In October 2012, VISA quietly released new operating regulations which retroactively phased out VISA’s Account Data Compromise Recovery (ADCR) Process, and replaced it with the Global Compromised Account Recovery (GCAR) Program (see page 802 of VISA’s operating regulations for a full description of GCAR). For those that have not dealt with the ADCR, it is … Continue Reading
At the RSA Conference 2012, David Navetta discussed compliance topics, including why PCI liability matters to the card brands, the effect of the HIPAA enforcement rule and international breach notification laws. Watch the discussion here. … Continue Reading
It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.
… Continue Reading
Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focuses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations.
… Continue Reading
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days.
… Continue Reading
As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.
… Continue Reading
In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland’s proposed settlement with Visa. This appears to be an attempted end-run around the proposed … Continue Reading
While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court, or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a … Continue Reading
With the recent news of several restaurants teaming up to sue point-of-sale system provider Radiant Systems (a copy of the complaint can be found here) for failing to comply with the PCI Standard, it appears that some merchants may be in a mood to strike back in the aftermath of a payment card security breach. This … Continue Reading
Under Mastercard’s new rules concerning merchant level definitions, apparently companies that were previously level 4 merchants (and did not have to do a PCI assessment unless requested by their acquiring bank) have been converted to level 3 merchants (which do need to conduct at least a self assessment). More details here. Mastercard announces fine regime … Continue Reading
The following FAQs address the encryption and PCI compliance requirements of Nevada’s Security of Personal Information Law, which were added pursuant to a recent amendment to the law. The rest of the FAQ is linked to here. … Continue Reading
On July 7, 2009, Merrick Bank filed its response to Savvis’ motion to dismiss. I have not had time yet to analyze the brief, but will do so in the near future. In the meantime, if any readers would like to share their insight, please submit a comment! … Continue Reading
InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada’s Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the … Continue Reading
The TJX breach saga came a little closer to an end (excluding of course the still-pending case being pursued by a couple of issuing banks) with the announcement of a settlement with 41 State attorneys general that brought actions under their State’s respective consumer fraud and deceptive practices laws (a copy of the settlement document … Continue Reading
As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystems’ security assessment company (Savvis). The suit alleges that Savvis negligently certified CardSystems’ security as compliant with Visa’s Card Information Security Program (“CISP”), and negligently represented that CardSystems was compliant. Earlier this month Savvis filed … Continue Reading
Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law. … Continue Reading
(NOTE: cross-posted at Branden Williams’ Security Convergence Blog) As an attorney focusing on information security and privacy issues, I often get called in to assist companies to understand their legal liability risk around the PCI (self) regulatory system. One of the key areas I get involved in is service provider relationships, and in particular section … Continue Reading
The Merrick Bank v. Savvis lawsuit has the potential to change the liability dynamic of the PCI regulatory system. The Savvis case is one of the first known instances of a payment card security assessor being sued by a merchant bank (the merchant bank is a third party relative to the Savvis-CardSystems relationship). The … Continue Reading
In ISC’s first post on the Hannaford case, I detailed the District Court’s rationale for either dismissing or generally recognizing various legal theories around payment card number security breaches. The net result of the Court’s analysis was the existence of three possible theories of recovery for the consumer plaintiffs: breach of implied contract … Continue Reading
I had missed the original filing of this complaint, but have now been able to obtain a copy of it. It is essentially a lawsuit by a bank against Savvis for allegedly making a mistake in certifying CardSystems as CISP compliant. The complaint alleges $16 million in damages, which essentially are the amounts that Merrick (the acquiring bank) … Continue Reading
The last two plaintiff banks still breathing after the 1st Circuit appeal. Little-known (or at least little-discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact, most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via … Continue Reading
Some interesting statistics from a new report from Verizon Business. The Washington Post security writer sums it up nicely in terms of the payment card data market: [Verizon] said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of … Continue Reading
In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of “damages.” Despite the partial “victory,” the Court had also suggested that the damages issue might not survive a motion for summary judgment. Well, the Court made its … Continue Reading