
Data Security Breaches: Response - Notification - Enforcement
© 2009 Fox Rothschild

Slide 1: Data Security Breaches: Response – Notification – Enforcement

Slide 2: Topics For Discussion
- Why do you need a response plan?
- What is a "data security breach"?
- Responding to a data security breach
- State requirements and legislative update
- Regulatory enforcement and litigation

Slide 3: Statistics
- Identity Theft Resource Center reports 656 breaches during 2008, exposing over 35,000,000 records (47% increase from 2007)
- Average cost of data breach = $202 per affected consumer (40% increase from 2005)

Slide 4: Recent Data Breaches
- Hannaford Grocery (March 2008)
  - Hacker compromised at least 4.2 million payment cards in more than 270 stores
  - Approximately 1,800 reported instances of fraud related to the breach
  - Multiple class actions

Slide 5: Recent Data Breaches
- Heartland Payment Systems (Jan. 2009)
  - Malicious software compromised merchant processing network
  - Believed to be largest data breach in U.S. history
  - At least four class actions:
    - Issuing banks – breach of obligations under PCI standards and negligence
    - Consumers – federal statutory claims, breach of contract, negligence and state privacy laws

Slide 6: Recent Data Breaches
- Department of Veterans Affairs (May 2006)
  - Laptop computer and disk stolen from home of VA employee
  - Contained personal information of 26.5 million veterans who served in the military and have been discharged since
  - Recovered by FBI with no evidence of unauthorized access
  - Under class action settlement, VA agreed to pay $20 million to defendants who were harmed by incident: either physical manifestations of emotional distress or cost of credit monitoring

Slide 7: What Is The Objective? Fill In The Gap
- Protection
- Compliance
- Audits
- Criminal prosecution
- Civil prosecution
How to Manage the Data Security Breach

Slide 8: Why Do You Need A Response Plan?
- Thoughtful and Prepared Reaction
- Better Decision Making
- Minimized Risk and Loss

Slide 9: What Is A Data Security Breach?
- A breach of the security of the system that involves unencrypted computerized personal information that has been, or is reasonably believed to have been, acquired by an unauthorized person.
- State statutes require notification to affected individuals and, in certain instances, regulatory agencies and law enforcement.

Slide 10: What Is A Data Security Breach?
- "Personal information": first name or initial and last name combined with one or more of the following (when either the name or the data element is not encrypted):
  - Social security number;
  - Driver's license number;
  - Credit card or debit card number; or
  - Financial account number with information such as PINs, passwords or authorization codes.

Slide 11: What Is A Data Security Breach?
- "Breach of the security of the system": some states expressly require notice of unauthorized access to non-computerized data
  - New York: "lost or stolen computer or other device containing information" or "information has been downloaded or copied"
  - Hawaii and North Carolina: data includes "personal information in any form (whether computerized, paper, or otherwise)"

Slide 12: What Is A Data Security Breach?
- Generally, only a "reasonable" belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements
  - Certain states require risk or harm
    - Arkansas: no notice if "no reasonable likelihood of harm to customers"
    - Michigan: no notice if "not likely to cause substantial loss or injury to, or result in identity theft"

Slide 13: What Is A Data Security Breach?
- Distinguish between the entity that "owns or licenses" data and the entity that "maintains" data
  - Data owner has ultimate responsibility to notify consumers of a breach
  - Non-owners are required to notify owners

Slide 14: Collect Relevant Documents and Information
- Data location lists
- Confidentiality agreements
- Customer contracts
- Third-party vendor contracts
- Privacy policy
- Information security policy
- Ethics policy
- Litigation hold template
- Contact list

Slide 15: Create A First Response Team
- Information technology (computer & technology resources)
- Information security (physical security & access)
- Compliance
- Business heads (consumer information)
- Human resources (private employee information – health & medical, payroll, tax, retirement)
- Legal counsel (in-house and/or outside counsel)
- Public relations/investor relations

Slide 16: Assign Tasks To Members Of The First Response Team
- Establish a point person
- Identify key personnel for each task
- Prioritize and assign tasks
- Calculate timelines and set deadlines
- Communicate with management
- Establish attorney-client privilege for investigation and communications
Project Management Is Critical

Slide 17: Determine The Nature And Scope Of The Breach
- Investigate facts
- Interview witnesses
- Determine type of information that may have been compromised
- Identify and assess potential kinds of liability
- Identify individuals potentially at risk and determine state or country of residence
Preserve Company's Assets, Reputation and Integrity

Slide 18: Understand Data Breach Notice Laws
- State laws:
  - What constitutes personal information?
  - When is a notice required?
  - Who must be notified?
  - Timing?
  - What information must be included in the notice?
  - Method of delivering notice?
  - Other state-specific requirements?
- Applicable industry-specific laws
- Applicable international laws

Slide 19: Determine Appropriate Notices
- Consumers
- Employees
- Law enforcement (Federal/State)
- Federal regulatory agencies
- State agencies
- Consumer reporting agencies
- Third-party vendors
- Insurers
- Media

Slide 20: Prepare State Law Notices
- General description of the incident
- Type of information that may have been compromised
- Steps to protect information from further unauthorized access
- Contact information (e.g., address; number)
- Advice to affected individuals (e.g., credit reporting, review account activity)

Slide 21: Prepare State Law Notices (continued)
- Delivery method (e.g., certified letters, e-mail, website)
- Timing of notices
- Tailor notices based on recipient
- Use a single fact description for all notices

Slide 22: State Laws - California
- State involvement began in California, after a series of breaches received national attention
- Passed in 2002, went into effect in mid-2003
- Requires notice to California residents if data is lost or stolen
- Notification must occur whether or not business has any presence in California

Slide 23: State Laws - California
- 44 states, the District of Columbia, Puerto Rico and the US Virgin Islands now have breach notification laws
- Expanded in 1/2009 to include medical and health insurance information
- California law may expand further to:
  - Specific requirements for notice letter, and reporting to Attorney General of breaches affecting 500 or more
  - Require "plain language" breach notices, with description of breach and estimate of number of persons affected

Slide 24: State Laws - Massachusetts
- Went into effect on February 3, 2008
- Applies to any person, business or agency that licenses, maintains, owns or stores PPI
- Applies to information regardless of physical form or characteristics (includes paper)
- Unauthorized access to, or use of, paper files containing PPI triggers notice requirement
- Data encrypted at 128-bit or higher algorithmic process is not a security breach, unless the encryption key is also lost

Slide 25: State Laws - Massachusetts
- Notify affected resident, Attorney General and Director of Consumer Affairs and Business Regulation
  - Include number of affected individuals, nature of breach and actions being taken to address incident
  - Director shall identify any further notifications to consumer reporting agencies or state agencies
- Notice given to resident "shall not" include the number of people affected or nature of the breach
- Provide option to obtain a police report and "security freeze"

Slide 26: State Laws - Massachusetts: Data Destruction Requirements
- Persons, businesses and agencies must take certain steps when disposing of records containing PPI in paper or electronic form
- Records containing PPI must be destroyed so that PPI "cannot practically be read or reconstructed"
- Parties improperly disposing of records may be fined $100 per individual, up to a maximum of $50,000 per event

Slide 27: State Laws - Massachusetts: Identity Theft Regulations (Update)
- New regulations will increase level of security required – effective January 1, 2010
- Same "covered entities" will be required to encrypt data on laptops and removable storage devices, encrypt information transmitted wirelessly or on public network, and meet certain computer hardware requirements

Slide 28: State Laws - Massachusetts: Information Security Regulations (Update)
- Every person that licenses, maintains, owns or stores PPI of a state resident must have a comprehensive information security program
- If PPI is handled electronically, then the information security program must cover computer and wi-fi uses

Slide 29: State Laws - Missouri (to watch): Breach Notification Bill
- Applies to all businesses in Missouri that own or license electronic data with a resident's PPI
- Must notify resident within 30 days of a breach
- Must notify resident whenever there is evidence of unauthorized access to PPI
- In bill (draft) form, creates criminal penalties

Slide 30: State Laws - New Jersey (to watch): Proposed Revised Computer Security Rules
- Replaces previously proposed rules under the New Jersey Identity Theft Prevention Act
- Now requires a comprehensive, written information security program to protect PPI
- Must notify police first if a disclosure/breach
- If police consent, the persons must be notified of disclosure/breach "as expeditiously as possible"
- No requirement to notify individuals if use of the disclosed information is "not reasonably possible"

Slide 31: State Laws: Cost Recovery – Minnesota
- If a breach of state law, must reimburse the financial institution that issued any "access device" for costs of reasonable actions undertaken in order to protect PPI, including:
  - (1) cancellation or re-issuance of "access device";
  - (2) closure of any account and any action to stop payments or block transactions;
  - (3) opening or reopening of any account;
  - (4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction; and
  - (5) notification of cardholders affected by the breach.
- Financial institution may recover payments to cardholders

Slide 32: European Union Data Protection Directive
- "Personal Data"
- "Processing"
- The "controller" is responsible for compliance
- The data protection requirements apply both when the controller is established within the EU, and when the controller uses equipment situated within the EU in order to process data.

Slide 33: European Union ePrivacy Directive
- Directive on Privacy and Electronic Communications a/k/a ePrivacy Directive
- The ePrivacy Directive requires any "provider of publicly available electronic communications services" to (1) provide security of services and (2) maintain confidentiality of information

Slide 34: European Union ePrivacy Directive
- Clearly, the Directive covers telecommunications operators and internet service providers
- However, why not (and currently being considered):
  - employers providing employees with
  - Internet cafes
  - hotels providing Internet access to guests
  - companies providing free wi-fi

Slide 35: United Kingdom
- No law requires notification of an improper disclosure
- Prosecutions and fines under other laws for failure to make adequate notification to affected persons
- Financial Services Authority fined Nationwide Building Society $2M under the Financial Services and Markets Act 2000 for violating principles:
  - (1) reducing the extent to which it is possible for a business carried on by a regulated person … to be used for a purpose connected with financial crime; and
  - (2) a firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems

Slide 36: Australia
- Australian legislation: Privacy Act
  - National Privacy Principles: apply to private organizations
  - Information Privacy Principles: apply to government agencies
- Data security: private organizations and agencies are required to take reasonable steps to protect PPI from disclosure, loss and misuse
- Sanctions: Privacy Commissioner can make non-binding declarations dealing with damages and losses. Privacy Commissioner or complainant may seek a federal court order enforcing the determination
- Privacy Act does not contain breach notification rules

Slide 37: Germany: Proposed Amendments to German Data Protection Law
- PPI includes names, addresses, dates of birth and bank information
- PPI may be given to marketers only with specific consent from the individual
- If changes become final, businesses would have three years to comply

Slide 38: Prepare Answers To Inquiries
- Draft FAQs with responses
- Establish hotline
- Assign group of contact employees
- Train employees to respond to inquiries
- Develop clear escalation path for difficult questions
- Track questions and answers

Slide 39: Prepare Press Release
- Include the following information:
  - Facts surrounding the incident
  - Actions to prevent further unauthorized access
  - Steps to prevent future data security breaches
  - Contact information for questions
- Review by legal counsel

Slide 40: Consider Offering Assistance To Affected Individuals
- Free credit reporting
- Free credit monitoring with alerts
- ID theft insurance
- Access to fraud resolution specialists
- Toll-free hotline

Slide 41: Enforcement Actions
- Federal Trade Commission – Section 5 of FTC Act
  - Enforce privacy policies and challenge data security practices that cause substantial consumer injury
- State Attorney General – State Notification Statutes
  - Connecticut: "Failure to comply... shall constitute an unfair trade practice..."
  - Virginia: "The Attorney General may bring an action to address violations." Moreover, "nothing in this section shall limit an individual from recovering direct economic damages".
- Litigation in federal or state courts

Slide 42: FTC Actions: The TJX Companies, Inc.
- In January 2007, TJX announced that an unauthorized intruder accessed its computer system, which contained detailed information about customer debit and credit cards.
- Breach exposed at least 45 million credit and debit cards
- Investigated by FTC, at least 39 states and the Secret Service

Slide 43: FTC Actions: The TJX Companies, Inc.
- FTC complaint alleged that TJX engaged in "unfair acts or practices" by:
  - Creating unnecessary risk to personal information by storing and transmitting it in clear text
  - Failing to use readily available security measures to limit wireless access to its networks
  - Failing to require network administrators and users to use "strong" passwords or to use different passwords to access different programs, computers, networks
  - Failing to use readily available security measures to limit access among computers and the internet (i.e., firewall to isolate card authorization computers)
  - Failing to employ sufficient measures to detect and prevent unauthorized access or conduct security investigations

Slide 44: FTC Actions: The TJX Companies, Inc.
- Consent order (dated July 2008):
  - Establish, implement and maintain a comprehensive information security program "reasonably designed to protect the security, confidentiality, and integrity of personal information."
  - Obtain assessments and reports from a "qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession."
  - Make available to the FTC (upon request) for inspection and copying documents relating to compliance.
  - File with FTC a report setting forth "in detail the manner and form" in which it has complied with consent order.

Slide 45: Other FTC Actions
- Other FTC settlements:
  - ValueClick (civil penalties = $2,900,000)
  - Goal Financial
  - Life Is Good
  - Premiere Capital Lending, Inc.
  - Reed Elsevier Inc.

Slide 46: NY Attorney General Action: CS Stars LLC
- Theft of computer containing personal information of approximately 540,000 worker's compensation recipients discovered on May 9, 2006
- CS Stars LLC "maintained" personal information
- CS Stars notified data "owner" of potential breach on June 29, 2006
- Data owner notified appropriate entities and consumers immediately
- FBI recovered computer
- No unauthorized use of personal information

Slide 47: NY Attorney General Action: CS Stars LLC
- Attorney General criticized delay between discovery of missing computer and CS Stars' notification to data owner
- Settlement (April 2007) required CS Stars to:
  - Implement precautionary measures to safeguard information
  - Comply with New York data breach notification statute in the event of any future breach
  - Pay $60,000 to cover costs related to investigation

Slide 48: CT Dept. of Consumer Protection Action: Bank of New York Mellon
- Lost backup tape containing personal information of more than 600,000 Connecticut residents
- Governor of Connecticut directed Commissioner of the Department of Consumer Protection to pursue all remedies available to affected Connecticut residents
- BNY Mellon notified each affected consumer and provided 24 months of credit protection
- To date, BNY has spent over $3.48 million to provide credit protection

Slide 49: CT Dept. of Consumer Protection Action: Bank of New York Mellon
- Settlement required BNY Mellon to:
  - Reimburse consumers for any funds stolen as a direct result of breach
  - Pay $150,000 to the State of Connecticut

Slide 50: Litigation: Typical Claims By Plaintiffs
- Plaintiffs (consumers) typically allege the following causes of action:
  - Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty
  - Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts

Slide 51: Litigation: Typical Court Rulings
- Plaintiffs fail to show "injury" as a result of data breach.
  - Pisciotta v. Old Nat'l. Bancorp., 499 F.3d 629 (7th Cir. 2007):
    - Exposure to identity theft without more does not constitute "injury"
    - Individual does not suffer harm as soon as information exposed
    - Credit monitoring costs do not constitute injury

Slide 52: Litigation: Typical Court Rulings
- Certain courts have dismissed data breach cases on ground of standing.
  - Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007);
  - Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006);
  - Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006).

Slide 53: Litigation: Typical Court Rulings
- In re TJX Cos. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007).
  - Claims brought by issuing banks:
    - Breach of contract based on alleged violations of Visa and MasterCard's network rules
    - Negligence
    - Massachusetts deceptive or unfair trade practices
    - Negligent misrepresentation

Slide 54: Litigation: Typical Court Rulings
- TJX Cos. Retail Sec. Breach Litig.
  - Dismissed breach of contract – Visa & MasterCard rules did not provide third-party beneficiary rights to plaintiffs (issuing banks)
  - Dismissed negligence – economic loss doctrine
  - Dismissed deceptive/unfair trade practices – no basis in FTC Act or GLB Act
  - Did not dismiss negligent misrepresentation – implied misrepresentation based on TJX's participation in credit card networks

Slide 55: Litigation: Unusual Court Rulings
- Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).
  - Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)
  - Court denied defendant's motion for summary judgment and held that plaintiff "has alleged injury in fact" to establish standing
  - "Increased risk of identity theft" constituted sufficient "injury in fact"

Slide 56: Litigation: Unusual Court Rulings
- Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
  - Laptop computer stolen from employer's pension consultant, which contained personal information (including name and social security no.)
  - Court granted defendant's motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
  - Court denied motion with respect to claim that plaintiff was third-party beneficiary of the contract between defendant and plaintiff's employer

Slide 57: Avoid Future Data Security Breaches
- Limit access to personally identifiable information
- Encryption
- Establish privacy compliance program
- Train and test employees
- Periodic audits
- Update and revise procedures
- Enhance technology to strengthen security and reduce risk
- Credential third-party vendors

Slide 58: Contact Information
Amy C. Purcell, Esquire

