The SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

The following was recently posted in substantially the same form on the Fox Rothschild LLP HIPAA, HITECH and Health Information Technology blog.

Elizabeth Litten and Michael Kline write:


We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”).  SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion. 


SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”).  SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.


According to the original statement published in late September of 2011 (the “TRICARE/SAIC Statement”), the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the “SEC”), includes the following:


There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.  The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.


While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.


Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts). In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach. SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.


Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.


Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.”   The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.


We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred. 


As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI.   If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

Data Breach Potentially Affects Up to 100,000 Students, 3,000 Employees

The San Francisco Chronicle reported yesterday that officials at the City College of San Francisco discovered, a few days after Thanksgiving 2010, that certain college computers had been infested with active malware for more than a decade. Up to 100,000 students and 3,000 employees could be affected, and that number may rise as the investigation continues.

The problem was detected when the college's data security monitoring service noticed unusually high traffic and alerted the college. Initially thought to be limited to one computer lab (Cloud Hall at the Phelan Avenue campus), further investigation revealed that the problem was more widespread. The San Francisco Chronicle's article reported:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Investigation continues to determine which other computer networks at the college may have been infected, such as accounting, admissions and/or payroll systems.  Apparently, 17 different computer systems are presently being analyzed.  The college's server with medical information appears to be unaffected, although it is unclear whether any other system may also contain medical information (such as the admissions system).

The good news, besides the fact that the college notified those potentially affected in what most would agree was a prompt timeframe, is that there are no known cases of identity theft originating from this extremely long-running compromise.

Personal Information Data Breaches - Not if, but When?

By Elizabeth Litten

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a private intelligence and analysis firm, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings found on Fox Rothschild’s HIPAA, HITECH and HIT Blog: Parts 1, 2, 3, 4 and 5) can be accessed, can we trust that any electronically transmitted or stored information is really safe?

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases. 

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.  

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

2011 Data Breach Summary

Smart Money just ran a story about the top five data breaches of 2011.  While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting: none of them have the same source for the breach:

1.  Epsilon.  What more needs to be said to keep contract attorneys up at night than "Epsilon"?  This data breach involved a third party losing data about its customers' customers.  Stated another way, the owner of the information did nothing wrong...other than hiring a contractor that mishandled information.  Does indemnification mean more to you now?  The takeaway from this breach: come clean, come clean, come clean.

2.  Sony.  Massive breach of the online gaming network.  Lots of data lost, lots of downtime for pasty, sun-averse gamers.  Hackers targeting the network to blame.  The takeaway from this breach: do not handle it the way Sony handled it.

3.  Tricare.  Science Applications International Corp. (SAIC), a defense contractor for the military, had data backup tapes stolen from an employee's car.  Approximately 4.9 million TRICARE beneficiaries affected.  Physical theft of backup media left in a vehicle, and the lax handling that allowed it, to blame.  The takeaway from this breach: don't leave the data tapes in the car (come on, people!).

4.  Sutter.  A desktop computer containing information about possibly 3.3 million patients is stolen.  The takeaway from this breach: encrypt!  Chances are the thief had zero intention of stealing the actual information, but you can be sure it was still a breach notification scenario.

5.  Texas Comptroller.  This is number three in my book.  Personal information of 3.5 million people left publicly available for over one year.  Information about persons required to hand over that information, not information voluntarily handed over.  Total disaster.  Anyone could have found this information, given its availability.  The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year.  Corporations have no right to privacy.  This Supreme Court ruling impacts corporate decisions on so many levels...or it should.

Happy New Year to our readers.

Purdue Notifies 7,000 Students of SSN Theft 16 Months After Discovering the Breach

Purdue University informed 7,093 former students on Monday that their Social Security numbers may have been stolen from servers at the University on April 5, 2010.  The notification comes 16 months after the discovery of the breach.

According to the (Indiana) Journal & Courier, the server contained 6.6 million nine-digit numbers in the accessed files.  After spending six months analyzing those numbers, Purdue determined that approximately 65,000 of those number combinations could be Social Security numbers.  An additional four months was spent reanalyzing the numbers and performing forensic analysis.  Based on those efforts, the University had matched 7,093 of those number combinations to Social Security numbers of former students. 

The breach was discovered only three days after it occurred, approximately April 8, 2010.  Fourteen months after discovery of the breach, Purdue notified the Office of the Indiana Attorney General.  Now, approximately two months later, the affected former students were notified.

Purdue did not offer any sort of credit monitoring and, instead, recommended that those affected be vigilant and keep an eye on their credit activity.

The announcement by Purdue comes on the heels of an announcement by The University of Wisconsin-Milwaukee on August 10th that 75,000 of its students had been exposed to a hacking incident in May 2011, as reported earlier here.

While the delay of three months may have seemed excessive last week, at least UWM beat Purdue's delay by almost 14 months.
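The two-stage analysis described above (screening 6.6 million nine-digit numbers down to roughly 65,000 that could structurally be SSNs, then matching those against records of former students) is mechanical enough to show in code. The following is an added example and is not Purdue's actual method or tooling. It assumes the SSN structure in force before the June 2011 randomization (area 001-899 excluding 666, group 01-99, serial 0001-9999), a constructed dump file, and a constructed registrar list that is kept as keyed digests rather than plaintext SSNs. A real 2010 investigation would also have rejected area/group combinations the SSA had not yet issued, which this example omits.

```python
"""Triage nine-digit numbers from a compromised file for possible SSNs.

Added example (not Purdue's method). Stage 1 keeps numbers that fit the
pre-June-2011 SSN structure; stage 2 matches the survivors against a
registrar list that is held only as keyed SHA-256 digests, so the
matching list is not itself another store of plaintext SSNs.
All sample data below is constructed for the example.
"""
import hashlib
import hmac
import re

# exactly nine digits not embedded in a longer digit run (skips 10-digit phone numbers)
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")


def plausible_ssn(n):
    """Structural check only: area 001-899 except 666, group 01-99, serial 0001-9999."""
    if len(n) != 9 or not n.isdigit():
        return False
    area, group, serial = int(n[:3]), int(n[3:5]), int(n[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def extract_candidates(text):
    """Distinct nine-digit runs in the file that pass the structural check."""
    return sorted({m for m in NINE_DIGITS.findall(text) if plausible_ssn(m)})


def digest(ssn, key):
    # keyed digest: without the key, a stolen digest list cannot be reversed
    # by simply hashing all 10^9 possible values
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def match_known(candidates, known_digests, key):
    """Candidates whose digest appears in the registrar's digest list."""
    return [c for c in candidates if digest(c, key) in known_digests]


# Constructed sample file: some fields look like SSNs, some only look numeric.
SAMPLE_DUMP = """\
id=100234567 ssn=219099999 phone=7654946000 bal=479070000
acct=666123456 ref=900112233 ssn=431200123 misc=000123456 ssn=219099999
grp=123006789
"""

# Constructed registrar list; in practice the key lives in an HSM or a vault.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
KNOWN_DIGESTS = {digest(s, DEMO_KEY) for s in ("219099999", "431200123", "555667777")}


def triage(text, known_digests=KNOWN_DIGESTS, key=DEMO_KEY):
    """Return (structurally plausible candidates, those matching known people)."""
    candidates = extract_candidates(text)
    return candidates, match_known(candidates, known_digests, key)


if __name__ == "__main__":
    cands, matched = triage(SAMPLE_DUMP)
    print("plausible:", cands)   # 100234567 is a record id that merely looks like an SSN
    print("matched:  ", matched)
```

The structural screen is the cheap filter and produces false positives (the record id 100234567 above passes it); the keyed match against the registrar list is what turns "could be an SSN" into "is the SSN of a specific former student", which is the step that determines who has to be notified.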


Sony Hit By Data Breach Affecting 77 Million Gamers

Sony announced yesterday that its PlayStation Network and Qriocity services were compromised by an "unauthorized" person.  What was the haul?  According to Sony, the "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID" and the "profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers" of 77 million individuals.

That's right, 77 million people.  This is one of the largest Internet data losses in history.  We can assume that the data was not encrypted, otherwise we would hear little or nothing about the data loss (most states exempt encrypted data from disclosure requirements), or else Sony would be screaming "Don't fret too much, the data was encrypted and we did not lose the decryption key."  Sony is not making either claim at this time.

Well, data breaches happen, you may be thinking.  We have seen companies with best practices still suffer at the hands of hackers or rogue employees.  Sony is taking the most heat not from the data loss, but from the timing of the disclosure to those affected.  The disclosure of the data breach to customers directly was on April 26th.  The data breach apparently occurred between April 17 and April 19.  It has been reported that Sony discovered the breach on April 20th.  There was a gap of six days between discovery and disclosure.  Six days may be an eternity when you are a gamer and your network is down (there are likely millions of teenagers with fresh sunburns), but how long is six days in the data breach world?

Six days between discovery and disclosure may be acceptable, particularly if Sony was working with law enforcement and was asked or told not to make a public announcement. That justification holds only if Sony was truly cooperating with law enforcement and the delay had a genuine purpose. However, Sony has not said that law enforcement cooperation was the reason for the delay. It is not likely that Sony ran afoul of any state statutory timing requirements, which have quite a bit of leeway built in.

If you or your children are on one of these services, you need to pay particular attention to this story as it develops.  You (the keyword being "you") need to monitor your bank accounts and credit cards and, frankly, any account a third party could get into knowing your security answers or your password on this service (remember, if you use the same password for your email account AND this service, somebody may have both of those right now).  For now, Sony has not offered any type of monitoring service, so your financial/credit monitoring is currently your responsibility.

Hopefully Sony will continue to come out with more information, or we will learn that the data is in "safe" hands (think Matthew Broderick in War Games - almost nothing went wrong in that movie).  In any event, your children that go to business school will enjoy reading the future case study on this one.

Doing the Math: Average Data Breach Cost Now Up to $214 Per Record

The average cost per customer record compromised in a data breach rose to $214 in 2010, up $10 from the 2009 average of $204 and $12 from the 2008 average of $202. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its sixth Annual Study: U.S. Cost of a Data Breach (Available Here - PDF link), reporting that figure.  The report is sponsored by Symantec Corporation.  Excellent materials such as an infographic, summaries, blog entries, a podcast and slide presentation can be found on Symantec's web site here.

Before getting into the numbers, you should note that Symantec is offering a Data Breach Risk Calculator.  The calculator is NOT for the faint of heart, so consider yourself warned.  That being said, it is a powerful tool that considers several factors when estimating data breach costs to businesses.

The report is based on 51 reported data breaches in the United States (other country reports are also published) in 2010, ranging from 4,200 to approximately 105,000 records in 15 different industries. Of the breaches studied, organizations paid a low of $780,000 ($750,000 in 2009), and a high of $35.3 Million ($31 Million in 2009) in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 Million in 2008, and $6.75 Million in 2009, to $7.2 Million in 2010 (Summary).


The cost breakdown for breach response among lost business, ex-post response, notification and detection & escalation is eye-opening and, if nothing else, should be motivational to businesses to address problems before they arise.

Response Cost Chart

Source: Ponemon Institute/Symantec Corporation

According to the report and the published infographic, the source of the data breach was negligence in 41% of the cases. 31% of the data breaches were caused by intentional and malicious attacks, up seven percent from 2009.  Breaches due to third-party mistakes dropped three percent to 39%.  Encryption remained the most popular post-breach remedy, up three percent to 61%.

As in prior years, organizations that move quickly tend to experience a higher cost per record for the breach response. Organizations that move quickly tend to do so in a disorganized, inefficient manner (e.g., they do not have a breach response plan in place), and spend on average $268 per record, up significantly from the 2009 average of $219 per record. Organizations that took longer to respond paid $174 per record on average.

The news regarding data breach costs and impacts continues to worsen and shows no sign of improving or slowing.

Gawker Media Hack Highlights Our Terrible Password Practices

The recent hacking of Gawker Media’s servers and subsequent release of nearly one and one-half million user names, email addresses and passwords has put a new spotlight on two particular brands of web users: The One Password User and The Terrible Password User.

In case you lost the news of the Gawker hack between the news of Wikileaks, and the related “takedowns” of several popular web sites, it is understandable. It has been an incredible couple of weeks on the hacking/denial-of-service front.

If you did miss the news, and you are a registered user of the web sites Gawker, Gizmodo, Lifehacker, Deadspin, Jezebel, Kotaku, Jalopnik or i09, then you better listen up. Hackers were able to steal a reported 1.25 million accounts, including half a million email addresses and 185,000 cracked passwords. In other words, it is a big deal. Want to see if your email address is in the database published by the hackers? Slate has you covered here.  Excellent resource.

Yes, we should call ourselves what we are. We are lazy. We refuse to remember multiple passwords for multiple web sites. We know there is a risk to engaging in this practice but do it anyway. We are idiots.

The hack is being reported as an example of users using terrible passwords. The most popular password (as reported by The Wall Street Journal here) of users was “123456” with “password” a distant second. Should we take away from this that at least most users have heard the warnings about using “password” as a password?

Another issue being discussed, but not on the same level as the terrible password issue, is the one-size-fits-all approach that users take with their password. Consider the scenario that you have a GMail account. More often than not, your user account on most web sites will be either the full GMail email address or the user name (the part before the @gmail.com). If you had a Gawker account, then there is a significant chance that your email address and password for Gawker is now published and available online to anyone able to use Google.

How hard do you think it will be for criminals to create a computer script that will plug in your email address and password into major web sites to see if your account can be accessed? Wachovia account? Twitter account (this actually happened the other day)? eTrade brokerage account? Facebook account? You get the picture.

The final step here is what applies to your organization. What if within those email addresses from Gawker there is a user’s work email address? (There is. LOTS of them.) And what if the password used to register the Gawker account is the same as the password for the corporate user account? Are we that far removed from a criminal seeing a corporate domain in that Gawker database and giving the foregoing scenario a shot? What, your organization requires that users change passwords every 90 days? Well, you have nothing to worry about…as long as the Gawker account was not created in the last 90 days. Or the user did not recycle a prior password that happened to be the one in use when the Gawker account was created.

Maybe it is time to re-emphasize to your employees that they are not to use their corporate passwords anywhere else. As a Human Resources matter, you may also want to prohibit employees from using their work email address on personal web sites (this is excellent advice for many reasons, but not often followed by employees even when in place). Finally, you may also want to consider a Gawker-specific announcement about (1) the same email address used at multiple web sites, (2) sophisticated password usage and (3) changing their corporate password if it was used at any other web site.
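The check an organization actually wants to run after a dump like this is mechanical: pull the corporate-domain addresses out of the dump, flag the obviously weak passwords, and test whether any leaked password is the one currently set on the matching corporate account. The following is an added example, not code from the original post or from Gawker. It assumes an "email:password" dump format, the domain example.com, and a constructed directory that stores passwords as salted PBKDF2-SHA256 digests; because the directory holds only digests, the test has to derive each leaked plaintext under the user's own salt and compare.

```python
"""Check a leaked "email:password" dump against a corporate directory.

Added example, not from the original post or from Gawker. Assumes the
dump format shown in LEAKED_DUMP and a directory that stores passwords
as salted PBKDF2-SHA256 digests; every record below is constructed.
"""
import hashlib
import hmac
import os

CORP_DOMAIN = "example.com"
# tiny stand-in for a real breached-password blocklist
WEAK_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}
PBKDF2_ROUNDS = 100_000


def pbkdf2(password, salt, rounds=PBKDF2_ROUNDS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def new_record(password):
    """What the directory stores: a random salt and the derived key, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": pbkdf2(password, salt)}


# Constructed corporate directory keyed by username (the part before the @).
DIRECTORY = {
    "alice": new_record("Tr0ub4dor&3"),
    "bob": new_record("password"),         # same weak password as on the leaked site
    "carol": new_record("c0rrect-horse"),  # strong, but reused on the leaked site
}

# Constructed dump in the format the hackers are said to have published.
LEAKED_DUMP = """\
alice@example.com:hunter2
bob@example.com:password
dave@example.com:123456
eve@gmail.com:letmein
carol@example.com:c0rrect-horse
"""


def parse_dump(text):
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)   # passwords may themselves contain ':'
        pairs.append((email.strip().lower(), password))
    return pairs


def corporate_exposure(dump_text, domain=CORP_DOMAIN, directory=DIRECTORY):
    """Report corporate addresses in the dump, accounts whose current
    corporate password equals the leaked one, and leaked weak passwords."""
    report = {"corp_accounts": [], "reused": [], "weak": []}
    for email, password in parse_dump(dump_text):
        local, _, dom = email.partition("@")
        if dom != domain:
            continue
        report["corp_accounts"].append(email)
        if password in WEAK_PASSWORDS:
            report["weak"].append(email)
        record = directory.get(local)
        if record is None:
            continue   # no such corporate account (or a former employee)
        candidate = pbkdf2(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            report["reused"].append(local)
    return report


if __name__ == "__main__":
    for key, value in corporate_exposure(LEAKED_DUMP).items():
        print(f"{key}: {value}")
```

Accounts in the "reused" list should get a forced reset, not just a reminder, since the working password is now public; "corp_accounts" with no directory match (dave above) are still worth a look, because they show which employees or former employees register on outside sites with the work address. The cost of the check is one PBKDF2 derivation per corporate address in the dump, which is negligible next to the cost of missing a reused password.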

Tony Soprano Goes Into the Business of Stealing Personal Information

Organized crime has long been known to trade in stolen personally identifiable information. The recent 2010 Verizon Data Breach Investigations Report (PDF link) reports that organized criminals were responsible for 85% of all data breaches caused by external agents. As a whole, data breaches caused by external agents comprise 70% of all data breaches and 98% of all records compromised. Statistics, analysis and recommendations pepper the 66-page report.

The Verizon Report also noted that 98% of all compromised records came from servers, 85% of attacks were not considered highly difficult, 61% of data breaches were discovered by third parties, 86% of parties with compromised systems had evidence in their log files that a breach had occurred, 96% of breaches were avoidable through simple or intermediate controls, and 79% of parties with compromised systems that were subject to PCI-DSS had not achieved compliance.

Hacking, while making up only 40% of all breaches, accounted for 94% of all records compromised. The chart below, taken from the Verizon Report, shows the breakdown of the various categories of hacking.

Source: 2010 Verizon Data Breach Investigations Report

Verizon’s press release provides a brief summary of the Verizon Report, but a full read is recommended for those persons in charge of protecting networks containing personally identifiable information.

Key Findings of the 2010 Report

This year's key findings both reinforce prior conclusions and offer new insights. These include:

• Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners. Forty-nine percent were caused by insiders, which is an increase over previous report findings, primarily due in part to an expanded dataset and the types of cases studied by the Secret Service.

• Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information. An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.

• Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. Eighty-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.

• Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the PCI-DSS standard hadn't achieved compliance prior to the breach.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

• Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged and messages detailing activity generated to management.

• Watch for 'Minor' Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization's policies. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.

• Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.

• Monitor and Filter Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization's network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.

• Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn't take much to figure out that something is amiss and make needed changes. Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.

• Share Incident Information. An organization's ability to fully protect itself is based on the information available to do so. Verizon believes the availability and sharing of information are crucial in the fight against cybercrime. We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.

Sources: Verizon Press Release; 2010 Verizon Data Breach Investigations Report
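Several of the recommendations above (logging privileged use, time-of-use rules, watching outbound traffic, and actually reviewing the logs) come down to the same kind of work: parsing what the systems already record and flagging the patterns that preceded past breaches. The following is an added example, not code from Verizon, the DBIR or this blog. It runs three such checks over a handful of constructed log lines; the key=value log format, host names, user names, addresses, the 08:00-18:00 privileged-use window, the five-failures threshold and the egress allowlist are all assumptions made for illustration.

```python
"""Review a small batch of constructed log lines for the warning signs the DBIR
recommendations describe: privileged use outside an approved window, a burst of
failed logins followed by a success (stolen or guessed credentials), and
outbound connections to destinations that are not on an allowlist.

The log format, hosts, user names and addresses are made up for this example;
adapt the parser to your own syslog or firewall export.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data: an auth log and an egress firewall log, ISO timestamps.
AUTH_LOG = """\
2010-04-20T02:14:05 host=db01 user=svc_backup event=sudo cmd=/bin/tar
2010-04-20T09:30:11 host=db01 user=alice event=sudo cmd=/usr/bin/systemctl
2010-04-20T11:02:40 host=web02 user=bob event=login result=fail src=203.0.113.7
2010-04-20T11:02:43 host=web02 user=bob event=login result=fail src=203.0.113.7
2010-04-20T11:02:47 host=web02 user=bob event=login result=fail src=203.0.113.7
2010-04-20T11:02:50 host=web02 user=bob event=login result=fail src=203.0.113.7
2010-04-20T11:02:53 host=web02 user=bob event=login result=fail src=203.0.113.7
2010-04-20T11:03:01 host=web02 user=bob event=login result=ok src=203.0.113.7
2010-04-20T12:15:00 host=web02 user=carol event=login result=ok src=10.0.5.9
"""
EGRESS_LOG = """\
2010-04-20T02:16:30 host=db01 proto=tcp dst=198.51.100.23 dport=443 bytes=734003200
2010-04-20T09:31:00 host=db01 proto=tcp dst=10.0.9.12 dport=5432 bytes=2048
2010-04-20T11:05:12 host=web02 proto=tcp dst=192.0.2.55 dport=22 bytes=51200
"""

# Assumed policy for this example (time-of-use rule, lockout threshold, allowlist).
PRIV_WINDOW = (8, 18)          # privileged commands expected 08:00-18:00 local
FAIL_THRESHOLD = 5             # failed logins before a success that we treat as abuse
FAIL_WINDOW_S = 120            # ... within this many seconds
EGRESS_ALLOW = {"10.0.9.12"}   # destinations the organization expects to talk to
LARGE_TRANSFER = 100 * 2**20   # 100 MiB outbound in one flow is worth a look

KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Yield one dict per line: the key=value fields plus a parsed timestamp."""
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.fromisoformat(ts)
        yield rec

def privileged_use_off_hours(records):
    """Privileged (sudo) use outside the approved window."""
    lo, hi = PRIV_WINDOW
    return [r for r in records
            if r.get("event") == "sudo" and not lo <= r["ts"].hour < hi]

def failed_then_success(records):
    """(user, source) pairs with >= FAIL_THRESHOLD failures shortly before a success."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("event") == "login":
            by_key[(r["user"], r["src"])].append(r)
    hits = []
    for key, evs in by_key.items():
        for i, r in enumerate(evs):
            if r["result"] != "ok":
                continue
            recent_fails = [e for e in evs[:i] if e["result"] == "fail"
                            and (r["ts"] - e["ts"]).total_seconds() <= FAIL_WINDOW_S]
            if len(recent_fails) >= FAIL_THRESHOLD:
                hits.append(key)
    return hits

def suspicious_egress(records):
    """Outbound flows to non-allowlisted destinations, or unusually large ones."""
    return [r for r in records
            if r["dst"] not in EGRESS_ALLOW or int(r["bytes"]) >= LARGE_TRANSFER]

def review():
    """Run all three checks and return the findings by category."""
    auth = list(parse(AUTH_LOG))
    egress = list(parse(EGRESS_LOG))
    return {
        "off_hours_privileged": [(r["host"], r["user"]) for r in privileged_use_off_hours(auth)],
        "credential_abuse": failed_then_success(auth),
        "suspicious_egress": [(r["host"], r["dst"]) for r in suspicious_egress(egress)],
    }

if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

Run against the sample, the review flags the 02:14 sudo on db01 by the backup service account, bob's five failures and then success from the same address, and the two outbound flows that are not on the allowlist (one of them a 700 MB transfer at 02:16 from the same host that saw the off-hours privileged use). None of these is proof of a breach on its own, which is the point of the "log analysis" recommendation: the evidence is already in the logs, and someone has to be tasked with reading it.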
 

Update on Massive ECMC Data Breach

Do you recall that little data breach that Educational Credit Management Corporation (ECMC) had a couple of weeks ago?   That "theft" of data that included names, addresses, dates of birth and social security numbers of some 3.3 million individual student loan borrowers was big news in data breach circles.  We reported about it here.

Well, hope springs eternal as I was pinged today by ECMC's PR firm letting me know that the storage medium was recovered and "law enforcement officials" do not believe that the personal information was compromised.  (Savvy move, Weber Shandwick.)

I hope, for the sake of the borrowers if nothing else, that none of the information was accessed.  I also hope that experts can determine that nobody accessed the information (which probably can be done if we are talking about a thumb drive or hard drive, but is much less likely if we are talking about a DVD, fingerprints notwithstanding).

Maybe some encryption firm is making a lot of money from ECMC as we speak, and maybe Congress is noticing this apparent dodged bullet and will use it to advance a toothy federal breach notification law. 

The full press release is available if you click Continue Reading below.

The statement below is in response to a news release issued on 4/16/10 by the Minnesota Department of Public Safety.

Statement of Richard Boyle, ECMC GROUP President & CEO

ECMC and its employees want to express their gratitude to the Minnesota Financial Crimes Task Force, which, in cooperation with the Oakdale Police Department and with the assistance of the Federal Bureau of Investigation and the Department of Education’s Office of Inspector General, brought about this positive outcome.  We were very pleased to learn yesterday that the property and data stolen from ECMC headquarters have been recovered and that law enforcement officials believe that the personally identifiable information of our 3.3 million federal student loan borrowers does not appear to have been compromised.
 
We are working closely with U.S. Department of Education to notify our borrowers, partners and industry about this latest development.
 
We remain vigilant to the needs and concerns of our borrowers, and continue to encourage borrowers who were notified by us of this incident to take advantage of the free credit monitoring and fraud protection package we are providing them through Experian.  The letter to affected borrowers included information about how to activate this service. 

All of us at ECMC are delighted by this news and hope that it provides some comfort to affected borrowers.  We will continue to post updates to our website, www.ecmc.org, as additional information becomes available. 

Data Breach Affecting 3.3 Million Borrowers with Student Loans

ECMC reported last Friday, March 26th, that a data theft occurred over the weekend of March 20-21 from ECMC's headquarters.  During this breach, which has been termed a "theft," data was stolen that included names, addresses, dates of birth and social security numbers of some 3.3 million individual student loan borrowers.  ECMC did note in its press release that no "bank account or other financial information" was stolen, which may not come as a huge relief to those affected considering the types of data that were stolen.

What is not clear is whether the information was encrypted, although it is not difficult to conclude that the information almost certainly was not encrypted in light of the public announcement and the offer of credit monitoring.  The media on which the records were contained, although not specifically identified, was referred to as "portable media."

ECMC's president and CEO, Richard Boyle, said in the statement "[w]e deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers' identity and personal information."

ECMC is a guarantor of federal student loans.  It is offering, gratis, the now-customary credit monitoring service from one of the major credit reporting bureaus (Experian, in this case).

ECMC reports that it delayed its public announcement at the direction of law enforcement.

This data breach of ECMC's records further highlights the vast gap between state-level data encryption requirements that are emerging and the lack of the same at the federal level.

HSBC Reports Information of 24,000 Account Holders Stolen

The AP is reporting that customers who held Swiss bank accounts with HSBC between late 2006 and early 2007 had their account information stolen by a former IT employee of an HSBC subsidiary. CBS News, also publishing an AP report, puts the number at 15,000 customers, although the 24,000 figure appears to come from a later version of the story. The affected customers are located worldwide.

If you were one of the affected customers, you apparently are already aware of the data breach because HSBC says that it contacted you. Stated another way, HSBC contacted you to tell you that your (presumably) secret Swiss bank account is not so much of a secret anymore.

The accounts have been closed, and there does not appear to be any real risk that the information will be used to access account holders’ accounts. That may sound reassuring to the customer being contacted. That is, unless the customer asks a few more questions.

“Well, where is my information,” you may have asked if you were one of the customers contacted. You probably had spent years funneling this money into your secret, non-taxed, Swiss bank account.  You will not be happy if some criminal takes your illegally shielded money.

This is where the story takes an interesting turn. Apparently, the IT employee was not content to let the information sit in a drawer, and the data was "turned over" to the French government. What could possibly come from that, right?

We have read reports that the German government may be buying information on Swiss account holders. Now we can add the French government to that list. France released the names of 3,000 Swiss account holders in 2009. The AP story cites the same IT employee as one of the sources of the information on those 3,000 account holders.

Apparently the stolen data was returned by the French government to the Swiss government, and eventually made its way back to HSBC. Thank goodness.  But wait, France still has copies of the information.  Not to worry, the information will not be used "inappropriately" by the French government. It does, however, remain to be seen whether an appropriate use would be the prosecution of tax evaders.

It also is not immediately apparent what sanctions HSBC may face as a result of the breach, which implicates Europe's strict privacy laws.

Data Breach Costs Increase to $204 per Compromised Record

The average cost of a data breach rose to $204 per compromised customer record, an increase of $2 over the 2008 average. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its fifth annual report (Available Here) with that finding.  The report is sponsored by PGP Corporation.

The report is based on 45 real-world data breaches, with samples ranging from 5,000 to approximately 10,000 records. Of the breaches studied, organizations paid a low of $750,000 and a high of $31 million in connection with the breach response. The average total cost to an organization from a data breach increased from $6.65 million in the 2008 study to $6.75 million in the 2009 study (Summary).

The $204 cost is further broken down: $144 relates to indirect costs, such as customer churn and the loss of prospective customers. The balance relates to direct costs incurred by organizations, an increase of $10 over the 2008 report.

The source of the data breach was a third-party error in 42% of the cases. Only 24% of the data breaches were the result of intentional attacks. Shockingly, 82% of the breaches studied by the Ponemon Institute were at organizations that had more than one breach of 1,000 or more records in 2009. But the good news for the repeat offenders is that their average cost is only $198 per record (versus $228 per record for organizations experiencing their first data breach).

But those organizations that move quickly tend to experience a higher cost per record for the breach response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency, and spend on average $219 per record. Those organizations with a more organized response spend on average $196 per record.

Organizations that engage third parties to assist in the response and compliance following a data breach actually spend much less per record compromised ($170 versus $230).

In less than half of the cases studied (40%), the response was managed by the organization’s chief information security officer.

Password Security Often Overlooked as Source of Data Breaches

The lessons to be learned from data breaches are often numerous and not always apparent on the surface. The most recent example is the RockYou.com hack that occurred in December. And what a hack that was.

Briefly, when RockYou.com was hacked, the hackers walked away with 32 million usernames and the corresponding passwords. While the number of usernames and passwords (and, let’s be honest, the number of users of this service) is shockingly high, the unforgivable transgression is that RockYou.com apparently stored these passwords in plain text. Industry standards dictate, and competent legal advisors and IT consultants strongly recommend, that personally identifiable information be stored in encrypted form; for passwords in particular the standard is stricter still: they should be kept only as salted, one-way hashes, so that even the site operator cannot read them back and an attacker who steals the table still has to guess each password individually. RockYou.com apparently stored its usernames and passwords in a format as readable as this blog entry. Yeah, seriously.

But while the media is focusing on the revelation of which passwords are most commonly used, the less obvious takeaway may be the most interesting. Starting from the premises that people are people, that people use blatantly obvious passwords, and that people create the passwords for your business computers and networks, it is not hard to reach the conclusion that many businesses out there are one simple password away from a data breach featured in the Wall Street Journal, as Heartland was.

The security firm iMPERVA published a detailed analysis (PDF link) of the passwords obtained through the RockYou.com hack. The analysis is a good read and includes a number of best-practice suggestions.

The analysis reveals that the top three passwords are 123456, 12345, and 123456789. The fourth most common password? It is Password. It feels odd even writing the foregoing two sentences.

But you are not a hacker, you run a business. You run it well. You do not ignore the details, and you make sure you know exactly what every contract says before you sign it. But you probably do not select the “Administrator” password for your business. If your business is named Competent, what are the chances that the password is Competent1?  You are probably not the one responsible for ensuring that the password on the router/firewall standing between the outside world and your customers’ personally identifiable information (and your proprietary information) has been changed from its default, and changed to a strong one. You have people who do that. That being said, people are people, etc.

So, what is a strong password? Well, strong passwords are a lot like the way Justice Potter Stewart described pornography: I know it when I see it. The usual suggestions are to mix uppercase and lowercase letters, numbers and punctuation, to use 12-14 characters, and to avoid ordinary English words. 3d4$d@Ga1GhS3p is a quickly mashed-out example. Yes, nearly impossible to remember, but very difficult to guess or brute-force, and in an era of doing all reasonable things to prevent hacks, a terrific first step. Wikipedia has an easy-to-read primer on strong password selection here.
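To make the two points concrete, here is an added example in Python, not code from this post, from RockYou or from iMPERVA. It shows the plaintext storage the post criticizes beside the hardened alternative, a salted hash from a deliberately slow key-derivation function (scrypt, as shipped in Python's standard library), and a simple screen that rejects the Competent1-style and top-of-the-list passwords discussed above. The user names, stored passwords, company name and the short common-password list are constructed for the example; the list's first four entries are the ones the post cites.

```python
"""Password storage and a sanity check on password choice (added example).

RockYou kept usernames and passwords in plain text, so one database read gave
the attacker every credential. The right store is a one-way, salted, slow hash:
the site can verify a login but cannot hand out the passwords, and an attacker
who steals the table has to guess each one separately.
"""
import hashlib
import hmac
import os
import re

# --- The RockYou way (constructed sample): anyone who reads the table has every password.
plaintext_store = {"alice": "123456", "bob": "Password"}

# --- Hardened: scrypt (memory-hard KDF in hashlib) with a random per-user salt.
#     Parameters are the interactive-login values from the hashlib documentation;
#     raise n as hardware gets faster. The stored string records them so old
#     entries can still be verified after the parameters change.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    alg, n, r, p, salt_hex, digest_hex = stored.split("$")
    if alg != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison so the verify time does not leak digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# --- Password choice. The first four entries are the RockYou top four from the
#     post; the rest are invented stand-ins for a real blocklist.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password",
                    "iloveyou", "princess", "qwerty", "abc123"}

def password_problems(password: str, company: str = "") -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    # Catch "Competent1" for a company called Competent: strip trailing digits/punctuation.
    stem = re.sub(r"[\d\W_]+$", "", password).lower()
    if company and stem == company.lower():
        problems.append("derived from the company name")
    return problems

if __name__ == "__main__":
    stored = {user: hash_password(pw) for user, pw in plaintext_store.items()}
    print(stored["alice"])                               # salt and digest, not the password
    print(verify_password("123456", stored["alice"]))    # the real password verifies
    print(verify_password("Password", stored["alice"]))  # a wrong one does not
    for pw in ("123456", "Competent1", "3d4$d@Ga1GhS3p"):
        print(pw, password_problems(pw, company="Competent"))
```

Two design points worth noting. The salt is what keeps one stolen table from being cracked with a single precomputed list, and the slow KDF is what makes each individual guess expensive; a fast hash such as plain SHA-1 or MD5 gives neither protection in practice. The strength check is deliberately a blocklist plus a few structural rules rather than an attempt to compute "entropy": the post's own examples (123456, Password, Competent1) all fail it, and the mashed-out 3d4$d@Ga1GhS3p passes.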
 

Proposed California Data Breach Law Could Create a Clearinghouse

We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law. We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.

President Obama’s administration may be disappointing many privacy experts to date, but California’s Governator now has an opportunity to make some major strides.

California’s State Legislature approved SB 20, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would “strengthen and update California´s landmark privacy protection law.”

Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.

The existing legislation, originally authored by Simitian, requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. Simitian’s office proudly, and accurately, states that California’s law has been widely praised, and more than 40 states have adopted similar legislation.

At its heart, SB 20 accomplishes two major goals. First, SB 20 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also require that parties that have a (single event) data breach affecting more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office. This second provision is where there is now the potential for a clearinghouse. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General’s office would post information regarding these reported data breaches on its web site in an easily accessible manner.

While the proposed revision to California’s data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon. In any event, as more states consider and require such reporting requirements, at the very least there may come into existence a patchwork of clearinghouses. Even such a patchwork has the potential to be better than the current systems.
 

TJX Reaches Settlement In Data Security Breach Investigation

TJX agreed to pay $9.75 million to forty-one states to settle an investigation of a data breach that it reported in January 2007.  $2.5 million of the settlement amount will be used to create a data security fund for those states whose residents were affected by the data breach.  TJX will pay $7.25 million in settlement and investigation costs.  The settlement requires TJX, among other items, to take specific steps to tighten data security and to provide notice to consumers within ten days in the event of another data security breach.  The settlement also allows state governments to monitor TJX's data security efforts for three years.
 
TJX continues to emphasize that it "firmly believes it did not violate any consumer protection or data security laws."  TJX's chief financial officer, Jeffrey Naylor, stated that the settlement will allow TJX and state attorneys general to take "leadership roles in exploring new technologies and approaches to solving systematic problems in the U.S. payment card industry." 
 
TJX reported that eleven people were arrested on hacking charges, two people pleaded guilty to hacking charges and two people have pleaded guilty to related charges in connection with the data security breach.

Eleventh Circuit Court of Appeals Rejects Veterans' Claims For Damages

On June 17, 2009, the Eleventh Circuit Court of Appeals affirmed the decision of the United States District Court for the District of Alabama and held that veterans were not entitled to damages as a result of a data security breach.

In February 2007, the Department of Veterans Affairs announced that a computer hard drive, which contained the unencrypted names, social security numbers, birth dates and healthcare files for more than 198,000 living veterans, was missing. Veterans instituted a lawsuit against the VA and claimed that the "stress caused by their fear of identity theft" and "from their loss of trust in the VA" aggravated certain of their medical conditions. The district court granted the VA's motion for summary judgment and dismissed the veterans' claims. The Eleventh Circuit upheld the district court's decision and stated that the veterans were not entitled to monetary damages because they failed to prove "actual damages" or "pecuniary losses". The Eleventh Circuit did, however, remand the case to the district court to order the VA to take certain steps to avoid similar incidents in the future.

Data Breach Sharing Website Started

The risk management technology company, Intersections Inc., and the Identity Theft Assistance Center launched www.Breachcenter.com today.  Breachcenter.com is a website where companies that have suffered data breaches can share their experiences. Instead of focusing on the "technical aspects of breach recovery" or "breach prevention", Breachcenter.com focuses on the "human side" of responding to a data breach. Breachcenter.com serves as a "community-fueled knowledge base" that includes practical information about how to respond to a data breach, including legal obligations to notify consumers who may be affected by the breach.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put into place a first-of-its-kind (other than the HITECH Act applicable to medical data, discussed here) federal law setting the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the FTC if there is a breach. Although the current draft does not require notification to state agencies, DATA does allow state agencies as well as the FTC to enforce its provisions. Almost all states and jurisdictions already have data breach notification laws in place, and others are on the verge of passing them; a federal law would replace this jumble of standards and reporting requirements. Although privacy proponents generally applaud the idea of uniform data breach notification standards, the fear of putting in place a lower standard than some jurisdictions already have continues to cast a shadow over the prospect. As with many state laws, a firm could avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft. This “no risk” standard, however, would be weaker than the standard in those states that require reporting regardless of whether there is a risk. Therefore, while preemption is not being dismissed by those following the legislation, the demand for adequate notification standards continues.

Second, DATA would require that firms that store personally identifiable information have in place security policies and procedures to ensure that the information is adequately protected. These proposed provisions largely track those already in place under the Gramm-Leach-Bliley Act.  The definition of “personal information” in DATA is fairly limited in scope, largely because too broad a definition (think of the very broad definition used by the European Union) would lead to over-notification when a breach occurs, a possibility many fear would lead to complacency if breach notification became an everyday occurrence. The current definition under DATA is: an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver’s license number or other State identification number; and (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

However, the definition of “personal information” in DATA is no broader with respect to security policies and procedures, meaning that the set of firms required to have security policies and procedures in place is likewise limited. While there may be a particular concern about imposing (potentially) costly requirements on firms that hold information less sensitive than that in the definition of “personal information,” there will be a push to expand the definition of “personal information” for purposes of the security policies and procedures requirements.

Third, DATA adds provisions related to consumers’ ability to review and correct misinformation held by a firm. Similar to the right to review and dispute information contained in credit reports under the Fair Credit Reporting Act (PDF link), consumers would be allowed to point out incorrect “personal information” a firm maintains. That statement alone raises two major flaws in the current legislation. First, the definition of “personal information” is limited and would only allow review and correction of highly sensitive information. Under FCRA, any reported information is subject to review and correction. Second, there is no clear direction on what is meant by “maintain.” Does information obtained from clearinghouses constitute “maintaining” that information? Most state statutes are concerned with possession and/or use of the data, which is a much clearer standard.

DATA will continue to evolve and be adjusted as interested parties provide feedback and suggestion. Whether DATA is the national privacy law that we are all anticipating and, in many ways, hoping for remains to be seen.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Heartland To Address Data Breach

Next week, at a meeting of the Payments Processing Information Sharing Council, an organization created to share information about threats, risk mitigation and fraud, Robert O. Carr, chairman and chief executive of Heartland Payment Systems Inc., will discuss the company's recent widely reported data breach. The Payments Processing Information Sharing Council is an offshoot of the Financial Services Information Sharing and Analysis Center, a trade group that helps businesses and government agencies share information about data security issues, including network intrusions. A spokesperson for Heartland stated that the "new organization grew out of Bob Carr's feeling that payment processors needed a forum to share information on breaches like the kind that we experienced. Heartland should be able to share information with others in our industry so that an international cyber thief can't use the same malicious software to penetrate another processor."

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world.  While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives.  Whether you decide to share your ideas with us, or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com