The publisher of the Privacy & Data Security Law Journal recently sponsored an audio conference entitled “Latest Developments in Privacy and Data Security for Financial Institutions.” The speakers were Christopher J. Volkmer, the Current Developments columnist for the Privacy & Data Security Law Journal and the managing member of the Volkmer Law Firm LLC, which advises financial institutions, outsourcers, and other businesses in transactions and compliance matters, and Robert J. Scott, the managing partner of Scott & Scott, LLP, a law and technology services firm dedicated to helping senior executives assess and reduce the legal, financial, and regulatory risks associated with privacy, network security, and compliance. The speakers can be reached at chris@volkmerlaw.com and rjscott@scottandscottllp.com, respectively. Excerpts from the audio conference follow.
Volkmer: I’m going to take the first part of our presentation today. I’d like to start with a discussion of where we are today.
When we talk about current developments, I think it’s good to take a moment and look at where we’ve come from to where we are today. I think that when we look at the trends that apply in this area, what I see is that privacy and data security is moving from a recognition of risk profile to having to deal with the consequences of risk.
Initial Statutes
Initially, there was really not a focus on privacy breaches, per se; rather, the focus in the Gramm-Leach-Bliley Act, or “GLBA,” was on the establishment of privacy rights.
As we moved forward, the real watershed was California’s SB 1386, which was the first privacy breach notification law. This basically forced the unveiling to the public and the regulators the extent and breadth of data security breaches and their consequential effect on individuals, primarily in the area of identity theft. So, we had the privacy breaches of ChoicePoint and other systems involving hundreds of thousands or millions of records and the focus was on getting the word out. Who is entitled to notice? When are people entitled to notice? It was recognizing that we have a need for people to get information in order to protect their privacy rights.
I think now, as we look at 2006–2007, we’re dealing more with the effects of privacy and data security breaches. The TJX case, which we’ll talk about a little bit later, was a spectacular data security breach involving millions and millions of customer records and so the focus became vindication of privacy rights. How are those rights going to be vindicated? And one example of that is the passage of a law in Minnesota which we’re also going to talk about a little later.
Risk Analysis
I’d like to talk about risk analysis now and use a recent Supreme Court case as the platform for that. The case is SafeCo v. Burr, and it’s an interesting case that I would recommend to privacy officers and lawyers because it’s filled with compliance discussion.
The question before the Court was, “When is a party required to send adverse action notices under the Fair Credit Reporting Act?” and the particular question was, if you have an initial applicant, for instance, someone who is applying for car insurance, and you give the person a rate that is a quote for a premium that is not the best available rate, do you have to send that initial applicant a notice of adverse action under the Fair Credit Reporting Act?
This case was actually two cases that were combined for hearing before the Court and involved two different insurance companies, one was Geico and one was SafeCo. SafeCo took the position that if we have an initial applicant then there is no established rate and therefore there is nothing to compare to know if there is anything adverse as required under the Fair Credit Reporting Act. When future negative changes occurred with respect to policyholders, SafeCo would send an adverse action notice. But SafeCo took the position that it didn’t make sense for the Fair Credit Reporting Act to require it to send adverse action notices to initial applicants, or that would force insurance companies and others to send adverse action notices to virtually every customer who did not get their best available rate. Geico took a little bit of a different position. Geico said, “We’re going to rate our initial applicants without consideration to the Fair Credit Reporting Act,” that is, without consideration of consumer reports obtained under the Fair Credit Reporting Act. “Then we’re going to apply the consumer reports criteria and see if we get a different result. If the consumer gets a worse rate, that is a more expensive policy, as a result of applying the consumer report information, then we’re going to send them the adverse action notice, but if the rate stays the same then we’re not going to send them a notice.”
Briefly, the Supreme Court said that one of these methods complied with the law and one of them did not. Basically the Court found that SafeCo’s method did not comply with the law and that adverse action notices did need to be sent because SafeCo did, in fact, rely on consumer report information to establish its rates.
The next question was whether this action of SafeCo was willful under the statute because willful noncompliance with the Fair Credit Reporting Act notice requirements could result in the imposition of not only statutory damages but also punitive damages and attorney fees. So the Court looked at the action to determine whether SafeCo was willfully doing that and whether a reckless standard should be applied as satisfying the standard and the Court basically found that SafeCo was not reckless in taking its action. We’ll talk about that in a minute, but basically the insurance companies were found, even though noncompliant in one instance, not subject to the willful damages under the Fair Credit Reporting Act.
SafeCo’s Significance
SafeCo is important to privacy offices and lawyers; it is a model for the kind of statutory interpretations that you will have to face under some of these new data breach security laws. For example, there is the decision of whether or not to send the notice of a security breach. The interagency guidance of the federal regulators says that notice needs to be sent when unauthorized access has “occurred or is reasonably possible.”
So, we can handle the situations where we know there’s a known breach but what about situations where a breach is reasonably possible? For example, there are copies made onto computer disks of nonpublic personal information and those disks are unaccounted for. This is not to say that they’re stolen, they may be in somebody’s desk drawer, but we simply do not know what happened to them. Is that a situation where unauthorized access is reasonably possible and do notices need to be sent under the interagency guidance?
Similarly, under some of the state laws, like the California law, the standard is whether nonpublic information was or was reasonably believed to have been acquired by an unauthorized person. Again, privacy officers and legal counsel are going to have to determine whether a breach is reasonably believed to have occurred and that’s not always going to be a black line, so, what SafeCo teaches is, we’re going to review these issues under an objectively reasonable test and an action is going to be objectively reasonable when you look at the statutory text, when you look at the court decisions that are available, and the available regulatory guidance. The Court also did not foreclose the possibility of reliance upon legal advice as a defense.
The point to keep in mind here is, if you’ve got an initiative in this privacy area, many times it could focus on whether you are going to comply, whether it’s going to be a question of whether there is compliance with this statute or regulation, and I think you should think of SafeCo as guiding you in an objectively reasonable method of compliance with the applicable statute or regulation.
The Model Notice
Let’s move on to the next development. I think one of the most significant areas for current developments is in the new privacy rule and the new form of model notice.
In 2006, Congress passed the Financial Services Regulatory Relief Act and basically under Section 28 of that Act, Congress mandated the rulemaking bodies — the Fed, OCC, FDIC, OTS, NCUA, FTC, CFTC, and SEC — to come up with a joint form of a model notice for giving privacy notices under the GLBA. Congress found that consumers were not understanding the privacy disclosures being given to consumers under the GLBA, that the disclosures were confusing and contradictory, they weren’t presented well, they were presented in all sorts of different forms and type, and so Congress felt that a model form would help this. Congress said that if a model form is used by financial institutions then that would serve as a safe harbor against claims by persons or regulators that the financial institution was not properly disclosing its privacy practices.
The model form that was promulgated by the financial institution regulators was very specific and laid out the type size, the layout, and the paper size. The regulators also acknowledged that many financial institutions currently rely upon the safe harbor model clauses that are in the current regulations and provided that those would remain as a safe harbor for one year after the final rule is adopted.
Some objections were raised by the financial community to the model form that has been proposed. The comments were from most of the major associations including the ABA, the Financial Services Roundtable, the Consumer Bankers Association, the National Association of Federal Credit Unions, and others. One of the main issues is that the rule specifically states what size and number of pages financial institutions are required to use in adopting the model form. It’s a minimum of two pages or up to three pages if you have an opt out and it has to be on 8-1/2 x 11 size paper and it must be separate sheets; it cannot go on the front and back because in their consumer research they found that consumers had a difficult time turning the page to figure out what their privacy disclosures were.
When you think about the implications simply of these issues, it can turn into a big dollar issue for many institutions. The larger paper size and the separate pages add to printing costs and postage costs; they may conflict with existing delivery methods. Many financial institutions do not print these notices on 8-1/2 x 11 size paper and so you have to go through a completely new formatting process to make these model forms available to customers.
One commenter also complained that it was unclear in the proposed regulations whether any variants to the model form, even if it accurately describes facts applicable to the institution, causes the institution to lose the exemption, the safe harbor. There’s also confusion about the use of electronic forms.
Basically, the only guidance that the regulators gave for electronic forms is if you give a PDF copy to a customer, that is an exact picture of what the printed copy is, that would satisfy the model form notice requirements, but the financial community wanted more flexible ways to deliver these notices electronically. They also complained that the affiliate sharing is not accurately described, the form actually described different requirements that are actually prescribed by the rules under the GLBA. I think this model form bears careful consideration and tracking by financial institutions because you want to have a very immediate and practical effect on the way privacy forms are delivered and whether your institution can gain a safe harbor.
AML and BSA
Let’s go on to cover the Anti-Money Laundering and Bank Secrecy Act current issues.
The enforcement in these areas is a high focus for bank regulators and others who are responsible for enforcement activities. There’s been an upswing in public and private enforcement actions and one of the major themes is the need for institutions to adopt a risk-based practice in this area rather than rules-based. A rules-based practice would be, for example, simply relying upon an analysis of transactions over a certain dollar threshold to be reviewed. That kind of analysis may miss a pattern of activity that is less than the dollar threshold but is obviously a structuring of a series of transactions to avoid reporting requirements. A risk-based practice and a risk-based compliance program would have the ability to at least check to find patterns of activity that could lead to violation or a reporting of a potential violation of the AML or BSA statutes or regulations.
One example is of a recent enforcement activity against American Express Bank International and the practice of the Black Market Peso Exchange. It’s really very interesting reading, and complex reading, to see the lengths to which money launderers go to undertake their money laundering activity. But, in a nutshell, over $55 million of AML activities were detected over four years and it was obviously, at least in the regulators’ minds, connected to drug money laundering. There were hundreds of transfers to accountholders from sources unrelated to the accountholders, and those transfers were inconsistent with the accountholder’s business as understood by bank personnel.
So, the regulators found that the deficiencies at AEBI included the failure to implement a customer information program, or “Know-Your-Customer” program. I think this will be a continued area of focus by regulators and examiners.
There also was a failure to report on the customers’ use of blank share accounts, which are accounts that do not specifically identify the owner. Sometimes organizations can use their share certificates at three or four levels and then at the top have the share held by somebody who is operating under power of attorney. Obviously, these present challenges to the financial institutions to effectively report under AML and BSA. The other deficiencies identified by the regulators for AEBI were the failure to identify the country of origin or the source of income in funds and, even when AEBI flagged the transaction (because they did have adequate systems in place), the manager of the relationship viewed it as consistent with the customer’s business and there was no independent compliance review.
The action in this area is the result of an increased focus on antiterrorism and anti-money laundering. There are no examination manual procedures that have been posted by the FFIEC, but very recently, it published a BSA/AML examination manual on August 14th of 2007 and if you go through the updates, the table of contents will indicate to you which areas are updated. They continue to emphasize that narratives and reports are critical for the enforcement agencies. They discourage the use of attachments to describe the activity; the attachments are not picked up in the interagency systems. There are additional guidelines for compliance such as cross-border ACH transactions and that’s an enterprise-wide approach to management in this area. So, again, for current developments in this area, it is probably good to make sure your compliance folks are familiar with the new and updated examination manual published by the FFIEC.
Credit Card Risks
The next area I’d like to cover is credit card risks and those risks associated with data theft. I’d like to start this discussion by talking about the BJ’s Warehouse case. It’s a very interesting case, actually, a series of cases in Pennsylvania.
The facts are that the banks issued credit cards to customers, and the customers used those credit cards at BJ’s, a retailer. All this is just simply regular transactions in the ordinary course of business. BJ’s transaction system, which was designed by IBM, trapped the transaction data; it was not supposed to, but it did.
The trapped transaction data was stolen from BJ’s system and the banks were forced to reissue cards and cover fraud costs under Visa’s No Loss policy for customers. So, the issuing banks who issued credit cards, who had done nothing wrong but just put their cards out in commerce, now are picking up the costs related to BJ’s data theft. So the banks sued BJ’s to recover these costs, and they also sued the bank which was the transaction processor for BJ’s.
The banks used a number of theories of liability, including negligence, implied contract, equitable subrogation, equitable indemnification, and breach of fiduciary duty. They basically alleged that BJ’s should have enforced the Visa security rules and if the Visa security rules regarding customer data had been followed the breach would not have occurred.
Unfortunately, for the banks, the court said that there was no privity, no particular reliance upon BJ’s, because the issuing banks didn’t know where their cards were going to be used, they just put them out into commerce and they relied upon, had a general reliance upon the Visa system but not a particular reliance upon the systems that were implemented by BJ’s. The court found that the economic loss doctrine barred negligence claims and the other equitable theories were also dismissed. And so, what we had was a situation where the banks were incurring losses and they had no effective remedy in court. Then the TJX data breach occurs.
In the TJX case, there were years of transaction data involving millions and millions of customer records and those records were the subject of a data breach. There have been several class actions filed, some by consumers, some by shareholders, and some by financial institutions. The Massachusetts Banking Association and a couple of other associations in the northeast filed their lawsuits in a way that was very conscious of the BJ’s case and the way they tried to distinguish their case was to add a claim for unfair practices under the state statute; they claim that the state statute specifically addresses this situation and allows them to recover in a way that was not addressed in the BJ’s Warehouse case.
In the TJX case there is a proposed settlement for the consumer claims but as far as I know the bank claims are still pending.
Where Is A Remedy?
The banks issuing credit cards are still without an effective remedy in court, and the next avenue that financial institutions can pursue is within the state legislatures, and the first example of this was in Minnesota. The Minnesota statute is a very short statute, and it basically adopts an absolute rule, with respect to a data privacy obligation, and basically it says that an entity that has transaction data, essentially a retailer, can keep that data only for 48 hours. It doesn’t talk about the need to have any customer return policies or anything like that, it simply says 48 hours and the data must be gone and if there’s a breach of data security, of the system, and that data is exposed, then the statute says that the retailer shall reimburse financial institutions for their breach costs.
I think this is an obvious reaction to the holdings in BJ’s Warehouse case, and the further huge data breach occasion with TJX. While this is initially at face value good for financial institutions, it’s going to create some problems, I think, and we need to think about how this is going to affect data breach issues generally.
The basic problem that the Minnesota law has is that it assumes that there is someone in each case that is to blame for a data security breach. Now, in TJX that was certainly the case, its system was wildly out of compliance, but in many cases people can adopt a security system that is in compliance with industry norms and industry standards and there can still be a data breach. In other words, there’s no such thing as a perfect data security system, yet the legislature in Minnesota says, notwithstanding, somebody using best efforts and reasonable means to protect data, we’re going to tag you with responsibility for this and basically, it is taking the position that the legislature can allocate risk in this area.
The Schwarzenegger Veto
There’s a very interesting second example of this, in California, which, as we noted earlier, is one of the leaders in privacy laws in the United States and is used as a model for many other states.
Yet, in the most recent legislature session in California, Assembly Bill 779 was proposed and it basically made retailers responsible for the breach costs and the notice costs and other costs incurred by financial institutions as a result of a breach. This was legislation sponsored and backed by the California Credit Union League and it was pending for a long time and just last week it was vetoed by Governor Schwarzenegger. In a press release, the governor said, “The bill attempts to legislate an area where the marketplace has already assigned responsibilities and liabilities.” It will be interesting to see how other states approach this area and whether they attempt to allocate risks and assign responsibility in the same way that Minnesota has for data security breaches.
Three Standards
The central question will be “who bears or should bear the risk of security breaches involving credit and debit cards?” And it seems to me there are three approaches at least. One would be the system owner rule, which is pretty much the Minnesota rule, making the owner of the system responsible for all breaches in the system.
A second alternative would be the litigation rule, which basically ensures a clear right to sue for data breaches but may also include some defenses. For example, under proposed legislation in Texas, a cause of action was created; the legislature denied any kind of class action status to that cause of action and said there was essentially an affirmative defense if you complied with a standard for maintaining security of sensitive data. That bill was not passed by the Texas legislature but it is a model, it’s out there. The third alternative is the card association rule.
Basically, the card associations have their own private way of management of claims they can assess fines for participants. They did so in the BJ’s case for hundreds of thousands of dollars and do allow some reimbursement costs to issuing banks who are participants, but it’s a private system and it probably will not answer the question as to whether there are public litigation rights available for financial institutions in this area.
Outsourcing Risks
So, again, new developments, very new law, very unsettled and worth keeping an eye on. Let’s move to outsourcing risks.
This is an area that is going to be a continuing and growing concern for financial institutions, especially where the outsourcing involves non-public personal information. The security breach risks simply increase the level of risk associated with an outsourcing transaction because of the breach costs involved and the reputation risk involved. Nobody is going to remember who the processor was, everyone is going to remember who the financial institution was if there is a security breach. And if there is a data breach due to a lack of actual security by the outsourcer, then it’s an additional reason why you might have to change the outsourcers to another provider. However, every time you change outsourcers that’s another risk in terms of negotiating the new contract and the new transfer of data. And in this context, outsourcing can mean everything from data processing to the delivery of magnetic tapes and the destruction of data. As you know under FACTA and other data safeguarding laws, even destruction of data is now covered by regulation and is now often outsourced by financial institutions.
Let’s discuss the positions of the parties with respect to the allocation of risk in this area, that is, the data breach risk.
The customer view is that the outsourcer is responsible for its operations and is in the best position to prevent the loss, so it’s basically the financial institution saying to the outsourcer, “It’s your responsibility and you indemnify us for any losses resulting from your failure to live up to that responsibility.”
The outsourcer’s view, as I mentioned earlier, is there’s no perfect data security system, the bank itself could not ensure perfect security, and so it’s unreasonable for the bank to insist that the outsourcer have perfect security. The outsourcer would say, “Look, we will use industry standard methods to protect data but if we go beyond that and say that we’re responsible for every potential breach when somebody breaks the law and raids our system, then we essentially become the insurer of the financial institutions and we’re in the outsourcing business, not the insurance business.”
Both views have their points; it is a matter of negotiation. The negotiation usually comes down to a few contract clauses that you’re going to have to carefully negotiate in your outsourcing agreements.
Key Contract Clauses
Obviously, the indemnification section is going to need to be closely looked at and is going to have to discuss the relative position of the parties. You can slice and dice this various ways; it may include, for example, a data security standard and compliance with laws. Sometimes financial institutions want the outsourcer to comply with the data security standards that are developed by the financial institution’s data security group. So, there can be lots of standards that are imported into a contract and into indemnification provisions.
The limitations of liability provisions are also heavily negotiated. There can be caps and subcaps and parties can choose to determine whether the costs associated with data breach are inside or outside of a cap for limitation of liability. More and more now, the owner of the data will also want to make sure it controls the notice procedures for any kind of data breach.
There are also insurance considerations, a more careful analysis of what insurance is available, when that insurance can respond to data security breaches, and the like; that’s another way to address a risk of loss — through the insurance that the insurer or the financial institution may have.
Offshore Outsourcing
Offshore outsourcing is not expressly prohibited by the financial institution regulators, but it does present some additional risk analysis that you will have to consider as a financial institution if your outsourcer proposes that some or all of its functions are going to be moved offshore.
You’ll have to look at country risk and system control risk, that is, is the outsourcer operating its own systems offshore or is it relying upon a third party to operate other systems? And there’s enforcement risk: will the financial institution have an effective remedy if there’s a data breach offshore?
Summary
The likely trends in this area are that large vendors will want to continue to access cheaper solutions and so vendors will be coming to financial institutions more and more often asking, “Is it okay if we have some of this sensitive data go offshore?” In all contracts, the vendors will want to continue deflecting risks, including the risk of data security breaches. I think there will be a closer regulatory view of key vendor contracts, especially the risks associated with data security breaches. At the same time there’s a pressure in financial institutions to increase their marketing efforts and services. The door is open for a variety of service offerings by financial institutions and those institutions want, of course, to take advantage of that freedom—but the more services you have the more occasion there will be for the risk of data security breaches, so those will remain in tension.
And so, in conclusion, I think privacy and data security issues for financial institutions continue to be rapidly changing. There’s going to be a movement from rules-based analysis to remedies-based analysis; credit card risks remain an issue for credit card issuers; and outsourcing will be a continuing area of concern as vendors seek to limit their exposure in this area.
With that, I’m going to turn the program over to my friend, Rob Scott.
Scott: Thank you, Chris.
I’m going to try not to cover the same areas that Chris did but there may be some overlap. My focus is really going to be on network security and privacy injury liability from a legal perspective and focusing on introducing a study that we commissioned with the Ponemon Institute and what we learned from that, and then moving from there into the actual cases and legal theories that are out there and introducing some risk mitigation strategies that we’re recommending to our clients in financial institutions.
The Research
The image of ostriches with their heads in the sand is an appropriate one for introducing the research that we commissioned with the Ponemon Institute. We conducted the survey in May of ’07 and what we did was survey 720 C-Level executives in midmarket and large enterprise firms, primarily chief security officers and chief information security officers, CIOs and chief privacy officers. What we learned in that study was quite amazing.
First, as Bar Chart 1 indicates, 85 percent of respondents experienced a data breach or security incident and of those 85 percent, 81 percent believed that they had a notice triggering obligation in connection with the security incident, i.e., having to have given written notice to affected parties even under GLBA and related regulations or state privacy rules. I was quite surprised at the number of organizations that had experienced a notice-triggering security incident.
With respect to the probable cause of the data breach, as indicated in Bar Chart 2, we found that 42 percent relates to missing laptop devices and PDAs. If you look at negligence being the top three — 42 percent for missing devices, 16 percent for negligent employees, and 10 percent for negligent third parties — you see that a very large percentage of the overall incidents are caused by things other than hackers and malicious activity. In fact, criminal activity, which would cover hacking, is only six percent of the total and yet, if you think about where most people are focusing their spending, a lot of security spending is focused on securing the endpoints, securing the perimeter, and securing the firewalls. Yet so many incidents being caused by negligence suggests in my mind a slightly different focus for the investment of additional resources in those areas.
We also focused on what organizations are failing to do following an incident.
As indicated in Bar Chart 3, 73 percent of the respondents that suffered a security incident did not invest in event management tools; 46 percent had not invested in training; and 46 percent had not invested in an encryption solution. So the proactive side of avoiding liability for privacy and security related risks is really not where they need to be, particularly in the area of encryption, because most of the legislation defines personal information using the word “unencrypted” to identify the information that is covered. Thus, if the data is encrypted, for example, on a laptop that goes missing, you don’t have a privacy event in most instances and so encryption technology is very important. We are recommending to our clients to consider the Seagate hard drives that are now shipping with the Dell Latitude line of laptops if you’re with Dell. Seagate has been instrumental in developing encryption standards that are on the hard drive and you can specify on your new laptops to have encrypted hard drives; it avoids the problems that some of our clients have experienced with third-party software applications and certainly is going to ultimately lower the cost of employing the encryption solutions in your organization. I recommend to all of you to talk with your IT management folks and see if there’s a way for laptops to include hard drives that have encryption technology built in.
Data Breach Costs
The thing that was absolutely staggering to me is that very few associations calculated the costs associated with a data breach, and those that did really underestimated the importance of what I refer to as “privacy trust.” Privacy trust is the reputation that your organization has in the marketplace with its clients and prospects as pertains to their perception of how well you do at guarding their personal information. Particularly in the financial services area, privacy trust is a very important factor because of the nature of the relationship; it’s very sensitive, monetary transactions are going on, and privacy trust scores go down when security incidents occur and when firms do a poor job of dealing with data privacy incidents.
Getting back to the costs, people are mostly just looking at costs to notify victims; not many are doing a great job of looking at loss of customers and decline of share value as a result of a security incident. The TJX case that Chris mentioned was settled within a series of those cases: all of the consumer class action cases were settled within the last few weeks, and the report was that the total dollars for the settlement were within the $108 million that was previously estimated by the company. So, in the large cases, you can certainly see a major impact.
One of the things that I see in my practice a lot when I am hired by my clients to investigate a security incident is that many, many organizations rush to judgment, don’t analyze the situation accurately, and wind up in situations where they’re overreporting. This survey sort of bears that out.
- 37 percent of the respondents indicated that they notified everyone, anyone who was potentially affected without regard to probability of harm or without regard to a compliance obligation to give notice — they notified everyone.
- 36 percent did a careful assessment before notifying, and
- 14 percent notified only after absolute confirmation of harm.
I think it’s critically important when facing a security incident that is potentially notice triggering that you analyze the whole situation to make sure that you know what all of your compliance obligations are, and then and only then make a decision from a business perspective as to how you want to go about discharging your obligations and/or doing other things for the customers that are potentially affected.
The survey also measured how suffering a data breach impacted IT spending, and what we found is that spending as a percentage is up 100 percent for those that had a breach versus those who have not yet had a breach. I question whether those who did not have a data breach had spent very significant money on training and awareness, with a significant impact on avoidance of a security incident, but certainly training is an area where I think most companies are underspending and where there’s the most opportunity, especially within financial institutions, to mitigate risks.
The other area that I think is worth noting here, and Chris will appreciate this, is that of those who had a breach, 37 percent were spending on outside legal counsel, and in the proactive sort of non-breach scenario there was only 15 percent. I think it’s important to evaluate in the breach situation that there are tremendous benefits that lawyers, particularly outside counsel, can bring, with attorney work product and attorney-client privilege extending to the investigation of the incident.
In the attorney work product privilege context, we have something called the “predominant purpose” test related to anticipation of litigation. What all that means is that, for example, if you bring in a forensics group to help you investigate a security incident, it may be determined that the principal purpose of that activity was to secure the network and make sure that information was gathered, and not necessarily anticipation of litigation. So if you’re dealing with a security incident, particularly one that may escalate into a compliance challenge either in the form of notice and/or possible regulatory or private action claims, it’s important to get an attorney that has expertise in privacy incident response on board as quickly as possible to mitigate the total risks.
Risk Management
That sort of covers the key findings from the survey. Now, I want to focus on risk management and look at what kind of privacy injury claims are out there in the marketplace, and then what you can do from a risk transfer perspective to avoid getting caught up in these situations.
I know that Chris mentioned insurance considerations and I’ll be framing some of these privacy injury claims scenarios from an insurance perspective.
First of all, the three main categories that we see from the perspective of privacy injury claims are federal regulatory investigations, state regulatory investigations, and then private causes of action.
From an FTC perspective, we see the FTC bringing actions in the wake of security incidents alleging all of these different causes of action. You’ll see that the one I think is most prevalent in the area of security incidents is the failure to maintain adequate security. Every security incident case of any consequence is going to have a claim for negligence, a negligent failure to provide adequate security.
The FTC is bringing actions to enforce violations of GLBA, and there are some significant costs associated with FTC investigations. Some cases that you may be aware of, Superior Mortgage, DSW, and ChoicePoint, have two significant financial components: one, the payment of monetary settlements, and then significant costs of compliance monitoring for up to 20 years in a couple of these cases. There is very significant legal liability eventually associated with FTC investigations, and I want to use this as an opportunity to introduce a new series of insurance products that are aimed at covering privacy injuries.
Many companies have these policies. AIG and CNA are sort of the leaders in this space, and these policies cover all of the costs associated with responding to a security incident that results in either breach notification obligations or regulatory or state causes of action, in terms of duty to defend. They provide a defense in these claims and, specifically, the two policies that I’ve mentioned, AIG’s and CNA’s, both cover the costs related to defending FTC enforcement actions relating to privacy injury.
Similarly, under state law we see a number of actions coming about, and the largest category in this area is violations of requirements to protect or destroy customer data. Those of you who are familiar with the GLBA framework know that many states are passing what is equivalent to the GLBA safeguards rules, which require companies to take appropriate actions to protect customer information from a physical and electronic security perspective. Many are enacting these laws under the rubric of identity theft protection legislation, and state attorneys general are bringing lawsuits under these statutes, with particularly high prevalence in the so-called “dumpster diving” situations, where people are being targeted for disposing of documents in the trash and thereby creating an identity theft risk.
In Texas, the safeguards rule under Texas law is carved out for financial institutions, so if you’re a financial institution governed by GLBA you may or may not be governed by state identity theft regulations; that’s something to look at from a compliance perspective.
State Regulatory Investigations
There also are state regulatory investigations, and for the kinds of things that they’re going after and enforcing, again, there is insurance available to cover these investigations. I recommend that to all of my clients that are in the financial services arena, because those clients are very high risk targets for privacy injury.
Most of my clients are trying to gain an understanding of what the risk management landscape is like. Coming from the case law itself, causes of action taken directly from the pleadings include privacy injury causes of action and breach of contract claims; it’s fairly straightforward. Chris mentioned some of them; these are typically “bank on bank” kinds of causes of action, where one bank is suing another bank for losses related to reissuances of credit cards and the like.
There are also third-party beneficiary claims, a related concept under breach of contract where you might not have been a party to the contract but you’re alleging third-party beneficiary status. One of the cases that Chris mentioned talked about no privity of contract; that’s something that’s going to be important in the contract claims area, particularly when you’re evaluating a third-party beneficiary claim. The same goes for contractual and non-contractual indemnity claims; these are basically claims where one party who is being sued for a loss then makes a claim over against a service provider or a vendor. In our experience, our financial services clients are mainly being exposed based on third-party handling kinds of risks. One of my clients had all of their financial statements printed on their competitor’s letterhead and sent out to their customers, so those kinds of third-party handling claims are fairly prevalent and can give rise to contractual indemnity claims.
It’s important in this area to understand from a risk management perspective — and I know that Chris talked about the transactional requirements and requiring your vendors to adhere to certain security rules — that GLBA requires, under the GLBA privacy and safeguards rules, that all vendors must agree to adhere to the same standards as pertain to regulated companies.
But I also think it’s important, if you’re thinking about insurance, to make sure that you get insurance that will protect you for claims related to your data regardless of where your data resides, so that if a handling company is negligent and it results in a loss for which you’ll be financially responsible, your insurance will kick in and you won’t necessarily be relying on indemnity claims against your vendors to be made whole from a privacy injury.
Negligence Claims
The negligence claims are the largest and, I think, will be the most enduring. These are claims that sound in negligence, and the basis of the claim is that you had a duty to maintain security, either statutory or otherwise, and you failed to act as a reasonable person in discharging those responsibilities. I think that, in 20 years, when we’re talking about privacy injury liability, we’ll be talking about what it means to act as a reasonable person in connection with maintaining adequate security. I just think that, of all the theories, that is the one that is going to be most prevalent.
The other one that we see a lot of is negligent misrepresentation regarding breaches in security. A lot of lawsuits regarding privacy injury not only allege failure to maintain security, but they also allege that, with respect to the information that the company disseminated and/or with respect to failure to give notice timely, the individuals were damaged as a result of those failures, and they’re counting that as a negligent misrepresentation cause of action.
Of the private party claim scenarios, one that I’d like to talk about that Chris didn’t have an opportunity to mention is the wave of class action cases that are pending now under the amendment to the Fair Credit Reporting Act, which requires that companies that print invoices or receipts that have credit card information on them must redact those receipts to exclude card number information and expiration date information.
There has been a wave of class actions against a number of companies for violating the law, and the potential liability in the eyes of one court in California was catastrophic, so much so that the amount of the claim grossly exceeded the total net capital value of the defendant in that case. So, this is something to be concerned about.
Chris alluded to, and I’ll mention again, that the PCI data security standards have been front and center, and the question arises as to what extent the PCI standards come into play in the courtroom when you’re asking what it means to act reasonably under the circumstances. There are some who think that, over time, the PCI standard will sort of be the bright line standard in credit card cases, where if you’re not in PCI compliance there’s some sort of strict liability.
Interestingly, in the TJX case, a third bank was sued for failing to require TJX to maintain compliance with PCI standards. That case was settled, so it didn’t proceed through court, but it’s interesting to view this case, where the merchant bank would be responsible for requiring the merchants to be in compliance with PCI standards; that was the nature of the cause of action against the third bank in one of the TJX incident lawsuits.
State Breach Notification Laws
We maintain a database of state breach notification laws and we categorize them by their salient differences. You can see whether there’s civil or criminal penalties, whether or not there’s a private right of action, whether or not there’s encryption information, whether or not there’s exemptions for criminal investigations, and whether or not there are exemptions for immaterial breaches. Here is that chart:
Question: Does it make a difference what type of encryption is used for privacy regulation purposes?
Volkmer: I’ll start, Rob, and maybe you can finish. To my knowledge, it does not. There are various levels of encryption that are available, but the statutes that I have seen don’t distinguish between those levels; they use encryption as a generic term, and so even if a party uses an encryption scheme that is maybe outdated and maybe relatively easy for a sophisticated hacker to get through, nevertheless, it could qualify as encryption for statutory purposes. What do you know about that, Rob?
Scott: Yes, I agree with everything Chris said. Encryption technology is usually measured in bits; the standard is either 128- or 64-bit encryption. I don’t think that matters at all. I think the difference between whole disk versus file level encryption will be very important, because it will be very difficult, when the laptop goes missing, for example, to prove that the particular data in question was encrypted if, for example, you encrypt only some portions of the hard drive versus others. So, I encourage clients to pick whatever encryption platform they like. I like the sort of on-board approach, on the hard drive, which is sort of the emerging standard, but make sure that whatever you’re using, you’re using whole disk and not file level encryption.
