The War on Privacy Opens a New Front

In the aftermath of many well publicized data breaches, in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem, have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.

Nevada’s law requires businesses to encrypt personally identifiable information about their customers that is transmitted electronically. So credit card information and other personal information sent by email, SMS text message or other digital means must be encrypted. Under the Nevada law, companies that comply but still have a breach would have a statutory limit on their liability for damages (i.e., $1,000 per customer per occurrence). But companies that don’t comply would have unlimited civil liability. If these statutes establish the standard by which businesses are judged in protecting sensitive consumer data, then those standards could easily form the basis of a civil argument that a business owner failing to comply has been negligent.

Massachusetts has also enacted measures that, effective in January, will require businesses that gather personal information about its residents to encrypt sensitive data on portable devices such as laptops and wireless devices. These new laws are intended to protect residents and consequently apply to companies out of state that have either customers or operations there. Companies concerned about compliance, even small companies, have started to worry about these new laws—computers that have encrypted hard drives, software that automatically encrypts information, and even tracking devices embedded into portable computers and similar mobile devices, are becoming increasingly popular.

Data Breach. Cause for Alarm or a Big Yawn?

By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be. More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded by news reports, privacy and breach notices as just so much junk mail? In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real-time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain losses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies for years indicate IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security is breached and others have little incentive to solve the problem. Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.

Coping With COPPA

The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.
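The gap CARU identified at Bandai is easy to see in code: an age screen that only compares a date of birth with the calendar can be retried with a different date. The following is an added illustration, not code from CARU, Bandai or the newsletter; it assumes a persistent per-visitor identifier (a cookie value, called `visitor_id` here) is issued before the date-of-birth prompt is shown, and it records only that a screen failed, never the date of birth itself.

```python
from dataclasses import dataclass, field
from datetime import date

COPPA_AGE = 13  # the under-13 threshold discussed in the passage above


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today; a Feb 29 birthday counts once Mar 1 arrives."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


@dataclass
class AgeScreen:
    """Age gate that remembers a failed screen per visitor.

    `visitor_id` (hypothetical name) stands in for a persistent cookie value
    set before the date-of-birth prompt is shown.  Only the fact that a screen
    failed is kept, never the date of birth, so the gate itself does not
    retain a child's personal information.
    """
    failed: set = field(default_factory=set)

    def screen(self, visitor_id: str, dob: date, today: date) -> bool:
        """Return True when the visitor may proceed to any data collection."""
        if visitor_id in self.failed:
            # This closes the gap described above: re-entering an older date
            # of birth from the same browser does not reopen the door.
            return False
        if age_on(dob, today) < COPPA_AGE:
            self.failed.add(visitor_id)
            return False
        return True


if __name__ == "__main__":
    gate = AgeScreen()
    today = date(2008, 9, 1)  # constructed "today" for the walkthrough
    print(gate.screen("cookie-abc", date(1997, 3, 4), today))  # child: False
    print(gate.screen("cookie-abc", date(1980, 1, 1), today))  # same browser, new DOB: still False
    print(gate.screen("cookie-xyz", date(1980, 1, 1), today))  # different visitor: True
```

A cookie can be cleared, so this is the "reasonably effective" tracking the guidelines ask for rather than an absolute barrier; the point is that the second, inaccurate date of birth no longer works on its own.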

Who Pays For the Data Security Breach?

Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial institution and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry, to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.

You Would Think They Would Know Better

Cyber-Ark Software, a U.S.-based information security company, surveyed information technology professionals at the Infosecurity Europe Expo 2008 in London this past April. They asked 300 senior IT folks attending the Expo about abuses relating to information access, and guess what they found? First, about one-third of all IT professionals surveyed abused their own company’s information access rights policies to view information unrelated to their job (e.g., spying on employees or looking at confidential information). The survey report noted that passwords of IT and systems oversight staff often aren’t required to be changed as often as user passwords—or sometimes not at all. In most cases, IT administrators have free rein to use or abuse access privileges—which apparently happens too often.

The notion of “internal firewalls” is highlighted by this report. While companies often take great pains to protect themselves from external threats, as history has shown us in the physical world, the biggest dangers are from “inside jobs.” Without protections that apply internally, snooping, economic espionage, sabotage, spying and data security risks will remain a looming threat to the information assets of a business enterprise.

Data, Data Everywhere, But Hackers Drop into Secure Websites

Criminals stole customer information from the Hannaford Bros. and Sweetbay grocery chains’ computer networks. As shoppers swiped cards at checkout and their information was routed to transaction processors using state-of-the-art, fiber-optic, hard-wired cable for transmissions, malicious software intercepted the information and transmitted it to an ISP off-shore. Experts are still trying to figure out how the code got into the systems in the first place.

Connecticut, after yet further large-scale data security breaches, has approved legislation, effective Oct. 1, 2008, which will require all businesses to have and display a privacy policy that explains how the business protects Social Security numbers. Businesses must safeguard data and documents with personal information from misuse by third parties, and violations trigger a $500 penalty—penalties per incident can total up to $500,000. While unintentional violations do not give rise to penalties, “unintentional” is likely to refer to lapses in the execution of a policy, not to companies without policy or a failure to implement a policy. Do you need help developing a privacy policy, information retention and disposal procedures? Need to comply with the new law in Connecticut and those of well over 30 states that have enacted data breach and data security and protection laws in the past few years? Call 212.702.1303 or email Joe Rosenbaum.

Did you read the article above about word-of-mouth advertising regulations in the UK? Then read the report entitled “Guidance on Data Security Breach Management,” sponsored by the UK Ministry of Justice and issued by the UK Information Commissioner’s Office (“ICO”). The report suggests a big difference between UK and U.S. data protection laws regarding best practices concerning data security breach notification.

In the United States, government operates on the presumption that a consumer is always better off when notified of a data security breach. The UK report explores the potential danger of “over-notifying” and asks if notification actually helps or simply creates anxiety, without the ability to allay the fears created, and postulates, “Not every incident will warrant notification, and notifying the whole 2 million strong customer database of an issue affecting only 2,000 customers may well cause disproportionate enquiries and work.” If consumers are barraged by data breach notices, with multiple notices to consumer reporting agencies and law enforcement officials, isn’t it more likely that people will start to ignore them? Read the full report.

Reed Smith has a global footprint, with lawyers who keep up to date in and across jurisdictions. Assumptions about the propriety, legal adequacy or efficacy of a response to a data breach may prove as disastrous as a breach itself. For companies that do business across state, provincial, regional and/or national boundaries, citizens of multiple jurisdictions may be involved. You need to know the correct responses. Need help? Contact Joe Rosenbaum to find out how Reed Smith’s privacy and data security team can meet your needs.

Data Security Breach - Who Are You Going to Call?

The New York State Information Security Breach and Notification Act amends the State Technology Law (Section 208) and the General Business Law (Section 899-aa), and requires that any New York State entity, as well as any person or business conducting business in New York and who owns or licenses computerized data that includes private information, must disclose any breach to New York residents (New York State governmental entities must also notify non-residents). This is similar to well more than 30 other states that have data breach notification statutes. Did you also know that when notification is necessary, New York law requires notification to the Attorney General, the Office of Cyber Security & Critical Infrastructure Coordination, and the Consumer Protection Board? Did you know there’s a “New York State Security Breach Reporting” form? No company relishes the idea of having to deal with a compromise of sensitive customer data. And no company should have to worry about not having the right legal advice when dealing with their customers, regulators and law enforcement officials. Reed Smith has a Data Security Group that keeps track of these laws in the United States and throughout the world.

Test Data? Really?

Are you using real customer data for testing? In a recent survey, well over 60 percent of IT professionals use live customer data for application testing and for software development. Guess how many IT professionals outsource application testing (and share live data with the testing company)—about 50 percent. Worried about sensitive data? Compliance with data breach statutes? Privacy concerns? Is this a potential gap in the security wall many companies build around their networks? You bet. Could it be a big compliance, legal and regulatory problem? Bigger bet. While live customer data is obviously the most representative for testing, it’s also the most risky. What can you do? Use fake data. Anonymize or sanitize real data. Use encryption. Limit access and strengthen contract, monitoring and audit controls. We know privacy and security, regulation and compliance. Call us.
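The remedies listed above (fake data, anonymized or sanitized real data, limited access) can be combined in one pre-release step that turns a live customer extract into a test dataset. What follows is an added example, not code from the newsletter or from any survey respondent; the rows, the fake-name lists and the key are constructed for the illustration. Identifiers are replaced with keyed HMAC-derived stand-ins, so the same customer maps to the same token across tables (joins in the test database still work) but nothing in the output can be traced back without the key, which stays with whoever runs the sanitizer rather than with the testers.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample rows standing in for a live customer table; not real people.
SAMPLE_CUSTOMERS: List[Dict] = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "zip": "10017", "balance": 1250.50},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "ssn": "987-65-4321", "card": "5500000000000004", "zip": "02110", "balance": -40.00},
]

FAKE_FIRST = ["Avery", "Blake", "Casey", "Devon", "Emery", "Finley", "Harper", "Jordan"]
FAKE_LAST = ["Adams", "Brooks", "Carter", "Dixon", "Ellis", "Foster", "Grant", "Hayes"]


def keyed_digest(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the value: deterministic under one key, so joins across
    tables still line up, but not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test used by card validators."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled once a check digit follows it
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def fake_card(card: str, key: bytes) -> str:
    """16-digit, Luhn-valid stand-in derived from the HMAC; no original digits survive."""
    payload = str(int(keyed_digest(card, key), 16) % 10**15).zfill(15)
    return payload + luhn_check_digit(payload)


def fake_name(name: str, key: bytes) -> str:
    d = keyed_digest(name, key)
    first = FAKE_FIRST[int(d[:8], 16) % len(FAKE_FIRST)]
    last = FAKE_LAST[int(d[8:16], 16) % len(FAKE_LAST)]
    return f"{first} {last}"


def sanitize_record(rec: Dict, key: bytes) -> Dict:
    out = dict(rec)
    out["name"] = fake_name(rec["name"], key)
    # ".invalid" is a reserved TLD, so test mail can never reach a real person.
    out["email"] = keyed_digest(rec["email"], key)[:16] + "@example.invalid"
    out["ssn"] = None                   # test code rarely needs it: drop rather than mask
    out["card"] = fake_card(rec["card"], key)
    out["zip"] = rec["zip"][:3] + "00"  # generalise to the 3-digit prefix
    return out                          # balances are kept: behaviour under test depends on them


def sanitize(records: List[Dict], key: bytes) -> List[Dict]:
    return [sanitize_record(r, key) for r in records]


def residual_identifiers(original: Dict, sanitized: Dict) -> List[str]:
    """Pre-release check: names of fields where the original sensitive value is still present."""
    leaked = []
    for f in ("name", "email", "ssn", "card"):
        if sanitized.get(f) is not None and original[f] in str(sanitized[f]):
            leaked.append(f)
    return leaked


if __name__ == "__main__":
    key = b"rotate-me-per-test-environment"  # hypothetical key; never ship it with the dataset
    for orig, clean in zip(SAMPLE_CUSTOMERS, sanitize(SAMPLE_CUSTOMERS, key)):
        print(clean, "residual:", residual_identifiers(orig, clean))
```

The `residual_identifiers` check is the part worth automating: run it over every row before the extract leaves the production environment, and treat any non-empty result as a release blocker.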

Financial Supermarket? No. Financial Advertising Supermarket? Well, Maybe...

Years ago, a number of companies hoped that by offering to simplify financial record-keeping and collect your financial information in one place, consumers would find it easier than trying to keep track of all of the numbers, codes and IDs they have to contend with in the real world. The concept fizzled, primarily because there was resistance to giving one website all the information—putting all your nest eggs, so to speak, in one basket. Now, some companies are hoping to revive the concept, this time with the lure of education, advertising and sponsorship.

Although the basic idea remains, the new aggregation model uses sponsored links—recommendations based on an analysis of consumer data and financial information—all geared to educating consumers about the availability of financial products and services. Just as search engines accumulate information about browsing—to prioritize and serve advertising believed to be of higher value to the individual—these new sites use the same model to recommend financial services. If you use a credit card to purchase airline tickets, the site might recommend or display an advertisement for an affinity credit card tied to an air carrier or one which offers points for your purchases. Use an overdraft line of credit for your checking account? You might see an advertisement or recommendation to consider a home equity line of credit to potentially lower your tax bill while you borrow.

While advertising-supported revenue models may have greater appeal from an economic viewpoint and may attract financial institution sponsors and advertisers, these sites still have to overcome consumer discomfort with making all—or a significant portion—of their nonpublic financial information available at a single point of aggregation. With the identity theft, data breach and privacy issues front and center in the past few years, one has to wonder if the power of advertising can overcome that anxiety.

Want to Know What to Do After a Data Breach?

Read “After a Data Breach: Navigating the tangle of state notification laws can be exasperating—and costly,” an Oct. 29, 2007 article by Jennifer McAdams, posted on ComputerWorld. I was interviewed and quoted in the article. I have helped numerous companies navigate the tangled web of state laws and regulations that have appeared in the past few years, and the ATM Law group tracks and keeps up-to-date on developments in state and federal law concerning this important issue.

Data Protection/Breach Disclosure Laws

In the news, yet more breaches of data security and the potential disclosure of personally identifiable, non-public information about you. From Wells Fargo to the Veterans Administration, breaches are becoming almost daily news. In response, more and more states are enacting breach disclosure laws requiring companies to notify consumers if there is an actual or potential breach of security compromising (or potentially compromising) your information. Even Congress is getting into the act of considering legislation at the national level. Although not all the definitions are uniform, nor are the requirements identical, most have common themes—but to understand what they are, how they affect you and what obligations you may have, you have to contact me, or you can simply wait for the next issue of Legal Bytes—stay tuned.

Did Anyone at ChoicePoint Read the February '04 Issue of Legal Bytes?

Shareholders are suing ChoicePoint and its executives after learning that criminals posing as bona fide businesses were given access to personal data. ChoicePoint maintains databases of background information on almost every citizen in the United States—billions of records. A class-action lawsuit has been filed in California charging that executives withheld information to avoid having the stock price fall when and if the news broke: the share price has since fallen more than 20 percent in a month. The suit claims the executives knew their data protection was inadequate; knew or should have known ChoicePoint was selling data to illegal businesses; and that security breaches had occurred previously, exposing even more people to identity theft.

The security breach was uncovered last October, when law enforcement first contacted ChoicePoint investigating an identity theft. Suspects, posing as a ChoicePoint client, gained access to its consumer databases. As if the class action and drop in share price were not trouble enough, ChoicePoint is under investigation by the FTC inquiring into its compliance with information security laws; is under investigation by the SEC for possible violations by certain executives of the insider trading regulations; and is facing lawsuits arising from violations of the Fair Credit Reporting Act and California state law. Will someone please pick up and read the February 2004 issue of Legal Bytes!?!

California's a Trendsetter: This Time it's Privacy

No longer merely the source of new fashion trends or technology movements (or McDonald’s), California is quickly becoming the thought leader in protecting consumer privacy. Two new laws, one which deals with personal information given to third parties for marketing (SB27) and another which obligates businesses to adhere to certain security requirements for using and storing personal information, both came into effect January 1, 2005. The new law requires businesses with 20 or more employees to give consumers detailed disclosures about not only what customer information they have shared with third parties, but also the contact information for and descriptions of those parties. Want to avoid the disclosure obligations? Simple. Allow your customers a free opt-out election from having their personal information shared. That said, you will still have to let your customers know how and to whom they can inquire about these requirements – even if your business offers the opt-out choice to consumers. By the way, if you are already subject to the stricter requirements of California’s financial privacy act, you are exempt. While there are some additional exemptions, they are narrow, and anyone doing business in California shouldn’t be too quick to conclude they are exempt without consulting legal counsel. California’s Office of Privacy Protection has drafted a set of recommended practices which attempts to harmonize the requirements of this new act with the California online privacy act, the state’s financial privacy provisions, the federal Gramm-Leach-Bliley Act, HIPAA, and European Union privacy directives. Good luck.

Do you or your contractors have sensitive personal information (e.g., names and addresses in combination with social security numbers and PIN numbers) that could lead to identity or financial theft if compromised? What about medical information about a person’s diagnosis and treatment? Start ensuring you have “reasonable” practices to protect that information from unauthorized access, use, modification and disclosure—and it doesn’t matter if the information is on paper or in electronic form. Both are covered. While the legislative history makes it clear that no one particular standard is “the standard” for “reasonable” security, a company will need to designate a specific individual who is responsible for the company’s security program, and will need to establish a security task force—including a compliance officer and legal counsel. To avoid running afoul of the standards, not only must practices and a task force be implemented, but companies will also have to demonstrate they periodically test and monitor how the security measures are working, make risk assessment, and fine-tune their security measures to keep them updated appropriately. Need employee training? Need help implementing background checks, confidentiality agreements, encryption and record retention/destruction requirements, and disciplinary measures? Call the lawyers at Reed Smith. We can help.

Remember California’s security breach notification law (we told you about this and you get another prize if you can identify the back-issue in which we did so)? That law requires businesses to disclose security lapses. This new law creates a new duty and standard of care. Lawsuits arising from breaches in security (you remember California’s Business and Professions Code section 17200) can now use AB1950 as a discovery prod to determine if your business has used and effectively maintains reasonable security measures.

Consider this: California has already passed more than a dozen laws to protect privacy—many of which have now spawned federal legislation, some already passed and others in process. SB186 bans unsolicited e-mail and AB1769 bans text messaging advertisements to cell phones and pagers. AB1733 mandates consent from customers before a wireless carrier can list their phone numbers in a 411 directory, and SB1436 restricts keystroke monitoring software, website tracking software, and software that attempts to control personal computers.