ARENT FOX LLP LA / NY / SF / DC / ARENTFOX.COM

This article discusses the application of §§ 501 and 505(b), 15 U.S.C. §§ 6801 and 6805(b), of the Gramm-Leach-Bliley Act (GLBA), and the data breach notification statutes of New York, California, and Florida, to retail automotive dealerships. In short, auto dealers are required to establish a program to protect the confidential and sensitive data of their customers and employees, and if that data is stolen or misused they must provide proper notice to those customers or employees whose confidential data was, or may have been, compromised.

We begin with the GLBA, which requires financial institutions to disclose their information-sharing practices to customers and to protect sensitive customer information.[1] Under the GLBA, financial institutions are required to establish appropriate standards relating to administrative, technical and physical safeguards in order “to insure the security and confidentiality of customer records and information; to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”[2] The Federal Trade Commission (FTC) is the regulatory agency empowered to implement and enforce rules and regulations against entities that are “financial institutions” under the GLBA.[3] The FTC issued a Final Rule on Privacy of Consumer Information (Privacy Rule) in May of 2000.[4] The FTC also issued a Final Rule on Standards for Safeguarding Customer Information (Safeguards Rule) in May of 2002.[5] The FTC has concluded that auto dealerships are “financial institutions” under the GLBA when they assist with or provide financing to consumers and customers, and that they must therefore comply with its privacy obligations.[6]

RETAIL AUTOMOTIVE DEALERSHIPS AS “FINANCIAL INSTITUTIONS”

The Privacy Rule and Safeguards Rule apply to car dealers who:

• “Extend credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family or household use;
• Arrange for someone to finance or lease a car for personal, family or household use; or
• Provide financial advice or counseling to individuals.”[7]

Thus, for car dealerships that engage in any of these activities, the personal information collected in order to provide these services is covered by the Privacy Rule.[8] The FTC defines personal information as an individual’s name, address, phone number, or “other information that could be used to identify the individual.”[9] The Privacy Rule and Safeguards Rule apply to a dealership if it collects personal information about a consumer in connection with the potential financing or leasing of a vehicle. This applies even if the consumer does not complete a formal application.[10] However, those Rules do not apply to a dealer if a customer buys a car with cash or arranges financing on their own, without assistance or advice from the dealer.[11]

I. THE SAFEGUARDS RULE

The FTC’s Safeguards Rule requires auto dealerships that are deemed financial institutions to have a written policy that explains the extent to which the dealership protects and maintains the confidentiality, privacy and security of personal information obtained from consumers and customers.[12] In addition to developing their own safeguards, dealerships[13] are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.[14] Specifically, the Safeguards Rule requires dealerships to “develop, implement, and maintain a comprehensive information security program” that contains “administrative, technical, and physical safeguards that are appropriate” for that particular dealership, considering its size and complexity and the scope of its activities.[15]

A. The Elements of a Dealership’s Security Program

A dealership’s written information security plan must:

a. Designate a program coordinator who is responsible for overseeing the Information Security Program.[16] This employee or these employees should be held accountable for the program.[17]

b. Identify internal and external security risks to customers’ information.[18] This risk assessment, at minimum, should include consideration of employee training and management; an assessment of the dealership’s information systems, including their design and their ability to process, store, transmit and dispose of information; and prevention of and response to attacks or system failures.[19]

c. Design and implement information safeguards to control the risks identified through the risk assessment.[20] The program should document the dealership’s policies regarding how it handles customer information, and the program should be monitored and regularly tested to ensure the effectiveness of the program’s controls, systems and procedures.[21]

d. Oversee its service providers.[22] Dealerships can accomplish this by first choosing service providers capable of maintaining safeguards for the customer information.[23] Also, the dealership should require its service providers, by contract, to implement and maintain such safeguards.[24]

e. Adjust the information security system in light of: (1) results obtained from ongoing testing of the program; (2) any major change in business operations; or (3) other circumstances that may have a material impact on the information security system.[25]

The success of any dealership’s information security program depends primarily on the employees who implement it.[26] For best practices for ensuring that employees are capable of effectively maintaining the information security system, review the section titled “Securing Information” on the FTC’s website, which can be found at the following address: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying.

II. THE PRIVACY RULE

The Privacy Rule requires dealerships to provide a “clear and conspicuous” written notice describing their privacy policies and practices (a “Privacy Notice”) to a “consumer” when the consumer has given the dealership personal information for purposes of potentially financing or leasing a vehicle and the dealership intends to disclose that personal information to nonaffiliated third parties, and to a “customer” when they sign a contract with the dealership to buy or finance a car.[27] A person becomes a “consumer” when he or she provides personal information in order to potentially finance or lease a vehicle.[28] A person becomes a “customer” when (a) that individual enters into a contract with a dealership to buy a car; and (b) the dealership extends them credit or arranges for someone else to extend them credit.[29] Once an individual enters into a lease agreement with the dealership, they become a “customer” as well.[30] When either leasing or arranging credit, a dealership needs to provide the “customer” a Privacy Notice at the time of the signing of the retail installment contract or lease agreement, even if the customer’s private information will not be disclosed to third parties.[31] In addition, the Privacy Notice must be provided to a “customer” annually for as long as the customer relationship lasts.[32]

The Privacy Notice must describe the dealership’s privacy policies and practices with respect to both affiliated and nonaffiliated third parties.[33] The Privacy Notice must allow the customer to opt out of his or her nonpublic personal information being shared with a nonaffiliated third party if the disclosure is outside of certain limited exceptions, such as disclosures to process a transaction requested by the consumer, disclosures made with the consumer’s consent, and disclosures for law enforcement purposes.[34]

Dealerships are not required to give a Privacy Notice to every person who expresses an interest in buying a car or inquires about financing.[35] However, the dealership’s obligations change if a person provides personal information in connection with a potential transaction, even if they do not complete a formal application — for example, if the dealership takes personal information in order to provide a quote on a financial package.[36] The dealership must provide that consumer with a Privacy Notice if it intends to share his or her personal information with a nonaffiliated third party.[37]

A. The Contents of a Privacy Notice

A Privacy Notice must state how the dealership collects, discloses and protects non-public information (NPI)[38] about current and former consumers and customers.[39] It must include the following information:

• Categories of nonpublic personal information collected.[40] For example, non-public personal information obtained from a credit application or NPI obtained from a consumer reporting agency.[41]
• Categories of nonpublic personal information disclosed.[42] For example, information from a credit application, such as the applicant’s name, phone number, address, Social Security number, and bank account information.[43]
• Categories of third parties to whom the dealership discloses the personal information.[44] For example, financial services providers, such as insurance companies; or non-financial companies, including direct marketers and nonprofit organizations.[45]
• If disclosing NPI to non-affiliated third parties, and that disclosure does not fall within any of the exceptions to the notice and opt-out requirements, an explanation of consumers’ and customers’ right to opt out of these disclosures.[46]
• Disclosures required by the Fair Credit Reporting Act (e.g., advising a customer of a credit turndown or other adverse credit action).[47]
• Policies and practices in place to protect the confidentiality and security of customers’ and consumers’ NPI.[48]
• Additional disclosures if disclosing information under the exceptions[49] to the notice and opt-out requirements of the Privacy Rule.[50]

Whether it is on paper or on a website, the Privacy Notice must be clear and coherent, and it should call attention to the nature and significance of the information.[51] If on the dealership’s website, it should be placed on a page that consumers use often, such as the homepage.[52]

B. Delivery of Privacy Notices

The Privacy Notice must be delivered to its recipients in writing, unless the customer or consumer agrees to receive it electronically.[53] Written notices may be handed directly to the customer or sent via the mail.[54] If provided electronically, the dealership should post the Privacy Notice on its website and require the individual to acknowledge receiving the notice before he or she may continue using the website.[55] The requirements for delivering annual notices differ from the initial Privacy Notice.

[1] See 15 U.S.C. § 6801(a).
[2] 15 U.S.C. § 6801(b)(1)-(3).
[3] See 15 U.S.C. § 6805(a).
[4] See 16 C.F.R. Part 313.
[5] See 16 C.F.R. Part 314.
[6] See 16 C.F.R. 313.3(k)(2)(iii); See also FTC Guidelines, FTC’s Privacy Rule and Auto Dealers: FAQS, available at: https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-privacy-rule-auto-dealers-faqs.
[7] FTC’s Privacy Rule and Auto Dealers, supra Note 6; See also infra, Note 12.
[8] See FTC’s Privacy Rule and Auto Dealers, supra Note 6.
[9] FTC’s Privacy Rule and Auto Dealers, supra Note 6.
[10] See Id.
[11] Id.
[12] See In re Franklin’s Budget Car Sales, Inc., FTC Docket No. C-4371, FTC File No. 102-3094 (October 3, 2012) (Decision and Order) (finding that respondent car dealership violated the Safeguards Rule.); See also Rich, Jessica, Consumer Protection for Auto Dealers: Most of it is Common Sense – NIADA National Leadership Conference & Legislative Summit (November 12, 2014) (Transcript available at: https://www.ftc.gov/system/files/documents/public_statements/598841/141112niadaspeech.pdf).
[13] For the remainder of this article, all mentions of “dealership(s)” describe retail automotive dealerships qualifying as “financial institutions” under the GLBA.
[14] See 16 C.F.R. 314.4(d)(2).
[15] 16 C.F.R. 314.3(a); See also In re Franklin’s Budget Car Sales, supra, at 3.
[16] 16 C.F.R. 314.4(a); See In re Franklin’s Budget Car Sales, supra, at 3.
[17] See In re Franklin’s Budget Car Sales, supra, at 3.
[18] See 16 C.F.R. 314.4(b); See Id.
[19] See 16 C.F.R. 314.4(b)(1)-(3).
[20] See 16 C.F.R. 314.4(c).
[21] Id.; See also In re Franklin’s Budget Car Sales, supra, at 3.
[22] See 16 C.F.R. 314.4(d).
[23] See 16 C.F.R. 314.4(d)(1).
[24] See 16 C.F.R. 314.4(d)(2).
[25] See 16 C.F.R. 314.4(e).
[26] FTC Guidelines, Financial Institutions and Customer Information: Complying with the Safeguards Rule, available at: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying.
[27] See 16 C.F.R. 313.
[28] See 16 C.F.R. 313.3(e); See also FTC’s Privacy Rule and Auto Dealers, supra Note 6.
[29] See 16 C.F.R. 313.3(h)-(i); See also FTC’s Privacy Rule and Auto Dealers, supra Note 6.
[30] Id.
[31] See 16 C.F.R. 313.4(a); See also FTC’s Privacy Rule and Auto Dealers, supra Note 6.
[32] See 16 C.F.R. 313.5; See also FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, available at: https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm.
[33] Id.
[34] See FTC Guidelines, Financial Privacy Rule Summary, available at: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/financial-privacy-rule.
[35] See FTC’s Privacy Rule and Auto Dealers, supra Note 6.
[36] Id.
[37] See 16 C.F.R. 313.4 and 313.5; FTC’s Privacy Rule and Auto Dealers, supra Note 6.
[38] Defined in 16 C.F.R. 313.3(n)(1).
[39] See FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, supra Note 32.
[40] See 16 C.F.R. 313.6; See also Id.
[41] Id.
[42] Id.
[43] Id.
Dealers may reasonably expect their customers have received the annual notice if (a) the customer, who has agreed to receive notices electronically, uses the dealership’s website in order to access financial products or services, and (b) the dealership posts the Privacy Notice on its website in a clear and conspicuous manner.56 Privacy Notices given orally or posted in the dealership office do not comply with the rule.57 44 Id. 45 Id. 46 Id. 47 Id. 48 Id. 49 These exceptions are found in 16 C.F.R. 313.13, 313.14 and 313.15. 50 See 16 C.F.R. 313.6(a); For a more detailed discussion of the additional disclosures required under these exceptions, see the “Exceptions” section of FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-LeachBliley Act, supra Note 32. 51 Id. 52 See 16 C.F.R. 313.9(b)(iii); See also FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, supra Note 32. 53 See 16 C.F.R. 313.9; See also FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, supra Note 32. 54 Id. 55 Id. 56 See 16 C.F.R. 313.9; See also FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, supra Note 32. 57 See 16 C.F.R. 313.9(d). ARENT FOX LLP LA / NY / SF / DC / ARENTFOX.COM 6 C. 
Opt-Out Notices Consumers and customers have a right under the Privacy Rule to opt out of having their information shared with certain third parties.58 As such, a dealership must provide the consumer an “opt-out notice” that is “clear and conspicuous” and describes their right to opt out of – or say no to – having the information shared.59 The dealership must provide the optout notice at the same time as the Privacy Notice.60 The opt-out notice needs to explain a “reasonable means” for consumers and customers to exercise their right to opt out.61 They must receive adequate notice and have an opportunity to opt out before the dealership discloses their NPI to nonaffiliated third parties.62 The Privacy Rule provides specific examples of acceptable and unacceptable “reasonable means” to opt out. For example, allowing customers to opt out via a toll-free telephone number or a detachable form with a check-off box is acceptable. The Privacy Rule states that requiring the consumer to write a letter as the only option is not a “reasonable means” to opt out.63 A dealership often hires an outside marketing company to send out flyers advertising specials running in the dealership’s sales or service department. In this case, the dealership does not need to provide an opt-out notice so long as the dealership did not distinguish between those who financed or leased vehicles from the dealership and those who did not.64 If the customer list does not distinguish whether each person financed their purchase or paid for the vehicle outright, it falls outside the Privacy Rule.65 But if advertising materials or a customer list for marketing purposes have been created or distinguished based on this information, an opt-out notice is required. D. 
Exercising the Opt-Out Right A dealership must allow consumers and customers a "reasonable opportunity" to opt out, for example, 30 days after the dealership sends the initial notice, before it may share their information with nonaffiliated third parties.66 Furthermore, consumers and customers who have the right to opt out may do so at any time.67 Once the dealership receives notice that a customer or consumer wishes to opt out, it must comply as soon as reasonably possible.68 E. Model Privacy Form In 2009, the FTC released its Model Privacy Form,69 which is designed to make it easier for consumers to understand how financial institutions, such as dealerships, collect and share 58 See 16 C.F.R. 313.6(a)(6). 59 See 16 C.F.R. 313.7(a); See also FTC Guidelines, In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, available at: https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act. 60 See 16 C.F.R. 313.7(b); See also FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, supra Note 32. 61 See 16 C.F.R. 313.7(a); See also FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, supra Note 32. 62 Id. 63 Id. 64 See FTC’s Privacy Rule and Auto Dealers, supra Note 6. 65 Id. 66 FTC Guidelines, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, supra Note 32. 67 See 16 C.F.R. 313.7(f). 68 See 16 C.F.R. 313.7(e). 69 Available at: https://www.ftc.gov/system/files/documents/rules/privacy-consumer-financial-information-financial-privacyrule/privacymodelform_optout.pdf. 
ARENT FOX LLP LA / NY / SF / DC / ARENTFOX.COM 7 their personal information and to compare different institutions’ information practices.70 Dealerships may rely on the Model Privacy Form as a safe harbor to comply with the disclosure requirements of the Privacy Rule so long as they do not edit or customize the form in any material way.71 While the Model Privacy Form is helpful to achieving compliance, dealers should first seek the advice of competent legal counsel prior to implementing any privacy or opt-out notice forms. III. BREACH NOTIFICATION REQUIREMENTS Every state and territory in the U.S., except Alabama, New Mexico and South Dakota, have data breach notification statutes, and most of them apply to any business, including a dealership, that acquires, owns or licenses computerized data that includes personal identifiable information of individuals who reside within that jurisdiction.72 Personal identifiable information is typically defined by state statute to include the resident’s name (e.g., first name or initial and last name) in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: (1) social security number; (2) driver’s license number or state identification number; and (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account. Dealers obtain personal identifiable information of customers in connection with lease and sales transactions. Dealers often maintain such personal identifiable information in customer lists. Dealers also maintain personal identifiable information of its employees. 
As such, dealers need to be cognizant of state data breach notification laws because if such personal identifiable information maintained by the dealership is stolen or used in an unauthorized manner, it will be obligated to provide notice as required by statute to affected persons (e.g., customers), and possibly to state officials and others. For instance, if a customer list is taken by a sales manager or employee who leaves to work at another dealership, the dealership whose customer list was taken may have a data breach that triggers application of the data breach notification laws. A. “Data Breach” Defined A data breach is typically defined as the unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the entity. Most statutes exclude from the definition of data breach that which: (1) was encrypted or substantially redacted; (2) is already publicly available through lawful means; or (3) was improperly acquired in good faith by an employee or agent of the entity for legitimate purposes and is not otherwise used or subject to further unauthorized disclosure. 70 16 C.F.R. 313, App. A, Final Model Privacy Form Under the Gramm-Leach-Bliley Act, A Small Entity Compliance Guide, available at: https://www.ftc.gov/sites/default/files/documents/rules/privacy-consumer-financial-information-financial-privacyrule/model_form_rule_a_small_entity_compliance_guide.pdf 71 Id. 72 For a survey analyzing the data breach notification statutes of each jurisdiction within the U.S., visit the following webpage: https://www.arentfox.com/sites/default/files/Downloads/bio/2016201620162016AugAugMonMon/AF%20Survey%20of%20Data%20Brea ch%20Notification%20Statutes_Aug%20%202016%20new%20version.PDF. ARENT FOX LLP LA / NY / SF / DC / ARENTFOX.COM 8 B. 
Responding to a Data Breach If a dealership experiences a data security incident, one of the first things it should consider is the potential scope of the incident and whose personal identifiable information may be implicated. If those customers whose personal identifiable information may have been breached reside in multiple jurisdictions in the U.S., a dealership will need to analyze the data breach notification rules of each of those jurisdictions and comply with each. In addition to state and territory specific statutes, a dealership should consider the applicability of various federal laws (including GLBA) and private auto industry requirements.73 The following answers the key initial questions with respect to the data breach notification statutes in New York, California and Florida. 1. NEW YORK The applicable statutes are N.Y. Gen. Bus. Law § 899-aa, 74 N.Y. State Tech. Law § 208. 75 (a) Who Must Comply? Any person or business which conducts business in New York State, and which owns, licenses, or maintains computerized data which includes private information. Any person or business which maintains computerized data which includes private information that such person or business does not own. N.Y. Gen. Bus. Law §§ 899-aa(2), (3). (b) What Data is Covered? Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. 
Private information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records. N.Y. Gen. Bus. Law §§ 899-aa(1)(a), (b). The statute does not apply if the data subject to the breach is encrypted. The statute does not define encryption. N.Y. Gen. Bus. Law § 899-aa(1)(b). This exception does not apply if the encryption is compromised. (c) What Constitutes a Data Breach? 73 Neither the applicable federal rules nor industry specific rules concerning data breach notification requirements are discussed in this article. 74 Available at: http://public.leginfo.state.ny.us/navigate.cgi. 75 Available at: http://public.leginfo.state.ny.us/navigate.cgi. ARENT FOX LLP LA / NY / SF / DC / ARENTFOX.COM 9 The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure. N.Y. Gen. Bus. Law § 899- aa(3)(c). (d) Who Must Be Notified? If the breach affects a person that maintains or stores covered information, that person must notify the owner or licensee of that information. N.Y. Gen. Bus. Law § 899-aa(3). Affected persons must be notified, as well as the State Attorney General, the Department of State and the Division of State Police as to the timing, and distribution of the notices and approximate number of affected persons. In the event that more than 5,000 New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution the notices and approximate number of affected persons. 
Such notice shall be made without delaying notice to affected New York residents. N.Y. Gen. Bus. Law §§ 899- aa(8)(a), (b). (e) When Must Notice Be Sent? Notice must be sent immediately following discovery, consistent with law enforcement needs. N.Y. Gen. Bus. Law §§ 899-aa(1), (3). (f) In What Form and Manner Must Notice Be Sent? Notice shall be provided by one of the following methods: (1) written notice; (2) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting notice in such form as a condition of establishing any business relationship or engaging in any transaction; (3) telephone notification, provided that a log of each such notification is kept by the person or business who notifies affected persons; or (4) substitute notice, if a business demonstrates to the State Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 5,000, or such business does not have sufficient contact information. Substitute notice shall consist of all of the following: (1) email notice when such business has an email address for the subject persons; (2) conspicuous posting of the notice on such business’ web site page, if such business maintains one; and (3) notification to major ARENT FOX LLP LA / NY / SF / DC / ARENTFOX.COM 10 statewide media. N.Y. Gen. Bus. Law § 899-aa(5). (g) What Must the Notice Say? 
Such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired. N.Y. Gen. Bus. Law § 899-aa(7). (h) Are There Any Exemptions? The statute does not address any exemptions. (i) Who May Enforce and What Penalties May Be Imposed? The Attorney General may enforce the statute. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of $5,000 or up to $10 per instance of failed notification, provided that the latter amount shall not exceed $150,000. N.Y. Gen. Bus. Law § 899-aa(6)(a). The Attorney General may seek injunctive relief and damages for actual costs or losses incurred as a result of the breach. The Attorney General may also seek a statutory penalty of up to $150,000 if the defendant knowingly or recklessly violated the statute. N.Y. Gen. Bus. Law § 899-aa(6)(a). There is no private right of action. New York City Administrative Code § 20-117 contains a notice statute with the same requirements in the event of a data breach. Sub-section (h) allows for a fine of up to $500 for a person that violates the statute, as well as a civil penalty of $100 for each violation. (j) Are There Any Industry-Specific Requirements? None. 2. 
CALIFORNIA The applicable statutes are Cal. Civ. Code §§ 1798.29,76 1798.80 et seq.77 (a) Who Must Comply? Under § 1798.29(a), any agency that owns or licenses computerized data that includes personal information shall comply, and a person or business that conducts business in California and that owns or licenses computerized data that includes personal information. 76 Available at: http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29. 77 Available at: http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84. ARENT FOX LLP LA / NY / SF / DC / ARENTFOX.COM 11 (b) What Data is Covered? Under §§ 1798.29(g) and 1798.82(d), unencrypted personal information is covered. “Personal information” is defined as: (1) An individual’s name in combination with any of the following elements, when either the name or elements are not encrypted: a. social security number; b. driver’s license number or California identification card number; c. account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; d. medical information; e. health insurance information; or f. information or data collected through the use or operation of an automated license plate recognition system, as defined in § 1798.90.5. (2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account. (c) What Constitutes a Data Breach? Data breach means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. 
Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(d) Who Must Be Notified?

Any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person must be notified.

(e) When Must Notice Be Sent?

The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.

(f) In What Form and Manner Must Notice Be Sent?

Notice may be provided by one of the following methods:
(1) written notice;
(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code; or
(3) substitute notice, if the agency or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of:
  (A) email notice when the agency or business has an email address for the subject persons;
  (B) conspicuous posting, for a minimum of 30 days, of the notice on the agency or business’ Internet Web site page, if the agency maintains one; and
  (C) notification to major statewide media and the Office of Information Security within the Department of Technology.

(g) What Must the Notice Say?

Under §§ 1798.29(d) and 1798.82(d):
(1) Any security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(2) The security breach notification shall include, at a minimum, the following information:
  (A) The name and contact information of the reporting agency subject to this section;
  (B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
  (C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice;
  (D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
  (E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided;
  (F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.
(3) The security breach notification may also include any of the following:
  (A) Information about what has been done to protect individuals whose information has been breached;
  (B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(h) Are There Any Exemptions?
The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(i) Who May Enforce and What Penalties May Be Imposed?

There is a private right of action available to recover damages for violations. Entities in violation of this title may also be enjoined. In addition, for a willful, intentional, or reckless violation of § 1798.83, a customer may recover a civil penalty not to exceed $3,000 per violation; otherwise, the customer may recover a civil penalty of up to $500 per violation for a violation of § 1798.83.

(j) Are There Any Industry-Specific Requirements?

Medical information statutes: Any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information constitutes a data breach. Any individually identifiable information, in electronic or physical form, regarding a patient’s medical history, mental or physical condition, or treatment constitutes personal information or data. A clinic, health facility, home health agency, or hospice licensed pursuant to §§ 1205, 1250, 1725 or 1745 must comply. Notification must be made within five days after detection of the breach, except as necessary for law enforcement purposes. Notification must also be made to state health authorities.

3. FLORIDA

The applicable statutes are Fla. Stat. §§ 501.171, [78] 282.0041, [79] and 282.318(2)(i). [80]

(a) Who Must Comply?

Under § 501.171(4), covered entities must comply. Under § 501.171(1)(b), “covered entities” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.
For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity.

[78] Available at: http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.html.
[79] Available at: http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0200-0299/0282/Sections/0282.0041.html.
[80] Available at: http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0200-0299/0282/Sections/0282.318.html.

(b) What Data is Covered?

Under § 501.171(4), personal information is covered. “Personal information” consists of an individual’s name and either: (1) social security number; (2) driver’s license or state ID number; or (3) information that would allow access to financial accounts.

(c) What Constitutes a Data Breach?

Under § 501.171(1)(a), a breach means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.

(d) Who Must Be Notified?

Under § 501.171(4)(a), a covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. A covered entity shall provide notice to the Department of Legal Affairs of any breach of security affecting 500 or more individuals in this state.

(e) When Must Notice Be Sent?

Under § 501.171(4)(a), notice must be sent as expeditiously as practicable and without unreasonable delay, but no later than 30 days after the determination of a breach or reason to believe a breach occurred.

(f) In What Form and Manner Must Notice Be Sent?

Under § 501.171(4), notice may be provided by one of the following methods:
(1) written notice;
(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 or if the person or business providing the notice has a valid email address for the subject person and the subject person has agreed to accept communications electronically; or
(3) substitute notice if the person demonstrates that the cost of providing notice would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000, or the person does not have sufficient contact information. Substitute notice shall include the following:
  (A) a conspicuous notice on the Internet website of the covered entity if the covered entity maintains a website; and
  (B) notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.

(g) What Must the Notice Say?

Under § 501.171(4)(e), the notice shall include:
(1) the date, estimated date, or estimated date range of the breach of security;
(2) a description of the personal information that was accessed or reasonably believed to have been accessed as part of the breach of security; and
(3) information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.
The written notice to the Department of Legal Affairs must include:
(1) a synopsis of the events surrounding the breach at the time notice is provided;
(2) the number of individuals in this state who were or potentially have been affected by the breach;
(3) any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services;
(4) a copy of the notice required under subsection [§ 501.171(4)] or an explanation of the other actions taken pursuant to [§ 501.171(4)]; and
(5) the name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.

The covered entity must provide the following information to the Department of Legal Affairs upon its request:
(1) a police report, incident report, or computer forensics report;
(2) a copy of the policies in place regarding breaches; and
(3) steps that have been taken to rectify the breach.

(h) Are There Any Exemptions?

Under § 501.171(4)(b), if a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary.

Under § 501.171(4)(c), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.

(i) Who May Enforce and What Penalties May Be Imposed?
Under § 501.171(9)(a), the Florida Department of Legal Affairs may enforce this section. In addition to the remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows:
(1) In the amount of $1,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days.
(2) If the violation continues for more than 180 days, in an amount not to exceed $500,000.
The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach. All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund.

(j) Are There Any Industry-Specific Requirements?

None.

IV. CONCLUSION

Dealers must understand the privacy and data protection requirements of the Gramm-Leach-Bliley Act, including those set forth in the Federal Trade Commission’s Privacy and Safeguards Rules, and the data breach notification obligations that may apply to them if the personally identifiable information of their customers or employees that the dealership maintains is stolen or misused. Compliance with these legal rules requires detailed policies and procedures governing how the dealership, including its management, vendors and employees, will maintain, use and secure such sensitive data. Dealerships should also have written policies and procedures governing how they will respond to an actual or reasonably suspected data breach. These compliance obligations are not just an IT problem; they require informed consideration from management (including the board of directors, if a dealership has one) and mandatory employee training on privacy and data protection issues.
It is recommended that dealers consult with professionals who specialize in these areas of the law in order to comply with these various legal obligations.