
Data Security Breaches: Response – Notification – Enforcement






Presentation Transcript


  1. Data Security Breaches: Response – Notification – Enforcement

  2. Topics For Discussion
    • Why do you need a response plan?
    • What is a “data security breach”?
    • Responding to a data security breach
    • State requirements and legislative update
    • Regulatory enforcement and litigation

  3. Statistics
    • Identity Theft Resource Center reports 656 breaches during 2008, exposing over 35,000,000 records
      • 47% increase from 2007
    • Average cost of data breach = $202 per affected consumer
      • 40% increase from 2005

  4. Recent Data Breaches
    • Hannaford Grocery (March 2008)
      • Hacker compromised at least 4.2 million payment cards in more than 270 stores
      • Approximately 1,800 reported instances of fraud related to the breach
      • Multiple class actions

  5. Recent Data Breaches
    • Heartland Payment Systems (Jan. 2009)
      • Malicious software compromised merchant processing network
      • Believed to be largest data breach in U.S. history
      • At least four class actions:
        • Issuing banks – breach of obligations under PCI standards and negligence
        • Consumers – federal statutory claims, breach of contract, negligence and state privacy laws

  6. Recent Data Breaches
    • Department of Veterans Affairs (May 2006)
      • Laptop computer and disk stolen from home of VA employee
      • Contained personal information of 26.5 million veterans who served in the military and have been discharged since 1976
      • Recovered by FBI with no evidence of unauthorized access
      • Under class action settlement, VA agreed to pay $20 million to defendants who were harmed by the incident, either through physical manifestations of emotional distress or the cost of credit monitoring

  7. What Is The Objective? Fill In The Gap
    • Protection
    • Compliance
    • Audits
    • Criminal prosecution
    • Civil prosecution
    How to Manage the Data Security Breach

  8. Why Do You Need A Response Plan?
    Thoughtful and Prepared Reaction
    Better Decision Making
    Minimized Risk and Loss

  9. What Is A Data Security Breach?
    • A breach of the security of the system that involves unencrypted computerized personal information that has been, or is reasonably believed to have been, acquired by an unauthorized person.
    • State statutes require notification to affected individuals and, in certain instances, regulatory agencies and law enforcement.

  10. What Is A Data Security Breach?
    • “Personal information”
      • First name or initial and last name with one or more of the following (when either the name or the data element is not encrypted):
        • Social security number;
        • Driver’s license number;
        • Credit card or debit card number; or
        • Financial account number with information such as PINs, passwords or authorization codes.

  11. What Is A Data Security Breach?
    • “Breach of the security of the system”
      • Some states expressly require notice of unauthorized access to non-computerized data
      • New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
      • Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”

  12. What Is A Data Security Breach?
    • Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements
    • Certain states require risk or harm
      • Arkansas: no notice if “no reasonable likelihood of harm to customers”
      • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”

  13. What Is A Data Security Breach?
    • Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data
      • Data owner has ultimate responsibility to notify consumers of a breach
      • Non-owners required to notify owners

  14. Collect Relevant Documents and Information
    • Data location lists
    • Confidentiality agreements
    • Customer contracts
    • Third-party vendor contracts
    • Privacy policy
    • Information security policy
    • Ethics policy
    • Litigation hold template
    • Contact list

  15. Create A First Response Team
    • Information technology (computer & technology resources)
    • Information security (physical security & access)
    • Compliance
    • Business heads (consumer information)
    • Human resources (private employee information – health & medical, payroll, tax, retirement)
    • Legal counsel (in-house and/or outside counsel)
    • Public relations/investor relations

  16. Assign Tasks To Members Of The First Response Team
    • Establish a point person
    • Identify key personnel for each task
    • Prioritize and assign tasks
    • Calculate timelines and set deadlines
    • Communicate with management
    • Establish attorney-client privilege for investigation and communications
    Project Management Is Critical

  17. Determine The Nature And Scope Of The Breach
    • Investigate facts
    • Interview witnesses
    • Determine type of information that may have been compromised
    • Identify and assess potential kinds of liability
    • Identify individuals potentially at risk and determine state or country of residence
    Preserve Company’s Assets, Reputation and Integrity

  18. Understand Data Breach Notice Laws
    • State laws:
      • What constitutes personal information?
      • When is a notice required?
      • Who must be notified?
      • Timing?
      • What information must be included in the notice?
      • Method of delivering notice?
      • Other state-specific requirements?
    • Applicable industry-specific laws
    • Applicable international laws

  19. Determine Appropriate Notices
    • Consumers
    • Employees
    • Law enforcement (Federal/State)
    • Federal regulatory agencies
    • State agencies
    • Consumer reporting agencies
    • Third-party vendors
    • Insurers
    • Media

  20. Prepare State Law Notices
    • General description of the incident
    • Type of information that may have been compromised
    • Steps to protect information from further unauthorized access
    • Contact information (e.g., email address; 1-800 number)
    • Advice to affected individuals (e.g., credit reporting, review account activity)

  21. Prepare State Law Notices
    • Delivery method (e.g., certified letters, e-mail, website)
    • Timing of notices
    • Tailor notices based on recipient
    • Use a single fact description for all notices

  22. State Laws - California
    • State involvement began in California, after a series of breaches received national attention
    • Passed in 2002, went into effect in mid-2003
    • Requires notice to California residents if data is lost or stolen
    • Notification must occur whether or not the business has any presence in California

  23. State Laws - California
    • 44 states, the District of Columbia, Puerto Rico and the US Virgin Islands now have breach notification laws
    • Expanded in 1/2009 to include medical and health insurance information
    • California law may expand further to:
      • Specific requirements for the notice letter, and reporting to the Attorney General of breaches affecting 500 or more
      • Require "plain language" breach notices, with a description of the breach and an estimate of the number of persons affected

  24. State Laws - Massachusetts
    • Went into effect on February 3, 2008
    • Applies to any person, business or agency that licenses, maintains, owns or stores PPI
    • Applies to information regardless of physical form or characteristics (includes paper)
    • Unauthorized access to, or use of, paper files containing PPI triggers the notice requirement
    • Data encrypted at 128-bit or higher algorithmic process is not a security breach, unless the encryption key is also lost

  25. State Laws - Massachusetts
    • Notify affected resident, Attorney General and Director of Consumer Affairs and Business Regulation
      • Include number of affected individuals, nature of breach and actions being taken to address the incident
      • Director shall identify any further notifications to consumer reporting agencies or state agencies
    • Notice given to resident "shall not" include the number of people affected or the nature of the breach
      • Provide option to obtain a police report and "security freeze"

  26. State Laws - Massachusetts Data Destruction Requirements
    • Persons, businesses and agencies must take certain steps when disposing of records containing PPI in paper or electronic form
    • Records containing PPI must be destroyed so that PPI "cannot practically be read or reconstructed"
    • Parties improperly disposing of records may be fined $100 per individual, up to a maximum of $50,000 per event

  27. State Laws - Massachusetts Identity Theft Regulations (Update)
    • New regulations will increase the level of security required – effective January 1, 2010
    • Same "covered entities" will be required to encrypt data on laptops and removable storage devices, encrypt information transmitted wirelessly or on a public network, and meet certain computer hardware requirements

  28. State Laws - Massachusetts Information Security Regulations (Update)
    • Every person that licenses, maintains, owns or stores PPI of a state resident must have a comprehensive information security program
    • If PPI is handled electronically, then the information security program must cover computer and wi-fi uses

  29. State Laws - Missouri (to watch) Breach Notification Bill
    • Applies to all businesses in Missouri that own or license electronic data with a resident's PPI
    • Must notify resident within 30 days of a breach
    • Must notify resident whenever there is evidence of unauthorized access to PPI
    • In bill (draft) form, creates criminal penalties

  30. State Laws - New Jersey (to watch) Proposed Revised Computer Security Rules
    • Replaces previously proposed rules under the New Jersey Identity Theft Prevention Act
    • Now requires a comprehensive, written information security program to protect PPI
    • Must notify police first if there is a disclosure/breach
    • If police consent, the persons must be notified of the disclosure/breach "as expeditiously as possible"
    • No requirement to notify individuals if use of the disclosed information is "not reasonably possible"

  31. State Laws: Cost Recovery – Minnesota
    • If there is a breach of state law, must reimburse the financial institution that issued any “access device” for the costs of reasonable actions undertaken in order to protect PPI, including:
      (1) cancellation or re-issuance of the “access device”;
      (2) closure of any account and any action to stop payments or block transactions;
      (3) opening or reopening of any account;
      (4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction; and
      (5) notification of cardholders affected by the breach.
    • Financial institution may recover payments to cardholders

  32. European Union Data Protection Directive
    • “Personal Data”
    • “Processing”
    • The "controller” is responsible for compliance
    • The data protection requirements apply both when the controller is established within the EU, and when the controller uses equipment situated within the EU in order to process data.

  33. European Union ePrivacy Directive
    • Directive on Privacy and Electronic Communications a/k/a ePrivacy Directive
    • The ePrivacy Directive requires any "provider of publicly available electronic communications services" to (1) provide security of services and (2) maintain confidentiality of information

  34. European Union ePrivacy Directive
    • Clearly, the Directive covers telecommunications operators and internet service providers
    • However, why not (and currently being considered):
      • employers providing employees with e-mail
      • Internet cafes
      • hotels providing Internet access to guests
      • companies providing free wi-fi

  35. United Kingdom
    • No law requires notification of an improper disclosure
    • Prosecutions and fines under other laws about failure to make adequate notification to affected persons
    • Financial Services Authority fined Nationwide Building Society $2M under the Financial Services and Markets Act 2000 for violating principles: (1) reducing the extent to which it is possible for a business carried on by a regulated person … to be used for a purpose connected with financial crime; and (2) a firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems

  36. Australia
    • Australian Legislation: Privacy Act 1988
      • National Privacy Principles: applies to private organizations
      • Information Privacy Principles: applies to government agencies
    • Data Security: private organizations and agencies required to take reasonable steps to protect PPI from disclosure, loss and misuse
    • Sanctions: Privacy Commissioner can make non-binding declarations dealing with damages and losses. Privacy Commissioner or complainant may seek a federal court order enforcing the determination
    • Privacy Act does not contain breach notification rules

  37. Germany Proposed Amendments to German Data Protection Law
    • PPI includes names, addresses, dates of birth and bank information
    • PPI may be given to marketers only with specific consent from the individual
    • If changes become final, businesses would have three years to comply

  38. Prepare Answers To Inquiries
    • Draft FAQs with responses
    • Establish hotline
    • Assign group of contact employees
    • Train employees to respond to inquiries
    • Develop clear escalation path for difficult questions
    • Track questions and answers

  39. Prepare Press Release
    • Include the following information:
      • Facts surrounding the incident
      • Actions to prevent further unauthorized access
      • Steps to prevent future data security breaches
      • Contact information for questions
    • Review by legal counsel

  40. Consider Offering Assistance To Affected Individuals
    • Free credit reporting
    • Free credit monitoring with alerts
    • ID theft insurance
    • Access to fraud resolution specialists
    • Toll-free hotline

  41. Enforcement Actions
    • Federal Trade Commission – Section 5 of FTC Act
      • Enforce privacy policies and challenge data security practices that cause substantial consumer injury
    • State Attorney General – State Notification Statutes
      • Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
      • Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
    • Litigation in federal or state courts

  42. FTC Actions: The TJX Companies, Inc.
    • In January 2007, TJX announced that an unauthorized intruder accessed its computer system, which contained detailed information about customer debit and credit cards.
    • Breach exposed at least 45 million credit and debit cards
    • Investigated by FTC, at least 39 states and the Secret Service

  43. FTC Actions: The TJX Companies, Inc.
    • FTC complaint alleged that TJX engaged in “unfair acts or practices” by:
      • Creating unnecessary risk to personal information by storing and transmitting it in clear text
      • Failing to use readily available security measures to limit wireless access to its networks
      • Failing to require network administrators and users to use “strong” passwords or to use different passwords to access different programs, computers, networks
      • Failing to use readily available security measures to limit access among computers and the internet (i.e., a firewall to isolate card authorization computers)
      • Failing to employ sufficient measures to detect and prevent unauthorized access or conduct security investigations

  44. FTC Actions: The TJX Companies, Inc.
    • Consent order (dated July 2008):
      • Establish, implement and maintain a comprehensive information security program “reasonably designed to protect the security, confidentiality, and integrity of personal information.”
      • Obtain assessments and reports from a “qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.”
      • Make available to the FTC (upon request) for inspection and copying documents relating to compliance.
      • File with FTC a report setting forth “in detail the manner and form” in which it has complied with the consent order.

  45. Other FTC Actions
    • Other FTC settlements:
      • ValueClick (civil penalties = $2,900,000)
      • Goal Financial
      • Life Is Good
      • Premiere Capital Lending, Inc.
      • Reed Elsevier Inc.

  46. NY Attorney General Action: CS Stars LLC
    • Theft of a computer containing personal information of approximately 540,000 workers’ compensation recipients discovered on May 9, 2006
    • CS Stars LLC “maintained” personal information
    • CS Stars notified data “owner” of potential breach on June 29, 2006
    • Data owner notified appropriate entities and consumers immediately
    • FBI recovered computer
    • No unauthorized use of personal information

  47. NY Attorney General Action: CS Stars LLC
    • Attorney General criticized delay between discovery of missing computer and CS Stars’ notification to data owner
    • Settlement (April 2007) required CS Stars to:
      • Implement precautionary measures to safeguard information
      • Comply with New York data breach notification statute in the event of any future breach
      • Pay $60,000 to cover costs related to investigation

  48. CT Dept. of Consumer Protection Action: Bank of New York Mellon
    • Lost backup tape containing personal information of more than 600,000 Connecticut residents
    • Governor of Connecticut directed Commissioner of the Department of Consumer Protection to pursue all remedies available to affected Connecticut residents
    • BNY Mellon notified each affected consumer and provided 24 months of credit protection
    • To date, BNY has spent over $3.48 million to provide credit protection

  49. CT Dept. of Consumer Protection Action: Bank of New York Mellon
    • Settlement required BNY Mellon to:
      • Reimburse consumers for any funds stolen as a direct result of the breach
      • Pay $150,000 to the State of Connecticut

  50. Litigation: Typical Claims By Plaintiffs
    • Plaintiffs (consumers) typically allege the following causes of action:
      • Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty
      • Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts
