Jonathan M. Eisenberg and Craig S. Rutenberg, Manatt, Phelps & Phillips, LLP
April 2004, Volume 1, Issue 1

Welcome to CIPerati, the new electronic publication of the American Bar Association, Business Law Section, Cyberspace Committee, Intellectual Property Subcommittee. We intend to publish this bulletin approximately every two months to provide you with useful information about significant developments concerning Cyberspace-related Intellectual Property law. You may sign up to be on our mailing list by using the "Subscribe" link at the top or bottom of this publication. Also, you may remove yourself from our mailing list by using the "Unsubscribe" link at the bottom of the publication. As a recipient of CIPerati, your e-mail address will not be shared with any third parties. For future issues of CIPerati, we seek original submissions – or previously published submissions with republication rights – from attorneys in private practice or government service, in-house counsel, law professors, law students, and others. We also appreciate your comments about this publication and hope you will take the time to write if you have suggestions.

Sincerely,

JONATHAN M. EISENBERG, Co-Editor
jeisenberg@manatt.com


CRAIG S. RUTENBERG, Co-Editor
crutenberg@manatt.com
Assessing And Limiting e-Commerce Liability Through Policies, Procedures And Website Audits
By Ian C. Ballon
Manatt, Phelps & Phillips, LLP


Mr. Ballon co-chairs Manatt's Internet & Intellectual Property Practice Group in Los Angeles and Palo Alto, CA. He is the author of E-Commerce and Internet Law: Forms-Text-Cases published by Glasser Legal Works.


OVERVIEW
Website owners and service providers face unique liability risks. E-commerce sites typically face exposure based on their content, as well as the conduct of employees and third parties who interact there. These risks, in turn, may arise out of a company's own acts or omissions (or those of its employees) or the conduct of customers, subscribers or other third-party visitors or users.

E-commerce is a single term that encompasses a limitless – and ever changing – collection of entities, whose business models and technologies are constantly evolving and transforming. In all cases, however, site owners, operators and service providers should adopt policies and procedures to limit their exposure and – to the extent possible – seek contractual representations, warranties and indemnification commitments from solvent third parties. Internet sites and services also should ensure user privacy and website security and access.

In addition to direct liability, site owners and service providers may face potential indirect liability because of the interactive nature of cyberspace. While third-party liability historically was a problem faced primarily by Internet Service Providers ("ISP"), today even traditional companies increasingly are offering interactive services such as bulletin boards, chat rooms, free e-mail accounts and personal home pages, which could expose them to potential indirect liability. E-commerce businesses where third parties may post, store or transmit material risk liability for illegal or infringing content.

ASSESSING DIRECT AND INDIRECT LIABILITY RISKS
The risks faced by a website owner, service provider, e-commerce vendor or other business with an Internet presence may be divided into two broad categories:

  • Direct liability for its own acts (or acts of its employees); and
  • Indirect or third-party liability for the acts of strangers.

An entity's exposure may be directly proportionate to the level of interactivity of its site. Non-interactive e-commerce sites face more limited liability, which is easier to control (either in fact or through contractual indemnification commitments from third-party commercial content providers). By contrast, any site where users may post, store or transmit material that infringes third-party intellectual property rights or is otherwise illegal or offensive, or where users may engage in acts that are fraudulent or unlawful, potentially faces third-party liability risks that are more difficult to control.

CONDUCTING A WEBSITE AUDIT
Before going live with a new site, and periodically thereafter, businesses should conduct website audits to evaluate potential liability risks. A typical corporate website may include hundreds or even thousands of separate pages, many of which may be updated by different people within an organization, without any centralized control.

An audit should include a review of all content and intellectual property posted on a website, as well as all contracts and license agreements entered into relating to the site. While corporate culture and the nature of the industry and websites involved will likely dictate that other legal questions should be evaluated, as a general proposition the following are some of the issues that should be considered:

  • How is company material posted to the site?
    • Who has authority to post material?
    • What control mechanisms are in place?
    • Is content posted directly or by an external host (or other third party)?
  • Can third parties post content? If yes:
    • What control mechanisms are in place?
    • What policies have been adopted to limit liability for third-party intellectual property liability and to discourage the posting of infringing, illegal, obscene, child pornographic or other unwanted content?
    • Does the site comply with the Digital Millennium Copyright Act ("DMCA")?
      • Has the site adopted proper policies?
      • Has the site registered its agent with the U.S. Copyright Office and identified the agent on the site?
      • What internal DMCA procedures have been established?
    • Does the site maximize its potential immunity from state law liability under the Good Samaritan exemption?
    • What procedures have been established to report child pornography to appropriate police agencies in accordance with the Protection of Children from Sexual Predators Act of 1998?
    • What procedures (if any) are in place to respond to third-party complaints?
    • What documentation exists with respect to past complaints?
    • What record-keeping procedures should be implemented or revised?
    • What mechanisms are in place to respond to subpoenas, warrants, court orders and requests for assistance in tracking down the identity of anonymous or pseudonymous infringers or other persons directly responsible for misconduct on the site? Do privacy policies limit possible responses?
  • Review content posted on the site:
    • Who owns the content?
    • Are ownership rights in original content apparent (or may employees or other third parties claim rights)?
    • Should copyright registration forms be filed for material posted on the site (including software, sound, video, graphics or text), the site itself or databases made available online?
    • Are trademarks adequately protected (and are they used properly)?
      • Should trademarks be registered in the United States?
      • Should international registrations be filed?
    • Is patent protection available for technology or business models incorporated on the site?
    • Is third-party content licensed or otherwise in the public domain?
    • May a third party claim moral rights in a work where all other rights have otherwise been alienated?
    • Does content appear to be infringing, illegal, excessively violent, harassing or otherwise objectionable (in which case it may be removed pursuant to the DMCA and/or Good Samaritan exemption)?
    • Are databases on the site adequately protected?
      • Is the owner entitled to protection under the EU Directive?
      • Is the database protected under U.S. copyright law and subject to contractual restrictions?
    • Do representations on the site comply with state and federal advertising laws (including any special requirements for particular products)?
    • Does content comply with the EU Directive on comparative advertising (if directed to EU residents)?
    • Does content on the site pose securities law problems?
    • What procedures are in place to minimize the risk of employee disclosures?
    • Are contests or promotions run on the site?
      • Do contests comply with the laws of all jurisdictions whose residents may participate?
      • How are residents from non-complying jurisdictions excluded from the promotion?
      • Could the contest be characterized as an illegal lottery?
    • Is adult content to be posted on the site?
      • What procedures are in place to ensure that obscene content and child pornography are not posted and/or are promptly removed?
      • Have mechanisms been put in place to restrict access to minors in order to benefit from the broad exemption created by the Child Online Protection Act ("COPA")?
      • Is the site accessible in countries with stricter decency laws than the United States (including jurisdictions where the site owner could be exposed to personal liability)?
    • Does the site include racist material, hate speech or third-party libelous or defamatory statements that, while protected in the United States by the First Amendment or the Good Samaritan exemption to the Telecommunications Act of 1996, could lead to liability in other countries?
    • Is content at the site likely to provoke hostility or negative publicity because it is offensive or violates netiquette?
    • Does any content on the site read like a party admission that could be harmful if introduced in court?
  • Considerations about the site itself:
    • Are the ideas underlying the business model adequately protected under patent law (if sufficiently novel), trade secret law or state common law rules or statutes governing idea misappropriation?
    • Are disclosures and disclaimers adequately conspicuous?
    • Are links to third parties fair?
    • Are third-party trademarks included in metatags or white-on-white (or black-on-black) text?
    • Are the website owner's marks included in third-party metatags?
    • Have all appropriate domain names been acquired?
      • What top-level domains ("TLD") are used?
      • Have rights been acquired in the appropriate ccTLDs?
      • Have obvious variations of recognized marks or domain names been acquired?
      • Have potential consumer criticism site names been acquired?
    • Does the site comply with local laws and regulations?
    • Should separate regional sites be used for different national markets?
      • If not, should separate contracts be posted on the site directed to residents of different countries?
      • If so, should use be controlled through pull-down menus or left to user discretion?
    • Should residents of particular countries be blocked from gaining access to the site or engaging in transactions because of the type of content or nature of the goods or services offered at the site?
    • Is the site (and its corporate ownership) established to fully take advantage of the Internet Tax Freedom Act and potential Internet tax havens?
    • Does the site offer regulated substances such as tobacco, alcohol or prescription drugs (in which case the site must comply with additional laws and advertising regulations)?
    • Are intelligent agents used to automatically retrieve information posted on the site? If so, what precautions have been taken to minimize the risk of liability?
    • Are the individual owners of the site potentially at risk for vicarious copyright liability, even if they have attempted to insulate themselves by creating a corporation or other operating entity, by virtue of having the right and ability to control content on the site and having a financial interest in it?
    • Does the site comply with local language requirements imposed in jurisdictions such as France and Quebec (if applicable)?
    • Does the site include specific mechanisms for registering complaints?
  • Review contracts, policies and agreements, including:
    • disclaimers posted on the site.
    • website terms and conditions.
    • click-through or other contracts posted on the site.
    • other agreements entered into with customers, subscribers, visitors or other users.
    • agreements should be drafted to avoid antitrust and misuse problems.
  • Evaluate the substance and consistency of contracts and policy statements posted on the site (or entered into with visitors):
    • Do contracts adequately provide for rights in an electronic environment?
    • Do older documents need to be updated to account for changes in the law?
    • Are contracts and policies posted online internally consistent?
    • Do contracts adequately allocate risk and contain appropriate representations, warranties and indemnification commitments?
    • Do online contracts adequately provide for periodic revision or amendment?
    • Does the site retain adequate records to establish contract formation?
  • Control for jurisdiction:
    • Who is the intended audience for the site?
    • Do contracts include choice-of-law and forum clauses?
    • Are blocking mechanisms or disclaimers used to restrict transactions with (or access to) residents of certain jurisdictions?
    • What state and national laws should be complied with?
    • Where does the company in fact do business, both electronically and on terra firma?
    • Where does the company have assets or employees on terra firma?
  • Consider issues unique to a specific site or site owner, such as:
    • government regulations that may apply to a particular industry.
    • court orders or consent decrees that may affect a particular company.
    • is the site directed to children (in which case special considerations relating to the collection of consumer information and exposure to adult content may be relevant)?
    • if an auction is run on the site, what precautions have been taken to limit fraud and avoid being drawn into disputes between putative buyers and sellers?
    • if a chat room is run on the site, how is the site owner maximizing its protection under the Good Samaritan exemption to the Telecommunications Act of 1996?
  • Security issues:
    • What level of security is appropriate for the particular applications available on the site?
    • Are the website's firewalls adequate?
    • Is customer data stored behind a firewall?
    • Is encryption used to protect certain stored data?
    • What do contracts with third parties provide with respect to security issues?
  • Privacy considerations:
    • What is said on the website with respect to the collection, use and dissemination of personal identifying information about consumers?
    • What are the site's actual practices?
    • Does the site include a policy statement that would satisfy Federal Trade Commission ("FTC") guidelines?
    • Where is the privacy statement located on the site? Are links to the statement adequate?
    • Does the site collect information from children? If so, does it comply with the COPA regulations?
    • Does the site offer healthcare-related services (in which case special privacy rules may apply)?
    • Is the site engaged in financial transactions that could be subject to the requirements of 15 U.S.C. § 6801 in connection with online data collection practices?
    • Is the website directed to European consumers?
      • If so, does the privacy statement comply with EU requirements?
      • Does the website owner need to register with the appropriate regulatory authority in Europe?
      • Do safe harbor provisions apply?
    • Is a website privacy statement a contract or a statement of policy?
    • Is the site promoted by e-mail?
      • Have recipients given their consent to receive such communications?
      • Was consent express or implied by a user's failure to opt-out?
      • Do people other than visitors receive unsolicited email?

ACTION ITEMS FOLLOWING A WEBSITE AUDIT
Upon conclusion of a website audit, a site or service should:

  • Consider the third-party liability risks faced by e-commerce sites and services, and potential policies and procedures that may be adopted in response (if the site or service has any interactive component where third-party users may post, store or transmit illegal, unlawful or infringing content). Such procedures typically may include:
    • policies included in service contracts and website terms and conditions;
    • notice and take-down procedures or other policies or practices involving content monitoring; and/or
    • standard procedures for responding to cease and desist and other demand letters;
  • Revise standard contracts and website terms and conditions to ensure that representation, warranty and indemnification provisions (among other things) adequately protect a business;
  • Implement policies and procedures to ensure that employees and consultants do not expose the company to liability;
  • Introduce adequate safeguards in the process for revising material on a company's website;
  • Adopt policies and procedures for responding to warrants, subpoenas and third-party complaints (if users are allowed to post material anonymously or pseudonymously or if user contact information is not thoroughly verified and therefore could be falsified);
  • Adopt policies on links and frames; and
  • Where legal standards are unclear, use disclosures and disclaimers and apply general standards of reasonableness to limit liability.

Merely conducting an initial audit may not fully insulate a company from liability. Policies and procedures adopted following an audit may become deficient in only a matter of months. New statutes and cases change the nature of Internet law much more rapidly than in any other field of legal endeavor. Internet sites therefore should be regularly audited, and policies and procedures reviewed and revised at frequent intervals.

(Originally published in slightly different form by Glasser Legal Works. Reprinted with permission.)


Free/Open Source Software: Five Tips You Should Know
By Philip H. Albert, Partner
Townsend and Townsend and Crew LLP
San Francisco, CA


  1. Auditing: Audit to determine what free/open source software is being used in your organization, either on a regular basis or as due diligence for a specific transaction or product launch.
  2. Policy: Set up a corporate open source policy – determine what makes sense for your company and obtain documentation of licenses.
  3. Inbound Compliance: For copied and distributed products or other programs that include, are based on, operate with or are derivative of free/open source software, determine what is required by the applicable license and determine compliance with those requirements. Also consider how the jurisdiction in which copying or distribution occurs affects the licenses.
  4. Inbound Alternatives: Where the applicable license is unsuitable for a given product's business model, identify alternative products or the availability of alternative licenses from the copyright holder.
  5. Outbound Licenses: When licensing out programs with copyrights wholly owned by the company, determine if free/open source licenses are suitable for licensing such programs and which license to use to further business goals of the company (developing a community/critical mass of users, precluding exclusive uses by competitors, getting a favorable reputation among developers, etc.). Also, consider enforcement positions.
(Originally published by Townsend and Townsend and Crew LLP. Reprinted with permission.)



Information Security: An Overview Of Legal Considerations On Securing Data In Cyberspace
By Alan Charles Raul, Edward R. McNicholas, and Julie Dwyer
Sidley Austin Brown & Wood LLP


Mr. Raul chairs, and Mr. McNicholas is a member of, Sidley's Privacy, Data Protection and Information Security Practice Group in Washington, D.C. Ms. Dwyer is a Sidley consultant.


INTRODUCTION
Information security has become a critical risk management factor for all corporations that use electronic systems to collect, process, maintain, and share employee and/or customer data, or other confidential business information. While the risks may be greater for "online" companies, use of the Internet and other electronic communication is so pervasive among all business sectors that no company can afford to ignore cybersecurity issues. The risk of lawsuits and liability for companies handling computerized data is no longer simply a possibility, but a reality of today's business and regulatory environments. Information security will likely rival "privacy" as the primary legal and business cyberlaw issue in the years ahead. This trend suggests that it is in the best interests of companies to review their current security policies and protocols and ensure that appropriate measures are in place to prevent cybersecurity breaches and to mitigate damages if breaches do occur.

EXISTING LEGAL REQUIREMENTS
A broad array of legal requirements currently apply to companies handling computerized data on individual consumers. The nature of these requirements varies considerably, with some, for example, involving the traditional application of common law principles of contracts and torts, and others concerning very specialized statutory provisions targeting particular industries and activities. The unfair and deceptive acts and practices provisions of the Federal Trade Commission ("FTC") Act, and analogous state statutes, have played an important role in this evolving area. The EU, Canada, and other foreign jurisdictions are also highly relevant to the development of information security law. While it is beyond the scope of this paper to provide an exhaustive review of these requirements, this section highlights some of the most significant laws in effect.

Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. §§ 2701 et seq. This law establishes a variety of prohibitions to protect the privacy of electronic communications. It prohibits the intentional interception of wire, oral, or electronic communications and unauthorized access to an electronic communications service facility that leads one to obtain, alter, or prevent access to the electronic communications stored in that facility. The law also prohibits various disclosures of electronic communications. It generally prohibits electronic communication services providers and remote computing services from disclosing the contents of communications that providers store, carry, or maintain, and also prohibits them from knowingly divulging customer or subscriber records or other information pertaining to a customer or subscriber to the government. The law expressly recognizes exceptions to these disclosure prohibitions, including, among others, exceptions in the context of law enforcement or customer consent.

Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. This law is intended to protect computers used in interstate commerce and to prohibit trafficking in computer passwords. It makes unlawful, among other things, the unauthorized accessing of government computers or those owned by financial institutions; the damaging of such computers by transmitting to them a program, information, code, or command; and the trafficking in computer passwords with the intent to defraud. The CFAA provides for criminal fines and jail sentences for violations of its provisions, and authorizes a private right of action for individuals who suffer certain types of loss or damage. Such individuals may seek compensatory damages and injunctive relief.

Gramm-Leach-Bliley Financial Services Modernization Act of 1999 ("GLB"), 15 U.S.C. §§ 6801-6810, 6821-6827. This law sets forth, among other things, the legal obligations of financial institutions to protect the privacy of their customers. It places restrictions on the disclosure of individuals' non-public personal information and establishes criminal penalties for those who fraudulently attempt to gain access to individuals' financial information. The term "financial institutions" extends to entities "significantly engaged in financial activities," such as banks, savings and loans institutions, credit unions, insurance companies, securities and commodities brokerage firms, mortgage brokers, financial advisors, and credit counselors. Pursuant to the law, the FTC has issued the Safeguards Rule, effective as of May 23, 2003, which requires each financial institution to have in place a comprehensive security program to ensure the security and confidentiality of customer information. Other financial institution regulatory agencies, such as the Federal Reserve Board, the Securities and Exchange Commission, and the National Credit Union Administration, have also issued information security guidance.

Health Insurance Portability and Accountability Act ("HIPAA"), Pub. L. No. 104-191 (1996) (codified in scattered sections of 42 U.S.C.). Applicable to health plans, health care clearinghouses, and health care providers, this law seeks to standardize the electronic exchange of health information and to improve the privacy and security of health information. Pursuant to this law, the Secretary of Health and Human Services has promulgated three sets of rules: the transactions and code sets rule, which requires standardization of the data format of electronically exchanged information between health care entities; the privacy rule, which regulates the disclosure of patients' personal information and establishes standards for safeguarding such information; and the security rule, which standardizes the way health care entities protect the confidentiality, integrity, and availability of electronic protected health information. The security rule is not scheduled to take effect until April 2005, but it is of particular relevance here because these regulations mandate that health care providers limit access to sensitive computers, carry out extensive employee training, designate privacy officers, establish emergency plans, and implement encryption and audit trail technologies.

Sarbanes-Oxley Act of 2002. The increased personal responsibility of corporate officers for accounting issues has highlighted the importance of proper internal control mechanisms to protect and ensure the integrity of financial data. Moreover, shareholders could arguably complain of a breach of fiduciary duty in circumstances in which company officials knew (or perhaps should have known) of a security vulnerability but failed to address it adequately with the result that confidential data were lost. The underlying breadth and undefined character of the standards of appropriateness and reasonableness will no doubt prove a fertile ground for legal developments.

Uniform Electronic Transactions Act, approved by the National Conference of Commissioners on Uniform State Laws ("NCCUSL") on July 23, 1999 (enacted in 41 states and the District of Columbia as of November 2003). The law creates incentives for cybersecurity by placing liability for transmission errors on the party without the security to prevent such errors.

Children's Online Privacy Protection Act of 1998 ("COPPA"), 15 U.S.C. §§ 6501-6506. This law regulates the online collection of personal information from children under 13 by making unlawful any such collection in violation of rules promulgated by the FTC. The law extends to operators of commercial websites and online services directed to children under 13, or any operator that has actual knowledge that it is collecting personal information from children under 13. Personal information is defined to include any individually identifiable information about a child collected online, such as a full name, home address, e-mail address, telephone number, or any other information that would allow someone to identify or contact the child. COPPA applies both to information collected directly and indirectly through cookies or other tracking mechanisms. The FTC rules set forth "what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children's privacy and safety online."

National Strategy to Secure Cyberspace, Feb. 2003. At the federal level, the White House has produced "The National Strategy to Secure Cyberspace," and Congress has incorporated cybersecurity provisions in the USA PATRIOT Act as well as the Homeland Security Act of 2002. These developments highlight the importance of cyberspace as essential to both homeland security and national security; its security and reliability support the economy, critical infrastructures, and national defense. Although the new National Cyber Security Division seeks a voluntary partnership with private industry, federalized requirements for cybersecurity will cause companies with significant governmental contact to adopt heightened protections in light of the war on terrorism. Critical infrastructure industries have likewise felt the increased federal focus on protecting against cyberspace terrorism.

California Information Practices Act, security breach notification provision, Cal. Civ. Code §§ 1798.29, 1798.82. This law, which became effective on July 1, 2003, requires state agencies and companies conducting business in California that own or license computer data that includes personal information to disclose any computer security breaches to California customers. This disclosure must be made "in the most expedient time possible and without unreasonable delay," except in those circumstances where the legitimate needs of law enforcement require delay. The breaches covered by the law include those in which the confidentiality of an individual's name is compromised, coupled with unencrypted data indicating the individual's social security number; driver's license number; state identification card number; or account numbers, credit card numbers, or debit account numbers with passwords. Notice of breaches must be in written or electronic form (consistent with the provisions of 15 U.S.C. § 7001), except that, if the cost of providing notice would exceed $250,000, or if more than 500,000 people must be notified, notification may be made by e-mail, through statewide media outlets, or through a conspicuous posting on the company's website. The law authorizes a civil action for damages by any customer injured by a violation. The state has issued further guidance on recommended practices intended to aid businesses and other organizations in supplementing and enhancing their information security programs.

European Union Data Protection Directive, Directive 95/46/EEC. The Directive applies to the collection, storage, and disclosure of personal data by automated and non-automated means (including electronic means). Under Article 17, the Directive requires adequate security to protect against destruction, loss, and unauthorized access to data through a variety of security and data integrity rules. Although many of the EU requirements for data protection extend with full force primarily to the entity or entities that control the data in question, information security requirements also extend to entities that merely process the data on behalf of others.

Other Acts, such as Canada's PIPEDA, provide only a general principle (4.7) that states that "personal information must be protected by security safeguards appropriate to the sensitivity of the information." Depending on the nature of the information, these safeguards can run the gamut from physical measures such as locking filing cabinets, to organizational measures such as security clearances, to technological measures such as the use of passwords and encryption.

  1. ENFORCEMENT ACTIONS

  2. The FTC has targeted three companies for making false claims about the extent to which they maintain and protect the security of information collected from or about their customers. According to the FTC, Guess, Inc., the maker of Guess-brand clothing and accessories, misrepresented to its customers that it had security measures in place to protect against "the loss, misuse, and alteration of information under our control," and that it stored personal information "in an unreadable, encrypted format at all times." Alleging that Guess did not in fact store such information in an unreadable, encrypted format at all times, the FTC charged that Guess' website was vulnerable to commonly known web-based application attacks and that Guess' inadequate security measures had permitted the exposure of consumers' personal information, including credit card numbers. Guess has agreed to settle the charges, promising that it would refrain from misrepresentations about its information security measures and would institute a comprehensive information security program.

The second company targeted by the FTC was Microsoft, Inc. In response to a complaint filed by the Electronic Privacy Information Center, the FTC investigated Microsoft's privacy and security procedures for its various Passport programs, which, among other things, allow users to sign onto multiple websites with a single user name and password, facilitate online purchases, and enhance parental control over information collected about their children. Significantly, the complaint cites no privacy statute or regulation, only the FTC's general authority to regulate "unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act." While the FTC did not find any specific security breaches, it concluded that the Passport programs were not as secure as Microsoft claimed. The FTC and Microsoft eventually reached a settlement requiring the company to strengthen its security practices and to arrange for regular outside audits of those practices.

The FTC also settled charges against drug manufacturer Eli Lilly and Co. In June 2001, Eli Lilly accidentally disclosed the e-mail addresses of nearly 700 people who were subscribers to a mental health information list. Shortly thereafter, the FTC issued a complaint alleging that Eli Lilly's stated policy of employing appropriate measures to protect data submitted online was deceptive in light of Eli Lilly's inadequate privacy procedures for highly sensitive personal information. Eli Lilly agreed to a settlement similar to the one accepted by Guess, the terms of which barred the company from making misrepresentations about the extent of its security procedures and required it to institute a variety of measures to enhance its security program.

Various state attorneys general have also aggressively investigated online security practices and lapses. The New York-based media company Ziff Davis Media, Inc., for example, came under investigation by the attorneys general of three states, New York, California, and Vermont, when, because of a coding error, it inadvertently left personal information from 12,000 subscribers accessible on the Internet. The state attorneys general and Ziff Davis Media reached a settlement agreement in which the company agreed to pay $25,000 to the 50 subscribers whose credit card information was exposed, and to overhaul its security measures by using encryption technologies, implementing authentication procedures, and instituting employee training programs.

Likewise, retailer Victoria's Secret recently settled an enforcement action brought by the Internet Bureau of the New York Attorney General's Office concerning a software malfunction that allowed customers to view other customers' orders. As part of the settlement, the retailer agreed to pay a $50,000 fine and institute an information security program including a risk assessment, personnel training, ongoing monitoring, external audits, and future obligations to notify New York residents of security breaches. Significantly, the action relied upon the retailer's alleged failure to abide by its own privacy policy pledge to protect the data of its customers. While laws specifically directed at protecting consumers' Internet privacy are pending in New York's legislature, New York has not yet enacted a provision equivalent to the new California law that requires companies to notify customers of security breaches. In taking action against Victoria's Secret, New York therefore relied upon provisions in its general business law that forbid deceptive business practices and false advertising, focusing on the fact that, by allowing the security breach, Victoria's Secret failed to comply with its own posted privacy policies, in particular the representation that consumers' information would be kept on a secure web server. The Attorney General took the position that businesses that collect consumers' personal information have a duty to handle that information in a manner consistent with all of the company's explicit and implicit representations as to its privacy practices. Companies should thus be aware that even where specific legislation on Internet privacy is lacking, businesses could be vulnerable to suits based on general statutory prohibitions against deceptive business practices, which exist in every state.

CALIFORNIA RECOMMENDATIONS

On October 10, 2003, the Office of Privacy Protection within the State of California's Department of Consumer Affairs issued its "Recommended Practices on Notification of Security Breach Involving Personal Information." The Office of Privacy Protection is tasked with recommending policies and practices that protect California consumers' privacy.

A new California law on notice of security breaches, commonly referred to as SB 1386, took effect on July 1, 2003. The law requires that businesses expeditiously disclose to affected California residents security breaches concerning certain types of computerized, unencrypted personal information, in order to provide early warning where that information has been obtained by an unauthorized party. See Cal. Civ. Code § 1798.29. The newly issued Recommended Practices are non-binding guidelines that go beyond the scope of SB 1386, and are intended to aid businesses and other organizations in supplementing and enhancing their information security programs. The Recommended Practices aim to reduce the risk of identity theft through misuse of personal information entrusted to organizations, regardless of whether that information is in electronic or paper form.

Companies both within and outside of California should be aware of these Recommended Practices, as they are directed at any organization in possession of California residents' personal information, without regard to where the organization is located. Moreover, the guidelines set forth in California's Recommended Practices could well become a de facto standard of care nationwide.

Definitions of Key Terms

"Notice-triggering information" specifies the threshold for protected information and is defined as an unencrypted, computerized first name or initial and a last name, plus any one of various identification numbers, such as a social security number, driver's license number, or credit card or other financial account number in conjunction with a code that would allow access to that financial account.

"Higher-risk personal information" is defined broadly to include notice-triggering information as well as health, financial, or other personal information that would violate an individual's privacy if disclosed.

A "data owner" is an individual or organization with primary responsibility for controlling a record system's purpose or function.

A "data custodian" is an individual or organization to whom the data owner has delegated responsibility for maintenance and technological management of a record system.

The Recommended Practices are divided into three major parts: (1) Protection and Prevention; (2) Preparation for Notification; and (3) Notification. The recommendations contained in each part are summarized below.

Part One – Protection and Prevention

Identifying and classifying personal information. As a means of protection and prevention, organizations are advised to collect the least amount of personal information necessary to fulfill the organization's purpose, and to retain that information for the minimum possible amount of time. Organizations should also inventory all records storage systems to identify those that contain personal information. All personal information should then be classified according to its sensitivity, and any notice-triggering data should be identified.

Using safeguards. Organizations should use both physical and technological security safeguards where feasible to protect personal information. Organizations should restrict employee access to personal information, allowing access to only that information necessary for employees to fulfill their jobs. Any employee access to higher-risk information should be monitored, and access privileges of former employees should be terminated.

Employee training. Employers should provide ongoing training and communications to ensure employees' awareness of privacy policies and procedures. They should also monitor employee compliance, and impose penalties for violations.

Third-party information handlers. Organizations should enter into contracts obligating third parties, such as service providers and business partners, to comply with privacy and security policies. Third-party compliance should also be monitored.

Intrusion detection measures. Intrusion detection technology and complementary procedures should be used to ensure that security breaches are swiftly detected.

Data encryption. Data encryption and access control protections should be employed for higher-risk personal information.

Records disposal. Organizations should dispose of personal information in a secure manner, such as by shredding records and overwriting data stored on hard drives.

Security plan review. Security plans should be reviewed at least annually or any time there is a material change in business practices that may affect the security of personal information.

Part Two – Preparation for Notification

Each organization's information security program should have an incident response plan to be implemented in the event of a security breach. This will help to ensure that affected individuals receive timely notice of breaches.

Internal response. Organizations should have written procedures for internal notification of security breaches. One individual should be charged with coordinating these procedures, and employees should receive regular training on their roles in the response plan.

Containment measures. Organizations should devise measures for controlling, containing and remedying the impact of any security breach.

Notification of data owner. The data owner must be immediately notified of any breach.

Third-party compliance. Third parties such as service providers and business partners must be contractually required to comply with incident response procedures.

Notification of law enforcement authorities. Where security incidents may involve illegal activity, law enforcement authorities should be notified.

Procedures for notification of affected individuals. Organizations should have written procedures for notifying those individuals whose notice-triggering personal information has been or is reasonably believed to have been accessed by an unauthorized person.

Documentation. Organizations should maintain documentation of the actions they take in response to a security incident.

Incident response plan review. Incident response plans should be reviewed at least annually or any time there is a material change in business practices that may affect the security of personal information.

Part Three – Notification

Expeditious notification. Affected individuals should be notified as soon as possible after the organization becomes aware that unauthorized access to notice-triggering information has occurred. The Recommended Practices advise notification within 10 business days. If law enforcement instructs that notification of affected individuals within 10 days would impede an investigation, organizations should ask to be informed as soon as affected individuals may be notified.

Individuals to notify. Notification must be given to California residents whose notice-triggering information was acquired by an unauthorized person. The Recommended Practices suggest that organizations also provide notice of breaches involving information that is higher-risk but not notice-triggering, in order to allow affected individuals to protect themselves. If specific individuals cannot be identified, notification should be provided to all groups likely to have been affected.

Avoiding over-inclusiveness. Organizations should take care to send notification only to those individuals who were actually affected by the security breach.

Coordination with credit reporting agencies. Organizations should coordinate with credit reporting agencies, who can provide helpful information to affected individuals.

Form, contents, and manner of notice. Notices to affected individuals should include a description of the incident, the nature of the personal information involved, information on the steps the organization has taken to protect against further unauthorized acquisition, details concerning assistance available to affected individuals (such as a toll-free internal number), information on protecting oneself from identity theft, and contact information for the three credit reporting agencies, as well as the California Office of Privacy Protection and the FTC.

Notices should be written in clear, simple language, and should be sent as a stand-alone document to avoid confusion. Individual notice is preferred where feasible. Notification can be sent by first-class mail, or by e-mail where prior consent to e-mail notification has been given; if the number of affected individuals exceeds 500,000 or the cost of providing individual notice exceeds $250,000, notice may be given by e-mail, in addition to being posted on the organization's website and provided to major statewide media.

Finally, the commentary accompanying the Recommended Practices cautions that these guidelines are not exhaustive; organizations should continually review their practices to ensure compliance with applicable privacy laws and standards, particularly as technology evolves.

INFORMATION SECURITY "BEST PRACTICES"

Based on the FTC and New York State enforcement actions, and California's recommended practices, we would suggest that companies consider the following information security measures:

Information Security Documentation

Establish and maintain a comprehensive data protection program in writing that is reasonably designed to protect the privacy, security, confidentiality, and integrity of personal information collected from individuals. The program should contain administrative, technical, and physical safeguards appropriate to the company's size and complexity, the nature and scope of the company's activities, and the sensitivity of the personal information collected from or about individuals, including:

1. designation of an employee or employees to coordinate and be accountable for the information security program;
2. identification of material internal and external risks to the privacy, security, confidentiality, and integrity of personal information that could result in the unauthorized use, transfer, disclosure, misuse, loss, alteration, destruction, or other compromise of such information, including any violation of the U.S.-EU data transfer requirements, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
3. designation and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures. For instance, "tracer data" should be run through the system periodically and databases should be "salted" so that they could be identified later;
4. evaluation and adjustment of the company's information security program in light of the results of the testing and monitoring, any material changes to the company's operations or business arrangements, or any other circumstances that the company knows or has reason to know may have a material impact on the effectiveness of its information security program;
5. establishment of appropriate:
   1. internal management and reporting systems; and
   2. employee training with respect to data protection, privacy, and information security; or
6. adoption of a data protection response, recovery, and remedy plan for breaches of privacy or information security, including appropriate notification of security breaches where it is believed that personal data may have been compromised. (Note: Certain notifications are required under California law.)
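"Salting" a database so that a copy can be identified later, as item 3 suggests, can be done by planting per-recipient canary records. The following is an added example and not code from the article or from any of the agencies it cites; the customer records, the salting key and the partner names are constructed, and the HMAC-derived record format is one hypothetical way to make canaries reproducible without storing them.

```python
import hmac
import hashlib

# Constructed sample of the real records the company would share with a partner.
CUSTOMERS = [
    {"first": "Ana", "last": "Ruiz", "email": "ana.ruiz@example.org"},
    {"first": "Ben", "last": "Okafor", "email": "ben.okafor@example.org"},
    {"first": "Chloe", "last": "Nguyen", "email": "chloe.nguyen@example.org"},
]

# Hypothetical key held only by the data owner; it is never shipped with the data.
SALTING_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(key, recipient, index):
    """Deterministic per-recipient token: HMAC-SHA256 over 'recipient|index'."""
    return hmac.new(key, f"{recipient}|{index}".encode(), hashlib.sha256).hexdigest()


def make_canaries(key, recipient, count=3):
    """Fictitious records that only this recipient's copy should ever contain."""
    canaries = []
    for i in range(count):
        t = _tag(key, recipient, i)
        canaries.append({
            "first": "Tr" + t[:4],                 # plausible-looking, reproducible
            "last": "Cy" + t[4:10],
            "email": f"{t[10:22]}@example.com",    # reserved domain, never delivers
        })
    return canaries


def salt_dataset(records, key, recipient, count=3):
    """Copy of the records with this recipient's canaries spread through it."""
    salted = list(records)
    for i, canary in enumerate(make_canaries(key, recipient, count)):
        pos = (i * 7 + 1) % (len(salted) + 1)   # spaced positions, not all at the end
        salted.insert(pos, canary)
    return salted


def identify_leak(leaked, key, recipients, count=3):
    """Map each recipient whose canaries appear in the leaked records to the hit count."""
    leaked_emails = {r.get("email", "").lower() for r in leaked}
    hits = {}
    for recipient in recipients:
        expected = {c["email"] for c in make_canaries(key, recipient, count)}
        matched = len(expected & leaked_emails)
        if matched:
            hits[recipient] = matched
    return hits


if __name__ == "__main__":
    partners = ["mailer-A", "analytics-B"]
    copy_for_b = salt_dataset(CUSTOMERS, SALTING_KEY, "analytics-B")
    # A dump that surfaces later, with one real record and one canary missing.
    dropped = {"ana.ruiz@example.org",
               make_canaries(SALTING_KEY, "analytics-B")[0]["email"]}
    dump = [r for r in copy_for_b if r["email"] not in dropped]
    print(identify_leak(dump, SALTING_KEY, partners))  # {'analytics-B': 2}
```

Because the canaries are recomputed from the key rather than stored, a partial or re-sorted dump still attributes to the right recipient as long as some canary e-mail addresses survive.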

Assessment and Verification

1. Comply with annual EU Safe Harbor requirements, if applicable.
2. Either self-assess or obtain an assessment and report from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, biannually, that:
   1. sets forth the specific administrative, technical, and physical safeguards that the company has implemented and maintained during the reporting period;
   2. explains how such safeguards are appropriate to the company's size and complexity, the nature and scope of the company's activities, and the sensitivity of the personal information collected from or about consumers;
   3. explains how the safeguards that have been implemented meet or exceed the protections in these Compliance Promotion Protocols; and
   4. certifies that the company's information security program is operating with sufficient effectiveness to provide reasonable assurance that the privacy, security, confidentiality, and integrity of personal information is protected and, for biannual reports, has so operated throughout the reporting period.

Document Retention

In its settlements, the FTC has required that companies maintain a print or electronic copy of each document relating to compliance, specifically:

1. for a period of five (5) years: a sample copy of each different print, broadcast, cable, or Internet advertisement, promotion, information collection form, Web page, screen, e-mail message, or other document containing any representation regarding the company's online collection, use, and security of personal information from or about consumers. Each Web page copy shall be dated and contain the full Uniform Resource Locator ("URL") of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web. Provided, however, that after creation of any Web page or screen in compliance with these protocols, the company need not retain a print or electronic copy of any amended Web page or screen to the extent that the amendment does not affect the company's compliance with these protocols; and
2. for a period of three (3) years: all reports, studies, reviews, audits, audit trails, security assessments, risk assessments, policies, training materials, logs (from devices that detect or prevent attacks, such as firewalls and intrusion detection systems), and plans (including the assessments and reports called for in these Protocols), relating to the company's compliance with these Protocols.

Distribution

Deliver a copy of these protocols, the company's privacy policy, and other relevant data protection documents to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to data protection, privacy, or information security.

(Originally published in slightly longer form by Sidley Austin Brown & Wood LLP. Reprinted with permission.)
