In connection with a class action lawsuit filed against Michaels Stores Inc., the United States District Court for the District of Massachusetts certified three questions to the Supreme Judicial Court of Massachusetts: (1) whether a ZIP code constitutes personal identification information; (2) whether, under the Massachusetts statute prohibiting the collection of personal identification information during a credit card transaction, a plaintiff may pursue a claim without any evidence of identity theft; and (3) whether, under the statute, a "credit card transaction form" includes an electronic transaction form. Earlier this week, the Supreme Judicial Court answered "yes" to all three questions. A copy of the Court's opinion is attached here.

The Court's decision will likely open the door to more lawsuits against retailers in Massachusetts. Plaintiffs may now file actions against retailers who collect ZIP code information during a credit card transaction and, consistent with the Court's broad interpretation of personal identification information, plaintiffs may try to expand the definition even further to include other types of information. In addition, the decision has lowered the bar for plaintiffs who struggle to prove that they have been injured in these cases. Under the ruling, a plaintiff no longer needs to demonstrate that he or she has suffered identity theft in order to maintain a cause of action. Significantly, the Court stated that receipt of unwanted marketing materials, or the sale of a consumer's personal identification information to a third party, can constitute an injury sufficient to maintain an action. As a result of the decision, retailers in Massachusetts should review and evaluate their data collection practices.
On a topic near and dear to my heart, I read an article at Law360 on Friday that was a real eye opener. Not because I am concerned about my backyard (we have a CTO that is very on top of these issues), but because of the number of law firms that apparently do not have their networks secure.
I have no intention of restating the article from Law360, but I do want to state the premise that should make private practice attorneys (and, frankly, lots of General Counsel) click through: "Over the past five years, sophisticated cyber attackers have expanded their intrusions at government and defense-related targets to go after researchers, manufacturers, nonprofits and law firms, according to a January report by information security firm Mandiant Corp."
Let me put that another way. The emails from the ex-wife in Cambodia about collecting alimony from the deadbeat ex-husband are not where your risks end. Hackers are now targeting law firms for intrusion and data theft. And why not? If a hacker cannot break into a Fortune 100 company's network, go to the law firm's network where all of those transaction documents and SEC filings reside.
Read the article for yourself.
This extension comes just one day after the ABA won a victory with its request that practicing attorneys be exempted from compliance with the Red Flag Rules.
The extension of the enforcement deadline also comes shortly after the House of Representatives passed certain other exemptions, namely for health care practices, accounting practices and legal practices (each with 20 or fewer employees), and for certain other businesses approved by the FTC that are engaged in domestic services, provide services where identity theft is rare, and have had no incidence of identity theft.
Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to November 1, 2009.
We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law. We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.
President Obama’s administration may be disappointing many privacy experts to date, but California’s Governator now has an opportunity to make some major strides.
California's State Legislature approved SB 20, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would "strengthen and update California's landmark privacy protection law."
Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.
The existing legislation, originally authored by Simitian, requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. Simitian's office proudly, and accurately, states that California's law has been widely praised and that more than 40 states have adopted similar legislation.
At its heart, SB 20 accomplishes two major goals. First, SB 20 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”
Second, SB 20 would also require that any party whose (single-event) data breach affects more than 500 California residents provide a copy of the notification letter to the state Attorney General's office. This second provision is where there is now potential for a clearinghouse. In most conceivable data breaches of any significant size, it is likely that more than 500 California residents will be affected. Under applicable sunshine laws, this information would become more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General's office would post information regarding these reported data breaches on its web site in an easily accessible manner.
While the proposed revision to California's data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon. In any event, as more states consider and adopt such reporting requirements, at the very least a patchwork of clearinghouses may come into existence. Even such a patchwork has the potential to be better than the current system.
- Amendments to the Privacy Act of 1974 and Section 208 of the E-Government Act of 2002 are needed to:
  - Improve Government privacy notices
  - Update the definition of System of Records to cover relational and distributed systems based on government use, not holding, of records
  - Clearly cover commercial data sources under both the Privacy Act and the E-Government Act
- Government leadership on privacy must be improved:
  - OMB should hire a full-time Chief Privacy Officer with resources
  - Privacy Act Guidance from OMB must be regularly updated
  - Chief Privacy Officers should be hired at all "CFO agencies"
  - A Chief Privacy Officers' Council should be developed
  - OMB should issue privacy guidance on agency use of location information
  - OMB should work with US-CERT to create interagency information on data loss across the government
  - There should be public reporting on use of Social Security Numbers
Citing a lack of leadership from Congress, the failure to update federal laws and regulations, and the breakneck speed of technological evolution, the Board was critical, noting that "only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum."
Whether this report will be the catalyst of sweeping privacy reform from the Obama administration that many have expected remains to be seen.
Minnesota made waves in 2007 when it became the first state to make part of the Payment Card Industry ("PCI") Data Security Standard applicable through its Plastic Card Security Act (PDF link). Although it has taken over two years, Nevada has become the second state to incorporate PCI, and it has done so by making the entire PCI standard applicable.

Nevada's existing Security of Personal Information law now requires that affected parties comply with PCI as a whole. Unfortunately, the Nevada amendment (PDF link) does not get off to a good start: it refers to compliance deadlines that do not exist in the PCI standard itself but are, in actuality, set independently by the card brands. Amending the existing Security of Personal Information law, the amendment (PDF link) requires that each affected party meet the following standard:
If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.
The effect of the amendment itself is quite interesting. First, the amendment creates statutory authority for required compliance with the PCI standard, where before this requirement (as applied to merchants) existed only through contractual relationships. This will be academic for many merchants already complying, but it does go a long way to closing the existing gap whereby the PCI standard applied to merchants only because of contractual obligations with those parties directly affected.
Second, the amendment creates a safe harbor that produces some interesting outcomes. It provides that "[a] data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents." Previously, an affected party would have had recourse under various theories of law, with varying (and often undefined) standards of care or duty. Arguably, absent gross negligence or willful misconduct, an otherwise PCI-compliant merchant that experiences a data loss may now escape liability in Nevada.
It is also likely that a savvy litigator will argue that the standards created in existing contractual relationships should be replaced with the statutory standard. Whether such an argument would prevail remains to be seen, but it is likely to be tested sooner rather than later.

Notwithstanding the inexplicable compliance deadline error, the Nevada amendment blazes a trail for other states to incorporate the PCI standard into their existing and new laws. With the addition of the safe harbor set forth by Nevada, these laws may be a welcome development for merchants that are PCI-compliant but experience a data loss.
According to Microsoft, it is promoting data governance because:
“Growing public concerns about abuses of consumers’ personal information threatens to curtail the growth of online commerce and services. Data Governance directly addresses these concerns.
Data Governance can reduce an organization’s IT costs and improve its control over its information, which increases data security and privacy and improves responses to changing compliance requirements.
Conversely, poor Data Governance raises the risks of data breaches, including identity theft and fraud, which can erode trust in an organization, trigger financial or legal penalties, or reduce confidence among employees, customers, and investors.”
Although the purpose of the Data Governance web site is to serve as a reference for software and application developers, it is also a good reference for anyone responsible for the integrity, security, storage and sharing of data that contains personal information.

Among other things, the Data Governance web site is a resource for developing data policies, complying with regulatory and best-practice requirements, and establishing data retention periods.

Microsoft is promoting the development and implementation of data policies and action plans, which more and more state statutes now require.

Although the materials are helpful, they are directed more at what to do than at how to do it. Microsoft does, however, publish its own standard privacy guidelines, as well as an IT Compliance Management Guide. Although these materials were prepared for Microsoft and are not directly applicable to most businesses, they are good resources for anyone wanting to get a flavor for these types of documents.
On Friday, May 1, 2009, Heartland Payment Systems Inc. announced that it is again compliant with the Payment Card Industry Data Security Standard. In April 2008, a compliance audit determined that Heartland was PCI compliant but, sometime after that, Heartland fell out of compliance. In January 2009, the payment processor reported that it was the victim of what became a widely reported security breach. Effective May 4, 2009, Visa will again list Heartland as a validated service provider.
UPDATE: Whether because of the economy, or because of a fear that the Red Flags Rules affect far more retailers than may be understood, the FTC has granted a further delay of enforcement of the Red Flags Rules until August 1, 2009. Additionally, the FTC will issue a template for lower-risk covered entities. The most recent update can be read here.

This time, nobody can accuse the Federal Trade Commission ("FTC") and other agencies of implementing new requirements that sneak up on us. These particular regulations (the "Red Flags Rules"), which require that financial institutions and creditors develop and implement written identity theft prevention programs, were issued by the FTC, the federal bank regulatory agencies and the National Credit Union Administration ("NCUA") pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, and go into effect on August 1, 2009. Originally, the Red Flags Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009.

The Red Flags Rules require that financial institutions and creditors put in place a program that provides for the identification of, detection of, and response to patterns, practices, or specific activities known as "red flags." The purpose of the Red Flags Rules is to help prevent identity theft.