Data Security Breaches: Response – Notification – Enforcement

© 2009 Fox Rothschild

Topics For Discussion

- Why do you need a response plan?
- What is a “data security breach”?
- Responding to a data security breach
- State requirements and legislative update
- Regulatory enforcement and litigation

Statistics

- Identity Theft Resource Center reports 656 breaches during 2008, exposing over 35,000,000 records, a 47% increase from 2007
- Average cost of a data breach = $202 per affected consumer, a 40% increase from 2005

Recent Data Breaches

Hannaford Grocery (March 2008)
- Hacker compromised at least 4.2 million payment cards in more than 270 stores
- Approximately 1,800 reported instances of fraud related to the breach
- Multiple class actions

Recent Data Breaches

Heartland Payment Systems (Jan. 2009)
- Malicious software compromised merchant processing network
- Believed to be largest data breach in U.S. history
- At least four class actions:
  - Issuing banks – breach of obligations under PCI standards and negligence
  - Consumers – federal statutory claims, breach of contract, negligence and state privacy laws

Recent Data Breaches

Department of Veterans Affairs (May 2006)
- Laptop computer and disk stolen from home of VA employee
- Contained personal information of 26.5 million veterans who served in the military and have been discharged since 1976
- Recovered by FBI with no evidence of unauthorized access
- Under class action settlement, VA agreed to pay $20 million to plaintiffs who were harmed by the incident, either through physical manifestations of emotional distress or the cost of credit monitoring

What Is The Objective? Fill In The Gap

- Protection
- Compliance
- Audits
- Criminal prosecution
- Civil prosecution

How to Manage the Data Security Breach

Why Do You Need A Response Plan?

- Thoughtful and prepared reaction
- Better decision making
- Minimized risk and loss

What Is A Data Security Breach?

A breach of the security of the system that involves unencrypted computerized personal information that has been, or is reasonably believed to have been, acquired by an unauthorized person.

State statutes require notification to affected individuals and, in certain instances, regulatory agencies and law enforcement.

What Is A Data Security Breach?

“Personal information”: first name or initial and last name combined with one or more of the following (when either the name or the data element is not encrypted):
- Social security number
- Driver’s license number
- Credit card or debit card number
- Financial account number with information such as PINs, passwords or authorization codes

What Is A Data Security Breach?

“Breach of the security of the system”
- Some states expressly require notice of unauthorized access to non-computerized data
  - New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
  - Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”

What Is A Data Security Breach?

Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements.
- Certain states require a risk of harm:
  - Arkansas: no notice if “no reasonable likelihood of harm to customers”
  - Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”

What Is A Data Security Breach?

Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data:
- Data owner has ultimate responsibility to notify consumers of a breach
- Non-owners are required to notify owners
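The preceding slides state the notification trigger in prose. As an added example (not from the presentation), the Python helper below encodes those definitions as a triage function: the name-plus-data-element test for personal information, the encryption and lost-key rule, reasonable belief of acquisition, the Arkansas and Michigan risk-of-harm exception, the paper-record states the slides name, and the owner/maintainer split. The field names, state sets and the `Incident`/`Decision` types are assumptions limited to what the slides mention.

```python
# Added example: breach-notification triage built from the slide definitions.
# State sets below contain only the states the slides name; everything else
# is a simplifying assumption, not a statement of any statute's full text.
from dataclasses import dataclass, field

# Data elements that, combined with a name, form "personal information".
SENSITIVE_ELEMENTS = {"ssn", "drivers_license", "card_number", "financial_account"}
# A financial account number counts only when paired with an access credential.
ACCOUNT_CREDENTIALS = {"pin", "password", "authorization_code"}
# Slides: Arkansas and Michigan excuse notice when harm is not likely.
RISK_OF_HARM_STATES = {"AR", "MI"}
# Slides: New York, Hawaii, North Carolina and Massachusetts reach paper records.
PAPER_RECORD_STATES = {"NY", "HI", "NC", "MA"}


@dataclass
class Incident:
    fields_exposed: set[str]                  # e.g. {"first_name", "last_name", "ssn"}
    encrypted_fields: set[str] = field(default_factory=set)
    key_compromised: bool = False             # MA: encrypted data is a breach if the key is lost too
    reasonable_belief_acquired: bool = True   # generic trigger: reasonable belief of acquisition
    computerized: bool = True                 # False for paper records
    resident_state: str = "CA"                # two-letter state of the affected individual
    likely_harm: bool = True                  # input to the AR/MI risk-of-harm exception
    role: str = "owner"                       # "owner" (owns/licenses data) or "maintainer"


@dataclass
class Decision:
    notice_required: bool
    recipient: str   # "affected residents", "data owner" or "none"
    reason: str


def _readable(inc: Incident, name: str) -> bool:
    """True when the field was exposed in readable form (unencrypted, or key also lost)."""
    return name in inc.fields_exposed and (name not in inc.encrypted_fields or inc.key_compromised)


def name_present(fields: set[str]) -> bool:
    """First name or initial plus last name."""
    return "last_name" in fields and ("first_name" in fields or "first_initial" in fields)


def personal_information_exposed(inc: Incident) -> bool:
    """Name plus at least one data element, where the name or the element is readable."""
    f = inc.fields_exposed
    if not name_present(f):
        return False
    elements = SENSITIVE_ELEMENTS & f
    if "financial_account" in elements and not (ACCOUNT_CREDENTIALS & f):
        elements.discard("financial_account")   # account number alone is not enough
    if not elements:
        return False
    name_readable = any(_readable(inc, n) for n in ("first_name", "first_initial", "last_name"))
    element_readable = any(_readable(inc, e) for e in elements)
    return name_readable or element_readable


def triage(inc: Incident) -> Decision:
    """Apply the slide's trigger rules in order and say who, if anyone, must be notified."""
    if not personal_information_exposed(inc):
        return Decision(False, "none", "no personal information in readable form")
    if not inc.computerized and inc.resident_state not in PAPER_RECORD_STATES:
        return Decision(False, "none", "generic statute reaches computerized data only")
    if not inc.reasonable_belief_acquired:
        return Decision(False, "none", "no reasonable belief of unauthorized acquisition")
    if inc.resident_state in RISK_OF_HARM_STATES and not inc.likely_harm:
        return Decision(False, "none", f"{inc.resident_state} risk-of-harm exception applies")
    if inc.role == "maintainer":
        return Decision(True, "data owner", "maintainer must notify the owner, who notifies consumers")
    return Decision(True, "affected residents", "owner must notify consumers (and regulators where required)")


if __name__ == "__main__":
    # Constructed sample incidents, not real cases.
    samples = {
        "stolen laptop, plaintext SSNs, CA owner": Incident({"first_name", "last_name", "ssn"}),
        "encrypted card file, key safe": Incident({"first_name", "last_name", "card_number"},
                                                  encrypted_fields={"first_name", "last_name", "card_number"}),
        "same file, key also lost, MA": Incident({"first_name", "last_name", "card_number"},
                                                 encrypted_fields={"first_name", "last_name", "card_number"},
                                                 key_compromised=True, resident_state="MA"),
        "vendor holding owner's data": Incident({"first_name", "last_name", "ssn"}, role="maintainer"),
    }
    for label, inc in samples.items():
        d = triage(inc)
        print(f"{label}: notify={d.notice_required} -> {d.recipient} ({d.reason})")
```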

Collect Relevant Documents and Information

- Data location lists
- Confidentiality agreements
- Customer contracts
- Third-party vendor contracts
- Privacy policy
- Information security policy
- Ethics policy
- Litigation hold template
- Contact list

Create A First Response Team

- Information technology (computer & technology resources)
- Information security (physical security & access)
- Compliance
- Business heads (consumer information)
- Human resources (private employee information – health & medical, payroll, tax, retirement)
- Legal counsel (in-house and/or outside counsel)
- Public relations/investor relations

Assign Tasks To Members Of The First Response Team

- Establish a point person
- Identify key personnel for each task
- Prioritize and assign tasks
- Calculate timelines and set deadlines
- Communicate with management
- Establish attorney-client privilege for investigation and communications

Project Management Is Critical

Determine The Nature And Scope Of The Breach

- Investigate facts
- Interview witnesses
- Determine type of information that may have been compromised
- Identify and assess potential kinds of liability
- Identify individuals potentially at risk and determine state or country of residence

Preserve Company’s Assets, Reputation and Integrity

Understand Data Breach Notice Laws

State laws:
- What constitutes personal information?
- When is a notice required?
- Who must be notified?
- Timing?
- What information must be included in the notice?
- Method of delivering notice?
- Other state-specific requirements?

Applicable industry-specific laws

Applicable international laws

Determine Appropriate Notices

- Consumers
- Employees
- Law enforcement (Federal/State)
- Federal regulatory agencies
- State agencies
- Consumer reporting agencies
- Third-party vendors
- Insurers
- Media

Prepare State Law Notices

- General description of the incident
- Type of information that may have been compromised
- Steps to protect information from further unauthorized access
- Contact information (e.g., email address; 1-800 number)
- Advice to affected individuals (e.g., credit reporting, review account activity)

Prepare State Law Notices

- Delivery method (e.g., certified letters, e-mail, website)
- Timing of notices
- Tailor notices based on recipient
- Use a single fact description for all notices

State Laws - California

- State involvement began in California, after a series of breaches received national attention
- Passed in 2002, went into effect in mid-2003
- Requires notice to California residents if data is lost or stolen
- Notification must occur whether or not the business has any presence in California

State Laws - California

- 44 states, the District of Columbia, Puerto Rico and the US Virgin Islands now have breach notification laws
- Expanded in 1/2009 to include medical and health insurance information
- California law may expand further to:
  - Specific requirements for notice letter, and reporting to Attorney General of breaches affecting 500 or more
  - Require "plain language" breach notices, with description of breach and estimate of number of persons affected

State Laws - Massachusetts

- Went into effect on February 3, 2008
- Applies to any person, business or agency that licenses, maintains, owns or stores PPI
- Applies to information regardless of physical form or characteristics (includes paper)
- Unauthorized access to, or use of, paper files containing PPI triggers notice requirement
- Data encrypted at 128-bit or higher algorithmic process is not a security breach, unless the encryption key is also lost

State Laws - Massachusetts

- Notify affected resident, Attorney General and Director of Consumer Affairs and Business Regulation
  - Include number of affected individuals, nature of breach and actions being taken to address incident
  - Director shall identify any further notifications to consumer reporting agencies or state agencies
- Notice given to resident "shall not" include the number of people affected or nature of the breach
- Provide option to obtain a police report and "security freeze"

State Laws - Massachusetts

Data Destruction Requirements
- Persons, businesses and agencies must take certain steps when disposing of records containing PPI in paper or electronic form
- Records containing PPI must be destroyed so that PPI "cannot practically be read or reconstructed"
- Parties improperly disposing of records may be fined $100 per individual, up to a maximum of $50,000 per event

State Laws - Massachusetts

Identity Theft Regulations (Update)
- New regulations will increase level of security required – effective January 1, 2010
- Same "covered entities" will be required to encrypt data on laptops and removable storage devices, encrypt information transmitted wirelessly or on a public network, and meet certain computer hardware requirements

State Laws - Massachusetts

Information Security Regulations (Update)
- Every person that licenses, maintains, owns or stores PPI of a state resident must have a comprehensive information security program
- If PPI is handled electronically, then the information security program must cover computer and wi-fi uses

State Laws - Missouri (to watch)

Breach Notification Bill
- Applies to all businesses in Missouri that own or license electronic data with a resident's PPI
- Must notify resident within 30 days of a breach
- Must notify resident whenever there is evidence of unauthorized access to PPI
- In bill (draft) form, creates criminal penalties

State Laws - New Jersey (to watch)

Proposed Revised Computer Security Rules
- Replaces previously proposed rules under the New Jersey Identity Theft Prevention Act
- Now requires a comprehensive, written information security program to protect PPI
- Must notify police first if a disclosure/breach
- If police consent, the persons must be notified of disclosure/breach "as expeditiously as possible"
- No requirement to notify individuals if use of the disclosed information is "not reasonably possible"

State Laws: Cost Recovery – Minnesota

If a breach of state law, must reimburse the financial institution that issued any “access device” for costs of reasonable actions undertaken in order to protect PPI, including:
(1) cancellation or re-issuance of “access device”;
(2) closure of any account and any action to stop payments or block transactions;
(3) opening or reopening of any account;
(4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction; and
(5) notification of cardholders affected by the breach.

Financial institution may recover payments to cardholders

European Union: Data Protection Directive

- “Personal Data”
- “Processing”
- The "controller” is responsible for compliance
- The data protection requirements apply both when the controller is established within the EU, and when the controller uses equipment situated within the EU in order to process data.

European Union: ePrivacy Directive

Directive on Privacy and Electronic Communications a/k/a ePrivacy Directive

The ePrivacy Directive requires any "provider of publicly available electronic communications services" to (1) provide security of services and (2) maintain confidentiality of information

European Union: ePrivacy Directive

Clearly, the Directive covers telecommunications operators and internet service providers

However, why not (and currently being considered):
- employers providing employees with e-mail
- Internet cafes
- hotels providing Internet access to guests
- companies providing free wi-fi

United Kingdom

- No law requires notification of an improper disclosure
- Prosecutions and fines under other laws about failure to make adequate notification to affected persons
- Financial Services Authority fined Nationwide Building Society $2M under Financial Services and Markets Act 2000 for violating principles: (1) reducing the extent to which it is possible for a business carried on by a regulated person … to be used for a purpose connected with financial crime; and (2) firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems

Australia

Australian Legislation: Privacy Act 1988
- National Privacy Principles: applies to private organizations
- Information Privacy Principles: applies to government agencies

Data Security: private organizations and agencies required to take reasonable steps to protect PPI from disclosure, loss and misuse

Sanctions: Privacy Commissioner can make non-binding declarations dealing with damages and losses. Privacy Commissioner or complainant may seek a federal court order enforcing the determination

Privacy Act does not contain breach notification rules

Germany

Proposed Amendments to German Data Protection Law
- PPI includes names, addresses, dates of birth and bank information
- PPI may be given to marketers only with specific consent from the individual
- If changes become final, businesses would have three years to comply

Prepare Answers To Inquiries

- Draft FAQs with responses
- Establish hotline
- Assign group of contact employees
- Train employees to respond to inquiries
- Develop clear escalation path for difficult questions
- Track questions and answers

Prepare Press Release

Include the following information:
- Facts surrounding the incident
- Actions to prevent further unauthorized access
- Steps to prevent future data security breaches
- Contact information for questions

Review by legal counsel

Consider Offering Assistance To Affected Individuals

- Free credit reporting
- Free credit monitoring with alerts
- ID theft insurance
- Access to fraud resolution specialists
- Toll-free hotline

Enforcement Actions

- Federal Trade Commission – Section 5 of FTC Act
  - Enforce privacy policies and challenge data security practices that cause substantial consumer injury
- State Attorney General – State Notification Statutes
  - Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
  - Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
- Litigation in federal or state courts

FTC Actions: The TJX Companies, Inc.

In January 2007, TJX announced that an unauthorized intruder accessed its computer system, which contained detailed information about customer debit and credit cards.

- Breach exposed at least 45 million credit and debit cards
- Investigated by FTC, at least 39 states and the Secret Service

FTC Actions: The TJX Companies, Inc.

FTC complaint alleged that TJX engaged in “unfair acts or practices” by:
- Creating unnecessary risk to personal information by storing and transmitting it in clear text
- Failing to use readily available security measures to limit wireless access to its networks
- Failing to require network administrators and users to use “strong” passwords or to use different passwords to access different programs, computers, networks
- Failing to use readily available security measures to limit access among computers and the internet (i.e., firewall to isolate card authorization computers)
- Failing to employ sufficient measures to detect and prevent unauthorized access or conduct security investigations

FTC Actions: The TJX Companies, Inc.

Consent order (dated July 2008):
- Establish, implement and maintain a comprehensive information security program “reasonably designed to protect the security, confidentiality, and integrity of personal information.”
- Obtain assessments and reports from a “qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.”
- Make available to the FTC (upon request) for inspection and copying documents relating to compliance.
- File with FTC a report setting forth “in detail the manner and form” in which it has complied with the consent order.

Other FTC Actions

Other FTC settlements:
- ValueClick (civil penalties = $2,900,000)
- Goal Financial
- Life Is Good
- Premiere Capital Lending, Inc.
- Reed Elsevier Inc.

NY Attorney General Action: CS Stars LLC

- Theft of computer containing personal information of approximately 540,000 worker’s compensation recipients discovered on May 9, 2006
- CS Stars LLC “maintained” personal information
- CS Stars notified data “owner” of potential breach on June 29, 2006
- Data owner notified appropriate entities and consumers immediately
- FBI recovered computer
- No unauthorized use of personal information

NY Attorney General Action: CS Stars LLC

Attorney General criticized delay between discovery of missing computer and CS Stars’ notification to data owner

Settlement (April 2007) required CS Stars to:
- Implement precautionary measures to safeguard information
- Comply with New York data breach notification statute in the event of any future breach
- Pay $60,000 to cover costs related to investigation

CT Dept. of Consumer Protection Action: Bank of New York Mellon

- Lost backup tape containing personal information of more than 600,000 Connecticut residents
- Governor of Connecticut directed Commissioner of the Department of Consumer Protection to pursue all remedies available to affected Connecticut residents
- BNY Mellon notified each affected consumer and provided 24 months of credit protection
- To date, BNY has spent over $3.48 million to provide credit protection

CT Dept. of Consumer Protection Action: Bank of New York Mellon

Settlement required BNY Mellon to:
- Reimburse consumers for any funds stolen as a direct result of the breach
- Pay $150,000 to the State of Connecticut

Litigation: Typical Claims By Plaintiffs

Plaintiffs (consumers) typically allege the following causes of action:
- Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty
- Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts

Litigation: Typical Court Rulings

Plaintiffs fail to show “injury” as a result of data breach.
- Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007):
  - Exposure to identity theft without more does not constitute “injury”
  - Individual does not suffer harm as soon as information is exposed
  - Credit monitoring costs do not constitute injury

Litigation: Typical Court Rulings

Certain courts have dismissed data breach cases on the ground of standing.
- Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007);
- Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006);
- Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006).

Litigation: Typical Court Rulings

In re TJX Cos. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007).
- Claims brought by issuing banks:
  - Breach of contract based on alleged violations of Visa and MasterCard’s network rules
  - Negligence
  - Massachusetts deceptive or unfair trade practices
  - Negligent misrepresentation

Litigation: Typical Court Rulings

TJX Cos. Retail Sec. Breach Litig.
- Dismissed breach of contract – Visa & MasterCard rules did not provide third-party beneficiary rights to plaintiffs (issuing banks)
- Dismissed negligence – economic loss doctrine
- Dismissed deceptive/unfair trade practices – no basis in FTC Act or GLB Act
- Did not dismiss negligent misrepresentation – implied misrepresentation based on TJX’s participation in credit card networks

Litigation: Unusual Court Rulings

Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).
- Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)
- Court denied defendant’s motion for summary judgment and held that plaintiff “has alleged injury in fact” to establish standing
- “Increased risk of identity theft” constituted sufficient “injury in fact”

Litigation: Unusual Court Rulings

Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
- Laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no.)
- Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
- Court denied motion with respect to claim that plaintiff was a third-party beneficiary of the contract between defendant and plaintiff’s employer

Avoid Future Data Security Breaches

- Limit access to personally identifiable information
- Encryption
- Establish privacy compliance program
- Train and test employees
- Periodic audits
- Update and revise procedures
- Enhance technology to strengthen security and reduce risk
- Credential third-party vendors

Contact Information

Amy C. Purcell, Esquire

215.299.2798

[email protected]