PCI DSS — Insights — InfoLawGroup LLP

As organizations of all stripes increasingly rely on cloud computing services to conduct their business, the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. However, most Cloud customers find it very difficult to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short term cost-benefits by going into the Cloud, they may be retaining more risk then they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

damages, data breach, Hannaford, motion to dismiss Hannaford data breach payment card PCI DSS, payment card, PCI DSS

Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute "Damages" in Hannaford Breach Case

By InfoLawGroup LLP on October 24, 2011

In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches, in general), the U.S. Court of Appeals 1st Circuit (the "Court of Appeals") held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and an implied breach of contract claim. The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals.

Binding Corporate Rules, Canada, Cloud, data protection, EU Data Protection Directive, international, outsourcing, PCI DSS, privacy, privacy impact assessment, security measures

A Privacy Checklist for Global Enterprises

By W. Scott Blackmer on October 21, 2010

Scott Blackmer provides a "discovery" checklist for global enterprises handling personal data from multiple jurisdictions, as well as advice on a global approach to privacy compliance and risk management.

damages, Hannaford, litigation, payment card, PCI DSS, security breach

"Damages" Last Stand - Maine Supreme Court Puts an End to the Hannaford Bros. Breach Suit

By InfoLawGroup LLP on September 22, 2010

The Maine Supreme Court has rendered its opinion on the "damages" issue in the Hannaford Bros. consumer security breach lawsuit. Again, the plaintiffs have been unable to establish that they suffered any harm as a result of the Hannaford security breach. Specifically, the Court ruled that "time and effort" alone spent to avoid or remediate reasonably foreseeable harm do not constitute "a cognizable injury for which damages may be recovered." In this blogpost we take a closer look at the Court's rationale.

Breach, fiduciary duty, Heartland, litigation, negligence, payment card, PCI DSS, third party beneficiary

Heartland Bank and Keybank's Motion to Dismiss

By InfoLawGroup LLP on July 13, 2010

Breach, call center, credit monitoring, cyber insurance, data security, insurance, notification

Insurers Deny Coverage for Breach Notice Costs (and why companies should consider cyber insurance coverage and why brokers should offer it)

By InfoLawGroup LLP on June 10, 2010

It was recently reported that an insurance carrier (Colorado Casualty Insurance Co.) denied coverage (and filed a lawsuit) for the $3.3 million in costs the University of Utah incurred to provide notice of a security breach involving the records of 1.7 million patients from the University's hospitals. You can find a copy of Colorado Casualty's declaratory judgment action complaint here. The University also filed its own counter claim, cross-claim and third party claim. As discussed further below, the University's cross-claim is against Perpetual Storage (the service provider that allegedly lost the data) and its third party claim is against Perpetual Storage's insurance broker (the broker that placed the insurance coverage with Colorado Casualty).

AICPA, best practices, BITS, cloud computing, COBIT, contracts, FIPS, information security, ISO 27001, ISO 27002, NIST, outsourcing, PCI DSS, SAS 70, SP 800-53, standards

Information Security Standards and Certifications in Contracting

By W. Scott Blackmer on May 26, 2010

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.

Breach, data security, HB 1149, notification, PCI DSS, plastic card security act, Regulation

FAQ on Washington State's PCI Law

By InfoLawGroup LLP on March 24, 2010

encryption, Nevada, PCI DSS, Safe Harbor, security measures

A Closer Look at the PCI Compliance and Encryption Requirements of Nevada's Security of Personal Information Law

By InfoLawGroup LLP on March 10, 2010

ADCR, banking, Breach, Heartland, PCI DSS, security breach litigation, settlement

Issuing Banks File Class Action Suit Against Acquiring Banks in Heartland Breach Matter

By InfoLawGroup LLP on January 21, 2010

Breach, Heartland, Payment Card Industry Digital Security Standard, PCI DSS, settlement, TJX

Quickhits: Heartland Settles With Visa for $60 Million

By InfoLawGroup LLP on January 08, 2010

ADCR, BJ, BJ Wholesale Club, Breach, card, Club, damages, doctrine, economic, economic loss doctrine, fraud, Hannaford, litigation, loss, Massachusetts, mastercard, negligence, payment, payment card, PCI DSS, PCI DSS litigation, retailers, TJX, unfair practices, unfair practices Massachusetts visa mastercard ADCR, visa, Wholesale

Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

By InfoLawGroup LLP on December 23, 2009

payment card, payment card security breach litigation, PCI DSS, PCI DSS heartland, security breach litigation

Quickhits: AMEX settles with Heartland Payment Systems for $3.6 Million

By InfoLawGroup LLP on December 22, 2009

litigation, payment, payment card, PCI DSS, PCI DSS Radiant Systems, Radiant, Savvis, security breach litigation, security breach litigation service provider, service provider, Systems

The Merchants Strike Back?

By InfoLawGroup LLP on December 03, 2009

210 CMR 17-00, breach notification, creditors, driver's license, FACTA, Fair Credit Reporting Act, FCRA, financial account, FIPS, FTC, generally accepted, health information, HIPAA, HITECH, key management, laptops, Massachusetts, medical data, Nevada, payment card, Payment Card Industry Digital Security Standard, PCI DSS, portable devices, public networks, Red Flags, Red Flags Rule, Security, social security number, SSN, wireless

Code or Clear? Encryption Requirements (Part 2)

By W. Scott Blackmer on October 01, 2009

In the last post, I talked about the role of encryption in fashioning a "reasonable" security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.

Chicago

Washington D.C.

Los Angeles

Austin