Published by Al Saikali

In 2005, a company called ChoicePoint, which collected personal and financial information for millions of consumers, was the victim of a security breach.  Criminals stole from ChoicePoint personal information for more than 145,000 individuals.  The floodgates opened and a variety of other corporations and organizations revealed similar data breaches that had resulted in unauthorized access to the personal information of 52 million individuals.

As a result of the ChoicePoint breach, states began enacting data breach notification laws that required companies and organizations to disclose major data breaches.  California was the first such state, and its law has been the model for data breach notification laws all over the country.  See Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82.  In fact, the only states that do not currently have data breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

This blog post discusses how these data breach notification laws operate generally, keeping in mind that there are some differences from state to state.  The most important issues are who/what is protected by the laws, when is a data breach considered to have occurred so that the law is triggered, when should notification take place and what must the notice contain, and what are the penalties for failure to comply with the laws.

What/who is protected by data breach notification laws?  The laws protect the “personal information” of a state’s residents.  Personal information is usually defined as a person’s name in combination with some other private information such as a social security number, driver’s license number, account/credit card number, medical information, or health insurance information.  Some states have expanded the definition to include biometric data, fingerprints, retina images, and DNA profiles.  Personal information does not include publicly available information such as publicly available property information or criminal records.  The laws apply to any person or business that conducts business in the state where the law exists, including businesses not located in the state that are collecting information about the state’s residents, and any state agency that owns or licenses personal information.

When are the data breach notification laws triggered?  Data breach laws typically apply when there is an unauthorized acquisition of computerized data.  It includes a wide range of activity, from the intentional (hacking, theft, and corporate espionage, for example) to the negligent (losing a hard drive containing private customer information, or misdirecting electronic information).  Most data breach notification laws, however, do not apply to data that is encrypted (though the level of encryption and whether encryption is required at rest and/or in motion, is not clear) and sometimes the laws do not apply if the information is redacted.

When should notification of the data breach take place?  Once a company has determined that it was a victim of a data breach, it must usually provide notice of the breach to those individuals whose data has been accessed in an unauthorized manner.  Some states provide a specific deadline for when notice must take place, but many states simply require that disclosure take place within “the most expedient time possible and without unreasonable delay.”  An organization’s disclosure can usually be delayed if it would impede an ongoing criminal investigation.  In some states, notice is not required if, after an independent investigation or consultation with law enforcement, there is a determination that the breach did not result in harm to consumers.  In certain states there is a requirement for service providers who suffer data breaches to notify the companies that hired them of the breach.

What must be in the notice?  If a determination is made that notice must be provided, then the data breach notification laws usually provide how that notice must be provided (i.e., what information should be in the notice).  The notice should be clear, and as easy to understand as possible.  The notice should explain what information was accessed and it may need to include a credit reporting agency’s telephone number.  Many states require that notice of the breach also be provided to the state Attorney(s) General.

What are the penalties for failure to comply?  If an organization does not comply with the requirements of a data breach notification statute it can be subject to significant administrative penalties of thousands of dollars per day after the disclosure deadline.  Additionally, many states have created a private cause of action (i.e., you can be sued) for not following the data breach notification requirements.

In short, it is important, once an organization suspects that it might be the victim of a data breach, to immediately engage legal counsel to assist in determining whether the breach requires disclosure and, if so, how and when the disclosure should take place.  It should be evident from the above information that the data breach notification laws vary from state to state, so any disclosure notice should be tailored with all relevant state and federal data breach notification laws in mind.  The fact that there are so many different data breach notification statutes is a compelling reason why Congress should step in and pass legislation that makes the data breach notification requirements more uniform.  Congress previously considered such legislation, but it did not become law.

Speaking of federal data breach notification laws, in addition to the state laws governing data breach notifications, there are also federal and international laws that govern data breaches.  Those laws impose even more notification requirements.  They will be discussed in the next post.  Stay tuned.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Yesterday I had the opportunity to speak with Colin O’Keefe of LXBN TV regarding the recent major data breach involving Global Payments Inc. In the interview, I explain the background of the breach, which impacted all major credit cards, the lessons companies can learn from the breach and exactly who bears the burden—financially and otherwise—of the unfortunate situation.



Another massive high profile data breach was in the news this past week. MasterCard, Visa, American Express, and Discover, as well as other banks and franchises were affected.  Significantly, the breadth of the effect was not a result of separate attacks against each bank, but rather a hacking of one common third-party service provider—Global Payments Inc—which processes credit card payments and acts as a “middle man” between the consumer and the bank. The extent of the data breach is not yet fully known, but MasterCard, Visa, and American Express all suffered decreases in the value of their stocks when news of the data breach broke.  Global Payments released a statement that the intrusion was limited to North America and affected up to 1.5 million cards.

If you are a business that maintains sensitive client and proprietary information, there are several important lessons to be learned from this data breach:

  • When you hire a third-party service provider or vendor, you need to know what measures that vendor is taking to protect your data and the data of your customers.  What policies and procedures has the vendor implemented to maintain the security of data you share with it?  What contractual or other legal remedies do you have against the vendor should something happen to the data?  Is the vendor insured for such a loss?
  • Your company’s defenses to a data breach are only as strong as its weakest link. For example, it may not matter very much that your company has adopted the most state-of-the-art, expensive, top-flight security measures if a service provider is not taking equally strong measures to protect the same data.  As Tom Kellerman, a vice-president at Trend Micro, a computer security company, told the New York Times:  “Hackers are well aware that these [payment processing] systems don’t have the same sophisticated levels of security as the banks.  The payment processors have become their Achilles’ heel.”  According to that same article, this was the second known breach that Global Payments has suffered within the last 12 months.
  • It is interesting how the news of this data breach broke — it appears to be the result of a blog post on Krebs on Security, rather than as a result of the work of a major national newspaper or other traditional news entity.  The work of bloggers in this sphere is increasingly impressive. Krebs is just one example.  Databreaches.net is another blog that maintains an impressive record of significant data breaches and further demonstrates the continued explosion of data breaches worldwide.  I would also recommend author Christopher Danzig, who writes frequently for Above the Law and other national and regional publications.
  • It is wrong to simply assume that because the breach occurred, it could have been prevented, or that Global Payments was not doing all it could to prevent the breach from occurring in the first place.  Again, a quote from the NYT article is instructive because it shows the complicated relationship between the banks, the payment processors, the merchants, and the customers:  “‘These folks work night and day to secure their systems, but they are connected to millions of merchants around the country and nothing is absolutely foolproof,’ said Thomas Goldsmith, a spokesman for the Electronic Transactions Association, a trade group.”
  • According to Krebs on Security, the Global Payments breaches occurred as early as January 2011 and then again between January 21, 2012, and February 25, 2012, and at least the first breach appears to have been a “sustained breach” (hackers captured data about 24 million unique transactions on an ongoing basis for the last year), yet news of the breach was not made public until now.  Indeed, were it not for the blog post, one might wonder how long it would have taken for this information to otherwise become public. It may be that Global Payments could not confirm that it had in fact suffered a breach and did not know the source or extent of the intrusion until very recently.  In any event, interesting issues relating to whether, when, and how Global Payments should have disclosed the information are all implicated.
  • Another issue is who will bear the financial burden for the breach? The banks? Global Payments?  The hosting provider for Global Payments?  The merchants? The consumers?  Perhaps a combination of some or all.  The financial burden does not simply mean potential legal liability, but also includes the far greater costs of public relations consequences, damage to reputation and brand, and the cost of remediation and implementing new security measures.  The issue of the financial and public relations fallout will be interesting to follow.

In short, the Global Payments data breach is another example of a high profile data breach that corporations worldwide would do well to learn from.  Arguably the most important lesson? KNOW WHAT YOUR VENDORS ARE DOING TO KEEP YOUR DATA SAFE!

5/6/12 UPDATE:  A May 3, 2012, article in the Wall Street Journal reveals that Global Payments may have underestimated the number of cardholders who were affected by the recent data breach as well as the breadth of the breach.  Initially, Global Payments stated that less than 1.5 million card numbers were accessed.  Now, it appears the breach may have affected as many as 7 million users.  The increase appears to be a result of new information showing that the hackers had access to the customer data since the spring of 2011, far earlier than the January 2012 estimate provided by Global Payments.  As the Journal points out, “[t]he data breach’s wider scope underscores how hard it is to assess the damage that follows hacker attacks.”


This final blog entry in the series about economic cyber-espionage focuses on what, if anything, the government can do and is doing to limit cyber attacks that result in the theft of billions of dollars' worth of intellectual property and confidential proprietary information.

The issue of cyber-espionage is receiving attention from the highest levels of government.  For example, the report that was the basis for this series was prepared by the Office of the National Counterintelligence Executive, which is part of the Office of the Director of National Intelligence.  It is staffed by senior counterintelligence and other specialists from across the national intelligence and security communities.  The Intelligence Authorization Act for Fiscal Year 1995 requires that the President biennially submit to Congress updated information on the threat to U.S. industry from foreign economic collection and industrial espionage.  This report was submitted to Congress pursuant to that obligation.

The issue is gaining significant attention in the U.S. media, for legitimate reasons.  Loren Thompson, a contributor for Forbes magazine, recently authored an article entitled “U.S. headed for Cyberwar Showdown with China in 2012.”  In it, Mr. Thompson points out that even though cyber-espionage is “being executed by a relatively small number of agents linked to the general staff of China’s People’s Liberation Army, the damage they are inflicting on U.S. security and economic competitiveness is judged to be extensive.”  But as Thompson points out, the question is what, if anything, can be done about it.

Part of the problem appears to be identifying precisely who is engaging in these cyber attacks.  According to a report by Siobhan Gorman in the Wall Street Journal, the Obama Administration has had some success in identifying some of the key operatives in the Chinese cyber campaign (though the Chinese claim that such allegations are “totally ungrounded” and that Chinese law “clearly prohibits hacking”).  I highly recommend the article to anyone interested in a deeper investigation into allegations of Chinese cyber-espionage.

Yet, Mr. Thompson of Forbes posits, the administration has taken little offensive action against China because “it doubts confrontational tactics will produce positive results.”  But given the billions of dollars in economic information being lost to the Chinese intrusions and the possibility of far worse attacks, it is far more likely that the administration will be forced to be more openly aggressive.

In addition to the issue increasingly gaining the attention of the executive branch, Congress is considering competing legislation that would seek to limit the risk of cyber attacks.  The Cybersecurity Act of 2012 (S.2105), introduced by Senators Lieberman and Rockefeller, would give the Department of Homeland Security regulatory authority over companies with computer systems crucial to the nation’s economic and physical security.  Republicans have proposed alternative legislation called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (“SECURE IT”).  Crudely defined, the Republican alternative relies on companies voluntarily sharing threat data through certain cybersecurity centers.  In exchange, companies would receive incentives, such as protection from civil lawsuits and exemption from public disclosure.  It is unclear whether Congress will ultimately pass either piece of legislation.

UPDATE:  60-Minutes recently aired a very interesting story on the Stuxnet virus, which is a virus believed to have been used offensively to attack Iranian nuclear plants.  The piece is particularly relevant to this series of blog entries because it discusses the increased trend in international espionage through cyber attacks.  I highly recommend the story to those of you interested in this issue.


The U.S. Circuit Court of Appeals for the First Circuit recently weighed in on the causes of action and damages that are (and are not) cognizable in a data breach case.  In Anderson v. Hannaford Bros. Co., No. 10-2384 (1st Cir. Oct. 20, 2011), the plaintiffs were customers of a grocery store chain.  The grocery store chain used an electronic payment processing system that was breached by hackers, allowing the hackers to steal up to 4.2 million credit and debit card numbers and identifying information of the stores’ customers.  Many of the plaintiffs had unauthorized charges against their credit/debit card accounts.  Several were charged replacement card fees by their banks to replace their credit/debit cards.  The customers sued the grocery store chain.

The plaintiffs’ lawsuit was based on several causes of action:  breach of implied contract, breach of implied warranty, breach of duty of a confidential relationship, failure to advise customers of the theft of their data, strict liability, negligence, and violation of Maine’s Unfair Trade Practices Act.  In its 35-page opinion, the First Circuit analyzed each of these causes of action and held that only the negligence and implied contract causes of action were viable.

The Plaintiffs sought various types of damages, including the cost of replacement cards, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, time and effort spent reversing unauthorized charges and protecting against further fraud, and costs incurred for purchasing identity theft/card protection insurance and credit monitoring services. The First Circuit held that only the plaintiffs’ claim for mitigation expenses (like the consumer’s purchase of credit reports or credit insurance) and card replacement costs consumers incurred were recoverable.

Civil lawsuits arising from data breaches are a new and developing area of the law, and this new opinion is important because it is among the first U.S. Circuit Court opinions to analyze the issues of the proper causes of action and recoverable damages, and to do so in depth.  The decision is also important because, as journalist Jaikumar Vijayan wrote in an article for Computerworld, the case is “a rare instance of a court siding with consumers in a data breach lawsuit.”  It is certainly worth a read for anyone interested in these issues, and it should be an exciting time for anyone who practices in this area because we are watching the law develop from the beginning.

