Bellwether or Bust? Washington Governor Signs Payment Card Data Breach Liability Provisions Into Law

Posted on April 13, 2010 by Brendon Tavelli

On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second behind Minnesota (see our post here) to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, entities that process more than 6 million credit or debit card transactions annually (referred to in PCI parlance as “level 1” merchants) who fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs related to the re-issuance of cards as well as attorneys fees and costs in the event that a security breach involving payment card information is a proximate result. H.B. 1149 also includes a provision to make vendors of card processing software and equipment liable to financial institutions for these costs to the extent such damages are proximately caused by the vendor’s negligence. The amount of such damages, of course, will depend on the particular breach.

H.B. 1149’s safe harbors and exemptions, however, help to minimize the scope and potential impact of the new law. For example, the new law exempts businesses that are certified as compliant with the Payment Card Industry Data Security Standards (“PCI DSS”) at the time of a breach. Most large merchants and card processors are well-acquainted with PCI DSS requirements and have already implemented safeguards aimed at PCI DSS compliance. So the new law should not require Herculean efforts or wholesale changes to covered entities’ cardholder information security programs. However, their liability exposure for losses arising from non-compliance is increased as a result of H.B. 1149.

Entities also are not liable if the payment card information was encrypted at the time of the breach.

The bill signed by Governor Gregoire does not include provisions from earlier versions of the bill that would have, among other things, prohibited covered entities from retaining cardholder data without the express consent of customers and held such entities liable in the event of a breach involving unencrypted cardholder data about more than 5,000 individuals. Likewise, a provision that would have allowed merchants to charge an extra two cents for each payment card transaction in order to cover the cost of insurance against potential liabilities under the law did not survive in the enacted version of the legislation.

With the enactment of H.B. 1149, Washington joins Minnesota as the only state to statutorily impose liability for breach-related costs on negligent merchants, payment card processors and vendors. It also distinguishes itself from the handful of other states in which attempts to enact such laws have failed; states like California, where Governor Schwarzenegger vetoed a similar measure in 2007. Additionally, with the adoption of H.B. 1149, Washington joins Nevada in its quest to incorporate parts of the PCI DSS into its state law. As we previously wrote, Nevada exempts certain entities that are PCI DSS compliant from some of the state’s encryption requirements.
Tags: , , , , ,

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

Posted on July 30, 2009 by Brendon Tavelli

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

HB 62 applies to the “typical” categories of personal information, including Social Security numbers, driver’s license numbers and information that would permit access to an individual’s financial accounts. But unlike most other state data breach notification laws, HB 62 also applies to medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer. Previously, only laws in California, Arkansas and Texas (see below) applied to this kind of information.

Texas:  On June 19, 2009, Texas Governor Rick Perry signed House Bill 2004 (“HB 2004”), which expanded the scope of Texas’ data breach notification law to include public sector entities and health information. Specifically, HB 2004 amends the definition of “sensitive personal information” to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The bill also amends the definition of “breach of system security” to reach breaches of encrypted information “if the person accessing the data has the key required to decrypt the data.” Finally, HB 2004 makes the state’s breach notice obligations applicable to public sector entities and nonprofit athletic and sports associations.

North Carolina: As of October 1, 2009, entities doing business in North Carolina will be required to both provide more detailed data breach notices to individuals and be more forthcoming with the state’s attorney general. North Carolina Senate Bill 1017 (“SB 1017”), signed by Governor Bev Perdue on July 27, 2009, amends North Carolina’s data breach notification law in two significant ways. First, SB 1017 requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Previously, such notice had been required only for breaches affecting more than 1,000 people. Second, notices to individuals affected by a breach will now be required to include a telephone number for the business providing the notice; toll-free numbers and addresses for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office along with a statement that individuals can learn about preventing identity theft from these sources. These new requirements build on top of existing mandates to (1) describe the incident, the type(s) of personal information unlawfully obtained and the actions being taken to prevent further unauthorized access; (2) provide a telephone number that the recipient may call for further information and assistance; and (3) advise affected individuals to remain vigilant by reviewing account statements and monitoring free credit reports.

MaineFor information about the recent amendment to Maine’s breach notification law, soon to become effective, see our prior blog post.

Since Missouri’s new law and these important updates need to be added to the smorgasbord of state data breach notification laws, it is probably a good time to revisit “The List” of such laws. Here it is!

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (D.C. CODE § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (IOWA CODE § 715C.1 et seq.)

Kansas (KAN. STAT. ANN. § 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.; see also L.D. 970)

Maryland (MD. CODE ANN., COM. LAW § 14-3501 et seq.)

Massachusetts (MASS. GEN. LAWS ANN. ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS ANN. § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Missouri (HB 62, tentatively codified at MO. REV. STAT. § 407.1500)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-65; see also SB 1017)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. § 74-3113.1)

Oregon (OR. REV. STAT. § 646A.600 et seq.)

Pennsylvania (73 PA. STAT. § 2303)

Puerto Rico (P.R. LAWS ANN. tit. 10, § 4051)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.C. CODE ANN. § 39-1-90)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COM. CODE ANN. § 521.001 et seq.; see also HB 2004)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (Va. Code Ann. § 18.2-186.6)

U.S. Virgin Islands (V.I. CODE ANN. tit. 14, § 2209)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (W. Va. Code § 46A-2A-101 et seq.)

Wisconsin (WIS. STAT. § 134.98)

Wyoming (WYO. STAT. ANN. § 40-12-501 et seq.)
Tags: , , , , , , , , , , ,

Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Posted on June 5, 2009 by Sara Krauss

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

This HHS guidance also is to be used to render identifiable health information unusable, unreadable, or indecipherable for purposes of the temporary breach notification requirements that apply to vendors of PHRs, the requirements for which are to be administered by the Federal Trade Commission (which in turn issued proposed regulations, on April 16, 2009, addressing consumer notice for breaches of electronic health information by PHRs).

The HHS guidance provides two methods of securing information for the purposes of the HITECH Act: destruction and encryption. Destruction may secure information that was found in either paper format or in electronic media. In order to satisfy the destruction method, the paper or other hard copy media must be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Electronic media must be cleared, purged, or destroyed in accordance with the specifications set forth in National Institute of Standards and Technology (NIST) Special Publication 800-88. 74 Fed. Reg. at 19010.

According to the guidance, the effectiveness of encryption depends on the strength of the algorithm and the security of the decryption key or process. PHI is not secure if the decryption key or process has been breached. Encryption only secures PHI if, in accordance with the HIPAA Security Rule, an algorithm “transform[s] data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.” 45 C.F.R. § 164.304. Accordingly, the HHS guidance only specifies encryption processes that have been tested and approved by NIST. Data at rest, which is filed or stored in a database, should be encrypted according to the processes outlined in NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion, including that being transmitted or moving through a network, should comply with Federal Information Processing Standards (FIPS) 140-2. Some examples of conforming processes for data in motion are outlined in NIST Special Publications 800-52 (relating to Transport Layer Security (TLS) Implementations); 800-77 (addressing IPsec VPNs); and 800-113 (SSL VPNs), and may include others which are FIPS 140-2 validated.

Since the technologies and methodologies in the guidance are intended to be exhaustive, the Secretary of HHS sought comments regarding additional technologies or methodologies for inclusion in future guidance. HHS also requested comments on various other related issues, including instances when specified technologies and methodologies would fail to secure information, how the federal notice requirements affect existing state law requirements, and whether and how limited data sets (created in accordance with the HIPAA Privacy Rule) could be included in this guidance. This HHS guidance will be closely watched not only as it relates to federal law, but also as to how it informs state law interpretations. Encryption remains undefined under state law, and the HHS guidance provides a potentially important source of interpretation.

This guidance will apply to breaches that occur at least thirty days after publication by HHS of the interim final regulations on breach notification (which have not yet been issued). Any modifications to this guidance based on comments received are expected to be made prior to or concurrent with those regulations.

Proskauer summer associate Katrina McCann contributed to this post.
Tags: , , , , , , , , , , , , ,

Seven Days Is All She Wrote . . .

Posted on May 25, 2009 by Proskauer Rose LLP

As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation.  Last week, the governor of Maine, emphasizing the importance of providing notice "as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement," as articulated in the existing statute, amended that state's data breach notification law.  The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.  The amended language can be found here.  It becomes effective 90 days following adjournment of Maine's 124th Legislature.

Tags: , , , , , , , , , ,

Third Time's a Charm for "Data Accountability and Trust"? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

Posted on May 12, 2009 by Jennifer Roche

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

H.R. 2221 provides for notification following discovery of a breach of security of a system maintained by any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information. The bill would require notification to each individual whose personal information was acquired by an unauthorized person as a result of such a breach of security, and to the Federal Trade Commission. The bill includes special notification requirements for third party agents, telecommunications carriers, cable operators, information services, and interactive services, and for a breach involving health information.

Personal information, as defined in the bill, is an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following: the individual’s social security number, driver’s license number or other State identification number, or a financial account number or credit card number and any security or access code needed to access the account. Breach notification would be exempted, however, where the person that owns or possesses the data determines that there is “no reasonable risk of identity theft, fraud or unlawful conduct” from the unauthorized data access. Breaches of encrypted data would presumptively be exempt.

Importantly, the bill expressly preempts state laws regarding data breach notification. Preemption of state laws, such as those in California that contain different “trigger” language governing when notification is required, was one reason the bill struggled when initially introduced in 2005.

Where notification is required, the bill specifies methods for and required content of notification. Written, or in some circumstances, email, notification is required; the notice must include a description of the information acquired, notice of the right to receive free consumer credit reports, and certain relevant telephone contact numbers. Substitute notification, allowing notification to be posted on the entity’s website and in print and broadcast media, is allowed for those persons owning or possessing the data of fewer than 1,000 individuals.

Other provisions in the bill call for regulations to be promulgated governing the establishment of policies and procedures regarding practices to protect data containing personal information by those who own or possess such information. State laws regarding information security practices on the treatment of such data also would again be subject to preemption. Additionally, the bill contains specific provisions covering information brokers – requiring that brokers supply their security policies to the FTC either in conjunction with a breach notification or upon the Commission’s request. Under the proposed Act, information brokers would be required to allow each individual whose personal information it maintains to review his or her own data for accuracy.

Rep. Boucher (D-Va), who is planning to introduce a bill addressing how information collected online is stored and used, and Rep. Rush are planning to hold a hearing this summer to discuss how their bills “intersect.”

Stay tuned.
Tags: , , , , , , , , ,

2008 Study: Cost of Data Breaches Continues to Rise

Posted on February 25, 2009 by S. Montaye Sigmon

A new benchmark study released by the Ponemon Institute indicates that the costs associated with data breaches in the U.S. continue to rise. The Fourth Annual U.S. Cost of Data Breach Study (“Study”) found that the average cost of a data breach has risen to $202 per customer record lost or stolen, up from $138 per customer record lost of stolen in 2005, the first year that the study was conducted. According to the Privacy Rights Clearinghouse, since 2005, more than 250 million customer records containing confidential personal information have been lost or stolen.

The Study surveyed 43 U.S. companies that experienced a breach involving the loss or theft of customer or consumer data over the past year. The surveyed companies experienced breach events involving loss or theft of 4,200 to 113,000 records. The cost of individual breach incidents ranged from a minimum of $613,000 to a maximum of $32 million, and averaged $6.65 million per company. The Study concluded that the cost of a breach is proportional to the size of a breach in terms of the number of customer/consumer records lost or stolen. 

Lost Business Largest Component of Data Breach Costs
The results of the Study suggest that companies are learning to manage costs associated with detecting and responding to data breaches, but have not yet learned how to prevent loss of business after a data breach occurs. According to the Study, the largest component of data breach costs continues to be the cost of lost business, which results from both the abnormal turnover of customers following a data breach and the diminished rate of acquisition of new customers.[1] In 2008, the lost business component comprised almost 69% of the breach costs – that percentage represents a continuing trend of lost business comprising an increasingly higher proportion of data breach costs. 

Costs of Detecting and Responding to Breach Steady

Meanwhile, the costs of detecting and reporting a breach, providing notifications after a breach, and responding to a breach (activities like credit card monitoring, communicating recommendations to customers to minimize the harm cause by a breach, or re-issuing a new card or account number), either remained flat or slightly decreased from 2007 to 2008, possibly due to companies having a more mature privacy or information security programs allowing them to detect and respond to data breaches more efficiently than a few years ago. 

 

Additional Study Facts:

  • Approximately 35% of all data breach incidents involved lost or stolen laptop computers or other mobile data devices, such as memory sticks.
  • More than 88% of all cases in the 2008 Study involved insider negligence.
  • Data breaches involving malicious acts are more expensive than breaches involving negligent acts, costing some $26 per customer record.
  • First-time data breaches are more expensive than subsequent breaches, costing some $243 per customer record versus $199 per customer record for companies that have experienced previous data breaches.

Knowing the potential cost of a data breach should allow companies to more accurately weigh the potential cost against the cost of putting policies, training, and other security measures such as encryption in place before any breach happens.


[1] Perhaps not surprisingly, healthcare and financial service companies that experienced data breaches have the highest rate of customer turnover. The Study surmises that such higher rates of turnover are likely due to customers having a higher expectation of protection for and privacy of their financial and healthcare records.
Tags: , , , , , ,

Breach Litigation Developments Webinar

Posted on December 19, 2008 by Proskauer Rose LLP

Early this month I discussed recent developments in data breach litigation at a webinar hosted by Debix.  You can listen to the webinar at any time by following the instructions here.

All of us in Proskauer's Privacy and Data Security Practice Group wish you a peaceful and happy holiday.

Tags: , , , , , , , ,

Iowa Enacts 43rd State Breach Notification Law

Posted on May 12, 2008 by Proskauer Rose LLP

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

More Breach Notification Laws -- 42 States and Counting

Posted on April 7, 2008 by Proskauer Rose LLP

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

H.B. 208 and S.B. 194)
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

DHS Says Infrastructure More Vulnerable to Cyber Attacks; Private Businesses Told to Be Vigilant

Posted on January 2, 2008 by Scott J. Carpenter

Businesses are on notice to pay more attention to computer security in order to protect business assets and private information, and to thwart infiltrations that threaten interconnected computers.  And help is available from the United States Computer Emergency Readiness Team (“US-CERT”).

Department of Homeland Security (“DHS”) Secretary Michael Chertoff and Assistant Secretary of Cybersecurity Greg Garcia recently warned that an uptick in cyber attacks  reveal a growing threat to critical U.S. infrastructure and private networks. Garcia warned that hackers “are making massive efforts to compromise computer systems on a global scale,” a reference to the fifty percent in crease in cyber-attacks between 2006 and 2007.  Chertoff called upon businesses to help protect networks and infrastructure from infiltration and data theft.  Secretary Chertoff remarked, “There's no question this is the vulnerability of the 21st century.”

These comments came on the heals of a growing number of reported cyber incidents, including one recent attack on a U.S. federal nuclear weapons laboratory. According to the New York Times, “an unknown group of attackers sent targeted e-mail messages to roughly 1,100 [laboratory] employees,” and “about 11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data.” The New York Times article also reported that the US-CERT issued an advisory notice stating that “the level of sophistication and the scope of these cyber security incidents indicate that they are coordinated and targeted at private sector systems.” 

Many attacks come in the form of infected e-mails and e-mail attachments – namely Trojan e-mails, which use seemingly harmless files to gain access to unauthorized information. Once a network user is compromised, an attacker can infect other areas of the network and remotely collect sensitive data such as usernames and passwords. US-CERT also warns that attackers manipulate innocent and unknowing websites to link users to other malicious sites that can then provide the attackers with access to restricted data.

Currently, DHS and US-CERT provide information to businesses regarding cyber threats such as suspect Internet signatures. Such signatures should be added to Intrusion Device Systems or other detection  to prevent attacks. DHS and US-CERT also recommend that network users take extreme caution when dealing with unsolicited e-mails, particularly e-mails with suspicious attachments or links. 

 For more information on US-CERT and cyber security, you may visit US-CERT’s website at http://www.us-cert.gov/index.html.
Tags: , , , , ,

Governor Schwarzenegger Says No to California A.B. 779

Posted on October 14, 2007 by Proskauer Rose LLP

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.
Tags: , , , , , , , , , , , , ,

Massachusetts Is 39th State to Mandate Breach Notification

Posted on August 16, 2007 by Proskauer Rose LLP

Massachusetts is now the 39th state to enact a personal data breach notification law. On August 2, Governor Deval Patrick signed the law, requiring that businesses and government agencies notify residents of data breaches in certain situations. The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." Notice also must be provided to consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.

Unlike the majority of state breach notification laws, Massachusetts defines a "breach of security" to include hard copy, as well as electronic data. A breach is defined as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth." The only other states that currently require notification in the event of a breach involving hard copy data are Hawaii, Indiana, North Carolina, and Wisconsin.

The law defines "personal information" as a resident's first name and last name or first initial and last name in combination with any one or more of the following: 1) Social Security number, 2) driver's license number or state-issued identification card number, or 3)  financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

The new law can be found here.

Tags: , , , ,

Breach Law Data

Posted on August 3, 2007 by Proskauer Rose LLP
We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included).  We also provide links, or uploaded copies, where available.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h)

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (S.B. 2290, Act 135)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 4-1-11 et seq.)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Michigan (S.B. 309)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-42-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Washington (WASH. REV. CODE § 19.255.010)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

For a helpful compilation of state laws addressing credit freezes and Social Security numbers, and proposal federal legislation addressing identity theft, see Congressional Research Service Report for Congress, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, June 1, 2007.
Tags: , , , , ,

Oregon Becomes 38th State to Adopt Breach Notification Law

Posted on July 31, 2007 by Proskauer Rose LLP

On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.

The bill defines "breach of security" as the "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person" (emphasis added), and requires businesses to notify state residents if their computerized personal information is compromised unless, "after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach."

For purposes of the bill, "personal information" is defined as a consumer’s first name or first initial and last name in combination with their 1) social security number, 2) driver’s license or state identification card number, 3) passport or other United States issued ID number or 4) financial account information along with password or security code information. An individual’s name need not be directly connected to the other data elements to trigger the notice requirements; notice is required if the compromised data "would be sufficient to permit a person to commit identity theft."

Under the new law, businesses and government agencies also must meet certain data security and disposal requirements. Specifically, they must "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including disposal of the data." An entity will be deemed to be in compliance if it implements an information security program that includes certain enumerated administrative, technical and physical safeguards.

Violations of the new law can result in civil penalties of not more than $1,000 for each violation. In the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.

The full text of S.B. 583 is available here.
Tags: , , , ,

Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case

Posted on June 14, 2007 by Proskauer Rose LLP

A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.   

On August 27, 2005, the defendant, Litton Loan Servicing LP, experienced a break-in involving the theft of more than $60,000 of computer equipment. The perpetrators took six unmarked hard drives, four of which contained the personal information of 229,501 people, including the plaintiff Patricia Kahle. The police conducted an investigation and Litton hired a private investigator who conducted a separate investigation. Litton provided notice of the theft to each person whose information was on the stolen hard drives approximately four weeks after the break-in. The notice included the type of information stolen, a Federal Trade Commission website that could be of assistance, and a toll free contact number at Litton. The notice also recommended that affected consumers place a fraud alert on their credit file.

Kahle did not place a fraud alert on her credit report after the theft, and had no knowledge of unauthorized use of her personal information. There was some evidence to suggest that Kahle had purchased credit monitoring services before the theft. Kahle claimed she would need credit monitoring for many years, at great financial expense to her, as a result of the Litton incident.

The Court relied heavily on Key v. DSW, Inc., 454 F.Supp.2d 684 (D. Ohio 2006), and Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018 (D. Minn. 2006), in granting Litton's motion for summary judgment. In Key, unauthorized persons obtained access to DSW’s confidential financial information. The plaintiff alleged negligence, breach of contract, conversion and breach of fiduciary duty. The Key court dismissed the plaintiff’s claims for lack of standing, finding that the plaintiff had presented no evidence that anyone planned on using her financial information or identity, and that any potential injury depended on the plaintiff’s information being accessed and used for unlawful purposes. The Forbes Court ruled against the plaintiffs because, like Kahle, they did not show a present injury or a reasonably certain future injury to support damages for alleged increased risk of harm.

Kahle claimed her case was different from Key and Forbes. She pointed out that, in those cases, the defendant had offered free credit monitoring, and that the Forbes plaintiffs were notified immediately of the breach, whereas Litton took four weeks to issue notifications. The Court rejected these arguments, noting that Forbes did not consider whether credit monitoring was offered when it granted summary judgment to the defendant, and that Key was silent on the issue.

The court concluded that “any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.”

Thus, district courts continue to reject attempts by consumers to impose tort liability on businesses experiencing data breaches. However, as explained in our May 29 post here, legislators in a number of states are considering bills – and Minnesota has already passed legislation – that would transfer the risk of such incidents to merchants by allowing card-issuing financial institutions to recover for the “costs of reasonable actions” to protect its cardholders’ information and continue to provide services to its cardholders after a breach.
Tags: , , ,

New York Attorney General Tags Worker's Compensation Claims Service Provider for Seven Week Delay in Security Breach Notification

Posted on May 11, 2007 by Brendon Tavelli

On April 26, 2007, New York Attorney General Andrew Cuomo announced that his office entered into a settlement with CS STARS LLC for violating the state’s Information Security Breach and Notification Law, which is codified at N.Y. Gen. Bus. Law § 899-aa. Cuomo’s office targeted CS STARS for delaying, for seven weeks, the issuance of legally required notification regarding the theft of a computer which contained the personal information of approximately 540,000 worker’s compensation recipients.

New York’s security breach notification law, like other such laws, requires a business that maintains private information that it does not own to notify the data’s owner when this information may be compromised. The data owner must then notify potentially affected consumers. New York’s law also requires notice to the state’s Attorney General, Consumer Protection Board, and Office of Cyber Security. The timing of the notification is a particularly important aspect of many states’ security breach notification laws, including New York. Subject to law enforcement needs, New York requires notice to data owners “immediately following discovery” and to affected consumers “in the most expedient time possible and without unreasonable delay.”   

CS STARS first noticed that a computer containing the names, addresses, and Social Security numbers of New York consumers was missing on May 9, 2006. However, CS STARS did not notify New York Special Funds Conservation Committee (“NYSFCC”), the data owner, of the potential breach until June 29, 2006. The company notified the FBI that same day, and the following day notified the proper state agencies. Notices to potentially affected consumers, however, did not begin mailing until July 18, 2006 pursuant to the FBI’s request and N.Y. Gen. Bus. Law § 899-aa(4), which explicitly allows a business to delay notification if a law enforcement agency determines that such notification will impede a criminal investigation.

The FBI recovered the missing computer, which had been taken by an employee of a cleaning contractor, on July 26, 2006. No consumers’ information was improperly accessed. Nonetheless, Attorney General Cuomo felt that the lengthy delay between discovering the theft and issuing the proper notifications “would have been ample time [for identity thieves] to victimize hundreds of thousands of consumers.” 

CS STARS’ settlement requires the company to implement precautionary measures to safeguard private information, comply with the state’s notification law in the event of any future breach, and pay $60,000 to cover costs related to the investigation. CS STARS did not admit to any violation of law.
Tags: , , , ,

Social Security Numbers for Sale

Posted on April 5, 2007 by

The protection of Social Security numbers (SSNs) from identity thieves has emerged as a hot news topic in the past few weeks. In California, it was revealed that, for the past three years, the Secretary of State’s office has been selling in bulk electronic UCC filings containing SSNs. Those filings were available to the public on the Secretary’s website, so that lenders and creditors could verify the availability of personal property used as collateral. Approximately one-third of the state’s two million UCC filings contained SSNs. Secretary of State Debra Bowen immediately shut off web-based access to the UCC filings and took down the offending part of the website.

Colorado also recently addressed an identical problem with its UCC filing website. Several years ago, the state redacted SSNs from 610,000 filings and issued new UCC forms that do not require SSNs. However, many financial institutions continued to use the old forms. Like California, Colorado took down its filing website. At the same time, Massachusetts Secretary of State William Galvin reportedly has refused to remove similar UCC filings.

The other major SSN story this week was that Texas Governor Rick Perry signed into law a bill, H.B. 2061, that permits county and court clerks to disclose, "in the ordinary course of business," SSNs contained in documents those clerks possess. It has been reported that the legislation was a reaction to a February 23 ruling by Texas Attorney General Greg Abbott that such disclosures were violations of state and federal privacy laws and were punishable by prison terms and fines.

The developments in California, Colorado, and Texas are surprising, in part because the unauthorized acquisition of computerized data including SSNs, in conjunction with a first name or first initial and last name, constitutes a security breach triggering notification requirements in those states. Cal. Civ. Code §§ 1798.29, 1798.82; Colo. Rev. Stat. § 6-1-716; Tex. Bus. & Comm. Code § 48.002(1)(a). The new Texas legislation appears to permit SSN disclosure by county and court clerks, notwithstanding any other applicable Texas law.
Tags: , ,