Celebrating Data Privacy from A to Z

In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy.  Would love to see your contributions, too!

A is for the Advanced Encryption Standard or AES, approved by NIST.  Are you encrypting transmissions of sensitive data and portable storage devices?  See more below.

B is for Breach Notification Laws, including the 45 state laws, District of Columbia, Puerto Rico, Virgin Islands, HITECH Act, and international regulations.  (Also Behavioral Advertising.)

C is for . . . what to Choose? -- Contracts? Cloud Computing?  How about California, the first state to enact a breach notification law, California Civil Code sections 1798.29, 1798.82 et seq. (SB 1386), and the first state Office of Privacy Protection

D is for Data Protection Authorities in the European Union

E is for the EU Data Protection Directive.  Oh, and Encryption, of course.  See above and below.

F is for Financial Institutions, regulated by (wait for it . . . after the jump . . .)


G is for the Gramm-Leach-Bliley Act and the new model privacy notice form

H is for HIPAA and the HITECH Act, which impose privacy and data security obligations on health care providers and their business associates

I is for the International Association of Privacy Professionals, IAPP

J is for John and Jane Doe, anonymity - is there any such thing?

K is for Kearney v. Salomon Smith Barney Inc, California Supreme Court (2006), requiring two-party consent for recording or eavesdropping on telephone conversations, even if only one of the participants is in a two-party consent state

L is for Legislation -- will there be a federal breach notification law in 2010 (other than HITECH) that will preempt the state data breach notification laws?

M is for Massachusetts and its new data security regulations, 201 CMR 17.00 et seq., effective March 1, 2010

N is for Nevada and its new encryption law, SB 227, effective January 1, 2010

O is for Outsourcing, and the need for due diligence and contractual provisions to safeguard personally identifiable information (and other kinds of sensitive information) shared with third parties.  See, e.g., Massachusetts 201 CMR 17.00 et seq. and California Civil Code section 1798.81.5.  Oh yes, and don't forget the Cloud in this context - are you putting data in the cloud?  Have you done your due diligence?

P is for Personally Identifiable Information or PII -- what IS it anyway?  Depends where you live.

Q is for Questions, Q & A, and the Q in FAQ:  ASK QUESTIONS early and often about how your organization will use personal information of customers and/or employees in its business operations.

R is for Radio Frequency Identification or RFID and locational privacy issues - should organizations be able to use RFID to track customers/products?

S is for SO many things -- Social Networking, Social Security numbers, Surveillance, Spam, . . .

T is for Telemarketing, Text Messages, and the TCPA -- do you have opt-in for your mobile marketing campaigns?

U is for the UK ICO, which will order companies to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act

V is for the Video Privacy Protection Act or VPPA, the basis for a recent privacy class action filed against Netflix in the Northern District of California

W is for Website Privacy Policies, required under California law for any website that collects information from California residents, Cal. Bus & Prof. Code section 22575 et seq.  When was the last time you updated yours?  Is it accurate?

X is for XXXXX -- Redact the information!

Y is for Yes, You can implement a successful data protection program in Your organization

Z is for Zango, the adware distributor that settled FTC charges that it used unfair and deceptive methods (FTC Act Section 5)  to download adware and block consumer efforts to remove it

Happy Data Privacy Day!


Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer’s payment card data breach. The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ’s Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.

Relevant Facts

The Supreme Court Decision arises out of a payment card breach of BJ’s Wholesale Club, Inc. (“BJs”) involving approximately 9.2 million payment cards and millions of dollars in fraud. The plaintiffs in this case are credit unions and their insurer who incurred costs to reissue the payment cards that were impacted by the breach (as well as costs for fraudulent charges that arose out of the breach). The plaintiffs allege that thieves were able to compromise BJs’ systems because BJs and their acquiring bank (Fifth Third Bank) breached two sets of contractual obligations. With respect to BJs, the plaintiffs alleged that BJs breached their contract with Fifth Third Bank, which prohibited the storage of the magnetic stripe data after authorization of card transactions. In turn, the plaintiffs alleged that Fifth Third breached its Membership Agreement with Visa and Mastercard requiring Fifth Third to ensure that merchants like BJs did not store magnetic stripe data post-authorization.

Alleged Claims and the Supreme Court’s Decision

The plaintiffs alleged several causes of action against BJs and Fifth Third, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). The lower court had granted the defendants a motion to dismiss all of the plaintiffs’ causes of action, and the Supreme Court was asked to review the lower court’s decision. Ultimately, as described below, the Supreme Court agreed with the lower court’s decision and upheld it.

Breach of Contract – 3rd Party Beneficiary Theory

The plaintiffs alleged that they were the intended third party beneficiaries of two separate contracts. First, the Merchant Agreement between BJs and Fifth Third prohibited the storage of magnetic card data, and the plaintiffs alleged they were the beneficiaries of, and should be able to enforce, the agreement against BJs. Second, the plaintiffs also alleged that they were the intended third party beneficiaries of the Membership Agreement between Fifth Third and Visa/Mastercard. Pursuant to the Membership Agreement, Fifth Third agreed to ensure that its merchants did not store magnetic stripe data.

Unfortunately for the plaintiffs, the Merchant Agreement contained the following language:

This Agreement is for the benefit of, and may be enforced only by [Fifth Third] and [BJ’s] and their respective successors and permitted transferees and assignees, and is not for the benefit of, and may not be enforced by, any third party.

Despite this language, the plaintiffs maintained that the prohibition against storing magnetic stripe data was intended to benefit them. Citing a lower court judge who had indicated that any benefits to the plaintiffs in the Merchant Agreement were incidental, and relying on the specific intent referenced in the disclaimer, the Supreme Court upheld the dismissal of the breach of contract claim based on BJs Merchant Agreement.

With respect to the Membership Agreements between Fifth Third and the card brands, the Supreme Court held that the plaintiffs’ third party beneficiary allegations were conclusory in nature and not supported by any facts establishing Visa or Mastercard’s intent to have them as beneficiaries able to enforce the Membership Agreement. While Visa and Mastercard’s operating regulations did not have a specific third party beneficiary disclaimer, both Visa and Mastercard reserved the right to interpret and enforce such regulations. The Supreme Court viewed this as indicating an intent to prohibit enforcement of the Membership Agreement by others like the plaintiffs (the Supreme Court viewed that as consistent with the TJX decision). Interestingly, this case involved the same facts as another BJ’s Wholesale Club case in federal court that allowed the plaintiff-banks to proceed with a third party beneficiary claim. In the federal case, Visa and Mastercard representatives actually testified at deposition that operating regulations around magnetic stripe data were intended to protect the participants in the system, including issuers. However, the Supreme Court found that the plaintiffs failed to submit that deposition testimony into the court record, so that testimony apparently was not considered by the Supreme Court.

Negligence – Economic Loss Doctrine

The Supreme Court did not address whether BJs or Fifth Third, for purposes of a negligence theory, had a duty to employ reasonable security with respect to cardholder data. Rather, the Supreme Court relied on the economic loss doctrine to dismiss the plaintiffs’ negligence claim. Under the economic loss doctrine, plaintiffs cannot recover using a theory of negligence unless physical harm or harm to property exists (as opposed to pure “economic loss”). The plaintiffs argued that tangible harm did exist because the physical credit cards had to be reissued after the BJs breach. On this issue, the Supreme Court again followed the BJ’s Wholesale decision rendered in federal district court (see the 3rd Circuit Appellate Decision upholding that rationale), which held that reissuance costs are economic in nature even if related to a physical card. In this case the cards themselves were not harmed since consumers could still use them after the breach. Rather, the Supreme Court found that the plaintiffs chose to cancel the cards for the purpose of avoiding future economic loss.

Fraud and Negligent Misrepresentation

The Supreme Court also rejected the plaintiffs’ fraud and negligent misrepresentation claims. The basis for these claims was again tied to the defendants’ contractual promises to comply with the card brands’ operating regulations. In disposing of the fraud claim, the Supreme Court noted that the plaintiffs admitted neither BJs nor Fifth Third made any direct representations to the plaintiffs indicating that they were not storing magnetic stripe data. Moreover, despite alleging that they would have changed their behavior had they known about the risk of magnetic stripe exposure, the reality was that the plaintiffs continued to participate in the Visa and Mastercard system. There was no evidence that the plaintiffs would have acted any differently had they been aware that BJs was storing magnetic stripe data.

With respect to the negligent misrepresentation claim, the Supreme Court cited case law indicating that failure to perform a contract does not equate to a negligent misrepresentation claim. Moreover, false statements of opinion or of conditions to exist in the future cannot support a negligent misrepresentation claim. In this case, dismissal was warranted because there was no evidence that BJs never intended to comply with its Merchant Agreement at the time it entered into it.

In addition, the Supreme Court held that even if entering into an agreement constituted a representation of compliance with the magnetic stripe disposal requirements, there was no evidence that the plaintiffs’ alleged reliance on that representation was justifiable. The Supreme Court essentially held that no reasonable person would rely on the regulations prohibiting the storage of magnetic stripe data. The court pointed to evidence indicating that the participants in the payment card system expected that the operating regulations would be breached because Visa and Mastercard instituted a system of fines and penalties for non-compliance. In addition, the plaintiffs’ purchase of insurance to cover credit card fraud was listed as evidence that the plaintiffs anticipated this type of fraudulent activity. Finally, the plaintiffs had received numerous alerts from Visa and Mastercard concerning payment card breaches and fraud involving compromised magnetic stripe data. (I find this reasoning very convoluted, at best. The existence of rules to deter certain behavior seems to create some certainty that such behavior should not be happening.)

M.G.L. Chapter 93A, section 11

Since the plaintiffs’ M.G.L. Chapter 93A, section 11, equitable indemnification and subrogation claims were all based on the dismissed fraud and negligent misrepresentation claims, they were also dismissed. Interestingly, unlike the First Circuit Appellate court’s decision in the TJX matter, the Supreme Court did not consider whether the plaintiffs had a viable cause of action based on the “unfairness” prong of the Massachusetts law (e.g., whether BJs’ information security was so poor that it constituted an “unfair practice”).

Conclusion

This case is yet another in the increasingly long series of cases that allow retailer defendants to escape liability arising out of data breach litigation at the motion to dismiss phase. What lessons does it hold for the various payment card stakeholders?

On the merchant side, for any agreement where the merchant is making promises about data security or PCI compliance, make sure there is a strong disclaimer of third party beneficiaries. This will cut issuing banks off on that theory fairly early. Also on the merchant side, be careful of what you say about security and compliance with card brand rules and operating regulations. To the extent a merchant makes representations concerning security (especially direct representations), it may be opening itself up to misrepresentation claims. The consequences could be serious since negligent misrepresentation and fraud claims are not barred by the economic loss doctrine (and at least one court has provided those theories some legs).

From the issuing banks’ point of view, the question becomes whether litigation is worth it in this context. This is especially true now that both Visa and Mastercard (I believe; their regulations are not all public) have explicit recovery mechanisms within their systems that can allow an issuing bank to recover without going to court. Visa and Mastercard have both tightened up their contracts and operating regulations to disclaim third party beneficiary theories (although if an issuing bank is to pursue such a theory, make sure to get the deposition testimony from the Visa and Mastercard officials referenced in the 3rd Circuit’s BJ’s Wholesale case). One area for issuing banks to take a harder look at is state unfair/deceptive trade practice acts. As mentioned above, at least one high court has indicated that inherently poor security may amount to an unfair practice. This line of thinking also happens to be consistent with several high profile FTC actions, including of course one involving BJ’s Wholesale Club.

Analyzing the Risk-Based Factors of Massachusetts' Data Security Law

SearchSecurity.com published an article by me yesterday (a copy can be found here; the original is here) concerning the risk-based elements of Massachusetts' data security regulation (201 CMR 17.00 et seq.).  The gist of the article is that any company that chooses anything less than "strict compliance" with the specific written information security policy ("WISP") and control requirements of the regulation must be able to legally support its decision based on the regulation's risk elements. What this amounts to is developing a legal opinion interpreting and applying those risk-based factors to the organization's particular circumstances.

While a legal exercise is necessary for determining compliance with any and all statutes that mandate security or privacy requirements, the Massachusetts regulation's hybrid approach (i.e., specific controls mandated with a general risk-based hedge) potentially complicates the analysis.  Without a legal analysis to interpret and apply the risk-based factors and resolve ambiguities in the regulation, or a legal understanding of how regulators, judges and plaintiffs' counsel may interpret the regulation, companies run a serious liability risk.  Moreover, companies may get into trouble if they fail to document their rationale -- if/when a breach occurs or regulators come knocking, the organization must be able to explain its risk-related decisions and how it complied with the law.  The task is further complicated because risk is a moving target for organizations.  As the company gets bigger or retains more personal information, or when new attacks or technologies arise, the company must reevaluate its risk, and the WISP and controls it has in place to address that risk.

To minimize legal risk, compliance efforts should all be performed under attorney-client privilege to shield certain compliance communications from class action lawyers, regulators and courts.  In short, companies need to treat compliance with the Massachusetts regulation (and other security laws) as a legal exercise as much as a security exercise.  The main question in this specific context is:  "if something goes wrong, do we have a reasonably defensible legal position concerning our WISP and security controls in light of the law?"

Code or Clear? Encryption Requirements (Part 2)

In the last post, I talked about the role of encryption in fashioning a “reasonable” security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.

State Security and Breach Notification Laws

Since California adopted SB 1386, which went into effect in 2003, nearly all US states have enacted security breach notice laws that require notice to affected individuals, and in some cases to public authorities, when a party has reason to believe that the security of protected categories of personal data has been compromised. The protected categories are typically SSN (Social Security Number), driver’s license, financial account or payment card details (usually only if the password or access code is also compromised), and, increasingly, medical data not covered by federal HIPAA privacy protections.

All of these laws make an exemption from the notice obligation if the data were encrypted (some add that this is true only if there is no reason to believe that the decryption key was also compromised). The laws, and regulations adopted under the laws, typically do not specify the level or kind of encryption. For example, California’s Office of Privacy Protection published guidance specifically on the subject of “Recommended Practices on Protecting the Confidentiality of Social Security Numbers” in April 2007, which has only this to say about encryption, on page 11:

“Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.”

Partly as a consequence of these security and breach notice laws, organizations should limit their use and storage of these categories of personal data to the extent they are really necessary for business operations. Storage on servers or on archived media, and transmission over internal networks and VPN connections, may or may not be sufficiently secure without encryption, depending on the company’s risk assessment and IT security practices. Organizations should encrypt such data when it is resident on laptops or other portable devices and when it is in transit over the public Internet.

Massachusetts and Nevada have recently adopted stricter and more specific rules, however, that may become a model for other states. These increase the regulatory pressure for encrypting protected categories of personal data.

Massachusetts

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) is now scheduled to take effect on March 1, 2010. The Regulation was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR) under the authority of the Massachusetts personal information security law.

The Regulation will require all parties that “own or license” any of the protected categories of personal data concerning Massachusetts residents to encrypt the data in laptops or other portable devices, as well as in wireless transmissions and in transmission over public networks.

Note that the Regulation does not limit its coverage of financial account data to cases where the access code or PIN is compromised, as do most security and breach notice laws. The Regulation extends to any nonpublic financial account or payment card data, as well as to SSNs and driver’s license numbers. The Regulation does not cover medical information, however.

The Regulation mandates a number of “Computer System Security Requirements” (201 CMR sec. 17.04) for businesses that handle the protected categories of personal data. These expressly include the following:

“(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly . . .

(5) Encryption of all personal information stored on laptops or other portable devices . . .”

The level and type of encryption are not specified.

Nevada

Nevada recently amended its personal information security law, which already required “reasonable” security measures as well as breach notice (Nevada Rev. Stats. secs. 603A.010 et seq.). The amendments take effect on January 1, 2010.

The law covers SSNs, driver’s license numbers, and payment card or financial account data in combination with an access code or PIN. Medical information is not covered.

Under the amended law, businesses that accept payment cards (credit cards and debit cards) must comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition, a party handling any of the protected categories of information must encrypt the data if it transfers the data electronically “outside of the secure system of the data collector” or if the data is stored on a device (laptop, USB drive, etc.) that is moved “beyond the logical or physical controls of the data collector or its data storage contractor.”

“Encryption” is defined in the amendments with reference to “established standards,” specifically including FIPS and mentioning the need for standards-based key management as well as encryption protocols:

“‘Encryption’ means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

Thus, while the law itself does not specify the form of encryption, it puts the burden on the user to choose an appropriate and standards-based method.

HITECH

Title XIII of ARRA, the federal economic recovery legislation adopted early in 2009, is labeled the Health Information Technology for Economic and Clinical Health Act (HITECH). It amends the HIPAA medical privacy provisions by adding a federal security breach notice requirement for nonpublic, personally identifiable health information. While HIPAA applies only to certain covered entities (healthcare providers and insurance companies and clearinghouses), HITECH also applies to “business associates” that provide services to those entities. HITECH reaches as well any employers that are covered by HIPAA because, for example, they operate company clinics or manage their own health plans.

HITECH requires notice to affected individuals when there has been a security breach exposing personally identifiable health data. HIPAA already lists 18 identifiers (names, addresses, SSNs, health plan ID numbers, etc.) that must be removed to establish that health records have been “de-identified.” Where compromised records have not been fully de-identified by removing these data fields, HITECH sec. 132400 also recognizes that the information may not be personally identifiable if it is effectively encrypted:

“(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination; . . . .”

Thus, HITECH does not specify a particular form of encryption but leaves it to IT security experts to decide whether the data are effectively unidentifiable in the hands of an unauthorized user. Note that the statute requires covered entities to maintain documentation of this professional analysis, and that the analysis must be based on “generally accepted” principles and methods – which means that professional opinions are likely to refer to published specifications and industry standards.

Red Flags

The 2007 Identity Theft Red Flags Rule (promulgated under the 2003 FACTA amendments to the federal Fair Credit Reporting Act) went into effect in November 2008, although the FTC suspended enforcement until November 1, 2009. (Similar rules were issued by the federal financial regulatory agencies, for the institutions they supervise.) The Rule requires covered entities to develop and implement written policies to prevent identity theft, including recognition of warning signs or “red flags” of suspected ID theft.

The Rule applies not only to traditional financial institutions but to “creditors,” defined as companies that “regularly defer payment for goods or services,” whether or not charging interest or finance charges, and therefore store personal information about individual debtors. Some employers, for example, sell goods or services to employees on deferred payment terms and may be treated as covered entities for that reason. (However, the Red Flag FAQs written by FTC staff take the view that an employer is not a covered entity simply because it sponsors a 401(k) or other qualified retirement plan that allows participants to borrow from their retirement funds.)

For covered entities, the mandatory policy to prevent ID theft must identify signs of possible security breaches involving certain data, as well as appropriate responses to those alerts. The covered data are SSNs and tax identification numbers, healthcare IDs, financial account and credit/debit card details, personally identifiable medical information, and identifying data from consumer reports (which are often used for employee background checks as well as for credit applications).

The Rule itself does not mandate encryption measures. However, most covered entities will necessarily address encryption in their written anti-ID theft policies. Their “red flags” should also include an alert if there is evidence that encryption keys have been misused, stolen, or hacked.