Last State Without a Breach Notice Law? Not Mississippi

Yesterday, Mississippi Governor Haley Barbour approved Mississippi's first breach notification law, House Bill 583, leaving only four states without a notification law (Alabama, Kentucky, New Mexico, and South Dakota).  Here are the most important basics:

  • Who must be notified?  Notification must be made to individuals only, not to government regulators or credit reporting agencies;

  • What is notice-triggering PII?  Personal information has the classic definition based on the original California SB 1386, before California's addition of medical information and health insurance information.  Thus, notice is required by Mississippi if a breach involves a name with Social Security number, driver's license number, or account number in combination with any required security code, access code or password that would permit access to an individual's financial account;

  • Is there a risk of harm threshold?  Yes.  Unlike California and many other states, there IS a risk of harm threshold for breach notification:  "Notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals."

The law does not take effect until July 1, 2011.

Dave & Buster's Busted: Another Alleged Failure to Implement "Reasonable Security"

We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security."  This week we see another.  Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information.  Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain.  Here is the Agreement Containing Consent Order.  The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards. 

Dave & Buster's collects from consumers the following kinds of card information to obtain authorization for payment card purchases:  credit card account number, expiration date, and an electronic security code for payment card authorization.  The restaurant collects this information at in-store terminals, transfers the data to its in-store servers, and then transmits the data to a third-party credit card processing company.  The FTC alleges the hacker was successful because Dave & Buster's:

(a) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;

(b) failed to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;

(c) failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;

(d) failed to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and

(e) failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks.
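Allegations (b), (c) and (d) describe controls that are easy to state and easy to check for: the in-store card segment should talk only to the payment processor, and nothing on the corporate LAN or the Internet should be able to reach it directly. The following is an added example, not code from the FTC complaint or from Dave & Buster's, showing what a minimal egress and segmentation audit over flow records looks like. The network ranges, the processor address (a TEST-NET placeholder) and the sample flow lines are all constructed for illustration.

```python
"""Added example: a small egress and segmentation audit over constructed flow
records. All addresses and ranges below are hypothetical placeholders."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical layout: terminals and in-store servers live in POS_SEGMENT,
# back-office workstations in CORP_SEGMENT, and the only legitimate external
# destination for card data is the processor (TEST-NET-3 address as placeholder).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
PROCESSOR_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}
PROCESSOR_PORTS = {443}

# Constructed flow-record format: "<timestamp> src=<ip> dst=<ip> dport=<n> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<nbytes>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line; raise ValueError on malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]), int(m["nbytes"]))


def evaluate(flow: Flow) -> list[str]:
    """Return the policy violations a single flow triggers (empty = permitted)."""
    reasons = []
    src_pos = flow.src in POS_SEGMENT
    dst_pos = flow.dst in POS_SEGMENT
    if src_pos and not dst_pos:
        # Egress from the card segment: only the processor, only on its port
        # (allegations b and c: restrict destinations, filter outbound traffic).
        if flow.dst not in PROCESSOR_ALLOWLIST:
            reasons.append("pos-egress-to-unlisted-destination")
        elif flow.dport not in PROCESSOR_PORTS:
            reasons.append("pos-egress-unexpected-port")
    if dst_pos and flow.src in CORP_SEGMENT:
        # Lateral access from the corporate LAN into the card segment
        # (allegation d: isolate the payment system from the corporate network).
        reasons.append("corp-to-pos-lateral-access")
    if dst_pos and not src_pos and flow.src not in CORP_SEGMENT:
        # Anything else reaching the card segment is from outside both networks.
        reasons.append("inbound-from-outside-to-pos")
    return reasons


def audit(log_text: str) -> list[tuple[str, str]]:
    """Run every flow line through the policy and collect (timestamp, reason)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        for reason in evaluate(flow):
            alerts.append((flow.ts, reason))
    return alerts


# Constructed sample records: two legitimate processor calls plus four violations.
SAMPLE_FLOWS = """\
2010-03-01T10:00:01 src=10.20.0.15 dst=203.0.113.10 dport=443 bytes=1240
2010-03-01T10:00:05 src=10.20.0.15 dst=198.51.100.77 dport=8080 bytes=912000
2010-03-01T10:01:10 src=10.10.4.2 dst=10.20.0.15 dport=445 bytes=3300
2010-03-01T10:02:00 src=10.20.0.20 dst=203.0.113.10 dport=443 bytes=880
2010-03-01T10:02:30 src=10.20.0.20 dst=203.0.113.10 dport=21 bytes=400
2010-03-01T10:03:00 src=198.51.100.77 dst=10.20.0.15 dport=3389 bytes=2100
"""

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_FLOWS):
        print(ts, reason)
```

The same allowlist is what a border firewall would enforce as a deny-by-default egress rule; running it over logs after the fact is the detection counterpart (allegation a) and shows which of the two legitimate processor flows and which four records would have been caught.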

The card issuing banks have claimed several hundred thousand dollars in fraudulent charges.

Not surprisingly, the FTC alleged these failures to implement "reasonable security" constituted an unfair act or practice in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

Like many other similar FTC settlements, this one requires that Dave & Buster's establish and maintain a comprehensive information security program and obtain independent audits by a person qualified as a Certified Information Systems Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, for (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order.

Dave & Buster's comprehensive information security program must include the following, and more:

A. the designation of an employee or employees to coordinate and be accountable for the information security program;

B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;

C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and

E. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Incidentally, for those of you, like me, who are fascinated (yes, it is true, I admit it) by the many and differing definitions of "Personal Information" out there in this country, you may be interested to note the FTC's definition for purposes of this settlement:

“Personal information” shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s license number; (g) a credit card or debit card account number; (h) a persistent identifier, such as a customer number held in “cookie” or processor serial number, that is combined with other available data that identifies an individual consumer; or (i) any information that is combined with any of (a) through (h) above.

We fully expect to see more FTC action in this area.  Stay tuned for settlement number 28.

Are We Living in a Post-Disclosure, Opt-In World?

Today's New York Times Media Decoder Blog features an "on-the-record" discussion with Federal Trade Commission chairman Jon Leibowitz and Bureau of Consumer Protection chief David Vladeck.  The question presented:  "Has Internet Gone Beyond Privacy Policies?"  The FTC (and Congress, for that matter) continue to signal that change may be imminent in the world of online privacy policies and traditional notions of opt-out consent. 

The dilemma remains - if consumers don't want to read privacy policies, what would constitute true notice and consent?  And, in the Web 2.0 world with consumers' insatiable appetite for on-demand, customized and interactive content, how can that process be handled in a manner that is both meaningful and consumer-friendly?  What do consumers really want?  And are their expectations regarding privacy simply inconsistent with the modern realities of social networking?  Just yesterday, the blogosphere was abuzz with news of the Facebook CEO's comments at the Crunchies Awards that "[p]eople have really gotten comfortable sharing more information and different kinds but more openly and with more people." 

At the end of the day, the real question (and answer) may have more to do with what constitutes "personal information," what consumers "reasonably" expect in today's world, and whether the sharing and use of certain kinds of information should be regulated.

In our current legal structure, even though such information flows around the world at breakneck speed, the definition of personal information ultimately depends on where you reside - and that, in turn, has grown out of social and cultural expectations. In the United States this has traditionally meant information that can be used to identify and victimize you (i.e., identity theft) - Social Security number, financial account number, and now, to a growing extent, medical information - although, in some new state statutes, the definition is much broader.  In Europe, the answer, for cultural and historical reasons, continues to be much more expansive, encompassing just about anything that can identify an individual.

So when an individual shares information on Facebook about his or her favorite music, or holiday plans, or the color of a piece of clothing, does that constitute "personal information"? What are consumers' reasonable expectations about how that information, if disclosed publicly -- or not so publicly (e.g., to one's "friends") -- should be used? And should the government regulate the sharing and use of such information by data brokers, social networks, cloud computing vendors, and advertisers?

Last year, the FTC introduced self-regulatory principles for behavioral advertising, but issued a warning that advertisers had one last chance before the FTC would take further steps to regulate. Has that time come? Mr. Vladeck told the New York Times today that the FTC will issue a report in June or July.  Chairman Leibowitz said:

I have a sense, and it’s still amorphous, that we might head toward opt-in.

What would such opt-in look like and how would it operate?  Is any opt-in solution manageable in the online world? Can any proposed model keep up with rapid changes in technology and consumer expectations?  And will this focus on online privacy issues affect and/or eclipse the progress of the many pending federal data security and breach notification bills?

We shall see.