- Creditor Must Be Notified if Personal Representative Rejects a Claim in Probate
- Unclaimed Property—Collecting Fees Owed on Safe Deposit Boxes
- Oklahoma Adopts Uniform Real Property Electronic Recording Act
- Notification Required for Security Breach of Computerized Data
Creditor Must Be Notified if Personal Representative Rejects a Claim in Probate
This year the OBA drafted an amendment to the Oklahoma probate-claims process (in House Bill 2726), to provide greater certainty that a creditor will receive actual notice when the creditor’s claim against an estate is rejected or not acted on by the estate’s personal representative. This change is effective November 1, 2008.
When a creditor files a claim against an estate, already-existing law (58 O.S. Section 337) requires the personal representative either to allow or reject that claim. If the personal representative rejects the claim in whole or in part, notice of that rejection must be sent by the personal representative within five days.
However, under the pre-amendment language there was a loophole in the rejected-claim notification requirement: a failure to give notice to the creditor as required by Section 337 did not slow down the time period for cutting off the creditor’s claim. (There was no penalty or disadvantage to the personal representative who simply gave no notice at all, and some attorneys have been fairly aggressive in exploiting this.)
Under previously existing language of the statute, if the personal representative “refuses or neglects” to allow or reject a claim for thirty days after it is first presented, or “refuses or neglects to mail a notice of rejection” of the claim (in either case, as required by the statute) the claim will still be treated as “rejected” as of a date thirty days after the claim is first presented to the personal representative.
Section 339 then puts the next step in motion: A creditor (even without notice) has only 45 days to sue on a claim that is considered “rejected,” before it becomes forever barred.
In one situation, an attorney for the personal representative of an estate apparently suggested that the personal representative could simply do nothing about a bank’s properly filed claim (an unsecured debt). The creditor had spoken with the personal representative, who acknowledged that she was dealing with the claims, but she never actually accepted or rejected the claim. Time passed; the claim was never formally rejected, but it became statutorily rejected after 30 days, through inaction. The bank as creditor received no notice that the claim was rejected; another 45 days passed without any communication; and finally the bank (still waiting for something to happen) became forever barred from suing on the debt.
Under the statute’s previously-existing language, simply letting pass about 75 days after a creditor files a perfectly valid claim against the estate (even with no response at all received by the creditor from the personal representative in that time) will allow the estate to permanently avoid liability on the claim. (This year’s amendment, as explained below, fixes the issue.)
A personal representative holds a fiduciary position, and should process claims in good faith. Most personal representatives do so; but a personal representative is usually also an heir with a built-in “financial conflict of interest.” (The fewer claims an estate pays, the larger an heir’s resulting inheritance may be.) Some personal representatives would be strongly tempted to avoid particular creditors’ claims by “doing nothing” (neither approving nor rejecting those claims, nor sending notice of rejection)—in hopes the creditor’s time for suing on the claim will run out before the creditor realizes his rights are slipping away.
To me this sort of “trickery” is inconsistent with the intent of the original statute, which requires notice to the creditor that a claim has been rejected. The most obvious purpose of notice is to give the creditor fair warning that his claim is not approved, and that alerts him to the need to take action (suing the estate) if he wants to prevent his claim from lapsing.
The OBA drafted an amendment to deal with this issue. As revised, Section 337 now states that the 45-day period for a creditor to sue on a rejected claim (in Section 339) does not start running until the personal representative has actually mailed notice of rejection of the claim to the creditor. This language will no longer allow a personal representative to “lay behind the log” to gain an unfair result.
During the legislative process, additional language was added stating that this provision will not cause the deadline for suing on a rejected claim to be later than the date on which a petition for final accounting is filed in an estate proceeding.
Unclaimed Property—Collecting Fees Owed on Safe Deposit Boxes
Senate Bill 1685, which made a number of small changes to the unclaimed property statutes, was signed into law and became effective immediately on May 2, 2008. Most of the provisions do not affect banks. However, a useful change to the safe deposit box provisions gives banks a right to reimbursement for unpaid box rental and drilling costs, relating to box contents turned over to the State Treasurer.
Of course, safe deposit box contents (and other types of assets) are reported as “unclaimed property” when the entity holding the assets has had no contact with the property’s owner for a required number of years. (Safe deposit box contents must be reported as unclaimed property five years after the box rental period has expired. Title 60, O.S., Section 657.3.)
The provision detailing the contents of an unclaimed property report, Section 661(B)(3), requires a holder to list “[i]n the case of the contents of a safe deposit box . . . a description of the property and the place where it is held and may be inspected . . . and any amounts, including offsets for drilling costs and rent, owing to the holder . . . .” It was always strange that the statute mentions “offsets,” but the process for delivering box contents to the State Treasurer involves no compensation for a bank’s unpaid costs.
In 2007 we learned the explanation for this–Section 661 was enacted from a set of “uniform laws” that also included a separate method of reimbursement for a bank’s unpaid costs—but Oklahoma did not enact that reimbursement section.
Generally, a right of “offset” is dependent on possession, and release of control of property that is held forfeits the right of offset. We had some discussions with the State Treasurer’s office concerning what the “offset” language means, and whether a bank should surrender box contents (as unclaimed property) before the bank is paid.
The Treasurer’s office stated that it had no statutory authority to pay anyone for amounts owing in connection with property turned over—and suggested a bank should sell part of the box contents to reimburse itself, as allowed by law.
Section 1310 of the Banking Code (6 O.S. Section 1310) sets out a procedure for a bank to drill a box on which rent is unpaid, later selling the box contents at an advertised sale to recover whatever is owed for unpaid box rental and costs of drilling the box. However, a bank must hold any box contents for a year after drilling the box, before advertising and selling the contents.
In some cases a bank does not immediately drill a box on which the rental is unpaid. (It may cost several times the annual rental to drill a box and install a replacement lock, particularly if the closest locksmith is in another town. Banks often wait until several boxes need to be drilled, and sometimes delay so long that they are up against the deadline for turning over unclaimed property.) If a bank waits too long before starting, it cannot both (1) comply with the unclaimed property deadline, and also (2) wait a year after drilling the box before selling the contents.
In addition, there are situations where a bank is hesitant to sell a box’s contents at all. Perhaps it does not want to incur the expense of advertising and properly conducting a sale; or the box contents have an obvious sentimental value to someone (old photographs or mementos), so the bank hates to sell the items if family might show up later; or the contents may be so private (letters) that selling them publicly might almost be an invasion of privacy. In all such cases, there may be an advantage in “punting,” by simply waiting to turn the property over to the State Treasurer.
Turning box contents over to the Treasurer also allows for a further delay before the items are sold. The Treasurer must wait one year after receiving the property before selling it, allowing more time for the proper persons to show up and claim property of special or sentimental value, and the “lost” person’s name will be advertised twice, state-wide, before the Treasurer sells. The Treasurer also has authority (which a bank lacks) to donate items of historical value to museums, which everyone may recognize as the best result. Turning the property over to the Treasurer first also protects the bank from any liability for how the items are disposed of.
Until now, a bank’s decision not to sell box contents and to wait to turn them over to the Treasurer has resulted in no way for the bank to be reimbursed for its costs. This year’s amendment provides a way around that problem.
The new provision, contained in Section 663(D), states, “Property removed from a safe deposit box . . . is received by the State Treasurer subject to the right of the holder to be reimbursed for the cost of the opening and to any valid lien or contract providing for the holder to be reimbursed for unpaid rent or storage charges. The State Treasurer shall reimburse the holder out of the proceeds remaining after deducting the expenses incurred by the State Treasurer in selling the property.” Of course, if a bank turns property over, and the net sales proceeds (after deducting costs of sale by the State Treasurer) are not sufficient to pay the amount owed to the bank, the bank will only be entitled to receive “the proceeds of the sale remaining after deducting the expenses incurred by the State Treasurer.”
This statutory change may be useful to banks in two ways. First, even where a bank drills a box less than a year before it is required to surrender the contents as unclaimed property (making it impossible for the bank to sell the box contents itself), the bank will still have a shot at being reimbursed for what it is owed when the Treasurer sells the property. Second, where a bank is reluctant to sell special contents of a safe deposit box, or simply wants to avoid the nuisance of advertising and conducting a sale, the bank can simply do nothing after drilling the box, allowing the State Treasurer to conduct the sale and pay what is owed to the bank, though never more than the net sales proceeds.
Oklahoma Adopts Uniform Real Property Electronic Recording Act
Oklahoma’s House Bill 2587 enacted the Uniform Real Property Electronic Recording Act (URPERA), effective November 1, 2008. This Act specifically authorizes (but does not require) county clerks in Oklahoma to do several things: (1) to accept electronic filings of real estate documents, including electronically-signed and electronically-notarized documents, (2) to convert newly filed and older documents to electronic documents, and (3) to provide for electronic search and retrieval of documents.
At least on a longer-range basis, this legislation should help banks by facilitating the electronic filing of deeds, mortgages, mortgage releases, etc. (A few counties in Oklahoma already allow such filings, but most counties do not. The number of counties allowing electronic filings will increase gradually, but the timing will depend greatly on (1) whether the local county clerk places a priority on such issues, and also (2) adequate funding to set up an electronic filing system for the county. Banks strongly interested in such a system may want to visit with their local county clerk concerning requirements for such a system, including costs and funding sources.)
The Act directs the Oklahoma Archives and Records Commission to develop Oklahoma standards for electronic filing of documents, consistent with standards of recording offices in other states. Until standards are developed and adopted, the Act cannot be fully implemented–but a task force has begun the process.
An “electronic document” (defined in Title 16, O.S., Section 86.2(3)) is “a document that is received by the county clerk in an electronic form.” This definition includes an electronically-filed image of a paper document, which is what a few counties are already allowing.
The new definition also allows filing of a real estate document that does not exist in paper format—a document created completely electronically, with an electronic signature and an electronic notarization. But if documents are filed that completely eliminate paper, it’s important to have standards. Everyone might agree that a typed e-mail message with an electronic signature and electronic notarization attached is not formal enough to be recorded as a mortgage—but what guidelines make an electronic document “official enough” or in sufficiently proper form to be filed? The Act will answer this question, in a uniform way, through development of standards. In so doing, the Act will also standardize practices throughout the state, so that all county clerks willing to accept electronic documents will use the same rules.
The Act includes section 86.3, stating that electronic documents complying with URPERA are full equivalents of paper documents. This provision states, “If a law requires, as a condition of recording, that a document be an original, be on paper or another tangible medium, or be in writing, the requirement is satisfied by an electronic document” satisfying URPERA.
This section also provides, “If a law requires, as a condition of recording, that a document be signed, the requirement is satisfied by an electronic signature” (as defined in section 86.2). It states, “A requirement that a document or a signature associated with a document be notarized, acknowledged, verified, witnessed, or made under oath is satisfied if the electronic signature of the person authorized to perform that act [notary public, judge, etc.], and all other information required to be included, is attached to or logically associated with the document or signature.”
The Act gives each county clerk authority to take certain actions with respect to electronic documents: (1) to receive, index, store, archive and transmit them; (2) to provide for electronic access to, and for electronic search and retrieval of, documents and information; (3) to convert paper documents accepted for recording into electronic [digital or imaged] form; (4) to convert into electronic form information recorded before the county clerk began to record electronic documents; and (5) to accept electronically any fees.
This list of authorizations is broad enough to allow a particular county clerk to electronically convert all new documents as they are filed, and gradually to convert all old documents already on file; to set up an electronically accessible system of records, that can be searched from within the county clerk’s office, or even from the internet (as already exists in the Oklahoma County Clerk’s office); and to eliminate (if desired) the entire hard-bound set of filed real estate records, placing those in storage.
In many county courthouses, storage space for official records is cramped, and eliminating in-office storage of real estate books by transitioning to an all-electronic system may be attractive at some point. But “money” is probably the biggest obstacle, and without funding in a particular county, nothing will happen.
It would be very convenient for bankers to be able to file mortgages electronically, directly from a loan closing. Instant filing would avoid the time or expense to physically deliver documents to the county seat, or the delay involved in mailing those documents. Expediting the filing of documents would greatly limit the chance that other documents could be filed in the “gap,” before a bank’s mortgage.
There can also be many advantages for bankers if a county develops a completely online searchable system of real estate records. Imagine the convenience if a banker could search real estate filings from his own computer by grantor/grantee, determine the exact name in which a deed for a particular property is held (so that a mortgage can be prepared to match), look at who holds mortgages on a specific property, or examine whether other lenders’ mortgage releases seem proper.
The Act will not automatically bring all of these things into existence (without more steps occurring), but it’s a valuable step toward electronic filing—and electronically-accessible real estate records–in many Oklahoma counties.
Notification Required for Security Breach of Computerized Data
In 2008 an “identity theft” bill (House Bill 2245) was introduced in the Oklahoma Legislature. It would have imposed very stringent notification and penalty provisions on businesses in situations where the security of an individual’s personal or financial information is breached. This language, proposed by AARP, was similar to other bills introduced over the past several years—all of which OBA has worked to defeat, because of unrealistic burdens and penalties placed on businesses.
But the general subject is of increasing concern, and has gained more traction in the Legislature each year. In 2008 a different approach was taken. Totally different provisions (that banks could live with) were substituted for H.B. 2245’s original language, with assistance from the ABA (which suggested substitute language) and the bill’s author. Thus, H.B. 2245 became the Security Breach Notification Act (the Act).
As revised, the Act applies only to a security breach involving “computerized data that includes personal information.” In contrast to the original version, the Act completely exempts paper documents. The Act actually imposes no new requirements on banks with respect to computerized data, assuming that a bank is already in compliance with federal Guidance in place since 2005.
Effective November 1, 2008, the Act does impose new requirements on non-bank companies in Oklahoma, with respect to notifying individuals when a security breach of computerized data occurs. Failure by such businesses to notify the persons whose information is involved in a security breach could result in sizeable damages for actual injury, or civil penalties, if identity theft or other fraud results from the breach.
(If a bank fails to comply with the previously existing federal Guidance regarding a breach of computerized data, the bank will no longer be exempt under the Act. In that scenario, a bank could be liable both federally and under the Act for failing to give notice of a “security breach” affecting computerized data. But, as stated above, compliance with the Guidance is also compliance with the Act, so there is no potential liability under the Act if the Guidance is satisfied.)
I will explain the provisions of H.B. 2245 (as enacted)—which is codified in Title 24, O.S., Sections 161 through 166–and how these provisions will apply (or not) to banks and other companies.
The original language of H.B. 2245 (before it was amended) covered security breaches with respect to either paper or electronic records. The definitions were so broad that most paper files retained by an ordinary business (including copies of invoices or sales slips) would have been covered. If an unauthorized person gained access to those records, there technically would have been a security breach, requiring time-consuming and expensive notification to everyone involved. More importantly, failure to provide notice of a breach could have triggered extremely large penalties.
Many businesses in Oklahoma (especially “mom and pop” businesses) do not have security procedures even vaguely equivalent to what is expected of banks. A small business may have an entire room or attic full of paper documents, usually not locked. Imposing heavy penalties for a security breach involving paper records is not realistic without some kind of reasonable transition period for adopting better document-security and document-disposal practices. The original bill simply imposed harsh “security breach” penalties. On this basis, it seemed better to remove paper-based security breaches entirely from the bill.
An additional problem with stored paper records is that a business usually does not have a back-up copy of those records—and when the records are stolen, it might not have a list of the names and addresses of persons whose records it held. If paper records were compromised through a “security breach” (or natural disaster), and the business had an affirmative duty to notify all persons whose records were involved (as the original bill required), notification could be an extremely time-consuming and expensive (if not impossible) task. By contrast, with computerized data a business may still have the records that have been improperly accessed (or a backup copy), so determining who to contact is easier.
Computerized data is generally more “sensitive” than paper documents, because far more of it can be stolen at once, and because it is in a compact form that can be rapidly re-transmitted and easily manipulated (without a lot of data entry) to carry out fraud.
Computerized data is also in some ways easier to protect than paper documents—because it’s more compact, and because people already understand that it needs higher protection. With greater awareness of the security issues involved with computerized data, companies are closer to a level of security required to limit the company’s vulnerability to a security breach for that type of data.
All of this helps to explain why a “Security Breach Notification Act” relating only to computerized data was substituted for the bill’s original provisions.
2. The Act’s Coverage
Section 163 imposes two basic “notice” requirements, which are the heart of the Act’s provisions.
First, an individual or entity “that owns or licenses computerized data that includes personal information” must disclose any breach of the system’s security to “any resident of this state” if (1) that individual’s “unencrypted and unredacted personal information” has been (or is believed to have been) accessed and acquired by an unauthorized person, and (2) it is reasonably believed that, as a result, a resident of this state is or will become a victim of “identity theft or fraud.” The disclosure must be “without unreasonable delay,” unless a law enforcement agency determines and advises that giving notice “will impede a criminal or civil investigation or homeland or national security.”
(If encrypted information is accessed or acquired by someone with access to the encryption key, notification should be the same as for unencrypted information.)
Second, if someone maintains, but does not own or license, “computerized data that includes personal information,” that individual or entity must notify the information’s owner or licensee of any breach of the security of the system by an unauthorized person. For example, a service provider (such as a data processor, attorney or collection agency) could be maintaining computerized data belonging to an entity for which it provides services. The service provider must notify the “owner” of the data if the computerized data is improperly accessed.
3. Exclusions for Financial Institutions and Others
The Act does not impose additional or duplicative requirements on an entity that already has and uses an adequate set of security-breach notification procedures.
As one example, Section 164(B) states the following exclusion from the Act: “1. A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the provisions of this act.”
Section 164(B) continues, “2. An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the primary or functional federal regulator of the entity shall be deemed to be in compliance with the provisions of this act.”
If a “financial institution” (defined below) complies with the Guidance, that’s enough. (A bank already doing what Federal provisions already require has no additional compliance burden as a result of the Act’s enactment. Federal regulation is recognized as sufficient. Two layers of regulation are not required.)
A “reverse” conclusion can also be drawn from the same language: If a “financial institution” is not complying with the pre-existing notification requirements and procedures under the Guidance, (1) it can be found in violation of the Guidance, and (2) it can also be found in violation of the Act’s provisions. Noncompliance with the Guidance makes an entity subject to (not exempt from) the Act. For this reason, understanding the Act’s provisions is still important for banks.
In Section 162(4), a “financial institution” is defined as “an institution the business of which is engaging in financial activities.” (Based on 15 U.S.C., Section 6809, “financial activities” are all activities permitted within a financial holding company). This includes insurance, brokerage, and lending activities in general, and a variety of miscellaneous activities listed in Federal Reserve Regulation Y. Every bank holding company, every financial holding company, and every subsidiary of either should fit within the Act’s exclusion for financial institutions following the Guidance.
To drop back a step, Section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C., Section 6801) directed the OCC, Federal Reserve, FDIC and OTS to establish safeguard standards for the institutions they regulate. Under that authority, in 2005 these agencies issued the Guidance, which requires each regulated financial institution to have a response program addressing unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to a customer. (The Fed’s version is Appendix D-2 to Regulation H, for Fed-member state banks, and Appendix F to Regulation Y, for holding companies. The FDIC version is Appendix B to 12 C.F.R. Part 364. The OCC version is Appendix B to 12 C.F.R. Part 30.)
The Guidance requires a financial institution’s response program (a) to assess the nature and scope of a customer-information-related incident, (b) to notify the primary Federal regulator if sensitive customer information is involved, (c) to notify law enforcement authorities, consistent with SAR regulations, (d) to take appropriate steps to contain and control the incident, and (e) to notify customers when warranted.
Section 164(A) also provides a second, more general, exclusion from notification requirements of the Act for any entity “that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information,” if those procedures “are consistent with the timing requirements” of the Act. Assuming that the entity “notifies residents of this state in accordance with its procedures in the event of a breach of security of the system,” that entity “shall be deemed to be in compliance with the notification requirements” of the Act. Even an entity that is not a financial institution and is not subject to the Guidance can adopt “an information privacy or security policy” of its own and provide prompt notice of any security breach. Doing so will likely decrease the chance that any enforcement action will be brought against that entity, under the Act.
4. Breach of Security
The definition of “breach of the security of a system” in section 162(1) is one of the Act’s most important provisions. It carefully excludes specific circumstances and certain types of computerized data. The exclusions help to focus the Act’s notification requirements on those security breach incidents that actually pose an increased risk that the consumer will become subject to identity theft or fraud.
The Act defines a security breach as “the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals, and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.”
By rereading the above definition, one can discover several ways that improperly accessed information could fall out of coverage under the Act:
(a) Information that is “encrypted” or “redacted” (as both of those terms are defined below) is excluded.
(b) Non-computerized data (in other words, data in paper format) drops out.
(c) Data that does not compromise the security or confidentiality of an individual’s “personal information” falls out (another phrase defined below).
(d) If information is not part of a database that involves “multiple individuals” (for example, if it is an isolated e-mail message), it apparently drops out.
(e) If the breach may cause “identity theft or fraud,” but not to any person who is a resident of this state, the Act does not apply.
(f) If the breach would otherwise fit the Act’s definition, but it is known that it has not caused “identity theft or fraud,” and the entity reasonably believes it will not do so in the future, it falls out. (Suppose a computer holding sensitive data is stolen by a thief who only wants to pawn it; the incident comes close to meeting the definition. But the thief is caught within five minutes, before he can do anything, and never realizes that there is sensitive data on the computer. The risk that the incident could result in “identity theft or fraud” has passed, and no notification is required.) Because this exclusion turns on what the entity “reasonably believes,” the entity should document the basis for that belief, such as evidence that the device was never powered on or its data never accessed.
5. “Personal Information”
To meet the “personal information” definition in Section 162(6), which is what the Act protects, the computerized data involved in a security breach must include (a) the first name (or first initial) plus last name of a person who is a resident of this state, and in addition (b) any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or number of a state ID issued instead of a driver’s license; or (3) financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that is needed to permit access to the financial accounts of a resident.
Let’s say someone gains improper access to a list of Social Security numbers, or a list of loan numbers or credit card numbers on a past-due list, or a list of bank account numbers for holders of Super NOW accounts, in all of these examples with no names attached. This is not a “security breach” requiring notification to customers under the Act, because without connecting a customer name to a number of this type, a person improperly accessing the information has a very low chance of committing identity theft or fraud, and will probably move on to something more promising.
The definition of “personal information” specifically excludes “information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.” As one example, a creditor sues to collect an account. The account number, along with the individual’s name, is disclosed in the pleadings filed in the case. Access to that specific information by anyone is not a “security breach.” A similar answer results if persons’ names and Social Security numbers are included in UCC-1 filings and someone “mines” that information from already publicly-available documents.
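The breach definition in Section 162(1) and the “personal information” elements in Section 162(6) can be walked mechanically during incident triage, which is how an incident-response team would actually apply them. The Python below is an added example written for this edition, not code from the OBA, the Act, or any bank; the field names, the constructed sample incidents, and the treatment of an isolated single-person message as outside the Act (which the text above calls only “apparent”) are assumptions. It does not model the Section 164 exemptions, which concern whether an entity is deemed compliant rather than whether an incident meets the breach definition.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Record:
    """One individual's row in the compromised computerized data (constructed sample data)."""
    first_name: Optional[str]              # first name or first initial
    last_name: Optional[str]
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None  # or state ID number issued in lieu of a license
    account_number: Optional[str] = None   # bank account, credit card or debit card number
    account_credential: Optional[str] = None  # PIN, password or security code needed to use the account
    state_resident: bool = True
    publicly_available: bool = False       # lawfully obtained from public records, e.g. court pleadings


def is_personal_information(r: Record) -> bool:
    """Section 162(6): a name plus at least one listed data element, not drawn from public records."""
    if r.publicly_available:
        return False
    if not (r.first_name and r.last_name):
        return False                       # a bare list of SSNs or account numbers, no names attached
    if r.ssn or r.drivers_license:
        return True
    # an account or card number counts only together with the code needed to access the account
    return bool(r.account_number and r.account_credential)


@dataclass
class Incident:
    """Facts about the incident that the Section 162(1) definition turns on."""
    records: List[Record]
    computerized: bool = True              # paper records are outside the Act entirely
    encrypted: bool = False
    key_compromised: bool = False          # encrypted data taken along with its key is treated as unencrypted
    redacted: bool = False
    multi_individual_database: bool = True  # assumption: an isolated message about one person is not covered
    fraud_reasonably_expected: bool = True  # the entity cannot rule out identity theft or fraud
    law_enforcement_hold: bool = False     # an agency has advised that notice would impede an investigation


def residents_to_notify(inc: Incident) -> List[str]:
    """Names of state residents whose personal information was accessed and acquired."""
    return [f"{r.first_name} {r.last_name}" for r in inc.records
            if r.state_resident and is_personal_information(r)]


def notification_decision(inc: Incident) -> Tuple[str, str]:
    """Walk the definition and return ('notify' | 'delay' | 'none', reason)."""
    if not inc.computerized:
        return "none", "paper records are not computerized data"
    if inc.encrypted and not inc.key_compromised:
        return "none", "data was encrypted and the key was not compromised"
    if inc.redacted:
        return "none", "data was redacted"
    if not inc.multi_individual_database:
        return "none", "data is not part of a database regarding multiple individuals"
    affected = residents_to_notify(inc)
    if not affected:
        return "none", "no personal information of a state resident was compromised"
    if not inc.fraud_reasonably_expected:
        return "none", "incident is reasonably believed not to cause identity theft or fraud"
    if inc.law_enforcement_hold:
        return "delay", f"notice to {len(affected)} resident(s) deferred at law enforcement request"
    return "notify", f"notify {len(affected)} resident(s) without unreasonable delay"


# Constructed sample incidents mirroring the exclusions discussed in the text.
STOLEN_LAPTOP = Incident(records=[
    Record("Jane", "Doe", ssn="000-00-0000"),
    Record("J", "Roe", account_number="1234", account_credential="9876"),
    Record("Sam", "Out", ssn="000-00-0001", state_resident=False),  # not a resident of this state
    Record("Pat", "Lee", account_number="5555"),                    # account number without its access code
])
BARE_SSN_LIST = Incident(records=[Record(None, None, ssn="000-00-0002")])
PLEADINGS_SCRAPE = Incident(records=[Record("Jane", "Doe", account_number="1234",
                                            account_credential="9876", publicly_available=True)])
ENCRYPTED_BACKUP = Incident(records=STOLEN_LAPTOP.records, encrypted=True)
KEY_TAKEN_TOO = Incident(records=STOLEN_LAPTOP.records, encrypted=True, key_compromised=True)
RECOVERED_IN_MINUTES = Incident(records=STOLEN_LAPTOP.records, fraud_reasonably_expected=False)
PAPER_FILES = Incident(records=STOLEN_LAPTOP.records, computerized=False)

if __name__ == "__main__":
    for label, inc in [("stolen laptop", STOLEN_LAPTOP), ("bare SSN list", BARE_SSN_LIST),
                       ("pleadings scrape", PLEADINGS_SCRAPE), ("encrypted backup", ENCRYPTED_BACKUP),
                       ("key taken too", KEY_TAKEN_TOO), ("recovered in minutes", RECOVERED_IN_MINUTES),
                       ("paper files", PAPER_FILES)]:
        decision, reason = notification_decision(inc)
        print(f"{label:22s} {decision:7s} {reason}")
```

The order of the checks matters: the encryption and redaction questions are asked before the per-record analysis, because encrypted or redacted data is excluded regardless of what it contains, while the “reasonably believes” question is asked last, because it only arises once the data is confirmed to be covered personal information of a state resident. The `key_compromised` flag reflects the point made earlier that encrypted data accessed together with its key should be treated the same as unencrypted data.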
6. Method of Enforcement
If there is a violation of the Act (in other words, failure to give notice to individuals in a situation where notice is required) and that violation “results in injury or loss to residents of this state,” any action for actual damages, or to impose a civil penalty for violation (not to exceed $150,000 per breach or series of similar breaches) must be brought by either the Oklahoma Attorney General or a district attorney (Section 165(B)). An entity cannot be sued by private individuals, but the Attorney General or district attorney can sue on behalf of all state residents suffering injury or loss.
Section 165(C) contains a useful exception: “A violation of this act by a state-chartered or state-licensed financial institution shall be enforceable exclusively by the primary state regulator of the financial institution.”
For example, state enforcement against a state-chartered bank (which could occur only if the Guidance is not followed) must be by the Oklahoma Banking Department; enforcement against an insurance company or insurance agency must be by the Oklahoma Insurance Department; and enforcement against a state-licensed finance company or mortgage company is by the Department of Consumer Credit.
Giving exclusive enforcement authority to the entity’s state regulator (where there is one) avoids the problem of different supervisors for different subjects, and hopefully will result in consistent regulation of all entities of the same type.
Computerized data maintained in either an “encrypted” or “redacted” format is outside of the Act’s coverage. Although someone may gain unauthorized access to information in these formats, there is no “security breach,” on the basis that (without more) the thief lacks enough information to commit “identity theft or fraud.”
“Encrypted,” as defined in Section 162(3), means (1) data transformed by use of algorithms, resulting in a low probability of assigning meaning to it unless someone also has access to a confidential process or key that can decode it, or (2) information secured by another method that renders the data elements unreadable or unusable.
The word “redact,” as defined in Section 162(8), refers to altering or truncating data so that (1) no more than the last five digits of a Social Security number are accessible, or (2) no more than the last four digits of a driver license number, state ID card number, or account number are accessible.
(Looking at situations involving non-computerized data, which therefore are not covered by the Act, may help to demonstrate what the word “redact” means. Other law (15 O.S., Section 752A) already requires Oklahoma businesses to use a redaction standard for paper receipts provided in card-based transactions. Receipts printed by ATMs, and also paper receipts printed in point-of-sale transactions using debit or credit cards, are required by state law to show no more than the last five digits of the individual’s account number. (Most such receipts include only four digits.) Many banks also print “paper” deposit receipts that disclose only the last several digits of an account number. This is basically the “industry standard,” considered adequate to avoid identity theft or fraud even if the paper receipt falls into the wrong hands. In many (but not all) situations a point-of-sale receipt prints the individual’s name, in combination with the last four digits of an account number, but access to this much would still not meet the Act’s definition of “security breach,” even if computerized data was involved (such as an e-mailed receipt for an online purchase by credit card) instead of a paper receipt.)
To summarize (switching back to the world of “computerized data,” which the Act does cover), “personal information” excludes computerized data with shortened (“redacted”) account numbers (as explained above), but includes computerized data with names and full account numbers (if that data is not encrypted, and no other exception applies).
Where there is a security breach and the Act requires a notice to individuals whose “personal information” is affected, Section 162(7) lays out four separate possibilities for giving notice.
The first three standard approaches to notice (any one of them being adequate) are (1) “written notice to the postal address in the records of the individual or entity”; (2) “telephone notice”; or (3) “electronic [e-mail] notice.” If desired or necessary, an entity could use one method of notice for some persons and another method for others. For example, to save money or time, an entity could e-mail all individuals for whom it has e-mail addresses, and mail a notice to the rest. If the group of affected persons is small, or the circumstances are unique, or the relationship between the parties is somewhat sensitive, the entity might want to call the persons individually.
(The notice needs to be clear, but the entity sending it may want to consider the individual’s likely reaction to receiving it by various methods, and the most tactful way to disclose. The contents of the notice should be tailored to the specific incident that has occurred. Maybe the entity believes it has fairly well “contained” any risk that the data could be fraudulently used, and it wants to say so. In some situations, entities giving notice may also offer to do certain things to lessen the risk, such as providing free credit report monitoring for a year or two.)
The fourth allowed method of notice is “substitute notice.” The Act allows an individual or entity to use “substitute notice” if it can demonstrate one of the following three things: (1) that the cost of providing notice by the other methods would exceed $50,000; (2) that the group of persons to be notified exceeds 100,000 persons; or (3) that the individual or entity does not have sufficient contact information or consent to provide notice by any of the other three methods.
Where “substitute notice” is permitted, the entity sending notice is allowed to use any two of the following methods of notice: (1) “e-mail notice if the individual or entity has e-mail addresses for the members of the affected class of residents”; (2) “conspicuous posting of the notice on the Internet web site of the individual or the entity if the individual or the entity maintains a public Internet web site”; and (3) “notice to statewide media.”
So where “substitute notice” is allowed, an entity with a website can post the notice on its site and also give notice to major state media. Substitute notice is not “actual notice,” so it’s allowed only in extreme cases.