PCI Security Standards Council Unveils New Data Security Standards

On Thursday, October 28, 2010, the Payment Card Industry Security Standards Council (the “Council”) promulgated version 2.0 of its Data Security Standard (“PCI DSS”), which sets forth data security standards for payment card processors. The Council also updated its Payment Application Data Security Standard (“PA DSS”), which sets forth data security standards for software vendors that develop payment applications. Each new Data Security Standard will take effect on January 1, 2011.

In its summaries of the changes to each Data Security Standard, the Council makes clear that the majority of the changes arose from the need to clarify the intent of certain requirements, provide additional explanations or definitions, and ensure that the standards were up to date with emerging threats and changing markets.  

To access the new Data Security Standards, visit the PCI Document Library.

Here are some of the noteworthy updates:

  • Companies must identify and rank vulnerabilities and develop testing procedures to address high-risk vulnerabilities (prior to June 30, 2012, ranking vulnerabilities is considered a best practice, after which it becomes a requirement) (PCI DSS, Section 6.2);
  • Multiple virtual machines are permitted on the same physical hardware, so long as each virtual machine is performing only one task (PCI DSS, Section 2.2.1);
  • Payment applications must facilitate centralized logging, in alignment with PCI DSS Section 10.5.3 (PA DSS, Section 4.4); and
  • Similar to Section 6.2 of the PCI DSS, Section 7.1 of the PA DSS requires software vendors to identify vulnerabilities, rank them according to risk, and test payment applications for new vulnerabilities.

While the new PCI DSS and PA DSS releases may not represent a significant shift in the Council’s position on payment card security, processors and software vendors alike should take steps to incorporate each standard’s updated requirements as we approach 2011.

Netflix Sued for "Largest Voluntary Privacy Breach To Date"

On December 17, 2009, a class action suit was filed against online movie rental giant, Netflix, Inc., in the United States District Court for the Northern District of California. Plaintiffs in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.”

According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when it provided participants in a contest, initiated to improve Netflix’s movie recommendation systems, with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However, the Complaint cites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and identify individual subscribers.

Plaintiffs argue this disclosure constitutes a severe invasion of their privacy by Netflix, which violates, among other things, the Video Privacy Protection Act of 1988 (18 U.S.C. 2710 (2002)). Additionally, the lead plaintiff in this case, Jane Doe, claims that Netflix’s disclosure of her movie rental history and ratings has and/or will “identify or permit inference of her sexual orientation… [which…] would negatively affect her ability to pursue her livelihood and support her family, and would hinder her and her children’s ability to live peaceful lives within Plaintiff Doe’s community.”

The Video Privacy Protection Act (the “Act”) was originally enacted in 1988 (in response to the public disclosure of Supreme Court nominee Robert Bork’s video rental history), and, according to the Electronic Privacy Information Center, while not often invoked, the Act “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”

The Act prohibits, with certain exceptions, any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)). The Act defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” and “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” (18 U.S.C. 2710(a)). 

In addition to violating this prohibition on the disclosure of personally identifiable information, the Plaintiffs in Doe v. Netflix also allege that Netflix violated another provision of the Act, which requires that a video tape service provider “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected” (18 U.S.C. 2710(e)). 

The Plaintiffs are demanding relief in the form of (among other things) statutory damages, actual damages, punitive damages, injunctive relief, disgorgement of wrongfully obtained profits and revenues, and attorneys’ fees.

In addition to the Act, a number of states, including California, have enacted similar video privacy laws. Beyond the Act and those state video privacy laws, the Complaint alleges that Netflix has violated the California Customer Records Act (CA Civil Code 1798.80).

Prying Eyes Make Headlines

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential. 

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.

One employee, former administrative specialist Lawanda Jackson, has been indicted for obtaining individually identifiable health information for commercial advantage. Jackson allegedly sold information about Farrah Fawcett’s battle with cancer to a national media outlet.

According to an incident report by the California Department of Health Services, an unnamed celebrity patient informed the facility as early as 2004 that confidential information about his or her hospitalization had been published in a national newspaper.

The Los Angeles incident is not the only hospital snooping scandal currently making headlines. In Michigan, employees at Sparrow Hospital were disciplined for peeking at the medical records of Governor Jennifer Granholm when she was admitted in April 2008 for surgery. The hospital did not release any additional information about the incident, citing federal privacy law.

Companies that want to stay off the front page must ensure that personnel receive and are regularly trained regarding company policies and procedures governing the protection of personally identifiable information, and must consistently enforce those policies and procedures.

No Doubt No Reasonable Suspicion Required -- Laptops Now Fair Game at the Border

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that "reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border." As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

Arnold never claimed that the government’s search of his laptop damaged it in any way, and therefore did not invoke the "exceptional damage to property" exception to suspicionless searches. Further, although Arnold did raise the "particularly offensive manner" exception, the court found there was nothing in the record to "indicate that the manner in which the CBP officers conducted the search was ‘particularly offensive’ in comparison with other lawful border searches." The customs officers simply asked Arnold to boot up his laptop and looked at what was there. The court failed to discern any meaningful distinction between such a search and suspicionless searches of travelers’ luggage at the border.

The court also refused to adopt Arnold’s analogy to a search of a home, noting that the Supreme Court has rejected applying Fourth Amendment protections afforded to homes to property "‘capable of functioning as a home’" simply due to its size. The court also rejected the notion that the quality or nature of the container merited a distinction in this case. A laptop, the court reasoned, is more like a mobile home than a home or office; the Supreme Court has refused to treat a mobile home differently from other vehicles because it is readily movable, and the expectation of privacy with respect to a car is significantly less than that relating to a home or office. The court also noted that case law does not support a finding that a search is particularly offensive due to the storage capacity of the object.

Finally, the court rejected Arnold’s argument that the First Amendment requires reasonable suspicion for a border search where the risk is high that expressive material will be exposed. The court refused to create a split with the Fourth Circuit’s decision in United States v. Ickes, 393 F. 3d 501 (4th Cir. 2005). The Fourth Circuit declined to "carve out a First Amendment exception to th[e border search] doctrine because such a rule would: (1) protect terrorist communications ‘which are inherently ‘expressive’’; (2) create an unworkable standard for government agents who ‘would have to decide—on their feet—which expressive material is covered by the First Amendment'; and (3) contravene the weight of Supreme Court precedent refusing to subject government action to greater scrutiny with respect to the Fourth Amendment when an alleged First Amendment interest is also at stake."

Needless to say, the Ninth Circuit’s decision in Arnold has significant implications for anyone who travels with unencrypted confidential and/or personally identifiable information on a laptop or other electronic storage device. Companies with personnel who routinely travel with such sensitive information must reevaluate information security policies and consider measures that will protect such information from unauthorized access during international travel. It is not a given that affected entities and individuals can wipe laptops and other storage devices clean of such information prior to travel. Such procedures may create practical problems and inefficiencies, and even run afoul of legal or litigation holds requiring the preservation of data in a particular form.