Federal Information Security and Breach Notification Law Approved by House Trade Subcommittee

On July 20, 2011, the U.S. House of Representatives Energy and Commerce Committee’s Trade Subcommittee approved the Secure and Fortify Electronic Data Act (the “SAFE Data Act”). The Act would require any business that maintains personal information to implement an information security program and notify affected individuals in the event of an information security breach. The SAFE Data Act would preempt the over 45 existing state information security and breach notification laws and task the Federal Trade Commission with developing information security rules implementing the Act.

Some legislators and advocates have criticized as too narrow the definition of “personal information” that is within the scope of the Act. Specifically, the SAFE Data Act would require breach notification only when an individual’s name, phone number or credit card number is compromised along with a Social Security number, driver's license number or other government-issued ID. This definition is significantly narrower than the personal information within the scope of the numerous existing state breach notification laws. One of the concerns is that because the SAFE Data Act would preempt existing state information security and breach notification laws, the passage of the Act would lead to less protection for consumers.

Existing state breach laws typically require notification when an individual's first name or initial and last name are compromised in conjunction with a Social Security number, driver’s license number, government-issued ID number or a financial account number. In practice, the gap between state breach laws and the Safe Data Act is even wider. This is because companies operating nationwide affected by a multi-state breach often follow the broadest notification requirements among the various state laws. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, taxpayer ID or biometric data alone (without the individual’s name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the Safe Data Act. Committee members expect the bill to evolve to address this and other concerns as it moves through Congress.

InfoLawGroup Says:

While there are disagreements regarding the specifics, the Trade Subcommittee’s approval of the Safe Data Act (especially while Congress is paralyzed by the debt ceiling negotiations) suggests strong support for federal information security legislation. For businesses, perhaps the most significant aspect of the Act is the preemption of over 45 existing state information security and breach notification laws. The preemption provision would provide much needed certainty for businesses in addressing information security breaches that currently are subject to the multitude of state requirements.

Massachusetts' Revised Personal Information Security Regulation (201 CMR 17.00)

Massachusetts' Office of Consumer Affairs & Business Regulation (OCABR) recently released a revised version of its "Standards for the Protection of Personal Information of Residents of the Commonwealth" (the "Regulation").  This August 2009 version modifies the February 2009 version of the Regulation. The press release and the FAQs released by OCABR appear updated to address some of the changes in the regulations.

UPDATE (082509):  On his blog, Uncommon Sense Security, Jack Daniel shares his insight from the security perspective. 

For ease of reference, ILG has taken the time  to create a REDLINED VERSION showing the revisions in the new Regulation.  The redlines indicate changes between the February 2009 version and the August 2009 version of the Regulation.  Also included below is a summary of some of the more significant changes.

  • Owns and Licenses v. Stores and Maintains Personal Information.

In the prior version of the regulation, companies that "owned, licensed, stored or maintained" personal information were subject to the Regulation.  Now, only companies that own or license personal information are within the scope of the Regulation.  The Regulation defines "owns or licenses" as follows:

Owns or licenses, receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

As such, it appears that organizations that handle personal information when not in connection with the provision of goods or services, or in connection with employment, would not be subject to the Regulation.  This could perhaps encompass a person or company holding personal information for purely personal reasons.

  • Written Information Security Program

The new Regulation builds in some flexibility with respect to the requirement of a written security program.  Now such a program must contain:

administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.

This appears to be designed to provide leeway for smaller organizations and other companies that do not pose much risk with respect to personal information.  In fact, this is confirmed to some degree by the FAQs released by OCABR, which indicate:

the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC's Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business' size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information.

  • "Technically Feasible."

In the prior version of the Regulation, companies were required to encrypt files containing personal information transmitted across public networks or wirelessly only if it was technically feasible to do so.  The new Regulation expands the concept of "technically feasible" to apply to all of the items listed in the "Computer System Security Requirements" subsection of the Regulation.

What this means in practice is that none of those specific controls of this section of the Regulation are now required unless it is "technically feasible" to implement them.  Again, this appears to be an attempt to provide some flexibility for small companies.  However, it also may provide cover for larger businesses that have complex IT environments.

The key issue here is the meaning of "technically feasible."  One problem with the term for organizations subject to the Regulation is that it focuses on technical aspects rather than "cost feasibility" or "business feasibility." One could argue that practically anything is technically feasible if you don't take price into account or potential disruptions or problems with business practices and activities.

While the term is not defined in the Regulation for some reason, the FAQs define "technically feasible" as follows:

“Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

This definition does not necessarily help because it is not clear what is meant by "reasonable means" in this context, and whether resource and business constraints factor into the analysis.  Significantly, unlike in the context of a written infosec program, the Regulation does not explicitly reference the "resources available" to the company as one of the factors for determining whether something is "technically feasible."  ISC believes that this concept is vague and the OCABR would have been better served using an approach similar to the one used for the WISP.

  • New Service Provider Definition and Obligations

The Regulation now includes a specific definition of "service provider":

Service provider, any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that "Service provider" shall not include the U.S. Postal Service.

It appears that by using the word "directly" they wanted to eliminate companies that might incidentally receive personal information.  However, based on the language of the statute these companies would still be directly subject to the regulation if they "own or license" personal information.  As such, service providers may have both contractual obligations and direct obligations to comply with the Regulation.

Significantly, the duties with respect to service providers have also been narrowed.  Previously the Regulation imposed an obligation to take reasonable steps to "verify" that service providers could implement the required security.  The word "verify" has been dropped.  Added to the new Regulation is an obligation to have a contract in place with service providers requiring them to implement and maintain appropriate security measures around personal information.   This requirement only applies to contracts entered into after March 1, 2010 (it does not indicate what is to happen with contracts that renew after March 1, 2010).  Notably, the old version of the Regulation required companies to "ensure" that their service providers complied with the Regulation.

  • Deleted Specific WISP Requirements

The old version of the Regulation required the WISP to impose a "minimum necessary use" limitation with respect to personal information, and mandated that a "personal information" inventory be performed.  Those specific obligations have been deleted (however, they could still be required in general with respect to a WISP).

In all, by attempting to impose a "risk-based" framework, the Regulation appears to provide more flexibility and leeway.  Nonetheless, the Regulation is still vague in some areas and companies of all sizes and complexities will have to analyze whether and how the law applies to their organization.  The Regulation will also complicate relationships with service providers, who are likely to have to go through a more rigorous "due diligence" process and also enter into more stringent contracts imposing security obligations.

There are additional changes that you can observe in the redlined version.   If you have any additional input on the potential impact of these changes, please provide a comment so we can further discuss (and I can update this post as necessary).

TJX Settles with State Attorneys General for $9.75 Million

The TJX breach saga came a little closer to an end (excluding of course the still-pending case being pursued by a couple of issuing banks) with the announcement of a settlement with 41 State attorneys general that brought actions under their State's respective consumer fraud and deceptive practices laws (a copy of the settlement document can be found:  HERE).  This is a summary of the TJX settlement.

Monetary Settlement Breakdown

    The total monetary settlement amounted to $9.75 million, which is broken down as follows:

    • $5.5 million to the Attorneys General for State consumer protection activities related to data security or otherwise, including consumer education and outreach, prevention or monitoring programs, consumer protection enforcement, litigation, local consumer aid funds, consumer protection enforcement funds and public protection funds

    • $2.5 million to develop a "data security fund" to be used by the States to research the benefits of data security technology and develop best practices, protocols, policies or model legislation or regulations concerning data security or data security technology, develop and implement programs, education and outreach for consumers with respect to data security, and for other efforts to examine data security matters and to protect consumer privacy

    • $1.75 million in fees and costs associated with the States' investigation of the TJX breach

    This brings the total reportedly paid out for settling various actions against TJX to approximately $75 million (this does not include forensic expense, attorney fees, etc.).

    Information Security Program

    In addition to monetary payments, the settlement also requires TJX to "implement and maintain a comprehensive Information Security Program reasonably designed to protect the security, confidentiality and integrity of Personal Information."  The general description of the mandated program essentially matches the information security program required pursuant to TJX's consent order with the FTC.

    However, this settlement goes beyond the general requirements of the FTC's consent order and mandates specific information security controls and actions, including:

    • Replacement of all WEP based wireless systems with WPA wireless systems (or equivalent)

    • No storage of sensitive authentication information related to payment cards (e.g. magnetic stripe track data, PIN numbers/PIN Blocks, and CVC2/CVV2/CID numbers)

    • Segmentation of TJX networks storing, processing or transmitting Personal Information (including Cardholder Information) from the rest of TJX's network

    • "Security password management" for the portions of the TJX computer system that store, process or transmit Personal Information

    • Implementation of a security patching protocol for the portions of the TJX computer system that store, process or transmit Personal Information

    • Use of Virtual Private Networks/encryption for transmitting Personal Information

    • Anti-virus software

    • Intrusion detection systems

    • Access control measures

    The order indicates that the previously mentioned requirements alone do not necessarily amount to reasonable actions to protect Cardholder or Personal Information.  The settlement sets a 120-day deadline for TJX to implement the required information security program.  TJX must also have a third party security assessor create a report certifying compliance.  The first report of the third party assessor is due 180 days after the settlement agreement date, and subsequent assessments must occur on a biennial basis (although TJX does not need to provide them to the AGs unless requested).  TJX's obligations with respect to the information security program (and other requirements of the settlement) are to last for 20 years.

    Breach Notification

    The settlement requires TJX to provide notice to the relevant attorney general 10 days after it has provided notice to its customers of any breach of personal information.  The settlement sets forth several categories of information that must be provided to the attorneys general.

    TJX Payment Card Security Advocate

    This is where the settlement agreement gets more interesting.  As a condition of the settlement, TJX essentially has to advocate for improvements in the security of the payment card system.  In particular, TJX must contact Visa and Mastercard and its acquiring bank and volunteer to participate in pilot programs for testing new security-related payment card technology (such as chip-and-PIN technology).   TJX also must take steps to encourage the payment card industry to achieve "end-to-end" encryption of cardholder data (all the way through the bank authorization process).  TJX must take such steps within 180 days and must submit a report to the Attorneys General indicating TJX's progress.

    Nevada Law Incorporates PCI and Provides a Liability Safe Harbor

    Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law. 

    In contrast to the Minnesota law (which only partially incorporated one subsection of PCI), the Nevada amendment requires "data collectors" doing business in Nevada to comply with the entire PCI standard:

    If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

    Unfortunately there is a built-in ambiguity in the law since neither the PCI standard itself, nor the PCI Security Standards Council, sets the PCI compliance date.  Rather, that is done by each card brand.  Ignoring that glitch, obviously, by incorporating PCI into its law, Nevada has explicitly given the PCI "the force of law."  This could have significant legal implications:  see more HERE and HERE.

    The Nevada amendment also appears to create a partial "safe harbor" for compliance with the law (and by extension PCI):

    3. A data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

    While it is apparent that this language precludes liability for damages under the Nevada statute itself, it may also have wider application.  In other words, would this language bar a "regular" negligence lawsuit arising out of a security breach as long as the data collector was PCI compliant?  "Damages" in a breach of contract lawsuit? The broad language used ("shall not be liable for damages") suggests a solid argument exists for a "safe harbor" (even if compliance with the PCI standard itself was not "reasonable security") against any cause of action not involving "gross negligence" or "intentional misconduct."  More research, and potentially case law, will be necessary before the scope of this safe harbor is clarified.

    Article Exploring PCI-related Risks in the Hannaford Breach

    Interestingly, some reporters are digging deeper to explore the implications of a PCI-compliant company suffering a payment card breach: see here.

    I think we don't have all the information, so everybody is engaging in various levels of speculation. However, we do know two facts: (1) compliance with PCI was represented in Hannaford's privacy policy (last visited 3-21-2008); and (2) there was a breach exposing cardholder data. In my view, here are some of the possibilities (in no particular order of likelihood, and by no means an exclusive list):

    (1) the qualified security assessor (QSA) (or internal assessor) may have misinterpreted or loosely interpreted a section of the PCI standard (and the reality was there were security weaknesses);

    (2) the PCI compliance may have been old or outdated (e.g. they may have been PCI compliant 9 months ago, but perhaps added new systems that were not secured consistently with PCI);

    (3) Hannaford may not have provided all of the information to the QSA (assuming one was used) that it needed to validate its decision (e.g. this could include mistakes in defining which parts of Hannaford's networks were in-scope/out-of-scope);

    (4) Hannaford may have been 100% PCI compliant and reasonably secure in general and just got unlucky (e.g. there is no such thing as 100% perfect security). Under this scenario, Hannaford would argue that it was not negligent because it did all the right things and that unfortunately these things just happen.

    (5) Hannaford and/or its QSA may have had a security weakness or questions about an ambiguity and may have had either the PCI Council, its upstream payment processor or its merchant bank give a bad interpretation.

    The interesting issue will be, assuming that some sort of negligence is shown, who was/is ultimately responsible? Hannaford? The QSA? A merchant bank that accepted Hannaford's certification?

    Much more to come on this one.

    Update: well that was quick. The class actions come flooding in.

    Legislative Update: 2 New Plastic Card Protection Bills Pending (Alabama and Iowa)

    Plastic Card Protection laws continue to be proposed in state legislatures. This time it's Alabama and Iowa that are jumping into the fray with bills that incorporate the Payment Card Industry ("PCI") Data Security Standard and/or provide financial institutions with the legal right to seek reimbursement for costs associated with payment card security breaches. However, the Iowa and Alabama bills provide some new wrinkles.

    Alabama SB 382. Here are some of the wrinkles in the Alabama bill:

    (1) Personal Information Deletion Requirement. Requires the deletion/destruction of personal information that is "longer necessary to be retained."

    (2) PCI Tie-In - PCI Section 3.2. The bill prohibits the storage "in either encrypted or unencrypted form, subsequent to authorization, the card security code data, the PIN verification code data, the full contents of any track of a magnetic stripe or data chip, card-validation code, or value, or any other security information in a manner that permits access to an individual financial account." This is essentially the same duty as section 3.2 of the PCI Standard. Note this language appears to go beyond payment card security since it relates to "any other security information that permits access to an individual financial account." This language could possibly include passwords for online banking sites, online payment sites and other access codes tied to financial accounts (beyond credit card accounts).

    (3) Financial Institutions Recovery of Reasonable Costs. Like other Plastic Card Protection laws, in the event of a violation of the law and a security breach exposing personal information, the Alabama bill provides banks with the right to reimbursement for the reasonable costs of actions taken "to protect the personal information and account information of the customer or to continue to provide financial services to the customer," including the costs to reissue cards, open/close accounts, contacting cardholders and refunds or credits made to customers.

    (4) Private Cause of Action. In a new twist the bill specifically provides a private cause of action for financial institutions against those that "are responsible for the security breach." The financial institution may receive not only actual damages, but also incidental and consequential damages, as well as court costs and reasonable attorney fees. Significantly, this language may help financial institutions recover damage elements that would be very difficult to recover under a traditional negligence claim.
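Both the TJX settlement item above ("No storage of sensitive authentication information related to payment cards") and the Alabama bill's PCI section 3.2 tie-in turn on the same practical question: is post-authorization data sitting in logs or files? The following Python scanner is an added example, not code from the original post, from TJX, or from any of the bills or settlements discussed; it looks for full magnetic-stripe track data, card verification values and unmasked PANs in a constructed application log. The log lines, regular expressions and function names are assumptions for illustration; the card numbers are the widely published test PANs, and each PAN is confirmed with the Luhn check before it is reported so that timestamps and discretionary data do not produce false positives.

```python
import re

# Constructed sample log (not from any real system). The PANs are the public
# test numbers and the track data is synthetic; lines 2, 3 and 5 show data
# that PCI DSS 3.2 prohibits retaining after authorization.
SAMPLE_LOG = """\
2009-06-23 10:14:02 INFO  auth ok txn=8812 pan=411111******1111 amount=42.10
2009-06-23 10:14:03 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^25121011000000000000?
2009-06-23 10:14:03 DEBUG track2: ;5555555555554444=25121011000012345?
2009-06-23 10:15:10 INFO  order 8813 shipped to 123 Main St, phone 555-0100
2009-06-23 10:15:11 DEBUG cvv2=123 pan=4111111111111111 exp=1225
"""

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Card verification values written as key/value pairs (assumed log style)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Any 13-19 digit run; treated as a PAN only if it passes the Luhn check
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum PCI allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (category, masked value) findings for one log line."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        findings.append(("track2", mask_pan(m.group(1))))
    for _ in CVV_RE.finditer(line):
        findings.append(("cvv", "redacted"))   # never echo the value itself
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(0)):
            findings.append(("pan", mask_pan(m.group(0))))
    return findings


def scan_log(text: str) -> list:
    """Return (line number, findings) for every line holding prohibited data."""
    report = []
    for n, line in enumerate(text.splitlines(), start=1):
        found = scan_line(line)
        if found:
            report.append((n, found))
    return report


if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + ", ".join(f"{cat}={val}" for cat, val in found))
```

Run against the constructed log, the scanner flags lines 2 (track 1 plus an unmasked PAN), 3 (track 2 plus an unmasked PAN) and 5 (a CVV2 value plus an unmasked PAN), while line 1, which carries only a properly masked PAN, and line 4 produce nothing. The 17-digit discretionary field on line 3 is ignored because it fails the Luhn check. The same approach can be pointed at database dumps or file shares; the output masks what it finds so that the report itself does not become another copy of the prohibited data.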

    Iowa S.S.B 3183. Here are some of the wrinkles in the Iowa bill:

    (1) PCI Tie-In - Entire PCI Standard. The Iowa bill requires compliance with the entire PCI Standard by any entity that accepts a payment card in connection with transactions in the ordinary course of business. However, the bill also indicates that the Iowa attorney general must adopt rules necessary to implement the bill, including identifying the payment card industry standards to be applied.

    (2) PCI Certification. Financial institutions initiating an action must request a certification of compliance from the party that suffered the security breach. The certification must be made by a payment card industry approved independent auditor. It appears that an action cannot be commenced against an entity that has not been found in violation of the PCI Standard.

    (3) Financial Institutions Recovery of Reasonable Costs. The bill provides for the right to recover similar damage components as those in the Alabama bill.

    (4) Attorney Fees for Prevailing Party. The bill provides that the prevailing party in an action will be entitled to recover attorney fees. However, if the prevailing party is an entity that has refused to certify PCI compliance it cannot recover attorney fees.

    BOTTOM LINE: the legal liability will change radically if these bills get passed (like the Minnesota and Connecticut laws, as well as the bill in Washington State that has passed one house).

    Sears Privacy/Security Double Whammy.

    After the resolution of some aspects of the TJX matter in 2007, it looks like another huge retailer has stepped on the privacy/security porcupine for 2008.

    Privacy: Sears is suffering some bad press for allegedly placing "spyware" on its customers' computers that allows Sears (and Kmart) to track their Internet usage, including websites visited, searches engaged in and the headings of emails (click here for story)

    Security: In addition, Sears has been sued in a $5 million class action for an alleged security breach related to its managemyhome.com website. Apparently, the website allowed any user to type in a customer's name, address and phone number (or some combination thereof) and get a complete history of that customer's purchasing history at Sears (click here for story)

    So, question to my readers, in the ever-increasing world of e-commerce, how much tracking of customer behavior/Internet usage is too much? And when should it be permissible (if ever) to engage in the type of activity Sears was engaged in?

    P.S. Copy of the complaint can be found here.

    Stollenwerk v. Tri-West Health - Rise of the Phoenix?

    Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case

    One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the "damages" element for a negligence claim. Several courts have dismissed such suits, ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically, one of the landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance (D. Ariz. 2005), may give plaintiffs' attorneys some additional ammunition. The United States Court of Appeals for the Ninth Circuit ("Appellate Court") recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits (see Stollenwerk v. Tri-West Health Care Alliance (9th Cir. November 20, 2007)). The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.

    Stollenwerk Background & District Court's Ruling

    In December 2002, Tri-West Healthcare Alliance ("Tri-West"), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program's members (mainly military personnel). Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court of Arizona ("District Court") alleging numerous claims, including common law negligence. One of the plaintiffs (William Brandt - hereinafter "ID Theft Plaintiff") alleged that unknown individuals used his personal information after the burglary to open (or attempt to open) unauthorized credit accounts in his name (e.g. identity theft). The two other plaintiffs (Michael Stollenwerk and Andrea DeGatica - hereinafter "Credit Monitoring Plaintiffs"), while not alleging they suffered identity theft, alleged that they needed to purchase credit monitoring services and identity theft insurance to prevent potential future identity theft.

    In its September 2005 opinion, the District Court dismissed all of the plaintiffs' claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. The Credit Monitoring Plaintiffs attempted to analogize financial credit monitoring expenses to medical monitoring expenses in "toxic tort" cases (e.g. asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health prior to any adverse effects manifesting). The District Court indicated that enhanced risk of future injury is generally insufficient to establish a negligence claim, but in the case of toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that the Credit Monitoring Plaintiffs failed to provide evidence that such information was significantly exposed or that plaintiffs were at significantly increased risk of suffering identity fraud.

    The District Court also dismissed the negligence claim of the ID Theft Plaintiff. Although the plaintiff suffered identity theft on several occasions six weeks after the burglary, the Court held that the circumstantial timing of the burglary and identity theft was insufficient evidence that the burglary was the cause of such theft.

    The Appellate Court's Decision

    In November 2007, the Appellate Court reversed the District Court's decision concerning the ID Theft Plaintiff, but upheld the lower court's ruling on the Credit Monitoring Plaintiffs.

    The Credit Monitoring Plaintiffs

    With respect to the Credit Monitoring Plaintiffs, the 9th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that:

    "In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts."

    The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, the Credit Monitoring Plaintiffs had not established the requisite elements to support their claim, including: (1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud. The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs' expert failed to objectively quantify the reduction of risk that would result from credit monitoring.

    The ID Theft Plaintiff

    The Appellate Court's opinion was much more forgiving for the ID Theft Plaintiff. In this case, the ID Theft Plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West's hard drives. The Court did not make a distinction between "attempts" to open accounts and successful account openings - the Court appeared to conclude that both constituted identity theft. Significantly, the Court's opinion appears to simply accept that "identity theft" constitutes an injury, and instead focused on whether the ID Theft Plaintiff established that the burglary was the proximate cause of the identity theft.

    On the issue of causation, to survive a motion for summary judgment, the plaintiff needed to provide evidence from which a reasonable jury could conclude that the ID Theft Plaintiff's injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:

    1. Possession: the ID Theft Plaintiff provided Tri-West with his information;
    2. Type of Information: the personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts;
    3. Timing -- Identity Theft Incidents: the six alleged identity theft incidents all occurred after the burglary, and the first began about six weeks after the burglary (the last happened about 3 - 4 months after the burglary);
    4. Timing - Prior Incidents: the plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier); and
    5. Limited Opportunities for Other Causes: the plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.

    The 9th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court's grant of summary judgment to the Defendants.

    Conclusion

    The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9th Circuit's decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.

    The Court's ruling was favorable for plaintiffs that actually suffer identity theft after a data breach. The Court was lenient in its acceptance of purely circumstantial evidence -- most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs that were the victims of identity theft will have a better chance to get their case in front of a jury in the 9th Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement. On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report (June 2007)), plaintiffs' lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing data breach cases seem to indicate that successful and severe consumer litigation (e.g. large successful class action suits) is still elusive for the plaintiffs' bar.

    TJX -- Banks File Expert Opinion

    This is a very interesting read. The banks suing TJX retained an expert (former security guru for MasterCard) to opine on TJX's failure to follow security standards. In particular, PCI. You can find the expert opinion that was filed with the court here: Bank Expert Opinion

    A few interesting points:

    1. PCI is being set up as the legal standard of due care. It does not appear that compliance was very close in this one, but for cases on the fringe, we are going to have courts deciding what compliance with PCI means; and
    2. the expert used reports generated by TJX's own security auditors against TJX.

    On number (2), I always advise my clients to attempt to get their audits under the umbrella of attorney-client privilege (or work product). Basically, retain the security assessor as an expert to assist with legal/regulatory compliance review. This at least gives an argument of attorney-client privilege and may allow companies like TJX to keep these extremely damaging reports out of evidence (although admittedly the privilege is often leaky). Not sure if that was done in the TJX matter (if it was, does anybody know how they lost the privilege?).

    TJX Motion to Dismiss Bank's Claims

    I came across this ruling in the TJX matter that dismisses some of the banks' claims against TJX: Link

    Consistent with past decisions (B.J. Wholesalers) it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. Also appears that the economic loss doctrine is still an effective block to general negligence actions.

    However, the negligent misrepresentation claim and unfair/deceptive business act claims both survived. The negligent misrepresentation argument was very interesting. Basically, it appears that the issuing banks alleged that by participating in a financial network that relies on members taking appropriate security measures, TJX made "implied representations" that it would take the security measures required by industry practice. The court let these allegations stand, indicating that the economic loss doctrine does not apply to a negligent misrepresentation claim in Massachusetts. In addition, the court ruled that the banks' reliance on such implied representations is a question of fact inappropriate for resolution at the motion to dismiss phase. These allegations also serve as the basis for the Banks' unfair and deceptive business practices claims under Chapter 93 of Massachusetts' law.

    While the survival of these claims is certainly good news for the banks, TJX may still be able to stop this case from going to trial using a motion for summary judgment further down the line. It will be interesting to see if the Banks can successfully argue that the costs of preemptively reissuing credit cards constitute "damages" for purposes of negligent misrepresentation.

    FACTA Privacy Lawsuit Developments - Companies Sued for Online Credit Card Receipts

    This month's newsletter follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance LLC ("ISC") explored in its April and June 2007 newsletters (What You Don't Know Just Might Hurt You. - April 2007; FACTA Privacy Class Action Lawsuit Developments - Bad News and Good News for Merchants). Recently plaintiffs have filed lawsuits against companies displaying credit card receipts on the consumer's computer screen (not printed on a paper receipt), and at least one court has denied a merchant's motion to dismiss a case based on online credit card receipts. In other words, the FACTA credit card receipt prohibitions may not be limited to paper receipts.

    FACTA Summary

    As discussed previously by ISC, a rash of over 100 class action lawsuits has been filed alleging violation of the Fair and Accurate Transaction Act of 2003 ("FACTA"), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and prohibits printing a credit card's expiration date on the receipt. FACTA specifically provides:

    Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

    ***

    (2) LIMITATION.--This subsection shall apply only to receipts that are electronically printed, and shall not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.

    15 U.S.C. 1681c(g) (emphasis supplied). A single willful violation of FACTA could result in damages ranging from $100 to $1,000 without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

    Recent Suits Filed Against Online Companies

    In a complaint filed August 8, 2007 in the U.S. District Court for the Southern District of Florida, plaintiffs alleged that after they purchased iPods and other electronic equipment from Apple Computer Inc. online, the company provided receipts that included the full credit or debit card number used to make the purchase (Maria v. Apple Computer Inc., S.D. Fla., 1:07-cv-22040-AJ, complaint filed 8/8/07).

    In addition, in a complaint filed in the U.S. District Court for the Southern District of Illinois, plaintiffs alleged they received receipts with their full payment card number information after they paid for hotel reservations and services online through a subsidiary of Expedia Inc. (Sutton v. Expedia Inc., S.D. Ill., No. 3:07-cv-00547-GPM-DGW, complaint filed 7/31/07).

    These lawsuits may have been initiated because of a recent ruling against Stubhub Inc. in a FACTA lawsuit.

    Stubhub Ruling: On-Screen Credit Card Receipt Qualifies as "Printed"

    Stubhub, Inc., an online ticket broker, was sued for a violation of FACTA based on an electronically generated credit card receipt, and the plaintiff in that case survived a motion to dismiss the case. In July 2007, the U.S. District Court for the Central District of California ruled that a credit card expiration date appearing on an electronically generated receipt qualifies as "printed" for purposes of FACTA (Vasquez-Torres v. Stubhub Inc., C.D. Cal., No. CV 07-1328, motion to dismiss denied 7/2/07).

    Since the term "print" was not defined in FACTA, Stubhub and the court looked to common dictionary usage for guidance on the definition. Stubhub cited Webster's Third New International Dictionary, which defines "print" in part as "to make an impression in or upon." The court held that even under Stubhub's definition, Stubhub had "made an impression upon" a computer screen when it displayed the credit card expiration date. The court also cited Merriam-Webster's Collegiate Dictionary (10th ed. 2002, p. 924), which defined "print" as "to display on a surface (as a computer screen) for viewing."

    In addition, the court held that its ruling was consistent with the purposes of FACTA: to prevent identity theft in all its forms. The court reasoned that a narrow interpretation limited to paper-printed records did not comport with the broad goals of FACTA in combating identity theft. The court stated that if Congress intended to exclude receipts printed on a computer screen, it could have explicitly done so as it did for the exclusion of "transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card."

    Conclusion

    While some of the recent rulings on class certification may have slowed down the FACTA lawsuits for plaintiffs, the potential for lawsuits with respect to online credit card receipts poses considerable challenges to organizations. Just getting sued and having to incur substantial fees to defend the suit could be an expensive and distracting proposition. Companies, working with attorneys and IT professionals, should conduct an inventory of their online consumer systems to determine whether any of their websites or portals displays credit card confirmations or receipts with expiration dates or credit card numbers in excess of the last five digits. If such information is displayed, organizations should seek to technologically disable that display. In addition, service providers (e.g. ecommerce payment processors, hosters, application service providers) that may be working with companies displaying credit card information using the service provider's systems should consider informing their customers of FACTA and adding contract terms to protect themselves from FACTA liability.
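    The inventory step above can be partly automated. The following is an added example (not code from the newsletter or from any of the parties discussed) that scans rendered receipt or confirmation text for the two things 15 U.S.C. 1681c(g) prohibits, more than the last five digits of the card number and the expiration date, and provides a display-layer masking helper that stays within the five-digit limit; the sample receipts and the mask characters it recognizes are assumptions.

```python
"""FACTA receipt-display checker (added example, not from the newsletter).

Scans the text of an on-screen receipt for (a) a full card number, told apart
from order numbers by a Luhn check, (b) a partially masked card number that
still shows more than the last five digits, and (c) an expiration date that is
introduced by an expiry keyword (so purchase dates such as 8/8/07 are ignored).
The sample receipts at the bottom are constructed for illustration.
"""
import re
from typing import List, Tuple

MASK_CHARS = "*Xx"  # assumed mask characters used by display layers

# 13-19 digits, optionally grouped by spaces or dashes, not inside a longer run.
_FULL_PAN_RE = re.compile(r"(?<![\d*Xx])\d(?:[ -]?\d){12,18}(?![\d*Xx])")
# Same shape, but digits and mask characters mixed, e.g. 4111-XXXX-XXXX-1111.
_PARTIAL_PAN_RE = re.compile(r"(?<![\d*Xx])[\d*Xx](?:[ -]?[\d*Xx]){12,18}(?![\d*Xx])")
# Expiration date only when preceded by exp / exp. / expires / expiry / expiration.
_EXPIRY_RE = re.compile(
    r"\bexp(?:\.|ir(?:es|y|ation))?\s*(?:date)?\s*[:.]?\s*(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b",
    re.IGNORECASE,
)


def luhn_valid(digits: str) -> bool:
    """Standard mod-10 check; card numbers pass it, most order ids do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Render a card number for display keeping only its last `keep` digits.

    FACTA allows at most the last five digits; four is the common choice.
    """
    if not 1 <= keep <= 5:
        raise ValueError("FACTA permits displaying at most the last five digits")
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_receipt(text: str) -> List[Tuple[str, str]]:
    """Return (finding_type, offending_token) pairs for FACTA problems in `text`."""
    findings: List[Tuple[str, str]] = []
    for m in _FULL_PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("full_pan", m.group(0)))
    for m in _PARTIAL_PAN_RE.finditer(text):
        token = m.group(0)
        first_mask = re.search(f"[{re.escape(MASK_CHARS)}]", token)
        if first_mask is None:
            continue  # all digits: already handled above, or not a card number
        digit_count = sum(ch.isdigit() for ch in token)
        leading_digit = any(ch.isdigit() for ch in token[: first_mask.start()])
        # More than five digits, or any digit before the masked part, exceeds
        # "the last 5 digits" the statute allows.
        if digit_count > 5 or leading_digit:
            findings.append(("partial_pan_excess", token))
    for m in _EXPIRY_RE.finditer(text):
        findings.append(("expiration_date", m.group(0)))
    return findings


def is_facta_compliant(text: str) -> bool:
    return not scan_receipt(text)


# Constructed sample receipts (the card number is a well-known test number).
RECEIPT_FULL = "Order #1234567890123  Card: 4111 1111 1111 1111  Exp: 12/09  Total: $19.99"
RECEIPT_PARTIAL = "Card: 4111-XXXX-XXXX-1111  Expires 12/2009  Date: 8/8/07"
RECEIPT_OK = "Order #1234567890123  Card: " + mask_pan("4111 1111 1111 1111") + "  Date: 8/8/07"

if __name__ == "__main__":
    for label, text in (("full", RECEIPT_FULL), ("partial", RECEIPT_PARTIAL), ("ok", RECEIPT_OK)):
        print(label, scan_receipt(text))
```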

    FACTA Privacy Class Action Lawsuit Developments - Bad News and Good News for Merchants

    This month's post follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance explored in its April 2007 newsletter (What You Don't Know Just Might Hurt You. - April 2007). In bad news for merchants defending these FACTA suits, the U.S. Supreme Court ("USSC") upheld a broad interpretation of "willful violation" of FACTA. However, in good news for merchants, citing potential bankruptcy-inducing damages ranging from $340 million to $3.4 billion, a U.S. District Court in California refused to certify a 3.4 million person class alleging FACTA violations.

    FACTA Summary

    As discussed in April, a rash of over 100 class action lawsuits has been filed alleging violation of the Fair and Accurate Transaction Act of 2003 ("FACTA"), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card's expiration date on the receipt. A single willful violation of FACTA could result in damages ranging from $100 to $1,000 (FACTA is incorporated into and part of the Fair Credit Reporting Act ["FCRA"]), without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

    Perhaps the key issue to date for these cases is the meaning of "willful violation." In two separate FCRA cases in a different context (Geico v. Edo and Safeco Ins. v. Burr), the U.S. Court of Appeals for the Ninth Circuit ruled as follows:

    In sum, if a company knowingly and intentionally performs an act that violates FCRA, either knowing that the action violates the rights of consumers or in reckless disregard of those rights, the company will be liable under 15 U.S.C. § 1681n for willfully violating consumers' rights.

    Both of these Ninth Circuit cases were appealed to the USSC, which was asked to rule on whether the Ninth Circuit's interpretation of "willful violation" was valid. The general consensus among commentators was that the Ninth Circuit's interpretation would make it less difficult to collect statutory damages for FACTA credit card receipt violations, and that a narrow interpretation had the potential to cripple these FACTA class action suits for plaintiffs.

    U.S. Supreme Court's Ruling on "Willful Violations" Under FACTA

    In Geico and Safeco, the class plaintiffs alleged that the insurance company defendants violated the FCRA by failing to provide notice of insurance policy changes based on the plaintiffs' credit scores. The plaintiffs argued that "willful violation" included not only "knowing" violations of FCRA, but also reckless disregard of FCRA statutory duties. Turning to precedent interpreting similar language in other statutes and under common law, the USSC ruled against the insurance companies and concluded that the Ninth Circuit's ruling was correct: one can "willfully violate" FCRA by knowingly violating the statute or acting in reckless disregard of the FCRA obligations.

    In short, the USSC adopted a more lenient standard of proof for plaintiffs to establish willful violation of FCRA obligations. Plaintiffs will still face obstacles in proving reckless disregard. However, a merchant's claim that it did not know of the FACTA requirements may not serve as a complete bar; plaintiffs will likely be able to present evidence concerning the merchant's efforts to discover its FACTA obligations and whether or not the merchant should have known about the FACTA credit card requirements.

    FACTA Class Action Certification Denied

    In good news for merchants, in May 2007 the U.S. District Court for the Central District of California rejected a motion to certify a class action in Spikings v. Cost Plus, Inc. The Court focused on whether a class action would be superior to other methods of adjudication as required under Rule 23(b)(3) of the Federal Rules of Civil Procedure. The Court cited other cases ruling that Rule 23(b)(3)'s "superiority requirement" was not met where the defendant's liability "would be enormous and completely out of proportion to any harm suffered by the plaintiff." It also listed other cases that generally denied class certification, including an FCRA case, where the damages would be "absurd" relative to harm suffered.

    In this case, the Court noted that if the class was certified the potential statutory penalties ranged from $340 million to $3.4 billion (based on a penalty ranging from $100 to $1000 per violation for 3.4 million class members), despite the fact that the lead plaintiff testified that it did not suffer any actual damages. The court noted that the entire Cost Plus organization was worth approximately $316 million and that a judgment on a class action in this case for even the minimum fine would bankrupt it. The Court further noted that Cost Plus began truncating its credit card receipts as soon as it became aware of the technical violation of FACTA, and that it was possible for the class plaintiffs to file individual suits to recover damages. Finally, the court noted that certifying the class opened the potential for abuse by plaintiffs' attorneys in the form of solicitation of unnecessary litigation. Based on the foregoing, the Court denied the plaintiffs' motion for class certification.

    Conclusion

    While the USSC's decision concerning "willful violation" of FACTA may be disappointing for merchants under suit, if the Spikings decision survives appeal the "teeth" associated with these lawsuits may have been extracted. The same logic that applied in the Cost Plus matter could apply to other retailers that face insolvency if they lose a class action suit. It's hard to imagine courts desiring to put some of the top U.S. retail brands out of business when no actual harm has been shown to have occurred. Paradoxically, the reason that these suits are being filed in the first place (the large number of plaintiffs and the potential for a large pay-off for plaintiffs' attorneys through class action) is the same reason they may ultimately be unsuccessful. If plaintiffs' lawyers cannot proceed using the class action mechanism it will not likely be cost effective to pursue individual cases.

    Nonetheless, it is premature to come to any firm conclusions on the reasoning set forth in the Spikings decision since it will likely be appealed and there also may be other district courts across the country that could rule differently. If Spikings is overruled, the USSC's decision may provide plaintiffs' counsel with significant arguments and settlement leverage. At the bare minimum, until some of these issues are resolved by higher courts, merchant-defendants will have to incur significant legal fees to fight these matters.

    InfoSecCompliance will keep you updated concerning any other material developments in this matter.

    Minnesota's "Plastic Card Security Act"

    A Direct Path to Merchant Liability for Payment Card Security Breaches

    As reported in ISC's March 2007 Newsletter, states like Massachusetts and a handful of others (five in total, including: MA, IL, CT, TX and MN) are considering bills that provide financial institutions (e.g. banks and credit unions) with the ability to sue organizations that expose payment card data due to a security breach ("Payment Card Breach Laws"). These proposed Payment Card Breach Laws provide banks with the right to reimbursement from merchants for costs associated with payment card security breaches, including for the cost to reissue credit cards (allegedly $20 - $50 per card). In short, under Payment Card Breach Laws, when a merchant suffers a breach it could be liable for thousands or even millions of dollars. Taking an extreme example, in the TJX matter, 45 million cards were allegedly exposed - the cost to reissue assuming $20 per card is $900 million. For smaller or medium companies that lose thousands or tens of thousands of card numbers, the impact could jeopardize their solvency.

    On May 21, 2007, Minnesota became the first State to pass such a law -- Minnesota's Plastic Card Security Act (H.F. 1758 -- the "Act") is a landmark statute that may radically increase the risk of liability and alter the security practices of retailers and service providers handling payment card data. In this issue, ISC summarizes the Act and outlines some of the issues and challenges arising out of it.

    1. The Plastic Card Security Act

    Subdivisions 1 and 2 of the Act, which prohibit the retention of certain payment card data for more than forty-eight (48) hours, first take effect on August 1, 2007. Subdivisions 3 and 4 of the law, which provide the right to reimbursement and allow financial institutions to file lawsuits to recover costs associated with a payment card security breach, do not apply until August 1, 2008, and only apply to security breaches occurring after that date.

    A. "The 48-hour Rule" -- Payment Card Retention Limitations (Subdivisions 1 and 2)

    Subdivisions 1 and 2 of the Act attempt to address the problem of payment card security breaches by prohibiting companies that accept payment cards from retaining card security code data, PIN verification code numbers or the full contents of any track of magnetic stripe data ("Sensitive Authentication Data"), subsequent to forty-eight (48) hours after authorization of a transaction. Stated more simply, to comply with the Act, companies accepting payment cards must destroy or delete Sensitive Authentication Data within 48 hours of authorizing a transaction with such data (the "48-hour rule").

    This Act also applies to entities using service providers that store, process or transmit payment card data - a merchant that provides Sensitive Authentication Data to a service provider will be in violation of the Act if its service provider does not comply with the 48-hour rule.

    Coincidentally (or perhaps not so coincidentally), the Payment Card Industry Data Security Standard, v. 1.1 ("PCI Standard") also references and has rules surrounding Sensitive Authentication Data. Section 3.2 of the PCI Standard (as well as the Preface) prohibits the storage of Sensitive Authentication Data subsequent to authorization (even if encrypted). Unlike the Act, the PCI Standard does not specify a timeframe during which the merchant may retain Sensitive Authentication Data - by its silence, the PCI Standard arguably appears to require the destruction or deletion of Sensitive Authentication Data "immediately" after authorization. Therefore, as discussed below, PCI compliance (where there has been a tight interpretation of the section 3.2 requirements) may effectively act as a "quasi-safe harbor" from liability under the Act.

    B. Financial Institution's Right to Reimbursement

    The Act uses violation of the 48-hour rule as the trigger for financial institutions to recover when there is a security breach exposing payment card data. Subdivision 3 provides that when an entity that has violated the 48-hour rule suffers a security breach (or its service provider suffers a breach), any financial institution that issued payment cards affected by such breach is entitled to reimbursement of the costs of "reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders."

    Stated more simply, merchants holding Sensitive Authentication Data for more than 48 hours that suffer a security breach must reimburse "issuing banks" reasonable costs to protect cardholder information and continue servicing cardholders. Such costs could include (but are not limited to) costs in connection with:

    1. cancellation or reissuance of payment cards affected by the breach;
    2. closure of accounts affected by the breach;
    3. opening or reopening of accounts affected by the breach;
    4. refunds or credits to cardholders to cover the costs of unauthorized transactions; and
    5. notification of cardholders affected by the breach.

    In addition, such financial institutions are entitled to recover costs for damages paid by them to cardholders injured by the breach (e.g. essentially an indemnification right in the event the financial institution is sued or settles with a cardholder).

    Subdivision 4 of the Act (Remedies) provides financial institutions with a private right of action under section 8.31 subdivision 3a of Minnesota's laws (basically a consumer protection statute). In addition to a right to bring a suit to recover damages and equitable relief, subdivision 3a provides the financial institution with the right to seek costs of investigation and attorney fees. The Act states that the financial institution's private right of action is in the public interest and indicates that the remedies are cumulative and do not restrict any other rights or remedies available.

    2. Analysis

    This law presents some very interesting issues and challenges for companies accepting payment cards.

    A. Direct Path to Liability -- Low Harm Threshold - "Costs of Reasonable Actions"

    Where the worlds of data security and the law meet, to date and despite many lawsuits, there have been very few instances of courts finding legal liability for security breaches. In fact, issuing banks have previously tried to sue retailers for payment card data breaches, but the courts presiding over those cases rejected the banks' third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss). In short, there was no legal theory that clearly provided a right for issuing banks to recover - that hurdle has been jumped by the passage of the Act.

    Now issuing banks have specific statutory rights to reimbursement and indemnity, as well as a private right of action to enforce those rights. The only requirements are as follows: (1) the entity is in violation of the 48-hour rule; (2) it suffers a breach of personal information affecting payment cards; and (3) the issuing financial institution incurs costs of reasonable actions to protect or continue servicing cardholders. There is no requirement that the merchant have acted intentionally, willfully, recklessly or negligently. In fact, it does not appear that the financial institution even has to establish that Sensitive Authentication Data was exposed.

    As far as reimbursable costs are concerned, the issuing financial institution need not establish that the costs it incurs are necessary, just that the costs arise out of "reasonable" actions. The issuing financial institutions are not explicitly required to show that they will suffer harm or fraud if they do not take the actions (although this would factor into what constitutes "reasonable actions"). Their actions can be completely precautionary in nature so long as they are reasonable. In addition, there is a high likelihood that a court would view the list of examples provided in the statute as representing examples of "reasonable actions" and perhaps a minimum list of what financial institutions are entitled to reimbursement for. With the costs to reissue cards allegedly ranging from $20-50 per card, the costs of reissuance alone could be substantial (e.g. banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of payment cards based on the TJX breach).

    B. Nationwide Applicability -- Scope Beyond Minnesota?

    Does the Minnesota law have nationwide applicability? The answer is "maybe" for persons or entities doing business in Minnesota and elsewhere in the United States. Unlike Minnesota's consumer-oriented breach notice law, which requires notice to Minnesota residents whose personal information may have been acquired by an unauthorized person (See H.F. 2121), the Act is not limited to Minnesota residents. Rather, it applies to "persons or entit[ies] conducting business in Minnesota" and unauthorized acquisition of computerized personal information (regardless of the residency associated with that information). Therefore, by the plain words of the statute, it may be possible that a company simply doing business in Minnesota, which suffers a breach in California, could trigger duties under the Act. Of course there may be jurisdictional issues that preclude suit in Minnesota or application of Minnesota law, but the issue is complex and far from clear.

    C. Service Provider Liability

    Unfortunately for merchants that use service providers to handle payment card data, the Act still applies if their service provider suffers a breach. What this means for practical purposes is that merchants must ensure that their service providers have processes in place to comply with the 48-hour retention rule. This may be problematic: if the service provider does not have those processes in place it may charge merchants to comply. Moreover, despite the August 1, 2007 start date for the Act, it may take some time to modify systems and processes to achieve compliance.

    Finally, the Act will require merchants to add new contractual duties to their service provider contracts that mandate compliance with the Act and, most importantly, provide for indemnification. Significantly, the Act makes the merchant responsible for the breach, and does not provide a direct route for banks to go after service providers unless they are "accepting an access device [payment card] in connection with a transaction." Merchants will have to add indemnification language to shift the risk of loss for breaches that are the service provider's fault. For existing relationships, merchants may have to reopen contract negotiations.

    D. Personal Information Requirement

    One potential limitation of the Act is the definition of "personal information." The Act is triggered only when personal information is acquired by an unauthorized person. In this context, personal information includes an individual's first (or first initial) and last name, in combination with account number or credit or debit card numbers, in combination with any required security code, access code or password that would permit access to an individual's financial account. Therefore, if a breach occurs that only exposes payment card data, but does not expose the combination of data listed in the definition of "personal information," the Act may not apply. It is unclear whether companies can segregate this data to avoid the combination that triggers the Act - merchants should confer with their internal or external security professionals to further explore this and other risk-reducing measures.

    E. No Encryption "Safe Harbor"

    Unlike Minnesota's breach notice law applying to consumers (see H.F. 2121), which only applies to breaches of "unencrypted" personal information, the Act does not provide an "encryption" safe harbor. In other words, the Act applies even if Sensitive Authentication Data stored for more than 48 hours is encrypted. It appears that the drafters have decided that the only way to avoid applicability of the law is to destroy or erase Sensitive Authentication Data. Significantly, section 3.2 of the PCI Standard also discounts encryption of this data.

    F. Relationship to the PCI Standard - PCI "Quasi-Safe Harbor?"

    Is compliance with the Act impacted in any way if a merchant or service provider is compliant with the PCI Standard? Strict compliance with the PCI Standard may effectively create a quasi safe-harbor to avoid liability under the Act. Both the Act and the PCI Standard prohibit the retention of Sensitive Authentication Data; however, the Act allows retention of such data for 48 hours, while section 3.2 of the PCI Standard prohibits storage of such data completely after authorization (some qualified security assessors have said that VISA's time limit is 24 hours - however this is not explicitly stated anywhere). Therefore, if an entity is compliant with the PCI Standard, so long as section 3.2 of the PCI Standard has been strictly interpreted and followed (e.g. immediate deletion or destruction), it should also be in compliance with the Act's 48-hour retention rule.

    The problem, of course, is that some entities (or their qualified security assessors) may have interpreted section 3.2 more loosely, potentially allowing Sensitive Authentication Data to be retained beyond 48 hours. Therefore, entities that are PCI compliant should not automatically conclude that they are compliant with the Act. They should check with their internal or external security assessors to determine how long Sensitive Authentication Data is stored and how strictly they interpret section 3.2. Moreover, for future PCI security assessments, entities should at least consider imposing a 48-hour retention limit on Sensitive Authentication Data if they want to be aligned with the Act.

    3. Conclusion

    The Plastic Card Security Act and similar Payment Card Breach laws are likely to significantly impact the data security risks and liability associated with handling payment card data. For one of the first times in U.S. history, a direct liability path exists for a large segment of U.S. businesses that suffer security breaches involving payment card data. The true impact will not be known until these laws are used, but, especially for small or medium companies heavily reliant on payment card transactions, a careful examination of security practices and service provider contracts is recommended to achieve compliance with the Act. In addition, for those merchants that have not yet complied with the PCI Standard, now is the time to get serious.

    As with many data security-related laws and regimes, compliance and risk management are a multi-disciplinary exercise. Entities should retain an attorney to assist with interpreting the Act and modifying service provider contracts to align with the Act's 48-hour rule. Security professionals should be asked to assist with achieving the data retention requirements, as well as working toward PCI compliance (and strict compliance with section 3.2). Finally, this is an area where information security and privacy liability insurance has clear and direct value. Companies should look at their current policies to determine whether coverage exists, and should consider security and privacy policies available in the market that are directly geared toward covering such liability. Taking these steps will provide a solid foundation to begin addressing the risk associated with the Act and other Payment Card Breach Laws that get passed.

    What You Don't Know Just Might Hurt You.

    "As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."

    --Donald Rumsfeld, Feb. 12, 2002

    Regardless of what one thinks of Donald Rumsfeld's tenure as Secretary of Defense, these words hold a pearl of wisdom that applies to organizations struggling to comply with privacy and security laws. One of the major difficulties for modern organizations working with private personal information is simply knowing what privacy and security laws apply to their operations. This problem is exacerbated by the fact that, even for smaller- and medium-sized organizations, modern commerce often involves transacting with consumers in multiple legal jurisdictions (e.g. local, State, Federal and international). In short, since privacy and security laws from several jurisdictions may apply, it is highly likely that a lot of "unknown unknowns" exist, which can cause adverse impacts. This month's newsletter explores an instance where unknown unknowns may have come into play in the privacy context, and how organizations can begin to address the problem.

    Too Much Information?

    FACTA Credit Card Receipt Class Action Suits a Cause for Serious Concern.

    In what appears to be a classic case of "unknown unknowns," a rash of over 100 class action lawsuits has been filed in California alleging violation of the Fair and Accurate Transaction Act of 2003 ("FACTA"). 15 U.S.C. § 1681c(g) of FACTA limits the information that can be printed on an electronically printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card's expiration date on the receipt. Organizations were provided with a three-year grace period to comply with this Federal law (December 4, 2006 was the first date that compliance was required).
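    The receipt rule described above, expressed in code as an added example (this is not code from the newsletter or from any of the companies it names): a masking routine for the printed card line, which keeps only the last five digits and drops the expiration date the terminal returns, and a scanner that audits receipt text for the two conditions the statute names. The sample receipts, the regular expressions and the digit threshold are this example's own assumptions, written for a plain-text receipt layout.

```python
"""FACTA receipt truncation: mask the card line and audit printed receipts.

Added example, not from the original newsletter. Assumes receipts are
plain-text lines; the sample receipts below are constructed for the demo.
"""
import re
from typing import List

# 15 U.S.C. 1681c(g): no more than the last five digits of the account
# number may be printed, and the expiration date may not be printed at all.
MAX_PAN_DIGITS_SHOWN = 5

# A run of 12+ digit-like characters (digits or mask characters), allowing
# single spaces or dashes between groups. Anything this long is treated as a
# candidate card field and counted; long order numbers will also be flagged,
# which is acceptable for an audit tool that a human reviews.
CARD_FIELD = re.compile(r"(?<!\w)[\d*#xX](?:[ -]?[\d*#xX]){11,}(?!\w)")

# MM/YY, MM/YYYY, MM-YY or MM-YYYY standing alone. The lookbehind/lookahead
# keep a full transaction date such as 03/14/2007 from matching as an expiry.
EXPIRY_FIELD = re.compile(r"(?<![\d/-])(?:0[1-9]|1[0-2])[/-](?:\d{4}|\d{2})(?![\d/-])")


def mask_pan(pan: str) -> str:
    """Return the account number with all but the last five digits masked.

    Separators in the input (spaces, dashes) are dropped so the output is a
    single token; raises on inputs too short to be a card number.
    """
    digits = [c for c in pan if c.isdigit()]
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    hidden = len(digits) - MAX_PAN_DIGITS_SHOWN
    return "*" * hidden + "".join(digits[-MAX_PAN_DIGITS_SHOWN:])


def card_line(brand: str, pan: str, expiry: str = None) -> str:
    """Build the card line of a receipt.

    The terminal typically hands back the expiration date alongside the PAN;
    the print layer must not emit it, so the parameter is accepted and ignored
    on purpose rather than left for a caller to format in.
    """
    return f"{brand} {mask_pan(pan)}"


def audit_receipt(text: str) -> List[str]:
    """Scan receipt text for FACTA problems; an empty list means none found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CARD_FIELD.finditer(line):
            shown = sum(c.isdigit() for c in match.group())
            if shown > MAX_PAN_DIGITS_SHOWN:
                findings.append(
                    f"line {lineno}: {shown} digits of account number printed "
                    f"(max {MAX_PAN_DIGITS_SHOWN})"
                )
        if EXPIRY_FIELD.search(line):
            findings.append(f"line {lineno}: expiration date printed")
    return findings


# Constructed sample receipts (test PAN 4111 1111 1111 1111, fictional store).
NONCOMPLIANT_RECEIPT = """\
ACME MART  03/14/2007 10:45
VISA 4111 1111 1111 1111 EXP 12/09
AUTH 012345
TOTAL $42.17
"""

COMPLIANT_RECEIPT = """\
ACME MART  03/14/2007 10:45
VISA ***********11111
AUTH 012345
TOTAL $42.17
"""

if __name__ == "__main__":
    print(card_line("VISA", "4111 1111 1111 1111", "12/09"))
    for name, receipt in (("before", NONCOMPLIANT_RECEIPT), ("after", COMPLIANT_RECEIPT)):
        print(name, audit_receipt(receipt) or "no findings")
```

    The scanner deliberately counts digits rather than matching whole card numbers, so a "first six, last four" layout is caught as well as an unmasked number; both print more than five digits.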

    A single willful violation of FACTA (which is incorporated into and part of the Fair Credit Reporting Act ["FCRA"]) could result in damages ranging from $100 to $1,000. Plaintiffs are also entitled to actual damages if they can prove a negligent violation of the FACTA. With companies processing millions of credit card transactions each year the damage potential for these lawsuits is staggering.

    These class action suits have been filed against companies such as: Urban Outfitters; IKEA; Chanel Inc.; Toys-R-Us Delaware Inc.; Oakley, Inc.; Rite Aid Corp.; Costco Wholesale Inc.; The Walt Disney Parks and Resorts; California Pizza Kitchen Inc.; El Pollo Loco; Levy Restaurants; United Artists Theatre Circuit Inc.; FedEx Kinkos Office and Print Services Inc.; Valero Energy Corp.; and Avis Rent-A-Car Systems Inc. Lawsuits are also spreading outside of California - two lawsuits were filed on March 14, 2007 in the Western District of Pennsylvania.

    Thus far, many of the cases have survived motions to dismiss. Defendants have argued that dismissal is warranted because, while section 1681c(g) of FACTA applies to "cardholders," private rights of action are only available to "consumers" under section 1681n of FCRA. This argument was rejected by California courts when raised by Oakley, Inc. and IKEA.

    The success of these cases could ultimately hinge on the meaning of "willfully fails to comply" under section 1681n of FCRA. Two 9th Circuit cases (the Federal Appellate Court for California and other western States) have ruled on the meaning of "willfully." In Geico v. Edo, the court alluded to a "recklessness" standard:

    In sum, if a company knowingly and intentionally performs an act that violates FCRA, either knowing that the action violates the rights of consumers or in reckless disregard of those rights, the company will be liable under 15 U.S.C. § 1681n for willfully violating consumers' rights. A company will not have acted in reckless disregard of a consumers' rights if it has diligently and in good faith attempted to fulfill its statutory obligations and to determine the correct legal meaning of the statute and has thereby come to a tenable, albeit erroneous, interpretation of the statute. In contrast, neither a deliberate failure to determine the extent of its obligations nor reliance on creative lawyering that provides indefensible answers will ordinarily be sufficient to avoid a conclusion that a company acted with willful disregard of FCRA's requirement. Reliance on such implausible interpretations may constitute reckless disregard for the law and therefore amount to a willful violation of the law (emphasis added).

    This interpretation differs from interpretations in other Federal Appellate Districts, and this issue has now been argued before the U.S. Supreme Court (additional Supreme Court briefs and other information can be found here). If the Supreme Court disagrees with the 9th Circuit's (and the 3rd Circuit's) interpretation of "willfully," then these class actions may be difficult for plaintiffs to win (it is doubtful that plaintiffs will be able to establish actual damages to recover for "negligent" failure to comply with FCRA).

    Many corporate defendants reported that they were "surprised" by the FACTA credit card receipt requirements despite the three-year grace period to achieve compliance. That seems like a plausible explanation considering that most rational companies, had they known of this requirement, would most likely have chosen to limit the information on their credit card receipts rather than face a potential fine of up to $1000 per violation and expensive attorney fees to defend class action lawsuits. Nonetheless, these companies are now experiencing the risks and expense associated with unknown privacy laws.

    What should companies do to address "unknown unknowns" when it comes to privacy laws?

    Organizations are not omniscient - they cannot possibly know all things at all times in all places. However, they can take action to minimize their risk from unknown privacy and security laws, including: (1) designing their privacy programs consistent with Fair Information Practice Principles; (2) acquiring resources to stay on top of privacy and security regulations and case law; and (3) insuring against the unknown.

    Fair Information Practice Principles. While the legal requirement to limit credit card receipt data may not be intuitive to all companies, there are certain general activities that rational actors know could get them into trouble when it comes to handling customer information. For example, selling or collecting personal information without notice or consent can obviously be problematic, and as a result there are laws that address those general categories of privacy violations. Addressing general privacy activities and principles can decrease risk even if specific regulatory requirements are unknown.

    In fact many, if not most, privacy and security-related laws reflect the principles and framework set forth in the Fair Information Practice Principles ("FIPP"). FIPP includes: notice/awareness, choice/consent, access/participation, security/integrity and enforcement/redress. If FIPP is the goal and the organization strives to meet that goal with due diligence, that organization will likely have reduced its regulatory privacy risks (relative to organizations that do not consider FIPP).

    The problem, of course, is that FIPP does not address every single detail of every privacy law. Some organizations that follow FIPP may have missed the specific requirements of FACTA or may not be aware of the specific notices (and fines) required under the CAN-SPAM Act, HIPAA, GLB and other more obscure laws. These class action lawsuits demonstrate how compliance with FIPP can help. Those companies diligently concerned about the security/integrity prong of FIPP, even without knowledge of FACTA's specific legal requirement, may have made an independent determination that truncating credit card numbers on receipts is a good practice to secure credit card information from identity theft. In fact, some organizations likely adopted this practice prior to the FACTA law as the result of due diligence with general privacy principles.

    Due Diligence Investigation. Legal violations arising out of privacy or security incidents increasingly threaten organizations in terms of reputation damage, legal fees and damage awards. In fact, more and more companies are dedicating specific resources toward addressing privacy and security legal compliance. The first step is establishing accountability within the organization by creating a manager solely responsible for privacy compliance (a C-level executive with direct reporting to the CEO is the best case), and providing him or her with a budget. The lead privacy compliance officer should hire or work with attorneys to develop a formal process for inventorying the personal information the company handles, tracking the flow of that information across jurisdictions from collection to storage/disposal and determining the laws that apply to the organization.

    Companies should attempt to address the lowest-hanging fruit first. In certain industries, such as finance and healthcare, comprehensive privacy laws exist such as GLB and HIPAA. If the personal information of European or Canadian companies is at issue, the national privacy law of those countries should be considered.

    Determining the applicability of privacy and security laws requires a continuous effort that considers changes in both the organization's internal privacy practices and the law. Those responsible for privacy compliance should engage in frequent and comprehensive communications with business managers whose units collect and handle personal information. Companies should track laws and legislation, and subscribe to privacy and security reporters and websites (feel free to contact me for a list of sources). A person who can make the link between organizational practices and changes in privacy laws, and understand how those practices and laws might impact the organization, should be dedicated to tracking internal practices and privacy laws.

    Privacy and Security Liability Insurance - Risk Transfer. Insurance is a very important tool for managing the "unknown unknowns." For companies that operate across multiple jurisdictions, it is virtually impossible to know every law and how every part of an organization is reacting or failing to react to that law. This means that residual risk exists that must either be tolerated by the organization or transferred to a third party.

    Privacy and security liability insurance is an excellent tool for decreasing a company's risk load under these circumstances. While the uncertainty inherent in complying with every security or privacy law still exists for insurers, insurers can spread their risk across thousands of organizations. Moreover, even if aggregated events occur, as long as the insurer has a good financial rating, they should be able to absorb the loss. Even insurance companies without the highest financial ratings are typically reinsured by large reinsurers who are able to weather adverse situations.

    The ability of insurers to underwrite privacy and security liability risks in a world where such risks are sometimes "unknown" addresses the main problem of modern organizations. Instead of expending huge amounts of resources to achieve an unattainable level of "perfect security," or researching, discovering and analyzing every possible privacy law that applies to them, insurers can take the risk and help their insureds avoid those expenses.

    That is not to say that insurers will insure companies with bad privacy practices or poor information security. To be insurable, at a minimum, "reasonable" security and privacy practices must be present (and what is reasonable can vary from insurer to insurer). Nonetheless, most companies that can establish "due diligence," and have practices and policies adhering to FIPP and generally accepted security standards such as ISO 17799, will likely be insurable.

    There are two key challenges for companies that want to use insurance as a risk management tool in this context. First is implementing security and privacy practices that meet a level of reasonableness at the lowest price. As long as insurance is available, spending more to achieve "more than reasonable" privacy/security may not be cost-effective. Moreover, large security and privacy overhauls can be disruptive to business. The risk avoided by implementing costly controls can be transferred for the price of an insurance policy which typically costs less than the controls.

    Second, and perhaps most important for an organization that wants to manage risk through insurance, is ensuring that the privacy and security insurance policy it chooses actually covers the risks the organization desires to transfer. If it does not, the organization will be left handling the costs of that risk on its own. It takes a concerted effort by risk managers and key business stakeholders to understand not only the potential risks, but also how they might impact the organization if the risk is realized.

    On the other side of the equation, since the current crop of security and privacy policies vary in their approach and coverage scope, it is not always easy to get a clear picture of what is covered. Organizations should make sure they have good brokers or insurance consultants who understand the specific risks of their company and the insurance products available to cover such risks. In all, if some time and effort is taken to understand the range of security and privacy insurance options, insurance can be a very cost-effective and efficient tool for dealing with "unknown unknowns."

    Conclusion

    While the risks and problems associated with unknown privacy or security regulations may never be fully solved, the awareness of organizations and the skill and talent available to address the problem are probably at their highest. Companies simply need to acknowledge the fact that unknown unknowns exist in the privacy world, and dedicate time and resources toward at least converting them into "known unknowns." Even unaddressed privacy laws are better than unknown laws because at least the organization is aware of some risk and presumably has factored it into their overall risk management scheme. Organizations that are serious about understanding the full scope of their risk need to engage in a due diligence investigation, and need to at least try to adhere to common industry privacy practices and security standards. Companies should also seriously consider transferring their residual risk rather than engaging in potentially never-ending and expensive attempts to "eliminate" their risk. When these steps are taken, organizations can decrease the risk and loss associated with unknown security and privacy laws.

    Proposed Massachusetts Security Breach Notice Law Creates Additional Liability for Companies Accepting Credit Cards.

    For companies that store or process credit card data, the legal landscape may be getting a little more risky.

    Similar to breach notice laws passed in thirty-five other States, a proposed Massachusetts bill (H. 213) requires notice to residents of the State if, as the result of a breach of system security, "misuse of information about a Massachusetts resident has occurred or is reasonably likely to occur." The bill also requires entities that do not own or license personal information (which appears to include service providers working on behalf of the company that originally collected the information) to report to the owner or licensee of the personal information.

    However, the bill goes a step further and requires organizations to reimburse banks for banks' "reasonable actions" in response to a data security breach where notice is required. Reimbursable costs include:

    1. the cancellation or reissuance of any credit card issued by any bank or access device;
    2. the closure of any deposit, transaction, share draft or other account and any action to stop payments or block transactions with respect to any such account;
    3. the opening or reopening of any deposit, transaction, share draft, or other account for any customer of the bank; and
    4. any refund or credit made to any customer of the bank as a result of unauthorized transactions.

    This new remedy may be related to recent unsuccessful lawsuits by banks seeking to recover the costs of reissuing credit cards exposed as the result of a security breach.

    In 2005 B.J. Wholesalers suffered a security breach and was sued by several "issuing banks" to recover the costs of reissuing credit cards (B.J. Wholesalers faced suits by four banks alleging millions of dollars in losses). However, the courts presiding over those cases rejected the banks' third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss).

    More recently, TJX Companies (holding company of such retailers as TJ Maxx, Homegoods and Marshalls, and headquartered in Massachusetts) was sued by Alabama-based AmeriFirstBank Inc. in the wake of a security breach. AmeriFirstBank alleges that it costs the bank approximately $20 to reissue a single card. News reports indicate that the breach may have exposed more than 40 million credit cards and that approximately 60 banks have been notified of potential exposure. Some of these banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of credit cards based on the TJX breach.

    This Massachusetts bill may not be an isolated event -- other States and the Federal government are reportedly considering similar legislation, according to this credit union source.

    What might this mean in terms of managing information security risk?

    For companies handling credit card information it means a fairly direct path to legal liability if a breach exposes credit card information. The legislation is not limited to a narrow definition of retailer, but applies to "commercial entities" (broadly defined). Assuming damages of $20 for each card reissued, if a breach involves several thousand or millions of cards, the potential damages could be staggering. For smaller organizations a potential security breach could result in bankruptcy. For larger retailers with millions of credit cards stored, it could result in tens of millions of dollars in damages.

    Moreover, the standard of proof for banks is arguably not very high. First, there must have been a security breach that resulted in the misuse of information about a Massachusetts resident, or such misuse must be reasonably likely to occur. Second, the bank's actions must have been "reasonable actions," which include the broad actions listed above. Therefore, a decision to report arguably guarantees that the organization will have to reimburse some bank costs. Ironically, since consumers do not have a direct remedy in the statute, the law may produce a strong incentive to avoid reporting to consumers if there is uncertainty as to whether misuse has occurred.

    What should companies do if a law like this is passed?

    From a risk management perspective, organizations should conduct a risk analysis to determine how much credit card information they are handling, and whether it is subject to being stolen in large quantities. Since the potential liability for a breach could be enormous, the justification for enhanced security should be present. Regardless, companies handling credit card data should work hard toward at least achieving PCI compliance. Since companies may be liable if their service provider suffers a breach, they should work to assess the controls of those service providers (or only work with those that are certified as PCI compliant).

    In addition, the existence of a law like this creates a very strong argument for insurance to transfer the risk of loss. Risk managers should check their insurance policies to determine if any coverage exists under their current forms, and should consider the purchase of information security and privacy policies. Some policies now provide coverage for liability arising out of a security breach and with respect to the costs of providing notice of a security breach.

    From a legal perspective, it appears that legal liability could arise out of a breach related to a third party service provider. Therefore, attorneys for companies collecting credit card information and passing it on to service providers for processing must make sure that there are contractual duties to maintain adequate security, report security breaches and potentially indemnify for losses (in fact the PCI Standard actually requires the development of contract terms that mandate compliance with the PCI Standard). In addition, attorneys need to be versed in the details of such laws so they can provide good counseling when a suspected security incident occurs.

    Conclusion.

    It is very interesting that the liability potential for security breaches is now being pushed from the commercial side (while being pushed more slowly from the consumer side). If a bill such as H. 213 is passed it has the potential to radically change the information security risk management dynamic for companies handling credit cards. There will be strong interests on both sides (banks versus retailers) that will push for and against a scheme like this, so it is unlikely that it will be passed in its current form. Nonetheless, it will be very interesting to see if and how these laws develop further, and it is important for risk managers to pay close attention to the progress of bills of this type.