PCI Security Standards Council Unveils New Data Security Standards

On Thursday, October 28, 2010, the Payment Card Industry Security Standards Council (the “Council”) promulgated version 2.0 of its Data Security Standard (“PCI DSS”), which sets forth data security standards for payment card processors. The Council also updated its Payment Application Data Security Standard (“PA DSS”), which sets forth data security standards for software vendors that develop payment applications. Each new Data Security Standard will take effect on January 1, 2011.

In its summaries of the changes to each Data Security Standard, the Council makes clear that the majority of the changes arose from the need to clarify the intent of certain requirements, provide additional explanations or definitions, and ensure that the standards were up to date with emerging threats and changing markets.  

To access the new Data Security Standards, visit the PCI Document Library.

Here are some of the noteworthy updates:

  • Companies must identify and rank vulnerabilities and develop testing procedures to address high-risk vulnerabilities (prior to June 30, 2012, ranking vulnerabilities is considered a best practice, after which it becomes a requirement) (PCI DSS, Section 6.2);
  • Multiple virtual machines are permitted on the same physical hardware, so long as each virtual machine is performing only one task (PCI DSS, Section 2.2.1);
  • Payment applications must facilitate centralized logging, in alignment with PCI DSS Section 10.5.3 (PA DSS, Section 4.4); and
  • Similar to Section 6.2 of the PCI DSS, Section 7.1 of the PA DSS requires software vendors to identify vulnerabilities and rank them according to risk and test payment applications for new vulnerabilities.

While the new PCI DSS and PA DSS releases may not represent a significant shift in the Council’s position on payment card security, processors and software vendors alike should take steps to incorporate each standard’s updated requirements as we approach 2011.

E-Verify Litigation Resumes as Homeland Security Decides to Implement Mandatory Use Rule

In January 2009, we reported on the postponement of a controversial federal regulation resulting from a legal challenge filed by Proskauer Rose on behalf of several trade organizations, including the U.S. Chamber of Commerce. The rule, the result of an executive order signed by then-President George W. Bush, requires most federal contractors and subcontractors to verify their employees’ work eligibility using the Department of Homeland Security’s E-Verify system. On July 8, 2009, President Barack Obama’s Administration announced its plan to go forward with the rule. Immediately after this announcement, the U.S. Senate approved legislation that would codify the rule into law.

E-Verify is a joint effort between the Department of Homeland Security and the Social Security Administration that provides an Internet-based verification system for employers to determine the work status of their employees. Concerns have been raised about the burdens on both employers and employees under the mandated use of E-Verify. Employers are concerned about the cost of yet one more obstacle to hiring and maintaining employees and about the possibility of losing qualified employees or potential employees as a result of E-Verify’s 5 percent error rate. Employees face losing current or potential jobs as a result of these false negatives, which are caused by either clerical errors or identity theft. And because E-Verify doesn’t screen against identity theft, some commentators have expressed concern that its increased use will incentivize illegal workers to engage in such theft as an alternative to using false or fabricated information.

On December 23, 2008, Proskauer filed a complaint—on behalf of the U.S. Chamber of Commerce; Associated Builders and Contractors, Inc.; the Society for Human Resource Management; the American Council on International Personnel; and HR Policy Association—in the United States District Court for the District of Maryland, claiming that the Federal Contractor Rule is an unconstitutional usurpation of Congress’s power and is in conflict with Congressional statutes. In response to this litigation, the federal government has delayed the implementation of the contractor rule several times. On January 28, 2009, the government moved for the district court to stay the proceedings until the Obama Administration could review the rule and determine whether it wanted to implement or abandon it. The court granted the motion and agreed to stay the proceedings, ultimately extending the stay until August 17, 2009.

Six months later, the Obama Administration has decided to move forward with the implementation of the rule. In a press release on July 8, 2009, Department of Homeland Security Secretary Janet Napolitano announced the Administration’s intent to implement the rule, praising its ability to aid in immigration law enforcement. The rule is scheduled to take effect on September 8, 2009. The press release also announced the Administration’s plans to propose a new regulation which would rescind the 2007 "No-Match" Rule, which requires employers to take action against employees who provide information on their W-2 form that does not match information in the Social Security Administration’s database.

Following Homeland Security’s official announcement, the government has reported to the district court its intentions to “retain the Final Rule and its current applicability date of September 8, 2009” and “defend this litigation as appropriate upon the termination of the stay.” In order to “facilitate a ruling on the pending motion prior to the Final Rule taking effect,” the court issued an order lifting the stay. Litigation is scheduled to resume with briefs to be filed this month and a summary judgment hearing on August 28, 2009.

Elsewhere in Washington, D.C., the United States Senate has also weighed in in favor of E-Verify. On July 8, 2009, Senator Jeff Sessions of Alabama succeeded in amending a Department of Homeland Security appropriations bill to make E-Verify a permanent program and to mandate that federal contractors use the system. Senator David Vitter of Louisiana also successfully moved to amend the bill to forbid the Department of Homeland Security from rescinding the Federal Contractor Rule or the No-Match Rule. The Senate version of the bill with these two amendments was approved by a vote of the Senate on July 9, 2009. Conferees from the House of Representatives and the Senate will determine whether these amendments remain in the final bill to be presented to President Obama for his signature.

The pending case is Chamber of Commerce of the U.S. v. Napolitano, No. AW-08-344 (D. Md. filed Dec. 23, 2008). The DHS appropriations bill is H.R. 2892, 111th Cong. (2009).

Proskauer summer associate Shawn Ledingham contributed to this post. 

Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

This HHS guidance also is to be used to render identifiable health information unusable, unreadable, or indecipherable for purposes of the temporary breach notification requirements that apply to vendors of PHRs, the requirements for which are to be administered by the Federal Trade Commission (which in turn issued proposed regulations, on April 16, 2009, addressing consumer notice for breaches of electronic health information by PHRs).

The HHS guidance provides two methods of securing information for the purposes of the HITECH Act: destruction and encryption. Destruction may secure information that was found in either paper format or in electronic media. In order to satisfy the destruction method, the paper or other hard copy media must be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Electronic media must be cleared, purged, or destroyed in accordance with the specifications set forth in National Institute of Standards and Technology (NIST) Special Publication 800-88. 74 Fed. Reg. at 19010.

According to the guidance, the effectiveness of encryption depends on the strength of the algorithm and the security of the decryption key or process. PHI is not secure if the decryption key or process has been breached. Encryption only secures PHI if, in accordance with the HIPAA Security Rule, an algorithm “transform[s] data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.” 45 C.F.R. § 164.304. Accordingly, the HHS guidance only specifies encryption processes that have been tested and approved by NIST. Data at rest, which is filed or stored in a database, should be encrypted according to the processes outlined in NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion, including that being transmitted or moving through a network, should comply with Federal Information Processing Standards (FIPS) 140-2. Some examples of conforming processes for data in motion are outlined in NIST Special Publications 800-52 (relating to Transport Layer Security (TLS) Implementations); 800-77 (addressing IPsec VPNs); and 800-113 (SSL VPNs), and may include others which are FIPS 140-2 validated.

Since the technologies and methodologies in the guidance are intended to be exhaustive, the Secretary of HHS sought comments regarding additional technologies or methodologies for inclusion in future guidance. HHS also requested comments on various other related issues, including instances when specified technologies and methodologies would fail to secure information, how the federal notice requirements affect existing state law requirements, and whether and how limited data sets (created in accordance with the HIPAA Privacy Rule) could be included in this guidance. This HHS guidance will be closely watched not only as it relates to federal law, but also as to how it informs state law interpretations. Encryption remains undefined under state law, and the HHS guidance provides a potentially important source of interpretation.

This guidance will apply to breaches that occur at least thirty days after publication by HHS of the interim final regulations on breach notification (which have not yet been issued). Any modifications to this guidance based on comments received are expected to be made prior to or concurrent with those regulations.

Proskauer summer associate Katrina McCann contributed to this post.

More on Cloud Compliance

I recently spoke with Lora Bentley of IT Business Edge regarding privacy, data security, and cloud computing: “There's More Than One Way to Tackle Privacy in the Cloud.”

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

http://www.csoonline.com/article/217027/CSO_Disclosure_Series_What_s_Next_with_Disclosure_Legislation_

No Harm, No Lawsuit: Seventh Circuit Refuses Data Breach Lawsuit Where Credit Monitoring Costs Are the Only "Damages" Sought

Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh Circuit’s ruling joined the unanimous line of lower court decisions denying recovery in the absence of actual, present harm.

In Pisciotta v. Old National Bancorp, -- F.3d --, 2007 WL 2389770 (7th Cir. Aug. 23, 2007), the court ruled that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at *6. In doing so, the Seventh Circuit joins a chorus of federal district courts that uniformly reject such costs as a form of cognizable injury sufficient to support legal claims for damages.

Old National Bancorp (“ONB”) collected customer information online in connection with applications for accounts, loans, and other ONB banking services. This information included customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. In 2005, ONB’s website was hacked, compromising the personal information ONB maintained about its customers.

Plaintiffs Luciano Pisciotta and Daniel Mills filed a putative class action in the U.S. District Court for the Southern District of Indiana asserting claims for negligence, breach of contract and implied breach of contract against ONB and its website hosting partner NCR. Plaintiffs alleged that ONB’s failure to protect their personal confidential information caused each member of the class to suffer substantial potential economic damages and emotional distress and worry that third parties might misuse their personal information. But Plaintiffs did not allege that any completed direct financial losses had occurred or that any member of the putative class already had been the victim of identity theft as a result of the breach. Id. at *2.

After the district court dismissed all claims against NCR, ONB filed a motion for judgment on the pleadings. The district court granted ONB’s motion, finding that Plaintiffs “have not alleged that ONB’s conduct caused them cognizable injury.” Id. at *2. In reaching this conclusion, the district court found persuasive the decisions of other federal district courts which had rejected “the cost of credit monitoring as an alternative award for what would otherwise be speculative and unrecoverable damages.” Pisciotta v. Old Nat’l Bancorp, No. 1:05-cv-668-LJM-WTL (S.D. Ind. 2006) (order granting defendant’s motion for judgment on the pleadings). The district court further noted that “[t]he expenditure of money to monitor one’s credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized.” Id.

The Seventh Circuit, after concluding that Plaintiffs’ allegations satisfied constitutional standing requirements, considered the elements of Plaintiffs’ negligence and breach of contract claims, principally the requirement that Plaintiffs demonstrate legally cognizable damages. Pisciotta, 2007 WL 2389970, at *4. (Other courts considering similar claims have dismissed for lack of standing or ripeness, finding that the threat of damage fails to create a case or controversy.)

The court rejected Plaintiffs’ argument that Indiana’s state security breach notification law evidenced the Indiana legislature’s belief that an individual suffers a completed harm at the moment his information is exposed. The court also rejected Plaintiffs’ analogies to medical monitoring cases and several Indiana cases concerning disclosures of personal information by banks. The court pointed out that no Indiana authority had allowed recovery for medical monitoring costs. Id. at *7. In the bank disclosure cases, the plaintiffs suffered direct and immediate reputational injuries and sought to be compensated for that harm, not for their efforts to protect against some future, anticipated injury. Id. at *6.

Ultimately, the Seventh Circuit, like the district court, found the overwhelming weight of authority from other jurisdictions denying recovery for credit monitoring costs persuasive. The court stated:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

Id. at *8. 

Pisciotta is the latest in a series of cases that refuse to recognize damages stemming from “identity exposure” absent some evidence of actual identity theft.  See, e.g., Kahle v. Litton Loan Serv. LP, No. 1:05cv756, 2007 U.S. Dist. LEXIS 35845, at *22 (S.D. Ohio May 16, 2007); Randolph v. ING Life Ins. and Annuity Co., No. 06-1228 (CKK), 2007 U.S. Dist. LEXIS 11523, *25 (D.D.C. Feb. 5, 2007); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476, 2006 U.S. Dist. LEXIS 52266, at *12 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Guin v. Brazos Higher Educ. Servs. Corp., No. 05-688 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846, at *15 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054, at *10 (D. Ariz. Sept. 8, 2005).