Entries tagged with "data breach"
Privacy and Data Security Act of 2007

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft. The state provisions are not uniform, and are often difficult to reconcile. Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.
After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform. One proposed bill, the Personal Data Privacy and Security Act of 2007, proposed by Senators Leahy and Specter, requires entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information.
Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws. Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

Tags: Privacy Notice, breach notification, data breach, data privacy, data security breach, privacy
Using Insurance Coverage to Mitigate Risks Associated with Data Breaches

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to assist with the new risks associated with technology, including costs associated with data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs associated with investigating the breach to determine whether state laws require notification of the breach. Additionally, the insurance coverage will provide assistance to pay for the costs associated with breach notification requirements.
The new policies include coverage for the following claims:
- Failure of network security;
- Wrongful disclosure of private or confidential information;
- Failure to protect confidential or private information; and
- Violations of federal, state, or local privacy statutes.
Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also assist with the costs associated with defraying damage to the company’s reputation following a security breach. The insurance coverage will provide crisis management and reimbursement for public relations expenses.
Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG’s Corporate Identity Protection offers a unique product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions that the insurance company will be required to pay for an attorney to defend the company in the unfortunate event that the company experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, like credit monitoring and identity theft education, to the individuals affected by the security breach.
Tags: Security Breach, breach notification, data breach, data breach notification, data security breach
Recent Federal Government Data Breaches

Private businesses are not the only victims of theft relating to confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy and took a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975. Burglars stole the laptop from the employee’s home. The information stolen included names, Social Security numbers, disability ratings, spouses, and dates of birth. In June, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.
The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records. The TSA purchased credit monitoring services for employees whose data was involved in the breach.
On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk. The FTC attorneys were working on a case, and were authorized to have the laptops. The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth for persons the FTC had investigated. The laptops did not contain any information about FTC employees or government officials. Ironically, the laptops contained sensitive personal information for defendants that had been investigated for stealing other people’s identities. The FTC offered free credit monitoring for 110 people as a result of the theft.

Tags: data breach, data privacy, data security breach, privacy
More Food for Thought on Data Breach Notification Laws

A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies from 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006. However, despite such figures, the number of known cases of identity theft resulting from data breach has been relatively low. As an example, the report states:
“…our review of the 24 largest breaches that appeared in the news media from January 2000 through June 2005 found that 3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination.”
However, the report also reminds its audience of the challenge involved in measuring the effects of data breach on victims, since those victims often are unaware that the security of their personally-identifiable information has been compromised and since many criminally-inclined recipients of lost or stolen data often wait for a year or more before attempting to make any use of the information.
The report makes no official recommendations, though it does emphasize the need for Congress, in considering the various potential federal data breach notification bills before it, to weigh the benefit of any such legislation against the cost of compliance, both in terms of the financial impact to business as well as the risk that consumers might begin to disregard breach notices if they become too numerous.
None of this should sound terribly shocking to anyone who follows this issue, although the release of the GAO report likely will make lawmakers feel more justified in taking even more time to make a decision with regard to a federal data breach law. That may be a good thing, to the extent that further deliberations might help Congress to formulate a risk-based approach that is not unnecessarily onerous for the businesses that would have to comply with the statute. However, the longer the issue is left unresolved, the longer those same businesses will be left scratching their heads trying to follow the patchwork quilt of state data breach laws or risking their necks being early adopters of umbrella rules or perceived trends in best practices.
Tags: data breach, data breach notification
State Data Encryption Laws Ready to Take Effect

By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data. While contingency planning in light of these laws (now present in 44 states and the District of Columbia) usually entails some up-front costs in the form of diverted resources and attorney’s fees, the overall cost of implementation has been relatively low. It may be fitting, then, that the perceived benefit of these laws has been similarly minimal, with some estimating only a 2% reduction in identity theft in recent years that can be attributed to data breach notification legislation.
It is perhaps as a result of such low estimated return that some states now are starting to implement tougher standards describing the steps that businesses must take in order to prevent such breaches from occurring in the first place. Nevada’s law is the first and went into effect on October 1, 2008. Massachusetts is set to follow with a more detailed set of regulations in January, with Michigan and Washington State in the process of considering similar measures.
The Nevada provision is succinct:
A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
“Encryption” and “personal information” are defined by reference to other statutes and have meanings similar to those typically used in the notification laws. (See NRS 597.970.)
The effect of the Nevada law is to give a victim of identity theft resulting from data breach a statutory standard of care to enforce against the business that, as a result of negligent (or other) non-compliance with the law, experienced the breach that led to the identity theft in question. Other questions pertaining to the practical implementation of the standard remain, including how to show a causal link between the breach and the ID theft and whether some injury short of ID theft – such as the cost of signing up for credit monitoring – would support a damages claim sufficient to allow a case to proceed to trial. However, it is clear that companies doing business in Nevada now have a tangible interest in deploying encryption technology to protect the data of customers living in that state.
In Massachusetts, the stakes could be even higher. There, the state’s Office of Consumer Affairs & Business Regulation has adopted regulations, to become effective on January 1, 2009, that provide detailed definitions of the standards businesses must meet in order to bring their data handling technology and protocols into compliance. (See 201 CMR 17.00.) While the Massachusetts regulations’ enabling statute does not create a private cause of action for failure to comply, it does give the state attorney general the authority to file a lawsuit for injunctive relief and, in some cases, civil penalties up to $5,000.00 per violation.
As with the notification laws, there is no unified, federal standard for data handling to pre-empt what may become another medley of state laws for businesses to navigate. If these laws become more commonplace (and it appears that they very well may), it will become even more critical for companies conducting interstate transactions to work closely with counsel in order to ensure their compliance with all applicable data handling standards and safeguards.
Tags: data breach, data security
State Data Breach Notification Legislative Update

In the past year, five states – Alaska, Iowa, South Carolina, Virginia, and West Virginia – have enacted data breach notification laws, bringing to 45 the total number of U.S. jurisdictions (plus Washington D.C.) with laws on the books. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.
For the most part, all of the new laws follow what is now a fairly familiar pattern for data breach notification requirements. All require that notice of a breach be provided without “unreasonable delay,” but notice may be delayed to accommodate any pending law enforcement investigations. Notice also is not required under any of the new laws when the data that was accessed was encrypted. All of the laws provide for civil penalties for failure to comply.
However, there are a couple of noteworthy differences. West Virginia and Iowa join a minority of states with laws that do not allow for private causes of action for failure to comply with the notification requirements. In addition, the South Carolina, Virginia and West Virginia enactments contain no express exemption for immaterial breaches, though breaches requiring notice generally are defined to include only those where there is a reasonable risk of harm to the person whose data was accessed.
As always, businesses handling personal information should continue to remain vigilant regarding any new or revised provisions in the data breach notification laws for the jurisdictions in which they conduct business. There have been no major, new developments regarding the enactment of a national data breach notification law, and, at this point, with so many state laws on the books, it is possible that a federal law either will, if passed, provide only supplementary requirements in addition to the state laws or will fail to reach passage altogether. The longer the state regimes remain in place, the less the likelihood of complete federal preemption on the issue.
Therefore, for the foreseeable future, businesses will need to maintain up-to-date notification procedures that are in compliance with the laws of each state where they operate. It remains advisable to consult with counsel in developing procedures that are consistent with business goals and objectives.

Tags: breach notification, data breach
Businesses Fail to Guard Against and Respond to Data Security Breaches at their Peril

A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.
Pharmacy benefits manager Express Scripts is facing a class-action lawsuit filed by an Express Scripts member who alleges that the company failed to use effective measures to protect the secrecy of its members’ confidential information and that it also failed to give reasonable notice of a security breach potentially affecting millions of those members. The complaint alleges that Express Scripts received an extortion demand in October 2008 indicating that an unauthorized third party had gained access to members’ personal data and that some individual members also had received similar threats. The complaint further alleges that Express Scripts failed, in the months following the breach, to send any notifications to its members other than vague statements posted on its website in November.
Currently, businesses with nation-wide operations face a patchwork quilt of federal and state laws regarding both steps required to safeguard personal data as well as steps to be taken in the event of a breach. With regard specifically to post-breach notifications, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands all have enacted their own legislation requiring notification of security breaches involving personal information. Therefore, for large enterprises such as Express Scripts, which is also subject to complex federal rules such as HIPAA, data security planning can be a daunting undertaking.
However, businesses choosing or needing to retain potentially sensitive customer information nevertheless must make appropriate plans. The alternative, as Express Scripts may learn, entails negative publicity as a result of the initial breach, compounded by negative publicity as a result of an inadequate response. That kind of reputational damage can be difficult and costly to repair, especially if or when attorney’s fees and civil damages enter the equation.
All businesses, large and small, that handle confidential customer information must consult with knowledgeable counsel to ensure that they are protecting against and prepared for data security breaches.

Tags: data breach, data security breach
Dave & Buster’s Busted

The FTC recently approved a settlement with Dave & Buster’s, Inc., a restaurant and arcade chain, for the largest recorded data breach of private credit card information.
The hackers responsible for stealing credit card data from Dave & Buster’s gained access through an unsecured wireless Internet router, or wireless access point (WAP). The hackers had sought out businesses with no Internet security password and, after gaining access to the networks, had obtained credit card numbers and customer data in real time as the cards were swiped.
There is a growing trend for the FTC to seek civil damages for lax Internet security in order to encourage businesses to provide additional protective measures for online data, including wireless Internet routers. In addition to the monetary damages Dave & Buster’s will pay to settle the claim related to this data breach, the company will be required to maintain an information security program and to have its security systems professionally audited semi-annually.
Basic information security guidelines can help to prevent this type of breach. It is important to secure passwords, to enable firewall protection, and to institute additional, appropriate security safeguards to protect consumer information. This is especially important when dealing with sensitive financial data.

Tags: data breach, information security