Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Data Security Breaches: Response – Notification – Enforcement
Topics For Discussion
- Why do you need a response plan?
- What is a “data security breach”?
- Responding to a data security breach
- State requirements and legislative update
- Regulatory enforcement and litigation
Statistics
- Identity Theft Resource Center reports 656 breaches during 2008, exposing over 35,000,000 records
  - 47% increase from 2007
- Average cost of a data breach = $202 per affected consumer
  - 40% increase from 2005
Recent Data Breaches
- Hannaford Grocery (March 2008)
  - Hacker compromised at least 4.2 million payment cards in more than 270 stores
  - Approximately 1,800 reported instances of fraud related to the breach
  - Multiple class actions
Recent Data Breaches
- Heartland Payment Systems (Jan. 2009)
  - Malicious software compromised merchant processing network
  - Believed to be largest data breach in U.S. history
  - At least four class actions:
    - Issuing banks – breach of obligations under PCI standards and negligence
    - Consumers – federal statutory claims, breach of contract, negligence and state privacy laws
Recent Data Breaches
- Department of Veterans Affairs (May 2006)
  - Laptop computer and disk stolen from home of VA employee
  - Contained personal information of 26.5 million veterans who served in the military and have been discharged since 1976
  - Recovered by FBI with no evidence of unauthorized access
  - Under class action settlement, VA agreed to pay $20 million to veterans who were harmed by the incident, either through physical manifestations of emotional distress or the cost of credit monitoring
What Is The Objective? Fill In The Gap
- Protection
- Compliance
- Audits
- Criminal prosecution
- Civil prosecution
How to Manage the Data Security Breach
Why Do You Need A Response Plan?
- Thoughtful and prepared reaction
- Better decision making
- Minimized risk and loss
What Is A Data Security Breach?
A breach of the security of the system that involves unencrypted computerized personal information that has been, or is reasonably believed to have been, acquired by an unauthorized person.
State statutes require notification to affected individuals and, in certain instances, regulatory agencies and law enforcement.
What Is A Data Security Breach?
- “Personal information”
  - First name or initial and last name with one or more of the following (when either the name or the data element is not encrypted):
    - Social security number;
    - Driver’s license number;
    - Credit card or debit card number; or
    - Financial account number with information such as PINs, passwords or authorization codes.
What Is A Data Security Breach?
- “Breach of the security of the system”
  - Some states expressly require notice of unauthorized access to non-computerized data
    - New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
    - Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”
What Is A Data Security Breach?
- Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements
  - Certain states require a risk of harm
    - Arkansas: no notice if “no reasonable likelihood of harm to customers”
    - Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”
What Is A Data Security Breach?
- Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data
  - Data owner has ultimate responsibility to notify consumers of a breach
  - Non-owners are required to notify owners
Collect Relevant Documents and Information
- Data location lists
- Confidentiality agreements
- Customer contracts
- Third-party vendor contracts
- Privacy policy
- Information security policy
- Ethics policy
- Litigation hold template
- Contact list
Create A First Response Team
- Information technology (computer & technology resources)
- Information security (physical security & access)
- Compliance
- Business heads (consumer information)
- Human resources (private employee information – health & medical, payroll, tax, retirement)
- Legal counsel (in-house and/or outside counsel)
- Public relations/investor relations
Assign Tasks To Members Of The First Response Team
- Establish a point person
- Identify key personnel for each task
- Prioritize and assign tasks
- Calculate timelines and set deadlines
- Communicate with management
- Establish attorney-client privilege for investigation and communications
Project Management Is Critical
Determine The Nature And Scope Of The Breach
- Investigate facts
- Interview witnesses
- Determine type of information that may have been compromised
- Identify and assess potential kinds of liability
- Identify individuals potentially at risk and determine state or country of residence
Preserve Company’s Assets, Reputation and Integrity
Understand Data Breach Notice Laws
- State laws:
  - What constitutes personal information?
  - When is a notice required?
  - Who must be notified?
  - Timing?
  - What information must be included in the notice?
  - Method of delivering notice?
  - Other state-specific requirements?
- Applicable industry-specific laws
- Applicable international laws
Determine Appropriate Notices
- Consumers
- Employees
- Law enforcement (Federal/State)
- Federal regulatory agencies
- State agencies
- Consumer reporting agencies
- Third-party vendors
- Insurers
- Media
Prepare State Law Notices
- General description of the incident
- Type of information that may have been compromised
- Steps to protect information from further unauthorized access
- Contact information (e.g., email address; 1-800 number)
- Advice to affected individuals (e.g., credit reporting, review account activity)
Prepare State Law Notices
- Delivery method (e.g., certified letters, e-mail, website)
- Timing of notices
- Tailor notices based on recipient
- Use a single fact description for all notices
State Laws - California
- State involvement began in California, after a series of breaches received national attention
- Passed in 2002, went into effect in mid-2003
- Requires notice to California residents if data is lost or stolen
- Notification must occur whether or not the business has any presence in California
State Laws - California
- 44 states, the District of Columbia, Puerto Rico and the US Virgin Islands now have breach notification laws
- Expanded in 1/2009 to include medical and health insurance information
- California law may expand further to:
  - Specific requirements for notice letter, and reporting to Attorney General of breaches affecting 500 or more
  - Require "plain language" breach notices, with description of breach and estimate of number of persons affected
State Laws - Massachusetts
- Went into effect on February 3, 2008
- Applies to any person, business or agency that licenses, maintains, owns or stores PPI
- Applies to information regardless of physical form or characteristics (includes paper)
- Unauthorized access to, or use of, paper files containing PPI triggers notice requirement
- Data encrypted at 128-bit or higher algorithmic process is not a security breach, unless the encryption key is also lost
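The definitions from the earlier "What Is A Data Security Breach?" slides (personal information, the reasonable-belief trigger with the Arkansas and Michigan harm thresholds, owner versus maintainer) together with the Massachusetts encryption carve-out above can be encoded as a breach-scoping check that a response team runs over an inventory of exposed records. This is an added example, not part of the presentation; the field labels, state codes and sample records are constructed, and the harm judgement for the threshold states is supplied by the investigator as a flag.

```python
from dataclasses import dataclass, field
from collections import Counter

# Data elements that, paired with a name, make a record "personal information"
# under the state-statute definition quoted on the slides (labels are constructed).
SENSITIVE_ELEMENTS = {"ssn", "drivers_license", "card_number", "financial_account"}

# States the slides cite as requiring a likelihood of harm before notice is due.
HARM_THRESHOLD_STATES = {"AR", "MI"}


@dataclass
class ExposedRecord:
    state: str                      # state of residence of the individual
    fields: set[str]                # field names present in the exposed data
    encrypted: set[str] = field(default_factory=set)  # fields that were encrypted
    key_exposed: bool = False       # encryption key lost with the data (MA carve-out)


def is_personal_information(rec: ExposedRecord) -> bool:
    """Name plus one or more sensitive elements, where either the name or the
    element is not encrypted. Encryption counts for nothing if the key was lost."""
    if "name" not in rec.fields:
        return False
    elements = rec.fields & SENSITIVE_ELEMENTS
    if not elements:
        return False
    encrypted = set() if rec.key_exposed else rec.encrypted
    name_in_clear = "name" not in encrypted
    return name_in_clear or any(e not in encrypted for e in elements)


def notification_scope(records: list[ExposedRecord], harm_likely: bool) -> dict[str, int]:
    """Count residents needing notice per state. `harm_likely` is the
    investigator's judgement for the harm-threshold states; elsewhere a
    reasonable belief of unauthorized acquisition is enough."""
    counts: Counter[str] = Counter()
    for rec in records:
        if not is_personal_information(rec):
            continue
        if rec.state in HARM_THRESHOLD_STATES and not harm_likely:
            continue
        counts[rec.state] += 1
    return dict(counts)


def notice_recipient(owns_or_licenses_data: bool) -> str:
    """The owner/licensor notifies consumers; an entity that merely
    maintains the data notifies the owner."""
    return "affected individuals" if owns_or_licenses_data else "data owner"


# Constructed sample: a lost laptop image holding records in mixed encryption states.
SAMPLE = [
    ExposedRecord("CA", {"name", "ssn"}),
    ExposedRecord("CA", {"name", "ssn"}, encrypted={"name", "ssn"}),
    ExposedRecord("CA", {"name", "ssn"}, encrypted={"name", "ssn"}, key_exposed=True),
    ExposedRecord("AR", {"name", "card_number"}),
    ExposedRecord("NY", {"email", "ssn"}),
    ExposedRecord("MI", {"name", "financial_account"}, encrypted={"name"}),
]

if __name__ == "__main__":
    print(notification_scope(SAMPLE, harm_likely=False))  # {'CA': 2}
    print(notification_scope(SAMPLE, harm_likely=True))   # {'CA': 2, 'AR': 1, 'MI': 1}
    print(notice_recipient(owns_or_licenses_data=False))  # data owner
```

The fully encrypted California record drops out of scope, but the same record with the key lost comes back in, which is why the key's whereabouts is one of the first facts the response team establishes.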
25
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
State Laws - Massachusetts
- Notify affected resident, Attorney General and Director of Consumer Affairs and Business Regulation
  - Include number of affected individuals, nature of breach and actions being taken to address incident
  - Director shall identify any further notifications to consumer reporting agencies or state agencies
- Notice given to resident "shall not" include the number of people affected or nature of the breach
- Provide option to obtain a police report and "security freeze"
26
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
State Laws - Massachusetts
Data Destruction Requirements
- Persons, businesses and agencies must take certain steps when disposing of records containing PPI in paper or electronic form
- Records containing PPI must be destroyed so that PPI "cannot practically be read or reconstructed"
- Parties improperly disposing of records may be fined $100 per individual, up to a maximum of $50,000 per event
27
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
State Laws - Massachusetts
Identity Theft Regulations (Update)
- New regulations will increase level of security required – effective January 1, 2010
- Same "covered entities" will be required to encrypt data on laptops and removable storage devices, encrypt information transmitted wirelessly or on public networks, and meet certain computer hardware requirements
28
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
State Laws - Massachusetts
Information Security Regulations (Update)
- Every person that licenses, maintains, owns or stores PPI of a state resident must have a comprehensive information security program
- If PPI is handled electronically, then the information security program must cover computer and wi-fi uses
29
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
State Laws - Missouri (to watch)
Breach Notification Bill
- Applies to all businesses in Missouri that own or license electronic data with a resident's PPI
- Must notify resident within 30 days of a breach
- Must notify resident whenever there is evidence of unauthorized access to PPI
- In bill (draft) form, creates criminal penalties
30
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
State Laws - New Jersey (to watch)
Proposed Revised Computer Security Rules
- Replaces previously proposed rules under the New Jersey Identity Theft Prevention Act
- Now requires a comprehensive, written information security program to protect PPI
- Must notify police first if there is a disclosure/breach
- If police consent, the persons must be notified of the disclosure/breach "as expeditiously as possible"
- No requirement to notify individuals if use of the disclosed information is "not reasonably possible"
31
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
State Laws: Cost Recovery – Minnesota
- If a breach of state law, must reimburse the financial institution that issued any “access device” for costs of reasonable actions undertaken in order to protect PPI, including:
  1. cancellation or re-issuance of “access device”;
  2. closure of any account and any action to stop payments or block transactions;
  3. opening or reopening of any account;
  4. any refund or credit made to a cardholder to cover the cost of any unauthorized transaction; and
  5. notification of cardholders affected by the breach.
- Financial institution may recover payments to cardholders
32
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
European Union: Data Protection Directive
- “Personal Data”
- “Processing”
- The "controller” is responsible for compliance
- The data protection requirements apply both when the controller is established within the EU, and when the controller uses equipment situated within the EU in order to process data.
33
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
European Union: ePrivacy Directive
- Directive on Privacy and Electronic Communications, a/k/a ePrivacy Directive
- The ePrivacy Directive requires any "provider of publicly available electronic communications services" to (1) provide security of services and (2) maintain confidentiality of information
34
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
European Union: ePrivacy Directive
- Clearly, the Directive covers telecommunications operators and internet service providers
- However, why not (and currently being considered):
  - employers providing employees with e-mail
  - Internet cafes
  - hotels providing Internet access to guests
  - companies providing free wi-fi
35
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
United Kingdom
- No law requires notification of an improper disclosure
- Prosecutions and fines under other laws about failure to make adequate notification to affected persons
- Financial Services Authority fined Nationwide Building Society $2M under Financial Services and Markets Act 2000 for violating principles: (1) reducing the extent to which it is possible for a business carried on by a regulated person … to be used for a purpose connected with financial crime; and (2) firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems
36
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Australia
- Australian Legislation: Privacy Act 1988
  - National Privacy Principles: apply to private organizations
  - Information Privacy Principles: apply to government agencies
- Data Security: private organizations and agencies required to take reasonable steps to protect PPI from disclosure, loss and misuse
- Sanctions: Privacy Commissioner can make non-binding declarations dealing with damages and losses. Privacy Commissioner or complainant may seek a federal court order enforcing the determination
- Privacy Act does not contain breach notification rules
37
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Germany
Proposed Amendments to German Data Protection Law
- PPI includes names, addresses, dates of birth and bank information
- PPI may be given to marketers only with specific consent from the individual
- If changes become final, businesses would have three years to comply
38
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Prepare Answers To Inquiries
- Draft FAQs with responses
- Establish hotline
- Assign group of contact employees
- Train employees to respond to inquiries
- Develop clear escalation path for difficult questions
- Track questions and answers
39
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Prepare Press Release
- Include the following information:
  - Facts surrounding the incident
  - Actions to prevent further unauthorized access
  - Steps to prevent future data security breaches
  - Contact information for questions
- Review by legal counsel
40
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Consider Offering Assistance To Affected Individuals
- Free credit reporting
- Free credit monitoring with alerts
- ID theft insurance
- Access to fraud resolution specialists
- Toll-free hotline
41
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Enforcement Actions
- Federal Trade Commission – Section 5 of FTC Act
  - Enforce privacy policies and challenge data security practices that cause substantial consumer injury
- State Attorney General – State Notification Statutes
  - Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
  - Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
- Litigation in federal or state courts
42
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
FTC Actions: The TJX Companies, Inc.
- In January 2007, TJX announced that an unauthorized intruder accessed its computer system, which contained detailed information about customer debit and credit cards.
- Breach exposed at least 45 million credit and debit cards
- Investigated by FTC, at least 39 states and the Secret Service
43
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
FTC Actions: The TJX Companies, Inc.
- FTC complaint alleged that TJX engaged in “unfair acts or practices” by:
  - Creating unnecessary risk to personal information by storing and transmitting it in clear text
  - Failing to use readily available security measures to limit wireless access to its networks
  - Failing to require network administrators and users to use “strong” passwords or to use different passwords to access different programs, computers, networks
  - Failing to use readily available security measures to limit access among computers and the internet (i.e., firewall to isolate card authorization computers)
  - Failing to employ sufficient measures to detect and prevent unauthorized access or conduct security investigations
44
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
FTC Actions: The TJX Companies, Inc.
- Consent order (dated July 2008):
  - Establish, implement and maintain a comprehensive information security program “reasonably designed to protect the security, confidentiality, and integrity of personal information.”
  - Obtain assessments and reports from a “qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.”
  - Make available to the FTC (upon request) for inspection and copying documents relating to compliance.
  - File with FTC a report setting forth “in detail the manner and form” in which it has complied with the consent order.
45
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Other FTC Actions
Other FTC settlements:
- ValueClick (civil penalties = $2,900,000)
- Goal Financial
- Life Is Good
- Premiere Capital Lending, Inc.
- Reed Elsevier Inc.
46
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
NY Attorney General Action: CS Stars LLC
- Theft of computer containing personal information of approximately 540,000 workers’ compensation recipients discovered on May 9, 2006
- CS Stars LLC “maintained” personal information
- CS Stars notified data “owner” of potential breach on June 29, 2006
- Data owner notified appropriate entities and consumers immediately
- FBI recovered computer
- No unauthorized use of personal information
47
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
NY Attorney General Action: CS Stars LLC
- Attorney General criticized delay between discovery of missing computer and CS Stars’ notification to data owner
- Settlement (April 2007) required CS Stars to:
  - Implement precautionary measures to safeguard information
  - Comply with New York data breach notification statute in the event of any future breach
  - Pay $60,000 to cover costs related to investigation
48
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
CT Dept. of Consumer Protection Action: Bank of New York Mellon
- Lost backup tape containing personal information of more than 600,000 Connecticut residents
- Governor of Connecticut directed Commissioner of the Department of Consumer Protection to pursue all remedies available to affected Connecticut residents
- BNY Mellon notified each affected consumer and provided 24 months of credit protection
- To date, BNY has spent over $3.48 million to provide credit protection
49
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
CT Dept. of Consumer Protection Action: Bank of New York Mellon
- Settlement required BNY Mellon to:
  - Reimburse consumers for any funds stolen as a direct result of the breach
  - Pay $150,000 to the State of Connecticut
50
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Litigation: Typical Claims By Plaintiffs
- Plaintiffs (consumers) typically allege the following causes of action:
  - Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty
  - Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts
51
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Litigation: Typical Court Rulings
- Plaintiffs fail to show “injury” as a result of data breach.
  - Pisciotta v. Old Nat’l. Bancorp., 499 F.3d 629 (7th Cir. 2007):
    - Exposure to identity theft without more does not constitute “injury”
    - Individual does not suffer harm as soon as information is exposed
    - Credit monitoring costs do not constitute injury
52
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Litigation: Typical Court Rulings
- Certain courts have dismissed data breach cases on the ground of standing.
  - Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007);
  - Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006);
  - Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006).
53
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Litigation: Typical Court Rulings
- In re TJX Cos. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007).
  - Claims brought by issuing banks:
    - Breach of contract based on alleged violations of Visa and MasterCard’s network rules
    - Negligence
    - Massachusetts deceptive or unfair trade practices
    - Negligent misrepresentation
54
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Litigation: Typical Court Rulings
- TJX Cos. Retail Sec. Breach Litig.
  - Dismissed breach of contract – Visa & MasterCard rules did not provide third-party beneficiary rights to plaintiffs (issuing banks)
  - Dismissed negligence – economic loss doctrine
  - Dismissed deceptive/unfair trade practices – no basis in FTC Act or GLB Act
  - Did not dismiss negligent misrepresentation – implied misrepresentation based on TJX’s participation in credit card networks
55
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Litigation: Unusual Court Rulings
- Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).
  - Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)
  - Court denied defendant’s motion for summary judgment and held that plaintiff “has alleged injury in fact” to establish standing
  - “Increased risk of identity theft” constituted sufficient “injury in fact”
56
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Litigation: Unusual Court Rulings
- Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
  - Laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no.)
  - Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
  - Court denied motion with respect to claim that plaintiff was third-party beneficiary of the contract between defendant and plaintiff’s employer
57
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Avoid Future Data Security Breaches
- Limit access to personally identifiable information
- Encryption
- Establish privacy compliance program
- Train and test employees
- Periodic audits
- Update and revise procedures
- Enhance technology to strengthen security and reduce risk
- Credential third-party vendors
58
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild
Contact Information
Amy C. Purcell, Esquire
215.299.2798