What Has the Law to Do With a Wedding Invitations List?

One Saturday afternoon I brought my 17-year old nephew to my solicitor’s office. We were attending a wedding dinner that night. I ushered him into my chamber, and he found himself surrounded by voluminous law books, law periodicals and law reports. He cast an amazed look at the amount of papers piling up on my desk – all requiring my urgent and immediate attention. I also had several large cards laying haphazardly on the desk – wedding invitations.

My nephew, who was interested in a career in law, took a book titled ‘Family Law’ and began reading it. Meanwhile I continued my work of drafting a statement of defence to a plaintiff’s statement of claim, preparing an affidavit in reply at the same time. I also looked at some files of divorce cases which were scheduled for hearing at the High Court next month.

After reading for about 20 minutes or so, my nephew stood up and posed me a question: “Uncle, is there a relationship between whom one invites to his wedding and the law?”

“The simple answer to that question is, no, there isn’t. Whom do you invite is not governed by any law, of course. There would be legal chaos if there be a law governing how many guests one could include in one’s wedding invitations. But there may be relationship between whom one invites to one’s wedding and the state of one’s later married life, albeit a fortuitous one. Why do you ask?”

He shrugged, and said,” No particular reason. Just ask for the sake of asking.”

“OK, but you must avoid asking such questions in the future. If you are interested in the law, you are of course encouraged to ask questions – and good questions only. For example, you might want to ask why, in the first place, there are laws governing marriages and divorce.”

His curiosity piqued, my nephew was all ears, as I continued: “In the first place, do you know that a marriage is a contract? That means it entails contractual obligations on the part of the two parties to the marriage, and that’s why there are marriage and divorce laws and regulations.”

“Oh,” came my nephew’s answer, “I didn’t know that. It sounds rather unromantic that a marriage is a contract.” How true.

We spent the rest of the afternoon in my chamber. After my personal introduction to contract law, my nephew became quite interested in the law of contract. I handed him my Guest’s Law of Contract and he began to read it.

That evening, as we mingled with the guests who made the list on the wedding invitations, I couldn’t help reflecting on the question my nephew asked of me in the office earlier. Of course, a marriage (which is always lauded as being made in heaven) is a romantic affair, an occasion for joy and cause for celebration. Who would like to be told that, in the eyes of the law, a marriage, properly formalized, becomes a contract just as much as an ordinary, cold agreement comes into force after all the terms and conditions are fulfilled? Which couple would seek the solicitor’s legal advice on marriage while they are busy preparing the wedding invitations, wedding cakes, wedding reception and the associated paraphernalia? Of course that would be the last thing on their mind.

Hawaii Law Briefing – Hawaii Security Breach Law and Identity Theft Notification

Identity theft is one of the fastest growing crimes committed throughout the United States. Criminals who steal personal information use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people’s identities.

Hawaii has the sixth worst record of identity theft in the nation, according to a 2007 report.

I. Hawaii’s Security Breach Law

Identity theft in Hawaii has resulted in significant losses to both businesses and consumers. This epidemic motivated the Hawaii legislature in 2006 to pass several bills whose purpose is to provide increased protection to Hawaii residents from identity theft:

Act 135: Requires businesses and government agencies that keep confidential information about consumers to notify those consumers if that information has been compromised by an unauthorized disclosure;

Act 136: Requires reasonable measures to protect against unauthorized access to personal information to be taken when disposing of records;

Act 137: Restricts businesses and government agencies from disclosing/requiring social security numbers to/from the public;

Act 138: Permits consumer who has been the victim of identity theft to place a security freeze on their credit report;

Act 139: Intentional or knowing possession without authorization of confidential personal information is a class C felony.

Together, the bills signed into law by Governor Linda Lingle as HRS Chapter 487R impose obligations on businesses in Hawaii to notify residents whenever their personal information maintained by the business has been compromised by unauthorized disclosure.

HRS Chapter 487R does not cover financial institutions subject to the Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice, or Health plans and providers subject to HIPAA.

The underlying policy behind HRS Chapter 487R is that prompt notification will help potential victims to act against identity theft by initiating steps to monitor their credit reputation. Thus, it is critical that any business subject to HRS Chapter 487R audit the manner in which confidential personal information is maintained and have a security breach team prepared to comply with the notice obligations and effectively deal with any breach of personal information.

II. Security Breach

HRS 487R imposes obligations on the part of Hawaii businesses to notify an individual whenever the individual’s personal information that is maintained by the business has been compromised by unauthorized disclosure and to do so in a timely manner.

Under the statute, “Personal Information” consists of an individual’s first name or first initial AND last name in combination with any one or more of the following data elements, when either the name OR the data elements are not encrypted: Social Security Number, driver’s license or Hawaii Identification Number; or an account number, credit or debit card number, or password that would permit access to an individual’s financial account.

The personal information is protected if on a “record.” A “record” is any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. Thus, a “record” can be in digital form or on a paper document, which differs significantly from other states that might cover only digital information.

The notice obligations are triggered when a “security breach” occurs. A “security breach” is defined as an incident of unauthorized access to AND acquisition of unencrypted or unredacted records of data containing personal information, where illegal use of the personal information has occurred, OR is reasonably likely to occur; AND that creates a risk of harm to a person. As the definition indicates many times it is difficult to determine whether information has been “acquired” or to the extent that a “risk of harm” exists.

Several states, including Alabama, Connecticut, Delaware, and Florida have devised a risk of harm exception. Such exception generally relieves the business from the notice obligation requirement after consultation with law enforcement. Since Hawaii law has no such exception most incidents of unencrypted/unredacted theft or loss of records containing personal information should carry the presumption that illegal use is likely to occur and a risk of harm. In addition, even if a statutory obligation does not arise other legal obligations may exist with respect to the theft or loss.

III. Notification Obligations

To the extent a security breach has occurred, and personal information has been compromised, the business must satisfy the notification obligations imposed by HRS Chapter 487R. Form notices are made part of this article for educational purposes only. The notice obligations must be satisfied without “unreasonable delay.” The only exception would be if a law enforcement agency informs the business in writing that notification may impede a criminal investigation or jeopardize national security. Once it has been determined that the notice will no longer impede the investigation, the notice must be promptly provided.

Under HRS Chapter 487R, the business must notify the resident (and the Office of Consumer Protection/credit reporting agencies where notice has been provided to 1,000 persons).
The notice must be given to the last available address. The notice may be sent to the resident’s email address only if the person has “opted in” to receive notices in that manner. Direct telephonic notice may be given under the statute, but generally is not the recommended way to notify the resident given the potential legal risk with such form of communication.

Under the statute, “substitute notice” may be provided where the costs to provide if the business can demonstrate that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business does not have sufficient contact information or is unable to identify particular affected persons.

Substitute notice shall consist of emailing the person when the email address is known, the conspicuous posting of a notice on the website maintained by the business, and notification of the security breach to major statewide media.

IV. Penalties

Statutory penalties can be significant. However, government agencies are exempt from statutory penalties under HRS ยง 487R-3. Under the law, businesses can be fined not more than $2,500 for each violation. Such penalty can add up quickly where hundreds or even thousands of Hawaii residents are not informed that their personal information has been compromised.

In addition, a court may impose an injunction on the business and the business may be liable for actual damages and attorneys’ fees.

V. Final Word

Hawaii and other states have taken significant steps to combat the growing epidemic of identity theft. It is important that both Hawaii businesses and employers, and consumers take reasonable steps to protect their interests and reputations.

For Hawaii employers and businesses:

o Enter into agreements imposing obligations on third-party companies to handle sensitive and personal information of your employees and customers in a reasonable manner and to report security breaches immediately;

o Ensure reasonable administrative, physical, and technical safeguards are placed over the personal information handled both the third-party company and internally;

o Periodically have the IT department conduct a risk analysis over electronically-stored information and computer network systems of the company;

o Have IT draft and periodically review comprehensive security procedures to limit vulnerability of the company’s systems and a plan of action;

o Train and retrain employees on privacy policies;

o Ensure company employees collect only the minimum amount of information necessary to accomplish the business purpose.

For consumers:

o Ask your employer, doctor, bank, etc., what steps are taken to protect against misappropriation of private information;

o Treat your mail and trash carefully; use cross cut shredders;

o Use locked mailboxes;

o Keep private information kept in your home hidden and secure;

o Don’t give out private information over the phone;

o Use care when using your computer; create strong passwords;

o Use common sense and stay alert (for example, write to your creditor as soon as you believe you have not timely received a billing statement);

o File a police report and obtain the police report number when you learn that your personal information has been compromised and close accounts, e.g., credit card, bank accounts, etc.;

o Follow up with law enforcement in writing and maintain a file; dispute bad checks written directly with merchants;

o Place a fraud alert/freeze on your credit files (Equifax, Experian or Transunion);

o Periodically obtain your credit report and look it over carefully; note inquiries from companies you did not contact, accounts you did not open, debts you cannot explain and report such information immediately to law enforcement.

SAMPLE LETTER 1

Data Acquired: Account Number, Credit Card or Debit Number, Access Code or Password that would permit access to Individual’s Financial Account

Dear

We are writing to you because of a recent security incident at [name of organization].
[Describe what happened in general terms, what type of personal information was involved, and what you are doing in response, including acts to protect further unauthorized access.]

To protect yourself from the possibility of identity theft, we recommend that you immediately contact [credit card or financial account issuer] at [phone number] and tell them that your account may have been compromised. Continue to monitor your account statements.

If you want to open a new account, ask [name of account insurer] to give you a PIN or password. This will help control access to the account.

To further protect yourself, we recommend that you review your credit reports at least every three months for at least the next year. Just call any one of the three credit reporting agencies at a number below. Ask for instructions on how to get a free copy of your credit report from each.

Experian Equifax TransUnion
888-397-3742 888-766-0008 800-680-7289

For more information on identity theft, we suggest that you visit the Web site of the Hawai’i Department of Commerce and Consumer Affairs at ______________ [or the Federal Trade Commission at ___________________]. If there is anything [name of your organization] can do to assist you, please call [toll-free (if phone number].

[Closing]

SAMPLE LETTER 2

Data Acquired: Driver’s License or Hawai’i Identification Card Number

Dear

We are writing to you because of a recent security incident at [name qt. organization].
[Describe what happened in general terms, what kind of personal information was involved, and what you are doing in response, including acts to protect further unauthorized access.]

Since your Driver’s License [or Hawai’i Identification Card] number was involved, we recommend that you immediately contact your local DMV office to report the theft. Ask them to put a fraud alert on your license.

To further protect yourself, we recommend that you place a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. Just call any one of the three credit reporting agencies at a number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from ail of them, with instructions on how to get a free copy of your credit report from each.

Experian Equifax Trans-Union
888-397-3742 888-766-0008 800-680-7289

When you receive your credit reports, look them over carefully. Look for accounts you did not open. Look for inquiries from creditors that you did not initiate and look for personal information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

If you do find suspicious activity on your credit reports, call local law enforcement and file a report of identity theft. [Or, if appropriate, give contact number for law enforcement agency investigating the incident for you.] Get a copy of the police report. You may need to give copies to creditors to clear up your records.

Even if you do not find any signs of fraud on your reports, we recommend that you check your credit reports at least every three months for at least the next year. Just call one of the numbers above to order your reports and keep the fraud alert in place.

For more information on identity theft, we suggest that you visit the Web site of the Hawai’i Department of Commerce and Consumer Affairs at _________________ [or the Federal Trade Commission at __________________]. If there is anything [name of your organization] can do to assist you, please call [toll free (if possible) phone number].

[Closing]

SAMPLE LETTER 3

Data Acquired: Social Security Number

Dear

We are writing to you because of a recent security incident at [name of organization]. [Describe what happened in general terms, what kind of personal information was involved, and what you are doing in response, including acts to protect further unauthorized access.]

To protect yourself from the possibility of identity theft, we recommend that you place a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. Just call any one of the three credit reporting agencies at a number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from all of them, with instructions on how to get a free copy of your credit report from each.

Experian Equifax TransUnion
888-397-3742 888-766-0008 800-680-7289

When you receive your credit reports, look them over carefully. Look for accounts you did not open. Look for inquiries from creditors that you did not initiate and look for personal information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

If you do find suspicious activity on your credit reports, call local law enforcement and file a police report of identity theft. [Or, if appropriate, give contact number fur law enforcement agency investigating the incident, for you.] Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records.

Even if you do not find any signs of fraud on your reports, we recommend that you check your credit reports at least every three months for at least the next year. Just call one of the numbers above to order your reports and keep the fraud alert in place.

For more information on identity theft, we suggest that you visit the Web site of the Hawai’i Department of Commerce and Consumer Affairs at ____________ [or the Federal Trade Commission at ______________]. If there is anything [name of your organization] can do to assist you, please call [toll-free (if possible) phone number].

[Closing]

New CDC Report On Seat Belts

Seat belt laws were created fairly recently in the United States, and their implementation has varied across states and vehicles-the consequences of which have proven detrimental on numerous occasions. One night last fall, a father and his daughter were traveling down a San Diego highway when he suddenly lost control of the vehicle and swerved into oncoming traffic. His daughter was ejected and died at the scene of the accident. The vehicle, a 1956 Volkswagen Beetle, had never been outfitted with safety belts, nor was the father ever required by law to install any. Given the strong relationship between occupant protection and the use of safety belts his daughter may have survived the accident had she been wearing one.

An estimated 12,713 lives were saved by seat belts in 2009. Moreover, more than 72,000 fatalities were prevented between the years of 2005 and 2009, according to the National Highway Traffic Safety Administration (NHTSA). In California, 574 of the 1,963 vehicle occupants killed in motor vehicle collisions in 2008 were not wearing any safety equipment, according to the California Highway Patrol’s accident statistics. As much as drivers who “buckle up” have improved the safety of motor vehicles, there were no laws mandating their use until New York enacted the first one in 1984. In the following years, every other state would follow, except for one: New Hampshire.

Seat belt laws fall into two categories: primary and secondary. In states where primary laws are in effect, law enforcement officials may stop a vehicle and issue a citation when either a driver or a passenger is not wearing a belt. An officer may only issue a citation for not wearing a safety belt after the vehicle has been pulled over for another violation in states with secondary laws. “Currently, 31 states, including California, the District of Columbia, and Puerto Rico have primary seat belt laws, and 18 states have secondary laws”, explains Jim Ballidis, a California personal injury lawyer.

Compliance has been higher in states with primary laws than in those with secondary laws, according to NHTSA. A recent telephone survey by the Centers for Disease Control and Prevention confirmed NHTSA’s finding: drivers in California, Oregon, and Washington-all states with primary laws-reported the highest seat-belt use in the country. Coming in first place was Oregon, where 94% of the people surveyed claimed to be seat-belt wearers, followed by California with 93.2%, and Washington State with 92%. Surprisingly, New Hampshire did not rank the lowest. Whereas 66.4% of people surveyed there said they always use a safety belt, only 59.2% of people in North Dakota reported the same.

As seat-belt use has increased, the number of vehicle occupant fatalities has decreased, according to the National Occupant Protection Use Survey (NOPUS). The recent CDC study noted a similar correlation between seat-belt use and injuries resulting from accidents: between 2001 and 2009, the injury rate among motor vehicle occupants decreased by 16%, while between 2002 and 2008, the number of people using buckling up rose from 81% to 85%.

Motor vehicle accidents are the leading cause of death for people between the ages of 5-34 in the United States. Safety belts have the potential to reduce the risk of fatal injuries during a crash by approximately 45%, according to the CDC. Considering these two facts, everyone should buckle up.