Entries tagged with "security breach"
Privacy and Data Security Act of 2007

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft. The state provisions are not uniform, and are often difficult to reconcile. Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.
After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform. One proposed bill, the Personal Data Privacy and Security Act of 2007, proposed by Senators Leahy and Specter, requires entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information.
Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws. Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

Tags: Privacy Notice, breach notification, data breach, data privacy, data security breach, privacy
Using Insurance Coverage to Mitigate Risks Associated with Data Breaches

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to assist with the new risks associated with technology, including costs associated with data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs associated with investigating the breach to determine whether state laws require notification of the breach. Additionally, the insurance coverage will provide assistance to pay for the costs associated with breach notification requirements.
The new policies include coverage for the following claims:
- Failure of network security;
- Wrongful disclosure of private or confidential information;
- Failure to protect confidential or private information; and
- Violations of federal, state, or local privacy statutes.
Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also assist with the costs associated with defraying damage to the company’s reputation following a security breach. The insurance coverage will provide crisis management and reimbursement for public relations expenses.
Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG’s Corporate Identity Protection offers a unique product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions that the insurance company will be required to pay for an attorney to defend the company in the unfortunate event that the company experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, like credit monitoring and identity theft education, for the individuals affected by the security breach.

Tags: Security Breach, breach notification, data breach, data breach notification, data security breach
Recent Federal Government Data Breaches

Private businesses are not the only victims of theft relating to confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy and took a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975. Burglars stole the laptop from the employee’s home. The information stolen included names, Social Security numbers, disability ratings, spouses, and dates of birth. In June, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.
The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records. The TSA purchased credit monitoring services for employees whose data was involved in the breach.
On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk. The FTC attorneys were working on a case and were authorized to have the laptops. The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth of persons the FTC had investigated. The laptops did not contain any information about FTC employees or government officials. Ironically, the laptops contained sensitive personal information about defendants who had been investigated for stealing other people’s identities. The FTC offered free credit monitoring to 110 people as a result of the theft.

Tags: data breach, data privacy, data security breach, privacy
Businesses Fail to Guard Against and Respond to Data Security Breaches at Their Peril

A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.
Pharmacy benefits manager Express Scripts is facing a class-action lawsuit filed by an Express Scripts member who alleges that the company failed to use effective measures to protect the secrecy of its members’ confidential information and that it also failed to give reasonable notice of a security breach potentially affecting millions of those members. The complaint alleges that Express Scripts received an extortion demand in October 2008 indicating that an unauthorized third party had gained access to members’ personal data and that some individual members also had received similar threats. The complaint further alleges that Express Scripts failed, in the months following the breach, to send any notifications to its members other than vague statements posted on its website in November.
Currently, businesses with nationwide operations face a patchwork quilt of federal and state laws regarding both the steps required to safeguard personal data and the steps to be taken in the event of a breach. With regard specifically to post-breach notifications, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands have all enacted their own legislation requiring notification of security breaches involving personal information. Therefore, for large enterprises such as Express Scripts, which is also subject to complex federal rules such as HIPAA, data security planning can be a daunting undertaking.
However, businesses choosing or needing to retain potentially sensitive customer information nevertheless must make appropriate plans. The alternative, as Express Scripts may learn, entails negative publicity as a result of the initial breach, compounded by negative publicity as a result of an inadequate response. That kind of reputational damage can be difficult and costly to repair, especially if or when attorney’s fees and civil damages enter the equation.
All businesses, large and small, that handle confidential customer information must consult with knowledgeable counsel to ensure that they are protecting against and prepared for data security breaches.

Tags: data breach, data security breach

Costly Privacy Breaches in 2009

Network security failures have led to some of the largest breaches of private financial and personal data in 2009.
- Heartland Payment Systems reached a settlement with American Express for $3.6 million after a security breach revealed 130 million credit and debit card numbers, affecting nearly 4.2 million people. Several class action lawsuits are currently pending.
- Although Heartland Payment Systems exposed private financial data for American Express customers that resulted in a multi-million dollar settlement, American Express faced its own privacy breach in Phoenix, Arizona. A company employee enabled accomplices to withdraw more than $1 million by supplying PIN numbers, account information, and credit and debit card numbers.
- In 2008, a Countrywide Financial employee copied data onto a flash drive with the intention of selling nearly 2 million customer records. One year later, after Bank of America acquired Countrywide, it discovered a man posing as an Air Force reservist had obtained thousands of account numbers, resulting in a loss of $500,000.
- One of the top security breaches did not result from hacking, but rather the implementation of a skimming device on ATMs. Chase Bank discovered a skimmer had been placed on ATMs, recording the magnetic strip information and taking small amounts of money from customer accounts, totaling nearly $1.8 million.
- RBS Worldpay experienced a similar breach after hackers obtained financial data and cloned ATM cards, stealing nearly $9 million from more than 130 ATMs.
- An unknown source managed to obtain and sell Capital One Bank’s customer information online. Using counterfeit cards and customer information, the crime ring collected more than $650,000 from ATMs in Minnesota.
- Accounting departments should carefully scrutinize employee payrolls: PayChoice, a payroll processing company, was alerted that its system had been compromised after customers reported that fake employee names had appeared on their payrolls. The extent of the financial information exposed is not currently known.
- The Bank of New York Mellon learned that employee information should be protected from hackers and theft. A man used more than 150 identities of bank employees to take $1.1 million. The theft targeted charities, non-profit organizations, and other entities.
- Internet service providers should take heed from the breach at Network Solutions, where code implanted on the company’s web servers tracked and copied financial information from hosted online stores. Nearly 573,000 credit and debit card accounts were compromised.
Companies should work with counsel and other qualified consultants to take extra precautions to protect web servers and restrict employee access to private personal and financial data to prevent cybercrime.

Tags: network security, security breach