Privacy & Security Blog

Costly Privacy Breaches in 2009

Keli

Network security failures have led to some of the largest breaches of private financial and personal data in 2009.

Heartland Payment Systems reached a settlement with American Express for $3.6 million after a security breach revealed 130 million credit and debit card numbers, affecting nearly 4.2 million people. Several class action lawsuits are currently pending.

  • Although Heartland Payment Systems exposed private financial data for American Express customers that resulted in a multi-million dollar settlement, American Express faced its own privacy breach in Phoenix, Arizona. A company employee enabled accomplices to withdraw more than $1 million by supplying PIN numbers, account information, and credit and debit card numbers.
  • In 2008, a Countrywide Financial employee copied data onto a flash drive with the intention of selling nearly 2 million customer records. One year later, after Bank of America acquired Countrywide, it discovered a man posing as an Air Force reservist had obtained thousands of account numbers, resulting in a loss of $500,000.
  • One of the top security breaches did not result from hacking, but rather the implementation of a skimming device on ATMs. Chase Bank discovered a skimmer had been placed on ATMs, recording the magnetic strip information and taking small amounts of money from customer accounts, totaling nearly $1.8 million.
  • RBS Worldpay experienced a similar breach after hackers obtained financial data and cloned ATM cards, stealing nearly $9 million from more than 130 ATMs.
  • An unknown source managed to obtain and sell Capital One Bank’s customer information online. Using counterfeit cards and customer information, the crime ring collected more than $650,000 from ATMs in Minnesota.
  • Accounting departments should carefully scrutinize employee payrolls after PayChoice, a payroll processing company, was alerted that its system had been compromised when customers reported that fake employee names appeared on their payrolls. The extent of the compromised financial information is not currently known.
  • The Bank of New York Mellon learned that employee information should be protected from hackers and theft. A man used more than 150 identities of bank employees to take $1.1 million. The theft targeted charities, non-profit organizations, and other entities.
  • Internet service providers should take heed from the breach at Network Solutions, where code implanted on the company’s web servers tracked and copied financial information from hosted online stores. Nearly 573,000 credit and debit card accounts were compromised.

Companies should work with counsel and other qualified consultants to take extra precautions to protect web servers and restrict employee access to private personal and financial data to prevent cybercrime.

Posted on: 1/26/2010 11:15:36 AM
Businesses Fail to Guard Against and Respond to Data Security Breaches at their Peril

Julie Machal Fulks

A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.

Pharmacy benefits manager Express Scripts is facing a class-action lawsuit filed by an Express Scripts member who alleges that the company failed to use effective measures to protect the secrecy of its members’ confidential information and that it also failed to give reasonable notice of a security breach potentially affecting millions of those members. The complaint alleges that Express Scripts received an extortion demand in October 2008 indicating that an unauthorized third party had gained access to members’ personal data and that some individual members also had received similar threats. The complaint further alleges that Express Scripts failed, in the months following the breach, to send any notifications to its members other than vague statements posted on its website in November.

Currently, businesses with nation-wide operations face a patchwork quilt of federal and state laws regarding both steps required to safeguard personal data as well as steps to be taken in the event of a breach. With regard specifically to post-breach notifications, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands all have enacted their own legislation requiring notification of security breaches involving personal information. Therefore, for large enterprises such as Express Scripts, which is also subject to complex federal rules such as HIPAA, data security planning can be a daunting undertaking.

However, businesses choosing or needing to retain potentially sensitive customer information nevertheless must make appropriate plans. The alternative, as Express Scripts may learn, entails negative publicity as a result of the initial breach, compounded by negative publicity as a result of an inadequate response. That kind of reputational damage can be difficult and costly to repair, especially if or when attorney’s fees and civil damages enter the equation.

All businesses, large and small, that handle confidential customer information must consult with knowledgeable counsel to ensure that they are protecting against and prepared for data security breaches.

Posted on: 7/27/2009 4:35:18 PM
The Privacy Act

Julie Machal Fulks

Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act allows disclosure without consent only in limited circumstances, including:

  • Disclosure to the Census Bureau and the Bureau of Labor Statistics;
  • Disclosure for routine uses within a U.S. government agency;
  • Disclosure when “a record which has sufficient historical or other value to warrant its continued preservation by the United States Government;”
  • Disclosure to law enforcement agencies;
  • Disclosure to aid in congressional investigations; or
  • Disclosure for other administrative purposes.

The penalties for violating the Privacy Act can be harsh. Federal courts can award reasonable attorneys’ fees, litigation costs, and damages. If a court finds that the agency acted willfully or intentionally, the court can award actual damages or the amount of $1,000.00 per person, whichever is greater.

The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) amended the Privacy Act to add several new provisions. These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.

Posted on: 1/26/2009 10:00:45 AM
Drafting and Defending Privacy Policies and Incident Response Plans

Julie Machal Fulks

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).

Every privacy policy should contain a clear and concise statement of what personal information the organization collects, whether the company discloses the information to third-parties, and if so, under what circumstances, a list of the safeguards employed to protect the information, and a discussion of any opt-out provisions required.

Your company can face potential liability if your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:

  • Investigations by appropriate regulatory authorities.
  • Orders prohibiting further misrepresentations.
  • Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.
  • Claims based on negligence for failing to follow enumerated policies.
  • Civil fines.
  • Officer and director liability.

It is vital that companies use customized privacy policies prepared after carefully considering their ability to deliver on their promises. For that reason, it is not advisable to copy policies from the internet, or promise more than is legally required.

Posted on: 1/12/2009 5:31:05 PM
State Data Breach Notification Legislative Update

Julie Machal Fulks

In the past year, five states – Alaska, Iowa, South Carolina, Virginia, and West Virginia – have enacted data breach notification laws, bringing to 45 the total number of U.S. jurisdictions (plus Washington D.C.) with laws on the books. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.

For the most part, all of the new laws follow what is now a fairly familiar pattern for data breach notification requirements. All require that notice of a breach be provided without “unreasonable delay,” but notice may be delayed to accommodate any pending law enforcement investigations. Notice also is not required under any of the new laws when the data that was accessed was encrypted. All of the laws provide for civil penalties for failure to comply.

However, there are a couple of noteworthy differences. West Virginia and Iowa join a minority of states with laws that do not allow for private causes of action for failure to comply with the notification requirements. In addition, the South Carolina, Virginia and West Virginia enactments contain no express exemption for immaterial breaches, though breaches requiring notice generally are defined to include only those where there is a reasonable risk of harm to the person whose data was accessed.

As always, businesses handling personal information should remain vigilant regarding any new or revised provisions in the data breach notification laws of the jurisdictions in which they conduct business. There have been no major new developments regarding the enactment of a national data breach notification law, and, at this point, with so many state laws on the books, it is possible that a federal law will either, if passed, provide only supplementary requirements in addition to the state laws or fail to reach passage altogether. The longer the state regimes remain in place, the less likely complete federal preemption on the issue becomes.

Therefore, for the foreseeable future, businesses will need to maintain up-to-date notification procedures that are in compliance with the laws of each state where they operate. It remains advisable to consult with counsel in developing procedures that are consistent with business goals and objectives.

Posted on: 10/31/2008 12:08:05 PM
State Data Encryption Laws Ready to Take Effect

Christopher Barnett

By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves with and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data. While contingency planning in light of these laws (now present in 44 states and the District of Columbia) usually entails some up-front costs in the form of diverted resources and attorney’s fees, the overall cost of implementation has been relatively low. It may be fitting, then, that the perceived benefit of these laws has been similarly minimal, with some estimating only a 2% reduction in identity theft in recent years that can be attributed to data breach notification legislation.

It is perhaps as a result of such low estimated return that some states now are starting to implement tougher standards describing the steps that businesses must take in order to prevent such breaches from occurring in the first place. Nevada’s law is the first and went into effect on October 1, 2008. Massachusetts is set to follow with a more detailed set of regulations in January, with Michigan and Washington State in the process of considering similar measures.

The Nevada provision is succinct:

A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

“Encryption” and “personal information” are defined by reference to other statutes and have meanings similar to those typically used in the notification laws. (See NRS 597.970.)

The effect of the Nevada law is to give a victim of identity theft resulting from a data breach a statutory standard of care to enforce against the business that, as a result of negligent (or other) non-compliance with the law, experienced the breach that led to the identity theft in question. Other questions pertaining to the practical implementation of the standard remain, including how to show a causal link between the breach and the ID theft and whether some injury short of ID theft – such as the cost of signing up for credit monitoring – would support a damages claim sufficient to allow a case to proceed to trial. However, it is clear that companies doing business in Nevada now have a tangible interest in deploying encryption technology to protect the data of customers living in that state.

In Massachusetts, the stakes could be even higher. There, the state’s Office of Consumer Affairs & Business Regulation has adopted regulations, to become effective on January 1, 2009, that provide detailed definitions of the standards businesses must meet in order to bring their data handling technology and protocols into compliance. (See 201 CMR 17.00.) While the Massachusetts regulations’ enabling statute does not create a private cause of action for failure to comply, it does give the state attorney general the authority to file a lawsuit for injunctive relief and, in some cases, civil penalties up to $5,000.00 per violation.

As with the notification laws, there is no unified, federal standard for data handling to pre-empt what may become another medley of state laws for businesses to navigate. If these laws become more commonplace (and it appears that they very well may), it will become even more critical for companies conducting interstate transactions to work closely with counsel in order to ensure their compliance with all applicable data handling standards and safeguards.

Posted on: 10/31/2008 12:04:38 PM
New Potential Liability for Internet Service Providers

Christopher Barnett

The U.S. District Court in New Hampshire recently issued a written opinion that undoubtedly will give some Internet service providers reason to re-think their policies with regard to some anonymous user accounts. In Doe v. Friendfinder Network, Inc., the plaintiff discovered prior to filing suit that an unnamed individual had created a number of profiles using information about the plaintiff’s identity on various social networking websites operated by the defendants and oriented toward people seeking sexual relationships with others. The plaintiff sued the defendants on various state-law claims arising out of the allegedly false and unauthorized personal advertisements. In its opinion, the court addressed the defendants’ motion to dismiss, which asserted that the plaintiff’s claims were barred by the Communications Decency Act of 1996. That Act provides, in part, that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” which the Act further defines as “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.”

The court held that the Act did work to bar all of the plaintiff’s state-law claims, except for one: invasion of privacy, to the extent that the plaintiff’s claim was based on the right of publicity. The court specifically looked to an exception in the Act, which provides: “[n]othing in this section shall be construed to limit or expand any law pertaining to intellectual property.” The court stated that a state-law right of publicity claim arises from a “law pertaining to intellectual property,” and it further held that state-law intellectual property claims are within the scope of the Act’s exception. In so holding, the court expressly disapproved the 9th Circuit’s opinion in Perfect 10, Inc. v. CCBill, LLC, where it held last year that the exception only extended to claims based on violations of federal laws pertaining to intellectual property.

The Friendfinder case may be one to watch for at least two reasons. First, it has the potential to set up a conflict between two federal circuits, which may help lead to or hasten review by the Supreme Court. (A petition for certiorari was denied following the 9th Circuit’s ruling in the CCBill case.) Second, if the trial court’s opinion in Friendfinder prevails, then Internet service providers – especially those operating social networking sites (which now include heavy-hitters such as Facebook and Second Life) – may face the daunting prospect of having to verify the validity of information entered in users’ personal profiles in order to avoid exposure from state-law claims based on violation of a third party’s right of publicity. Such a precedent could mean significant changes to the way such sites operate today.
Posted on: 9/10/2008 10:24:11 AM
New Jersey Court Determines Internet Users Have a Constitutional Right to Privacy

Julie Machal Fulks

The Supreme Court of New Jersey recently became one of the first courts in the nation to determine that Internet users have a Constitutional right to privacy under Article I of the New Jersey Constitution. Because of the ruling, a grand jury warrant will be required before law enforcement officials can access personal information about Internet users.

The Court considered the issue after Shirley Reid was charged with second-degree theft for allegedly hacking into her employer’s computer system from her home computer. When her employer asked Comcast for the identity of the person who accessed the employer’s computer network, Comcast refused to do so without a subpoena. Investigators then obtained a municipal court subpoena and served it on Comcast. Comcast complied with the subpoena and identified Reid as the person who accessed the employer’s network.

A New Jersey superior court suppressed the evidence based on the fact that investigators did not obtain a grand jury subpoena. A state appellate court agreed, and the Cape May County Prosecutor’s Office appealed to the New Jersey Supreme Court, which unanimously upheld the decision. The Prosecutor’s Office has indicated that it intends to continue pursuing the case by requesting the appropriate grand jury subpoena.

Although the United States Supreme Court concluded that there is no federal Constitutional right to privacy on the Internet, the New Jersey law will take precedence in New Jersey cases involving Internet privacy.

Posted on: 9/10/2008 10:36:49 AM
Student Loan Company Settles With FTC

Ilan Jenkins

The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years.

Goal Financial provides a variety of loan services and collects personal information from loan applications and other sources. The information includes name, address, telephone number, driver’s license number, Social Security number, date of birth, and income, debt, and employment information in its course of business. The company is therefore a “financial institution” according to the Gramm-Leach-Bliley Act (“GLBA”) and is subject to the GLBA’s Safeguards Rule and Privacy Rule. Goal Financial stores the records in electronic and paper form.

The FTC’s complaint alleges that Goal Financial engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security measures to protect personal information. Specifically, the complaint alleges that Goal Financial placed at risk the personal information of over 41,000 consumers because it failed to:

(1) assess adequately risks to the information it collected and stored in its paper files and on its computer network;
(2) restrict adequately access to personal information stored in its paper files and on its computer network to authorized employees;
(3) implement a comprehensive information security program, including reasonable policies and procedures in key areas such as the collection, handling, and disposal of personal information;
(4) provide adequate training to employees about handling and protecting personal information and responding to security incidents; and
(5) require third-party service providers by contract to protect the security and confidentiality of personal information.

Goal Financial’s employees allegedly exploited these failures and removed more than 7000 consumer files containing sensitive information without authorization and transferred them to third parties. In 2006, a Goal Financial employee sold to the public computer hard drives containing personal information of approximately 34,000 consumers.

Due to such failures, Goal Financial also violated the Safeguards Rule of the GLBA, which requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical, and physical safeguards.

Additionally, the Privacy Rule requires financial institutions to provide customers, no later than when a customer relationship arises and annually for the duration of that relationship, “a clear and conspicuous notice that accurately reflects [the financial institution’s] privacy policies and practices,” including its security policies and practices. Goal Financial distributed to its customers a privacy policy that contained false or misleading statements regarding the measures implemented to protect its customers’ personal information.

The proposed settlement requires Goal Financial to institute measures to bring it into compliance with the rules stated above and to prevent it from committing future violations.

View the news release http://www.ftc.gov/opa/2008/03/studlend.shtm

View the complaint http://www.ftc.gov/os/caselist/0723013/080304complaint.pdf

View the proposed settlement http://www.ftc.gov/os/caselist/0723013/080304analysis.pdf

Posted on: 9/10/2008 10:47:52 AM
Accenture Sued for Negligence by the State of Connecticut

Christopher Barnett

Many companies have started to experience the consequences of non-existent, insufficient or poorly implemented data security plans in the form of enforcement lawsuits filed by state attorneys general for violations of state data privacy and data security laws. However, in an interesting twist on this usual variety of state-initiated litigation arising out of poor data breach planning, the State of Connecticut is suing IT consultant Accenture for alleged negligence in losing electronic files containing information on bank accounts for almost all Connecticut state agencies as well as several hundred state purchasing cards and a handful of Connecticut taxpayers. Connecticut’s lawsuit also alleges unauthorized use of state information and breach of contract.

Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though similar, project for the State of Ohio. (The tape also contained personal information on about 1.3 million Ohio residents.) The intern apparently had been using the Connecticut program as a template for the Ohio project.

The Accenture case underscores the business necessity of having a thorough data security program that employees actually follow, because breaches can be very costly and weak links in the security chain are prevalent. An effective plan should provide for contingencies affecting sensitive data, especially financial or health information. Plans should also ensure either that all of the business’ employees are aware of the data security policies and procedures, or, better yet, provide for physical, electronic, or procedural barriers to prevent data from being used for any unnecessary or non-business-critical purposes. Companies implementing security plans should consider reducing the risks identified in the Accenture matter by prohibiting interns from having access to sensitive information and restricting the presence of sensitive information on portable devices.

With the increasing number of lawsuits focused on data breach and security incidents, it is crucial that all businesses take steps to develop comprehensive security policies and also to ensure that their assets will be protected in the event that those policies fail.

Posted on: 12/14/2009 1:42:00 PM