implementing GLBA’s privacy requirements
published by the federal banking regulators govern the treatment of nonpublic
personal information about consumers by financial institutions,77 require a financial
institution in specified circumstances to provide notice to customers about its privacy
policies and practices, describe the conditions under which a financial institution may
disclose nonpublic personal information about consumers to nonaffiliated third
parties, and provide a method for consumers to prevent a financial institution from
disclosing that information to most nonaffiliated third parties by “opting out” of that
disclosure, subject to exceptions.78
77 16 C.F.R. Part 13 (FTC); 12 C.F.R. Parts 40 (OCC), 216 (FRB), 332 (FDIC), 573 (OTS),
and 716 (NCUA).
78 See generally, 12 C.F.R. 225.28, 225.86.
FTC Safeguards Rule. This rule implements GLBA’s requirements for
entities under FTC jurisdiction. The Safeguards Rule applies to all businesses,
regardless of size, that are “significantly engaged” in providing financial products or
services. These include, for example, check-cashing businesses, payday lenders,
mortgage brokers, nonbank lenders, real estate appraisers, and professional tax
preparers. The Safeguards Rule also applies to companies like credit reporting
agencies and ATM operators that receive information about the customers of other
financial institutions. The rule requires financial institutions to have an information
security plan that “contains administrative, technical, and physical safeguards” to
“insure the security and confidentiality of customer information; protect against any
anticipated threats or hazards to the security or integrity of such information; and
protect against unauthorized access to or use of such information that could result in
substantial harm or inconvenience to any customer.”79 Using its authority under the
Safeguards Rule, the Commission has brought a number of enforcement actions to
address the failure to provide reasonable and appropriate security to protect consumer
information.80
Information Security Guidelines. Section 501(b) of GLBA requires the
banking agencies to establish standards for financial institutions relating to
administrative, technical, and physical safeguards to ensure the security,
confidentiality, and integrity of customer information, protect against any anticipated
threats or hazards to the security or integrity of such information, and protect against
unauthorized access to or use of such information that could result in substantial
harm or inconvenience to any customer.
Interagency Guidance issued by the federal banking regulators81 applies to
customer information, which is defined as “any record containing nonpublic personal
information ... about a customer, whether in paper, electronic, or other form, that is
maintained by or on behalf of” a financial institution.82 The security guidelines
direct each financial institution to assess the risks of reasonably foreseeable threats
that could result in unauthorized disclosure, misuse, alteration, or destruction of
customer information and customer information systems, the likelihood and potential
damage of threats, and the sufficiency of policies, procedures, customer information
systems, and other controls. Following the assessment of risks, the security
guidelines require a financial institution to manage and control the risk through the
design of a program to address the identified risks, train staff to implement the
program, regularly test the key controls, systems, and procedures of the information
security program, and develop and maintain appropriate measures to dispose of
customer information. The security guidelines also direct every financial institution
to require its service providers by contract to implement appropriate measures
designed to protect against unauthorized access to or use of customer information
that could result in substantial harm or inconvenience to any customer. Each
financial institution is required to monitor, evaluate, and adjust its information
security program as necessary. Finally, each financial institution is required to report
to its board at least annually on its information security program, compliance with
the security guidelines, and issues such as risk assessment, risk management and
control decisions, service provider arrangements, results of testing, security breaches
or violations and management’s responses, and recommendations for changes in the
information security program.
79 Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer
Records and Information, 16 C.F.R. Part 314.
80 For information on enforcement actions the Commission has brought involving the
privacy of consumer information under Section 5 of the FTC Act, see
[http://www.ftc.gov/privacy/privacyinitiatives/safeguards_enf.html].
81 See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 255,
App. F (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state
non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748,
App. A (credit unions).
82 See Board of Governors of the Federal Reserve System, The Commercial Bank Examination
Manual, Supp. 27, 984-1034 (May 2007), at
[http://www.federalreserve.gov/boarddocs/SupManual/cbem/200705/0705cbem.pdf].
Response Programs for Unauthorized Access to Customer
Information and Customer Notice. The security guidelines recommend
implementation of a risk-based response program, including customer notification
procedures, to address unauthorized access to or use of customer information
maintained by a financial institution or its service provider that could result in
substantial harm or inconvenience to any customer, and require disclosure of a data
security breach if the covered entity concludes that “misuse of its information about
a customer has occurred or is reasonably possible.”83 Pursuant to the guidance,
substantial harm or inconvenience is most likely to result from improper access to
“sensitive customer information.”84
At a minimum, an institution’s response program should contain procedures for:
assessing the nature and scope of an incident and identifying what customer
information systems and types of customer information have been accessed or
misused; notifying its primary federal regulator when the institution becomes aware
of an incident involving unauthorized access to or use of sensitive customer
information; consistent with the Agency’s Suspicious Activity Report (“SAR”)
regulations, notifying appropriate law enforcement authorities; taking appropriate
steps to contain and control the incident to prevent further unauthorized access to or
use of customer information (e.g., by monitoring, freezing, or closing affected
accounts and preserving records and other evidence); and notifying customers when
warranted.
The security guidelines note that financial institutions have an affirmative duty
to protect their customers’ information against unauthorized access or use, and that
customer notification of a security breach involving the customer’s information is
a key part of that duty. The guidelines prohibit institutions from forgoing or delaying
customer notification because of embarrassment or inconvenience.
The guidelines provide that when a financial institution becomes aware of an
incident of unauthorized access to sensitive customer information, the institution
should conduct a reasonable investigation to promptly determine the likelihood that
the information has been or will be misused. If the institution determines that misuse
has occurred or is reasonably possible, it should notify the affected customer as soon
as possible. Customer notice may be delayed if an appropriate law enforcement
agency determines that notification will interfere with a criminal investigation and
provides the institution with a written request for the delay. The institution should
notify its customers as soon as notification will no longer interfere with the
investigation.
83 Interagency Guidance on Response Programs for Unauthorized Access to Customer
Information and Customer Notice, Part III of Supplement A to Appendix, at 12 C.F.R. Part
30 (OCC), Supplement A to Appendix D-2, at 12 C.F.R. Part 208 (Federal Reserve
System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision),
70 Fed. Reg. 15736-15754 (March 29, 2005).
84 “Sensitive customer information means a customer’s name, address, or telephone number,
in conjunction with the customer’s social security number, driver’s license number, account
number, credit or debit card number, or a personal identification number or password that
would permit access to the customer’s account. Sensitive customer information also includes
any combination of components of customer information that would allow someone to log
onto or access the customer’s account, such as user name and password or password and
account number.” 70 Fed. Reg. 15736-15754 (March 29, 2005).
If a financial institution can determine which customers’ information has been
improperly accessed, it may limit notification to those customers whose information
it determines has been misused or is reasonably likely to be misused. In situations
where the institution determines that a group of files has been accessed improperly,
but is unable to identify which specific customers’ information has been accessed,
and the institution determines that misuse of the information is reasonably possible,
it should notify all customers in the group. The guidelines also address what
information should be included in the notice sent to the financial institution’s
customers.
Federal Trade Commission Act. The Federal Trade Commission (FTC),
an independent agency of the U.S. government, was established by the Federal Trade
Commission Act of 1914 (FTCA).85 Its principal mission is the promotion of
consumer protection and the elimination and prevention of anticompetitive business
practices. The Commission’s jurisdiction extends to a variety of entities and
individuals operating in commerce. The FTC has taken a multi-faceted approach to
protecting the privacy and security of consumers’ personal information. Its
enforcement tools include laws and regulations such as the Safeguards Rule issued
under the Gramm-Leach-Bliley Act, which requires financial institutions to take
reasonable measures to protect customer data, and the Disposal Rule under the FACT
Act which requires companies to dispose of credit report data in accord with a set of
practices designed to prevent others from using that data without authorization.86
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or
affecting commerce.”87 Unfair practices are practices that cause or are likely to cause
consumers substantial injury that is neither reasonably avoidable by consumers nor
offset by any countervailing benefit to consumers or competition.88 A representation,
omission, or practice is deceptive if (1) it is likely to mislead consumers acting
reasonably under the circumstances; and (2) it is material — likely to affect
consumers’ conduct or decisions with respect to the product at issue.89
The Commission has used Section 5 to challenge deceptive claims companies
have made about the privacy and security of their customers’ personal information.
In deceptive security claims cases the FTC alleged that the companies had made
promises to take reasonable steps to protect sensitive consumer information, and that
they did not implement reasonable and appropriate measures to protect the sensitive
personal information obtained from customers against unauthorized access.90 In
unfair practices cases, the FTC has alleged that a company’s failure to employ
reasonable and appropriate security measures to protect consumers’ personal
information caused or was likely to cause substantial injury to consumers that was
not offset by countervailing benefits to consumers or competition and was not
reasonably avoidable by consumers.
85 15 U.S.C. §§ 41-58.
86 See CRS Report RL32535, Implementation of the Fair and Accurate Credit Transactions
(FACT) Act of 2003, by Angie A. Welborn and Grace Chu.
87 15 U.S.C. § 45(a).
88 15 U.S.C. § 45(n).
89 Cliffdale Associates, Inc., 103 F.T.C. 110 (1984).
In cases where the FTC lacked authority to assess civil money penalties, it entered
into consent orders requiring the companies to implement comprehensive information
security programs (e.g., BJ’s Wholesale Club, DSW, Inc., and CardSystems Solutions).
In a recent case alleging violations of both the Federal Trade Commission Act and the
Fair Credit Reporting Act (ChoicePoint, Inc., 2006), the largest civil money penalty
ever obtained by the FTC ($10 million) was assessed.
Fair Credit Reporting Act, as amended by the Fair and Accurate Credit
Transactions Act of 2003. The Fair Credit Reporting Act of 1970 (FCRA)
regulates credit bureaus, entities or individuals who use credit reports, and
businesses that furnish information to credit bureaus.91 “[A] major purpose of the
Act is the privacy of a consumer’s credit-related data.”92 Consumer reporting
agencies, also known as credit bureaus, have particular responsibilities with respect
to ensuring that a consumer’s information is used only for purposes that are
permissible under the act,93 for ensuring that “reasonable procedures” are employed
(including making reasonable efforts to verify the identity of each new prospective
user of consumer report information and the uses certified by each prospective user
prior to furnishing such user a consumer report) to ensure that consumer reports are
supplied only to those with a permissible purpose,94 and for correcting information
in a consumer’s report that may be incorrect or the result of fraud.95 Permissible
purposes include decisions involving credit, insurance, or employment.96 A
consumer reporting agency is also permitted to provide reports to persons having “a
legitimate business need” for the information in connection with a consumer-oriented
transaction. The Act and its requirements only apply to entities that fall within the
90 For information on enforcement actions involving the privacy of consumer information
under Section 5 of the FTC Act, see [http://www.ftc.gov/privacy/privacyinitiatives/
promises_enf.html].
91 15 U.S.C. §§ 1681 - 1681x, as amended.
92 Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir. 1996).
93 15 U.S.C. § 1681e(a).
94 15 U.S.C. § 1681e.
95 For a detailed discussion of the Fair Credit Reporting Act, see CRS Report RL31666, Fair
Credit Reporting Act: Rights and Responsibilities, by Margaret Mikyung Lee.
96 15 U.S.C. § 1681b.
definition of a “consumer reporting agency,”97 and only to products that fall within
the definition of a “consumer report.”98
The Fair and Accurate Credit Transactions Act (“FACT Act”)99 amended the FCRA,
adding requirements designed to prevent identity theft and to assist identity theft
victims. The FACT Act also directed the federal financial regulatory agencies and the
FTC to promulgate a coordinated rule designed to prevent unauthorized access to
consumer report information by requiring reasonable procedures for the proper
disposal of such information.
The Federal Trade Commission enforces the FCRA. A violation of the FCRA is
deemed to be an unfair or deceptive act or practice in violation of section 5(a) of
the FTC Act. There are various penalties for violating the FCRA; which provision
applies depends on such factors as who brings the action and the degree of the
violator’s noncompliance. For example, the Act imposes liability for both willful
noncompliance and negligent noncompliance.100 The monetary remedies include actual
damages sustained by a consumer, plus costs and attorneys’ fees. In the case of
willful violations, the court may also award punitive damages to a consumer. Any
person who procures a consumer report under false pretenses, or knowingly without
a permissible purpose, is liable for $1,000 or actual damages (whichever is greater)
to both the consumer and the consumer reporting agency.101 The Act also governs
enforcement actions brought by the Commission, other agencies, and the states, and
provides for various monetary and injunctive remedies.102 For those who knowingly
violate the FCRA, the monetary penalties include up to $2,500 per violation in a
civil action brought by the Commission.103
97 The FCRA defines “consumer reporting agency” as “any person which, for monetary fees,
dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the
practice of assembling or evaluating consumer credit information or other information on
consumers for the purpose of furnishing consumer reports to third parties, and which uses
any means or facility of interstate commerce for the purpose of preparing or furnishing
consumer reports.” 15 U.S.C. § 1681a(f).
98 A “consumer report” is “any written, oral, or other communication of any information by
a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing,
credit capacity, character, general reputation, personal characteristics, or mode of living
which is used or expected to be used or collected in whole or in part for the purpose of
serving as a factor in establishing the consumer’s eligibility for credit or insurance to be
used primarily for personal, family, or household purposes; employment purposes; or any
other purpose authorized under section 604 [of the FCRA].” 15 U.S.C. § 1681a(d).
99 P.L. 108-159, 117 Stat. 1952.
100 15 U.S.C. § 1681n(a).
101 15 U.S.C. § 1681n(b).
102 15 U.S.C. § 1681s.
103 15 U.S.C. § 1681s(a)(2)(A).
The Payment Card Industry Data Security Standard
The payment card industry has also issued security standards and reporting
requirements for organizations that handle bank cards.104 The Payment Card Industry
Data Security Standard (PCI DSS) is an industry standard, imposed by contract with the
card brands and acquiring banks rather than by statute, developed by Visa,
MasterCard, and the other major bank card brands. It requires organizations that
handle bank cards to conform to security standards and to follow tiered requirements
for validation testing and reporting, with the tier determined by the organization’s
transaction volume. The core of the PCI DSS is a group of principles and
accompanying requirements designed to build and maintain a secure network, protect
cardholder data, maintain a vulnerability management program, implement strong
access control measures, regularly monitor and test networks, and maintain an
information security policy. PCI DSS went into effect December 31, 2006. Legislation
mandating compliance with the PCI DSS has passed the Texas House.105
104 Available at [https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf].
105 See 2007 Tex. H.B. 3222, which mandates PCI DSS compliance and provides a safe
harbor under the statute if the business that suffered the data breach was in compliance
with PCI DSS 90 days before the date of the security breach.