Proposed California Data Breach Law Could Create a Clearinghouse

We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law. We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.

President Obama’s administration may have disappointed many privacy experts to date, but California’s Governator now has an opportunity to make some major strides.

California’s State Legislature approved SB 20, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would “strengthen and update California’s landmark privacy protection law.”

Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.

The existing legislation, originally authored by Simitian, requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. Simitian’s office proudly and accurately states that California’s law has been widely praised, and more than 40 states have adopted similar legislation.

At its heart, SB 20 accomplishes two major goals. First, SB 20 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office. This second provision is where there is now a potential for a clearinghouse. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General’s office would post information regarding these reported data breaches on its web site in an easily accessible manner.

While the proposed revision to California’s data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon. In any event, as more states consider and adopt such reporting requirements, at the very least there may come into existence a patchwork of clearinghouses. Even such a patchwork has the potential to be better than the current system.
 

TJX Reaches Settlement In Data Security Breach Investigation

TJX agreed to pay $9.75 million to forty-one states to settle an investigation of a data breach that it reported in January 2007.  $2.5 million of the settlement amount will be used to create a data security fund for those states whose residents were affected by the data breach.  TJX will pay $7.25 million in settlement and investigation costs.  The settlement requires TJX, among other items, to take specific steps to tighten data security and to provide notice to consumers within ten days in the event of another data security breach.  The settlement also allows state governments to monitor TJX's data security efforts for three years.
 
TJX continues to emphasize that it "firmly believes it did not violate any consumer protection or data security laws."  TJX's chief financial officer, Jeffrey Naylor, stated that the settlement will allow TJX and state attorneys general to take "leadership roles in exploring new technologies and approaches to solving systematic problems in the U.S. payment card industry." 
 
TJX reported that eleven people have been arrested on hacking charges, two people have pleaded guilty to hacking charges and two people have pleaded guilty to related charges in connection with the data security breach.

Eleventh Circuit Court of Appeals Rejects Veterans' Claims For Damages

On June 17, 2009, the Eleventh Circuit Court of Appeals affirmed the decision of the United States District Court for the District of Alabama and held that veterans were not entitled to damages as a result of a data security breach.

In February 2007, the Department of Veterans Affairs announced that a computer hard drive, which contained the unencrypted names, social security numbers, birth dates and healthcare files for more than 198,000 living veterans, was missing. Veterans instituted a lawsuit against the VA and claimed that the "stress caused by their fear of identity theft" and "from their loss of trust in the VA" aggravated certain of their medical conditions. The district court granted the VA's motion for summary judgment and dismissed the veterans' claims. The Eleventh Circuit upheld the district court's decision and stated that the veterans were not entitled to monetary damages because they failed to prove "actual damages" or "pecuniary losses". The Eleventh Circuit did, however, remand the case to the district court to order the VA to take certain steps to avoid similar incidents in the future.

Data Breach Sharing Website Started

The risk management technology company, Intersections Inc., and the Identity Theft Assistance Center launched www.Breachcenter.com today.  Breachcenter.com is a website where companies that have suffered data breaches can share their experiences. Instead of focusing on the "technical aspects of breach recovery" or "breach prevention", Breachcenter.com focuses on the "human side" of responding to a data breach. Breachcenter.com serves as a "community-fueled knowledge base" that includes practical information about how to respond to a data breach, including legal obligations to notify consumers who may be affected by the breach.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put into place a first of its kind (other than the HITECH Act applicable to medical data, discussed here) federal law setting the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the FTC if there is a breach. Although there is no current requirement of notification to state agencies, DATA does allow state agencies and the FTC to enforce the provisions of DATA. Although almost all states and jurisdictions have data breach notification laws in place, and other states are on the verge of passing new data breach notification laws, a federal law would replace the jumble of standards and reporting requirements. Although privacy proponents generally applaud the idea of data breach notification standards, fear of putting in place a lower standard than the one already in place in some jurisdictions continues to cast a shadow over this prospect. As with many state laws, a firm could avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft. This “no risk” standard, however, would be a lesser standard than that of those states that require reporting regardless of whether there is a risk. Therefore, while preemption is not being dismissed by those following the legislation, a demand for adequate notification standards continues.

 

Second, DATA would require that those firms that store personally identifiable information have in place security policies and procedures to ensure that the information is adequately protected. These proposed provisions largely track those already in place in the Gramm-Leach-Bliley Act.  The definition of “personal information” in DATA is fairly limited in scope, largely because having too broad a definition (think of the very broad definition used by the European Union) would lead to over-notification if there is a breach, a possibility many fear would lead to complacency if breach notification becomes an everyday occurrence. The current definition under DATA is: an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver’s license number or other State identification number; and (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

However, the definition of “personal information” in DATA is no broader with respect to security policies and procedures, meaning that the set of firms required to have in place security policies and procedures is likewise limited. While there may be a particular concern about imposing (potentially) costly requirements on firms that hold information less sensitive than that in the definition of “personal information,” there will be a push to expand the definition of “personal information” for purposes of the security policies and procedures requirements.

Third, DATA adds provisions related to consumers’ ability to review and correct misinformation held by a firm. Similar to the right to review and protest information contained in credit reports under the Fair Credit Reporting Act (PDF link), consumers would be allowed to point out incorrect “personal information” a firm maintains. That statement alone raises two major flaws in the current legislation. First, the definition of “personal information” is limited and would only allow review and correction of highly sensitive information. Under FCRA, any reported information is subject to review and correction. Second, there is no clear direction on what is meant by “maintain.” Does information obtained from clearinghouses constitute “maintaining” that information? Most state statutes are concerned with possession and/or use of the data, which is a much clearer standard.

DATA will continue to evolve and be adjusted as interested parties provide feedback and suggestions. Whether DATA is the national privacy law that we are all anticipating and, in many ways, hoping for remains to be seen.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Heartland To Address Data Breach

Next week, at a meeting of the Payments Processing Information Sharing Council, an organization created to share information about threats, risk mitigation and fraud, Robert O. Carr, chairman and chief executive of Heartland Payments Systems Inc., will discuss the company's recent, widely reported data breach. The Payments Processing Information Sharing Council is an offshoot of the Financial Services Information Sharing and Analysis Center, a trade group that helps businesses and government agencies share information about data security issues, including network intrusions. A spokesperson for Heartland stated that the "new organization grew out of Bob Carr's feeling that payment processors needed a forum to share information on breaches like the kind that we experienced. Heartland should be able to share information with others in our industry so that an international cyber thief can't use the same malicious software to penetrate another processor."

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world.  While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives.  Whether you decide to share your ideas with us, or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com