HSBC Reports Information of 24,000 Account Holders Stolen

The AP is reporting that customers holding Swiss bank accounts with HSBC between late 2006 and early 2007 had their account information stolen by a former IT employee of an HSBC subsidiary. CBS News, also publishing an AP report, puts the number at 15,000 customers, although the 24,000 figure appears to come from a later publication. Customers affected are worldwide in scope.

If you were one of the affected customers, you apparently are already aware of the data breach because HSBC says that it contacted you. Stated another way, HSBC contacted you to tell you that your (presumably) secret Swiss bank account is not so much of a secret anymore.

The accounts have been closed, and there does not appear to be any real risk that the information will be used to access account holders’ accounts. That may sound reassuring to the customer being contacted. That is, unless the customer asks a few more questions.

“Well, where is my information,” you may have asked if you were one of the customers contacted. You probably had spent years funneling this money into your secret, non-taxed, Swiss bank account.  You will not be happy if some criminal takes your illegally shielded money.

This is where the story takes an interesting turn. Apparently, the IT employee was not content to let the information sit in a drawer, and the data was "turned over" to the French government. What could possibly come from that, right?

We have read reports that the German government may be buying information on Swiss account holders. Now we can add the French government to that list. France released the names of 3,000 Swiss account holders in 2009. The AP story cites the same IT employee as one of the sources of the information on those 3,000 account holders.

Apparently the stolen data was returned by the French government to the Swiss government, and eventually made its way back to HSBC. Thank goodness.  But wait, France still has copies of the information.  Not to worry, the information will not be used "inappropriately" by the French government. It does, however, remain to be seen whether an appropriate use would be the prosecution of tax evaders.

It also is not immediately apparent what sanctions HSBC may face as a result of the breach, which triggers very strict European privacy laws.

Data Breach Costs Increase to $204 per Compromised Record

The cost per customer record compromised in a data breach increased $2 over the 2008 average, to $204. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its fifth annual report (Available Here) declaring that the average cost per compromised customer record rose to $204. The report is sponsored by PGP Corporation.

The report is based on 45 reported real-world data breaches, with samples ranging from 5,000 to approximately 10,000 records. Of the breaches studied, organizations paid a low of $750,000 and a high of $31 million in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 million to $6.75 million between the 2008 and 2009 (Summary) studies.

The $204 cost is further broken down: $144 relates to indirect costs, such as losses from existing customers who leave and from prospective customers who are lost. The balance relates to direct costs incurred by organizations, an increase of $10 over the 2008 report.

The source of the data breach was related to third party errors in 42% of the cases. Only 24% of the data breaches were caused by intentional attacks. Shockingly, 82% of the breaches studied by the Ponemon Institute were at organizations that had multiple data breaches in 2009 of 1,000 records or more. But the good news for the repeat offenders is that the average cost per record is only $198 (versus organizations with first time data breaches spending on average $228 per record).

But those organizations that move quickly tend to experience a higher cost per record for the breach response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency, and spend on average $219 per record. Those organizations that have a much more organized response spend on average $196 per record.

Organizations that engage third parties to assist in the response and compliance following a data breach actually spend much less per record compromised ($170 versus $230).

In less than half of the cases studied (40%), the response management was managed by the organization’s chief information security officer.

Password Security Often Overlooked as Source of Data Breaches

The lessons to be learned from data breaches are often numerous and not always apparent on the surface. The most recent example is the RockYou.com hack that occurred in December. And what a hack that was.

Briefly, when RockYou.com was hacked into, the hackers walked away with 32 million usernames and the corresponding passwords. While the number of usernames and passwords (and let’s be honest, the number of users of this service) is a shockingly high number, the unforgivable transgression is that RockYou.com apparently stored these usernames and passwords in plain text format. In other words, while industry standards dictate, and competent legal advisors and IT consultants strongly recommend, that all personally identifiable information be stored in an encrypted format, RockYou.com apparently stored the usernames and passwords in a format as readable as this blog entry. Yeah, seriously.

But while the media is focusing on the revelation of what passwords are most commonly used by users, the less obvious takeaway may be the most interesting. Starting with the premises that people are people, people use blatantly obvious passwords, and people create the passwords for your business computers and networks, it is not hard to reach the conclusion that there are also many businesses out there that are one simple password away from a data breach featured in the Wall Street Journal, like Heartland was featured.

The security firm Imperva published a detailed analysis (PDF link) of the passwords obtained through the RockYou.com hack. The analysis is a good read, and has many suggestions for best practices that you can read there.

The analysis reveals that the top three passwords are 123456, 12345, and 123456789. The fourth most common password? It is Password. It feels odd even writing the foregoing two sentences.

But you are not a hacker, you run a business. You run it well. You do not ignore the details, and you make sure you know exactly what every contract says before you sign it. But you probably do not select the “Administrator” password for your business. If your business is named Competent, what are the chances that password is Competent1? You are probably not responsible for ensuring that the password on the router/firewall standing in front of your customers’ personally identifiable information (and your proprietary information) has been changed, and changed to a strong password. You have people that do that. That being said, people are people, etc.

So, what is a strong password? Well, strong passwords are a lot like the way Justice Potter Stewart described pornography: I know it when I see it. There are suggestions about the use and intermingling of letters (uppercase and lowercase), numbers and punctuation, 12-14 characters and non-English words. 3d4$d@Ga1GhS3p is a quickly mashed out password. Yes, nearly impossible to remember, but very difficult to hack, and in an era of doing all reasonable things to prevent hacks, a terrific first step. Wikipedia has an easy to read primer on strong password selection here.
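The two points above, that RockYou.com kept passwords readable in the database and that the top entries in the leaked list are trivially guessable, can be shown side by side in code. The following is an added example written for this post; it is not code from RockYou.com, Imperva or the original entry. It contrasts the plaintext storage pattern with the practice a security engineer would substitute for it: a per-user random salt and a slow, salted hash (PBKDF2-HMAC-SHA256 from Python's standard library) rather than reversible encryption, so a stolen table does not hand over the passwords themselves. It also checks a candidate password against the mixing-of-character-classes and length suggestions quoted above. The common-password list is a constructed four-entry sample taken from the post, not the full leaked list, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import string

# Constructed sample: the four most common RockYou.com passwords named in
# the post. A real check would load a far larger list.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password"}

# Assumed work factor for PBKDF2; tune upward as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(users, username, password):
    """The vulnerable pattern: the record IS the password. Whoever reads the
    table (a breach, a backup, an insider) holds every account."""
    users[username] = password
    return users


def hash_password(password, salt=None):
    """Hardened record: random per-user salt plus a slow salted hash. Two users
    with the same password get different records, and the password itself is
    never written anywhere."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def store_hashed(users, username, password):
    users[username] = hash_password(password)
    return users


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time so
    the comparison does not leak how many leading bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def password_problems(password, min_length=12):
    """Return the list of reasons a password fails the post's suggestions
    (length, mixed case, digits, punctuation, not on the common list)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems


def is_strong(password):
    return not password_problems(password)


if __name__ == "__main__":
    weak, strong = {}, {}
    store_plaintext(weak, "alice", "Password")          # readable to anyone with the table
    store_hashed(strong, "alice", "3d4$d@Ga1GhS3p")     # only salt + hash on disk
    print("plaintext table:", weak)
    print("hashed table:   ", strong)
    print("login ok:", verify_password(strong["alice"], "3d4$d@Ga1GhS3p"))
    for candidate in ("123456", "Password", "Competent1", "3d4$d@Ga1GhS3p"):
        print(f"{candidate!r}: {password_problems(candidate) or 'strong'}")
```

Running the script prints the plaintext table with the password in the clear, the hashed table with only hex salt and digest, and the check results: the post's mashed-out example passes, while 123456, Password and Competent1 each fail on length and on missing character classes (and the first two on the common list as well).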
 

Proposed California Data Breach Law Could Create a Clearinghouse

We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law. We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.

President Obama’s administration may be disappointing many privacy experts to date, but California’s Governator now has an opportunity to make some major strides.

California’s State Legislature approved SB 20, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would “strengthen and update California’s landmark privacy protection law.”

Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.

The existing legislation, originally authored by Simitian, requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. Simitian’s office proudly and accurately states that California’s law has been widely praised, and more than 40 states have adopted similar legislation.

At its heart, SB 20 accomplishes two major goals. First, SB 20 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also require that parties that have a (single event) data breach affecting more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office. This second provision is where the potential for a clearinghouse now lies. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General’s office would post information regarding these reported data breaches on its web site in an easily accessible manner.

While the proposed revision to California’s data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon. In any event, as more states consider and require such reporting requirements, at the very least there may come into existence a patchwork of clearinghouses. Even such a patchwork has the potential to be better than the current systems.
 

TJX Reaches Settlement In Data Security Breach Investigation

TJX agreed to pay $9.75 million to forty-one states to settle an investigation of a data breach that it reported in January 2007.  $2.5 million of the settlement amount will be used to create a data security fund for those states whose residents were affected by the data breach.  TJX will pay $7.25 million in settlement and investigation costs.  The settlement requires TJX, among other items, to take specific steps to tighten data security and to provide notice to consumers within ten days in the event of another data security breach.  The settlement also allows state governments to monitor TJX's data security efforts for three years.
 
TJX continues to emphasize that it "firmly believes it did not violate any consumer protection or data security laws."  TJX's chief financial officer, Jeffrey Naylor, stated that the settlement will allow TJX and state attorneys general to take "leadership roles in exploring new technologies and approaches to solving systematic problems in the U.S. payment card industry." 
 
TJX reported that eleven people were arrested on hacking charges, two people pleaded guilty to hacking charges and two people have pleaded guilty to related charges in connection with the data security breach.

Eleventh Circuit Court of Appeals Rejects Veterans' Claims For Damages

On June 17, 2009, the Eleventh Circuit Court of Appeals affirmed the decision of the United States District Court for the District of Alabama and held that veterans were not entitled to damages as a result of a data security breach.

In February 2007, the Department of Veterans Affairs announced that a computer hard drive, which contained the unencrypted names, social security numbers, birth dates and healthcare files for more than 198,000 living veterans, was missing. Veterans instituted a lawsuit against the VA and claimed that the "stress caused by their fear of identity theft" and "from their loss of trust in the VA" aggravated certain of their medical conditions. The district court granted the VA's motion for summary judgment and dismissed the veterans' claims. The Eleventh Circuit upheld the district court's decision and stated that the veterans were not entitled to monetary damages because they failed to prove "actual damages" or "pecuniary losses". The Eleventh Circuit did, however, remand the case to the district court to order the VA to take certain steps to avoid similar incidents in the future.

Data Breach Sharing Website Started

The risk management technology company, Intersections Inc., and the Identity Theft Assistance Center launched www.Breachcenter.com today.  Breachcenter.com is a website where companies that have suffered data breaches can share their experiences. Instead of focusing on the "technical aspects of breach recovery" or "breach prevention", Breachcenter.com focuses on the "human side" of responding to a data breach. Breachcenter.com serves as a "community-fueled knowledge base" that includes practical information about how to respond to a data breach, including legal obligations to notify consumers who may be affected by the breach.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put into place a first of its kind (other than the HITECH Act applicable to medical data, discussed here) federal law regarding the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the FTC if there is a breach. Although there is no current requirement of notification to state agencies, DATA does allow state agencies and the FTC to enforce the provisions of DATA. Although almost all states and jurisdictions have data breach notification laws in place, and other states are on the verge of passing new data breach notification laws, a federal law would replace the jumble of standards and reporting requirements. Although privacy proponents summarily applaud the idea of data breach notification standards, fear of putting in place a lower standard than already in place in some jurisdictions continues to cast a shadow over this prospect. As with many state laws, a firm can avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft. This “no risk” standard, however, would be a lesser standard than those states that require reporting regardless of whether there is a risk. Therefore, while preemption is not being dismissed by those following the legislation, a demand for adequate notification standards continues.

 

Second, DATA would require that those firms that store personally identifiable information have in place security policies and procedures to ensure that the information is adequately protected. These proposed provisions largely track those already in place in the Gramm-Leach-Bliley Act. The definition of “personal information” in DATA is fairly limited in scope, largely because too broad a definition (think of the very broad definition used by the European Union) would lead to over-notification if there is a breach, a possibility many fear would lead to complacency if breach notification becomes an everyday occurrence. The current definition under DATA is: an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver’s license number or other State identification number; and (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

However, the definition of “personal information” in DATA is no broader with respect to security policies and procedures, meaning that the set of firms required to have security policies and procedures in place is likewise limited. While there may be a particular concern about imposing (potentially) costly requirements on firms that hold information less sensitive than that in the definition of “personal information,” there will be a push to expand the definition of “personal information” for purposes of the security policies and procedures requirements.

Third, DATA has added provisions related to consumers’ ability to review and correct misinformation held by a firm. Similar to the right to review and protest information contained in credit reports under the Fair Credit Reporting Act (PDF link), consumers are allowed to point out incorrect “personal information” a firm maintains. That statement alone raises two major flaws in the current legislation. First, the definition of “personal information” is limited and would only allow a review and correction of highly sensitive information. Under FCRA, any reported information is subject to review and correction. Second, there is no clear direction on what is meant by “maintain.” Does information obtained from clearinghouses constitute “maintaining” that information? Most state statutes are interested in possession and/or use of the data, which is a much clearer standard.

DATA will continue to evolve and be adjusted as interested parties provide feedback and suggestions. Whether DATA is the national privacy law that we are all anticipating and, in many ways, hoping for remains to be seen.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Heartland To Address Data Breach

Next week, at a meeting of the Payments Processing Information Sharing Council, an organization created to share information about threats, risk mitigation and fraud, Robert O. Carr, chairman and chief executive of Heartland Payment Systems Inc., will discuss the company's recent widely reported data breach. The Payments Processing Information Sharing Council is an offshoot of the Financial Services Information Sharing and Analysis Center, a trade group that helps businesses and government agencies share information about data security issues, including network intrusions. A spokesperson for Heartland stated that the "new organization grew out of Bob Carr's feeling that payment processors needed a forum to share information on breaches like the kind that we experienced. Heartland should be able to share information with others in our industry so that an international cyber thief can't use the same malicious software to penetrate another processor."

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world. While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives. Whether you decide to share your ideas with us, or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com