<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Privacy Compliance &amp; Data Security</title>
      <link>http://dataprivacy.foxrothschild.com/</link>
      <description />
      <language>en</language>
      <copyright>Copyright 2010</copyright>
      <lastBuildDate>Tue, 26 Jan 2010 07:25:46 -0500</lastBuildDate>
      <pubDate>Tue, 26 Jan 2010 07:25:46 -0500</pubDate>
      <generator>http://www.movabletype.org</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <feedburner:info uri="privacycompliancedatasecurity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://dataprivacy.foxrothschild.com/index.xml" /><item>
         <title>Data Breach Costs Increase to $204 per Compromised Record</title>
         <description>&lt;p&gt;The average cost per customer record compromised in a data breach rose $2 over the 2008 figure to $204. &lt;a href="http://www.ponemon.org/index.php"&gt;The Ponemon Institute&lt;/a&gt;, which conducts independent research on privacy, data protection and information security policy, released its fifth annual report (&lt;a href="http://www.encryptionreports.com/2009cdb.html"&gt;Available Here&lt;/a&gt;) putting the average cost per compromised customer record at $204.&amp;nbsp; The report is sponsored by &lt;a href="http://www.pgp.com/"&gt;PGP&amp;nbsp;Corporation&lt;/a&gt;, an encryption vendor, which is worth keeping in mind when weighing its conclusions.&lt;/p&gt;
&lt;p&gt;The report is based on 45 reported real-world data breaches, with samples ranging from 5,000 to approximately 10,000 records.  Of the breaches studied, organizations paid a low of $750,000 and a high of $31 million in connection with the breach response.  The average cost to an organization from a data breach increased from $6.65 million to $6.75 million between the &lt;a href="http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf"&gt;2008&lt;/a&gt; and the 2009 (&lt;a href="http://www.pgp.com/insight/newsroom/press_releases/2009_annual_study_cost_of_data_breach.html"&gt;Summary&lt;/a&gt;) studies. &lt;/p&gt;&lt;p&gt;The $204 cost is further broken down: $144 relates to indirect costs, such as losses from customer churn and lost prospective customers.  The balance relates to direct costs incurred by organizations, an increase of $10 over the 2008 report.&lt;/p&gt;
&lt;p&gt;In 42% of the cases the breach was attributable to a third party&amp;rsquo;s error &amp;ndash; a useful reminder that vendor and outsourcing contracts should carry security obligations and breach-notification terms.  Only 24% of the breaches were caused by intentional attacks.  Shockingly, 82% of the breaches studied by the Ponemon Institute involved organizations that had suffered more than one breach of 1,000 records or more in 2009.  The one piece of good news for the repeat offenders is that their average cost is only $198 per record (versus $228 per record for organizations experiencing their first breach).&lt;/p&gt;
&lt;p&gt;Counterintuitively, organizations that respond quickly tend to experience a higher cost per record.  A rushed response is often a disorganized and inefficient one, and those organizations spend on average $219 per record, while organizations with a more organized response spend on average $196 per record &amp;ndash; an argument for having an incident response plan in place before a breach, so that speed and organization are not at odds.&lt;/p&gt;
&lt;p&gt;Organizations that engage third parties to assist in the response and compliance following a data breach actually spend much less per record compromised ($170 versus $230).&lt;/p&gt;
&lt;p&gt;In fewer than half of the cases studied (40%), the response was managed by the organization&amp;rsquo;s chief information security officer.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/tHwUUBi3x58" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/tHwUUBi3x58/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/data-breach-costs-increase-to-204-per-compromised-record/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">$204 per Record</category><category domain="http://dataprivacy.foxrothschild.com/tags">2009 Cost of a Data Breach</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Security Breach Response</category><category domain="http://dataprivacy.foxrothschild.com/tags">Poneman Institute</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Tue, 26 Jan 2010 07:13:00 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/data-breach-costs-increase-to-204-per-compromised-record/</feedburner:origLink></item>
            <item>
         <title>Password Security Often Overlooked as Source of Data Breaches</title>
         <description>&lt;p&gt;The lessons to be learned from data breaches are often numerous and not always apparent on the surface.  The most recent example is the RockYou.com hack that occurred in December.  And what a hack that was.&lt;/p&gt;
&lt;p&gt;Briefly, when RockYou.com was hacked, the attackers walked away with 32 million usernames and the corresponding passwords.  While the number of usernames and passwords (and let&amp;rsquo;s be honest, the number of users of this service) is shockingly high, the unforgivable transgression is that RockYou.com apparently stored those passwords in plain text.  In other words, while industry standards dictate, and competent legal advisors and IT consultants strongly recommend, that personally identifiable information be stored in an encrypted format &amp;ndash; and that passwords in particular never be stored in any recoverable form at all, encrypted or not, but only as salted hashes produced by a purpose-built password-hashing function, so that a stolen database does not hand the attacker every user&amp;rsquo;s credentials &amp;ndash; RockYou.com apparently stored the usernames and passwords in a format as readable as this blog entry.  Yeah, seriously.&lt;/p&gt;
&lt;p&gt;But while the media is focusing on the revelation of which passwords are most commonly used, the less obvious takeaway may be the most interesting.  Starting with the premises that people are people, people use blatantly obvious passwords, people reuse the same password across services, and people create the passwords for your business computers and networks, it is not hard to reach the conclusion that there are many businesses out there that are one simple password away from a data breach featured in the &lt;em&gt;Wall Street Journal&lt;/em&gt;, as &lt;a href="http://online.wsj.com/article/SB123249174099899837.html"&gt;Heartland&lt;/a&gt; was.&lt;/p&gt;&lt;p&gt;The security firm iMPERVA published a &lt;a href="http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf"&gt;detailed analysis&lt;/a&gt; (PDF link) of the passwords obtained through the RockYou.com hack.  The analysis is a good read, and includes many suggestions for best practices.&lt;/p&gt;
&lt;p&gt;The analysis reveals that the top three passwords are 123456, 12345, and 123456789.  The fourth most common password?  It is Password.  It feels odd even writing the foregoing two sentences.&lt;/p&gt;
&lt;p&gt;But you are not a hacker, you run a business.  You run it well.  You do not ignore the details, and you make sure you know exactly what every contract says before you sign it.  But you probably do not select the &amp;ldquo;Administrator&amp;rdquo; password for your business.  If your business is named Competent, what are the chances that password is Competent1?&amp;nbsp; You are probably not responsible for ensuring that the password on the router/firewall between the Internet and your customers&amp;rsquo; personally identifiable information (and your proprietary information) has been changed from the vendor default, and changed to a strong password.  You have people who do that.  That being said, people are people, etc.&lt;/p&gt;
&lt;p&gt;So, what is a strong password?  Well, strong passwords are a lot like the way Justice Potter Stewart described pornography: I know it when I see it.  There are suggestions about the use and intermingling of letters (uppercase and lowercase), numbers and punctuation, 12-14 characters and non-English words.  3d4$d@Ga1GhS3p is a quickly mashed-out example.  Yes, nearly impossible to remember, but very difficult to guess or brute-force, and in an era of doing all reasonable things to prevent hacks, a terrific first step.  Two caveats: length does more for strength than symbol-juggling, so a long passphrase (or a password manager that generates and remembers random passwords for you) is usually the better choice; and no password, however strong, protects you if the site stores it in plain text as RockYou.com did, or if you reuse it on another site that is later breached.  Wikipedia has an easy to read primer on strong password selection &lt;a href="http://en.wikipedia.org/wiki/Strong_password#Examples_that_follow_guidelines"&gt;here&lt;/a&gt;.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/nBDoH6EFgXI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/nBDoH6EFgXI/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/01/articles/electronic-data-security/password-security-often-overlooked-as-source-of-data-breaches/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Electronic Data Security</category><category domain="http://dataprivacy.foxrothschild.com/tags">IT Security</category><category domain="http://dataprivacy.foxrothschild.com/tags">Password</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">RockYou.com</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Fri, 22 Jan 2010 06:50:00 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/01/articles/electronic-data-security/password-security-often-overlooked-as-source-of-data-breaches/</feedburner:origLink></item>
            <item>
         <title>2009 Most Notorious Data Breaches</title>
         <description>&lt;p&gt;With 2009 (thankfully) behind us, we should take a minute to look back before moving on.&amp;nbsp; As most people recognize and accept, history tends to repeat itself and 2009 is a great year to learn from others' mistakes and missteps.&lt;/p&gt;
&lt;p&gt;Computerworld created a &amp;quot;&lt;a href="http://www.computerworld.com/s/article/print/9142407/The_2009_data_breach_hall_of_shame?taxonomyName=Cybercrime+and+Hacking&amp;amp;taxonomyId=82"&gt;2009 data breach hall of shame&lt;/a&gt;&amp;quot; recently that is an excellent read if you would like an overview of the most notorious data breaches of 2009.&amp;nbsp; None of us should lose sight of the thousands (if not tens of thousands) of smaller and unreported data breaches that occur every year.&lt;/p&gt;
&lt;p&gt;I will not restate the work done by Computerworld, but I do believe that the RockYou breach is the most egregious.&amp;nbsp; Assuming all of the facts as reported in various media outlets are true, the idiotic (ignorant is just not the right word) storage of passwords in plain text (rather than as salted hashes, the baseline practice for password storage) highlights just how far companies have yet to go to understand even the most basic principles of data protection.&lt;/p&gt;
&lt;p&gt;Let's all hope for a safer, more compliant year in 2010 if, for no other reason, so that our own personal information is not released into the wilds.&amp;nbsp; Happy new year.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/PTvK0e2vA9Q" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/PTvK0e2vA9Q/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/2009-most-notorious-data-breaches/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">'2009</category><category domain="http://dataprivacy.foxrothschild.com/tags">Breaches"</category><category domain="http://dataprivacy.foxrothschild.com/tags">Data</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Security Breach Response</category><category domain="http://dataprivacy.foxrothschild.com/tags">Hall of Shame</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category>
         <pubDate>Thu, 07 Jan 2010 09:01:56 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/2009-most-notorious-data-breaches/</feedburner:origLink></item>
            <item>
         <title>Online Privacy Regulation Comes Front and Center at FTC, and Will Quickly Fade</title>
         <description>&lt;p&gt;A standing room meeting organized by the &lt;a href="http://www.ftc.gov"&gt;Federal Trade Commission&lt;/a&gt; (FTC) in Washington on Monday, December 7th, highlighted a crucial divide in the discussion over the regulation of online privacy.  The New York Times provides an &lt;a href="http://www.nytimes.com/2009/12/08/business/media/08adco.html?_r=1"&gt;excellent summary&lt;/a&gt; of the mainstream newsworthy aspects of the meeting.&lt;/p&gt;
&lt;p&gt;While the take away may be that the FTC is taking a more serious look at online privacy and net neutrality, the reality is that any oversight is not going to happen anytime soon.  Not anytime soon as in years, if ever.  Policy making as the solution is not going to address any immediate concerns or problems.&lt;/p&gt;
&lt;p&gt;What may be of more interest is the deep divide between the parties with a vested interest in the outcome of the discussion, namely, the consumer/consumer advocates and parties making money from information that may one day be regulated.&lt;br /&gt;
&lt;/p&gt;&lt;p&gt;Consumers generally have no idea what information or Internet usage habits are being shared, or with whom.  Sure, legitimate businesses state clearly in privacy policies and disclosures what is going to happen with your information.  Less scrupulous companies lie in those policies and statements.  But you don&amp;rsquo;t read those policies or disclosures.  Nobody does.&lt;/p&gt;
&lt;p&gt;Consumer/privacy advocate groups do read those policies and disclosures, and they speak for consumers.  But the consumer often feels he or she has no real vested interest in the use of the most benign of that information.  Why do I care if information about what movies I rent gets made public in an anonymous manner?  You probably do not care.&lt;/p&gt;
&lt;p&gt;You would care if that information concerned your sexual orientation, a matter personal enough that you have chosen to keep it to yourself.  One woman alleges that exactly this was exposed when Netflix released supposedly anonymized rental records that could be linked back to individual subscribers &amp;ndash; a reminder that &amp;ldquo;anonymous&amp;rdquo; data is only as anonymous as an outsider&amp;rsquo;s inability to re-identify it &amp;ndash; and &lt;a href="http://blogs.wsj.com/law/2009/12/18/did-netflix-violate-subscribers-privacy-lawsuit-says-yes/"&gt;she sued&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The businesses that make money off of your information and Internet usage habits stand to lose money.  Lots and lots of money.  Groups like Google, the Direct Marketing Association, Facebook and even those URL shortening services that aggregate data to sell reports on what is hot in Internet traffic.&lt;/p&gt;
&lt;p&gt;And the answer for those groups that stand to lose money if the current &amp;ldquo;opt-out&amp;rdquo; approach is abandoned?  Turn off cookies.  Do not sign up for services that disclose personal information in exchange for you to use the providers&amp;rsquo; services.  The web site will not &amp;ldquo;function&amp;rdquo; properly with the cookies turned off?  Well, you do not have to use the web site.  You do not want anything about your use shared?  Hey, don&amp;rsquo;t use Facebook.  You are concerned about law enforcement accessing your Internet history without probable cause or reasonable suspicion of wrongdoing (specifically, without a warrant)?  There must be alternatives to Comcast and FIOS, right?&lt;/p&gt;
&lt;p&gt;Most people do not want governmental regulation of more and more activities, but most people will also admit that where rights are trampled, government regulation is often the best tool to stamp it out.  Most businesses do not want regulation, period.&lt;/p&gt;
&lt;p&gt;The debate is going to get heated, it is going to be protracted and it is going to expose who has an interest and what sacrifices (often of others) they are willing to make.  We look forward to seeing how the debates unfold.  If it is anything like the underreported FTC meeting in Washington almost two weeks ago, the debate will be interesting with no clear winner (unless the status quo remains, in which businesses brokering data continue to win).&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/kPMcuFJ-Mto" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/kPMcuFJ-Mto/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/12/articles/proposed-law/online-privacy-regulation-comes-front-and-center-at-ftc-and-will-quickly-fade/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Net Neutrality</category><category domain="http://dataprivacy.foxrothschild.com/tags">Opt-Out</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">federal trade commission</category>
         <pubDate>Sat, 19 Dec 2009 11:31:12 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/12/articles/proposed-law/online-privacy-regulation-comes-front-and-center-at-ftc-and-will-quickly-fade/</feedburner:origLink></item>
            <item>
         <title>Alleged that Sprint Provided Law Enforcement Customer GPS Data over 8 Million Times</title>
         <description>&lt;p&gt;Ars Technica &lt;a href="http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=rss"&gt;reported&lt;/a&gt; yesterday on a graduate student at Indiana University's School of Informatics and Computing who has compiled &lt;a href="http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html"&gt;documents and recordings&lt;/a&gt;, obtained through Freedom of Information Act requests, indicating that Sprint/Nextel provided GPS location data about Sprint&amp;rsquo;s wireless customers to law enforcement over eight (8) million times in just over one year.&lt;/p&gt;
&lt;p&gt;The number itself may be misleading, as there does not appear to be any confirmation that this involved eight million different wireless customers, or even eight million separate requests. For example, if the GPS location data refreshes every minute, tracking one individual for 24 hours could account for 1,440 of the aggregate number. That said, approximately 110 Sprint employees and contractors appear to be handling these law enforcement requests, so it is possible that the volume is as extraordinary as it appears.&lt;/p&gt;
&lt;p&gt;But the troubling aspect of this revelation may not be whether the number is eight million wireless customers or eight wireless customers, but rather the access system described in the reports. Apparently, law enforcement can log into a Sprint web portal and obtain the information (for a fee, of course). The ability of law enforcement to obtain this information without showing probable cause has long been settled: law enforcement can obtain an appropriate court order, and the telecommunications companies will typically provide call and text message logs, even GPS data. With a self-service web portal, however, it is entirely unclear (and improbable) that law enforcement is obtaining the GPS data under an order for each request. It may be that Sprint is serving this information on its wireless customers without requiring the customary trap &amp;amp; trace order, and it is likely that Sprint is able to provide it to law enforcement without a warrant (ever read your carrier&amp;rsquo;s terms and conditions of service?). Once access is self-service, the safeguards that matter are who holds portal credentials, how each query is authorized, and whether every lookup is logged and audited &amp;ndash; and those are the questions Sprint should be answering.&lt;/p&gt;
&lt;p&gt;AT&amp;amp;T has approximately 81.6 million wireless customers, and Verizon has approximately 89 million wireless customers. Sprint has approximately 48.3 million wireless customers. With AT&amp;amp;T and Verizon having a combined 3.5 times more wireless customers than Sprint (which does not include T-Mobile and the multiple regional carriers), this report does beg the question of how often is customer GPS data provided by all wireless carriers to law enforcement without a warrant. This report also raises the question of how much will these numbers skyrocket when/if other carriers start making access for law enforcement so easy and presumably available without warrant.&lt;/p&gt;
&lt;p&gt;You should decide for yourself how much weight to give this report, and a response from Sprint may be forthcoming. The report does highlight that customer wireless information is being requested and received by law enforcement in increasing numbers (with Sprint&amp;rsquo;s web portal possibly being the most accessible channel yet, and a likely cause of the surge in requests).&lt;/p&gt;
&lt;p&gt;It is also up to each of us to decide whether the &amp;ldquo;if I am doing nothing wrong, what do I care,&amp;rdquo; or the &amp;ldquo;enough already with Big Brother&amp;rdquo; response is appropriate. But before you answer the question, think about how that response may change when reports of abuse start emerging (&amp;ldquo;Well, Mark, my brother-in-law is a cop and he requested and learned for me that according to your GPS data you were not sick on Monday but at the golf course.&amp;rdquo;)&lt;/p&gt;
&lt;p&gt;Give the Ars Technica &lt;a href="http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=rss"&gt;article&lt;/a&gt; a read.  It is a true eye opener.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/Sz60yPoyKDg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/Sz60yPoyKDg/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/12/articles/right-to-privacy/alleged-that-sprint-provided-law-enforcement-customer-gps-data-over-8-million-times/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">AT&amp;T</category><category domain="http://dataprivacy.foxrothschild.com/tags">GPS Location Data</category><category domain="http://dataprivacy.foxrothschild.com/tags">Law Enforcement</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Probable Cause</category><category domain="http://dataprivacy.foxrothschild.com/articles">Right to Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Sprint</category><category domain="http://dataprivacy.foxrothschild.com/tags">Tap &amp; Trace Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">Verizon</category>
         <pubDate>Wed, 02 Dec 2009 07:25:28 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/12/articles/right-to-privacy/alleged-that-sprint-provided-law-enforcement-customer-gps-data-over-8-million-times/</feedburner:origLink></item>
            <item>
         <title>FTC Extends Red Flag Rules Enforcement Until June 1, 2010</title>
         <description>&lt;p&gt;The FTC has &lt;a href="http://www.ftc.gov/opa/2009/10/redflags.shtm"&gt;again extended&lt;/a&gt; enforcement of the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;Red Flag Rules&lt;/a&gt;, this time until June 1, 2010.&lt;/p&gt;
&lt;p&gt;This extension comes just one day after the ABA won a &lt;a href="http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/"&gt;victory&lt;/a&gt; with its request that practicing attorneys be exempted from compliance with the Red Flag Rules.&lt;/p&gt;
&lt;p&gt;The extension of the enforcement deadline also comes shortly after certain other exemptions, namely, health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, were &lt;a href="http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/"&gt;passed in the House of Representatives&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, then to &lt;a href="http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/red-flags-rules-further-delayed-now-go-into-effect-august-1-2009/"&gt;August 1, 2009&lt;/a&gt;, and then further extended to November 1, 2009.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/AKhWVRg2J0k" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/AKhWVRg2J0k/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/11/articles/red-flag-rules-1/ftc-extends-red-flag-rules-enforcement-until-june-1-2010/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair and Accurate Credit Transactions Act of 2003</category><category domain="http://dataprivacy.foxrothschild.com/tags">Identity</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">Red Flags Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">Theft'</category>
         <pubDate>Tue, 03 Nov 2009 09:28:46 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/11/articles/red-flag-rules-1/ftc-extends-red-flag-rules-enforcement-until-june-1-2010/</feedburner:origLink></item>
            <item>
         <title>ABA SCORES VICTORY WITH ATTORNEY EXEMPTION FROM RED FLAG RULES</title>
         <description>&lt;p&gt;The United States District Court for the District of Columbia ruled that the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;Red Flag Rules&lt;/a&gt; are not applicable to attorneys engaged in the practice of law.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.abanet.org/media/nosearch/1_1_Complaint.pdf"&gt;complaint&lt;/a&gt;, filed in late August 2009, argues that the FTC overstepped its statutory authority by imposing the Red Flag Rules on attorneys engaged in the practice of law.&lt;/p&gt;
&lt;p&gt;The ruling is another victory by the American Bar Association when it comes to exempting attorneys from rules regarding the handling of financial and/or sensitive information.  It would seem that the FTC would have made adjustments to its definitions of &amp;ldquo;creditor&amp;rdquo; to make it clear that attorneys should be included in its regulations, but that clarification may need to be addressed at the Congressional level to avoid future ambiguity.&lt;/p&gt;
&lt;p&gt;If Congress does present future legislation, or an amendment to existing legislation, that specifically includes attorneys, it will be interesting to see how the ABA argues that attorneys should be exempted from these types of federal consumer protection statutes.&lt;/p&gt;
&lt;p&gt;The BLT: The Blog of LegalTimes &lt;a href="http://legaltimes.typepad.com/blt/2009/10/judge-ftc-cannot-make-lawyers-comply-with-identity-theft-laws.html"&gt;reports&lt;/a&gt; that it is expected that the FTC will appeal the ruling.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/7zzQYbLRCPo" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/7zzQYbLRCPo/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">federal trade commission</category>
         <pubDate>Fri, 30 Oct 2009 10:19:58 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/</feedburner:origLink></item>
            <item>
         <title>EXEMPTIONS UNDER FTC RED FLAG RULES AMENDMENT PASSES THE HOUSE</title>
         <description>&lt;p&gt;Representative John Adler&amp;rsquo;s (D-NJ) amendment to the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;FTC Red Flag Rules&lt;/a&gt;, an act titled &amp;ldquo;&lt;a href="http://thomas.loc.gov/cgi-bin/query/D?c111:2:./temp/~c111HPQkB6::"&gt;To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses&lt;/a&gt;,&amp;rdquo; passed the House of Representatives on October 20, 2009.&lt;/p&gt;
&lt;p&gt;Currently, the Red Flag Rules go into effect on &lt;a href="http://www.ftc.gov/opa/2009/07/redflag.shtm"&gt;November 1, 2009&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Set forth in full below, the bill exempts health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, from complying with the Red Flag Rules.&lt;/p&gt;
&lt;p&gt;The Adler amendment will have little effect on the litigation brought in August by the &lt;a href="http://www.abanet.org/abanet/media/release/news_release.cfm?releaseid=755"&gt;American Bar Association&lt;/a&gt; because of its limited scope.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/viohVOXfGco" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/viohVOXfGco/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FCRA</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair Credit Reporting Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">John Adler</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category>
         <pubDate>Thu, 22 Oct 2009 08:19:02 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/</feedburner:origLink></item>
            <item>
         <title>CALIFORNIA'S PROPOSED STRENGTHENED DATA PRIVACY LAW TERMINATED</title>
         <description>&lt;p&gt;It appears that John Connor is not the only thing from the future in Governor Schwarzenegger&amp;rsquo;s crosshairs.&amp;nbsp;The Governator vetoed the update to &lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;California&amp;acute;s landmark privacy protection law (AB 700)&lt;/a&gt;, known as &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt;, which California&amp;rsquo;s State Legislature previously approved and we reported about &lt;a href="http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/"&gt;here&lt;/a&gt;. &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt; was proposed by State Senator Joe Simitian (D-Palo Alto).&lt;/p&gt;
&lt;p&gt;Simitian, the author of California&amp;rsquo;s existing privacy legislation (&lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;AB 700&lt;/a&gt;), created a bill that had no apparent opposition.&amp;nbsp;In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation similar to the legislation that he authored for California (AB 700).&amp;nbsp;Scientific American named Simitian as a member of the &amp;ldquo;Scientific American 50&amp;rdquo; in 2003 in the &amp;ldquo;Privacy &amp;amp; Security&amp;rdquo; category for his work on California&amp;rsquo;s existing legislation (AB 700).&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.californiachronicle.com/articles/view/123684"&gt;California Chronicle&lt;/a&gt; quoted Simitan as saying &amp;ldquo;I&amp;rsquo;m surprised as well as disappointed by the Governor&amp;rsquo;s veto.&amp;nbsp;There was no opposition to the bill in its final form. This was a common sense step to help consumers.&amp;rdquo;&lt;br /&gt;
&lt;br /&gt;
As a refresher, SB 20 would have accomplished two major goals. First, SB 20 would have required that the notification letters sent to victims &amp;ldquo;contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Second, SB 20 would also have required that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General&amp;rsquo;s office.&lt;/p&gt;
&lt;p&gt;While the basis for the Governor's veto of &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt; was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/BIzKAfRITHw" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/BIzKAfRITHw/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/proposed-law/californias-proposed-strengthened-data-privacy-law-terminated/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">20</category><category domain="http://dataprivacy.foxrothschild.com/tags">Breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Data</category><category domain="http://dataprivacy.foxrothschild.com/tags">Joe</category><category domain="http://dataprivacy.foxrothschild.com/tags">Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy"</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">Protection</category><category domain="http://dataprivacy.foxrothschild.com/tags">SB</category><category domain="http://dataprivacy.foxrothschild.com/tags">Schwarzenegger</category><category domain="http://dataprivacy.foxrothschild.com/tags">Simitian</category><category domain="http://dataprivacy.foxrothschild.com/tags">california</category>
         <pubDate>Tue, 13 Oct 2009 07:37:34 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/proposed-law/californias-proposed-strengthened-data-privacy-law-terminated/</feedburner:origLink></item>
            <item>
         <title>Proposed California Data Breach Law Could Create a Clearinghouse</title>
         <description>&lt;p&gt;We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law.  We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.&lt;/p&gt;
&lt;p&gt;President Obama&amp;rsquo;s administration may be disappointing many privacy experts to date, but California&amp;rsquo;s Governator now has an opportunity to make some major strides.&lt;/p&gt;
&lt;p&gt;California&amp;rsquo;s State Legislature approved &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt;, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would &amp;ldquo;strengthen and update &lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;California&amp;acute;s landmark privacy protection law&lt;/a&gt;.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.&lt;/p&gt;
&lt;p&gt;The existing legislation, originally authored by Simitian, requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected.  Simitian&amp;rsquo;s office proudly and accurately states that California&amp;rsquo;s law has been widely praised, and more than 40 states have adopted similar legislation.&lt;/p&gt;
&lt;p&gt;At its heart, SB 20 accomplishes two major goals.  First, SB 20 would require that the notification letters sent to victims &amp;ldquo;contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Second, SB 20 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General&amp;rsquo;s office.  This second provision is where there is now a potential for a clearinghouse.  In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected.  Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens.  It is also conceivable that the Attorney General&amp;rsquo;s office would post information regarding these reported data breaches on its web site in an easily accessible manner.&lt;/p&gt;
&lt;p&gt;While the proposed revision to California&amp;rsquo;s data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon.  In any event, as more states consider and require such reporting requirements, at the very least there may come into existence a patchwork of clearinghouses.  Even such a patchwork has the potential to be better than the current systems.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/a7wx2H6fP24" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/a7wx2H6fP24/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Joe Simitian</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy"</category><category domain="http://dataprivacy.foxrothschild.com/tags">SB 20</category><category domain="http://dataprivacy.foxrothschild.com/tags">california</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Fri, 11 Sep 2009 17:28:10 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/</feedburner:origLink></item>
            <item>
         <title>Identity Theft Regulations in Massachusetts May Get Small Business Friendly</title>
         <description>&lt;p&gt;The &lt;a href="http://www.mass.gov/consumer) announced (http://www.mass.gov/?pageID=ocapressrelease&amp;amp;L=1&amp;amp;L0=Home&amp;amp;sid=Eoca&amp;amp;b=pressrelease&amp;amp;f=20090817_idtheftregs&amp;amp;csid=Eoca"&gt;Office of Consumer Affairs and Business Regulations (OCABR)&lt;/a&gt; proposed revisions to the Massachusetts&amp;rsquo; identity theft regulations, which would take effect on March 1, 2010.&lt;/p&gt;
&lt;p&gt;The proposed regulations can be found &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf"&gt;here&lt;/a&gt; (PDF).&amp;nbsp; A comparison, or redline, of the proposed regulations to the current regulations can be found &lt;a href="http://dataprivacy.foxrothschild.com/uploads/file/STANDARDS_FOR_THE_PROTECTION_OF_PERSONAL_INFORMATION.DOC"&gt;here&lt;/a&gt; (.DOC).&amp;nbsp;  Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf"&gt;here&lt;/a&gt; (PDF), and they are certainly worth a read.&lt;/p&gt;
&lt;p&gt;Citing a desire to undertake data security as &amp;ldquo;a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,&amp;rdquo; the OCABR emphasized that a business should assess the size and nature of the business, the kinds of records maintained and the risk of the business as an identity theft target when deciding its policies and procedures to handle personal information.&lt;/p&gt;
&lt;p&gt;Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&amp;bull;	As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law).  This approach is friendlier to small businesses and does not place the same burdens on travel agencies (collecting little personal information) that may be placed on wealth managers (collecting significant amounts of personal information). &lt;br /&gt;
&amp;bull;	Many provisions that are currently required under a written information security program have been removed (and would be for guidance purposes moving forward). &lt;br /&gt;
&amp;bull;	The encryption requirement under the current regulation has been tailored to be technology-neutral, and technical feasibility has been applied to all computer security requirements. Businesses must still use reasonable means where they are available.&lt;br /&gt;
&amp;bull;	The third-party vendor requirements have been changed to be consistent with federal law.&lt;/p&gt;
&lt;p&gt;One aspect that has NOT been proposed to be changed, and the one aspect of Massachusetts&amp;rsquo; cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is that all means of storing personal information must be encrypted.  This includes hard drives, thumb drives, backup tapes and any other method of electronic storage.  Although this encryption requirement is almost certainly the direction most states are headed, it is almost unknown outside of the &amp;ldquo;privacy community.&amp;rdquo;  As with most laws, ignorance of the requirement is not a defense.&lt;/p&gt;
&lt;p&gt;Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day.  We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/EiN4YkqEeH8" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/EiN4YkqEeH8/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/08/articles/proposed-law/identity-theft-regulations-in-massachusetts-may-get-small-business-friendly/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">201 CMR 17.00</category><category domain="http://dataprivacy.foxrothschild.com/tags">ID theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">Office of Consumer Affairs and Business Regulations (OCABR)</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH</category><category domain="http://dataprivacy.foxrothschild.com/tags">identity theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">massachusetts</category>
         <pubDate>Tue, 18 Aug 2009 07:34:09 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/08/articles/proposed-law/identity-theft-regulations-in-massachusetts-may-get-small-business-friendly/</feedburner:origLink></item>
            <item>
         <title>The Information Security and Privacy Advisory Board Issues Federal Privacy Recommendations</title>
         <description>&lt;p&gt;&lt;a href="http://csrc.nist.gov/groups/SMA/ispab/index.html"&gt;The Information Security and Privacy Advisory Board&lt;/a&gt; (the &amp;ldquo;Board&amp;rdquo;), known from the late 1980&amp;rsquo;s until 2002 as the Computer System Security and Privacy Advisory Board, has released its expected report with recommendations on updating privacy law and policy in light of technological advancements.&lt;span style=""&gt;&amp;nbsp; &lt;/span&gt;The Board&amp;rsquo;s report, titled &amp;ldquo;&lt;a href="http://www.securityprivacyandthelaw.com/uploads/file/ispab-report-may2009.pdf"&gt;Toward a 21&lt;sup&gt;st&lt;/sup&gt; Century Framework for Federal Government Privacy Policy&lt;/a&gt;,&amp;rdquo; (PDF), makes several recommendations at the federal government level to address longstanding deficiencies in current practices, as follows:&lt;/p&gt;
&lt;ul type="disc" style="margin-top: 0in;"&gt;
    &lt;li style="" class="MsoNormal"&gt;Amendments to the &lt;a href="http://epic.org/privacy/laws/privacy_act.html"&gt;Privacy Act of 1974&lt;/a&gt;      and Section 208 of the &lt;a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&amp;amp;docid=f:publ347.107.pdf"&gt;E-Government      Act of 2002&lt;/a&gt; are needed to:
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;Improve Government       privacy notices&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Update the definition of System       of Records to cover relational and distributed systems based on government       use, not holding, of records&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Clearly cover commercial       data sources under both the Privacy Act and the E-Government Act&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li style="" class="MsoNormal"&gt;Government leadership on      privacy must be improved
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should hire a full&lt;span style="font-family: Cambria;"&gt;‐&lt;/span&gt;time Chief Privacy Officer with       resources&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Privacy Act Guidance from       OMB must be regularly updated&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Chief Privacy Officers       should be hired at all &amp;ldquo;CFO agencies&amp;rdquo;&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;A Chief Privacy Officers&amp;rsquo;       Council should be developed&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li style="" class="MsoNormal"&gt;Other changes in privacy      policy are necessary
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should update the       federal government&amp;rsquo;s cookie policy&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should issue privacy       guidance on agency use of location information&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should work with &lt;a href="http://www.us-cert.gov/"&gt;US-CERT&lt;/a&gt; to create interagency information       on data loss across the government&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;There should be public       reporting on use of Social Security Numbers&lt;o:p&gt;&lt;/o:p&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Citing a lack of leadership from Congress, the failure to update federal laws and regulations, and the breakneck speed of technological evolution, the Board appeared critical that &amp;ldquo;only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Whether this report will be the catalyst of sweeping privacy reform from the Obama administration that many have expected remains to be seen.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/3YlXH3m3FWc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/3YlXH3m3FWc/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/the-information-security-and-privacy-advisory-board-issues-federal-privacy-recommendations/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">E-Government Act of 2002</category><category domain="http://dataprivacy.foxrothschild.com/tags">Information Security and Privacy Advisory Board</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy Act of 1974</category><category domain="http://dataprivacy.foxrothschild.com/tags">Toward a 21st Century Framework for Federal Government Privacy Policy</category><category domain="http://dataprivacy.foxrothschild.com/tags">privacy law</category>
         <pubDate>Tue, 28 Jul 2009 18:02:23 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/the-information-security-and-privacy-advisory-board-issues-federal-privacy-recommendations/</feedburner:origLink></item>
            <item>
         <title>PCI Security Standards Council Issues Guidelines</title>
         <description>&lt;p&gt;The Payment Card Industry Security Standards Council, which administers the PCI standards, has issued guidelines for applying its protocols to wireless technology. These Guidelines will help merchants incorporate wireless networking equipment without compromising data security. The Guidelines consist of nine requirements that provide guidance for testing and deploying wireless networks. Specifically, the Guidelines will help merchants to understand methods to secure their wireless networks. In addition, the Council formed a special interest group to develop recommendations for businesses to increase wireless security and reduce the potential for hackers to access wireless networks.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/iV3b_9gECEY" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/iV3b_9gECEY/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/07/articles/pci-1/pci-security-standards-council-issues-guidelines/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">PCI</category><category domain="http://dataprivacy.foxrothschild.com/tags">PCI standards</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry Security Counsil</category><category domain="http://dataprivacy.foxrothschild.com/tags">wireless guidelines</category><category domain="http://dataprivacy.foxrothschild.com/tags">wireless networks</category>
         <pubDate>Thu, 23 Jul 2009 08:51:58 -0500</pubDate>
         <dc:creator>Amy C. Purcell</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/07/articles/pci-1/pci-security-standards-council-issues-guidelines/</feedburner:origLink></item>
            <item>
         <title>Payment Card Industry Data Security Standard Comes to Nevada</title>
         <description>&lt;p&gt;Minnesota made waves in 2007 when it became the first state to make part the Payment Card Industry (&amp;ldquo;PCI&amp;rdquo;) Data Security Standard applicable to its &lt;a href="http://wdoc.house.leg.state.mn.us/leg/LS85/HF1758.3.pdf"&gt;Plastic Card Security Act&lt;/a&gt;  ( PDF Link).  Although it has taken over two years, Nevada has become the second state to incorporate PCI and it has done so by making all of the PCI standard applicable.&lt;/p&gt;
&lt;p&gt;Nevada&amp;rsquo;s existing &lt;a href="http://www.leg.state.nv.us/Nrs/NRS-603A.html"&gt;Security of Personal Information law&lt;/a&gt; now requires that affected parties comply with PCI as a whole.  Unfortunately, the &lt;a href="https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf"&gt;Nevada amendment&lt;/a&gt; (PDF link) does not get off to a good start, requiring compliance deadlines that do not exist under the PCI standard, but are (in actuality) created independently by the card issuers.  Amending the existing &lt;a href="http://www.leg.state.nv.us/Nrs/NRS-603A.html"&gt;Security of Personal Information law&lt;/a&gt;, the amendment (PDF link) requires that each affected party meet the following standard:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The effect of the amendment itself is quite interesting.  First, the amendment creates statutory authority for required compliance with the PCI standard, where before this requirement (as applied to merchants) existed only through contractual relationships.  This will be academic for many merchants already complying, but it does go a long way to closing the existing gap whereby the PCI standard applied to merchants only because of contractual obligations with those parties directly affected.&lt;/p&gt;
&lt;p&gt;Second, the amendment proposes a standard that creates some interesting outcomes.  This safeguard provides that &amp;ldquo;[a] data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.&amp;rdquo;  Previously, an affected party would have recourse under various theories of law, with varying (and often undefined) standards of care or duty.  Arguably, absent gross negligence or willful misconduct, an otherwise PCI-compliant merchant that experiences a data loss may escape liability in Nevada.&lt;/p&gt;
&lt;p&gt;It is also likely that a savvy litigator will argue that the standards created in existing contractual relationships should be replaced with the statutory standard.  Whether such an argument would prevail remains to be seen, but it is likely to be tested sooner than later.&lt;/p&gt;
&lt;p&gt;Notwithstanding the inexplicable compliance deadline error, the Nevada amendment blazes the way for other states to incorporate the PCI standard into their existing and new laws.  With the addition of the safe harbor set forth by Nevada, these laws may be a welcome addition to merchants that are PCI-compliant but experience a data loss.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/OeBfDPRAPgU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/OeBfDPRAPgU/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/payment-card-industry-data-security-standard-comes-to-nevada/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Nevada</category><category domain="http://dataprivacy.foxrothschild.com/articles">PCI</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry Data Security Standard</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category>
         <pubDate>Wed, 01 Jul 2009 12:07:18 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/payment-card-industry-data-security-standard-comes-to-nevada/</feedburner:origLink></item>
            <item>
         <title>TJX Reaches Settlement In Data Security Breach Investigation</title>
         <description>&lt;div&gt;&lt;font face="Arial" size="2"&gt;&lt;span class="573284821-24062009"&gt;TJX agreed to pay $9.75 million to&amp;nbsp;forty-one states to settle an investigation of a data breach that it reported in January 2007.&amp;nbsp; $2.5 million of the settlement amount will&amp;nbsp;be used to create a data security fund for those states whose residents were affected by the data breach.&amp;nbsp; TJX will pay $7.25 million in settlement and investigation costs.&amp;nbsp; The settlement&amp;nbsp;requires&amp;nbsp;TJX, among other items,&amp;nbsp;to take&amp;nbsp;specific steps to tighten data security and to provide notice to consumers within ten&amp;nbsp;days in the event of another data security breach.&amp;nbsp; The settlement also allows state governments to monitor TJX's data security efforts for three years.&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;font face="Arial" size="2"&gt;&lt;span class="573284821-24062009"&gt;TJX&amp;nbsp;continues to emphasize&amp;nbsp;that it &amp;quot;firmly believes it did not violate any consumer protection or data security laws.&amp;quot;&amp;nbsp; TJX's chief financial officer, Jeffrey Naylor, stated that the settlement will allow TJX and state attorneys general to take &amp;quot;leadership roles in exploring new technologies and approaches to solving systematic problems in the U.S. payment card industry.&amp;quot;&amp;nbsp; &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;font face="Arial" size="2"&gt;&lt;span class="573284821-24062009"&gt;TJX reported that eleven people were arrested on hacking charges, two people pleaded guilty to hacking charges and two people have pleaded guilty to related charges in connection with the data security breach.&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/RLEmXatEWrU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/RLEmXatEWrU/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/tjx-reaches-settlement-in-data-security-breach-investigation/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Regulatory Enforcement and Litigation</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJ Maxx</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJX</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security</category><category domain="http://dataprivacy.foxrothschild.com/tags">settlement</category><category domain="http://dataprivacy.foxrothschild.com/tags">state attorney general</category>
         <pubDate>Wed, 24 Jun 2009 18:09:04 -0500</pubDate>
         <dc:creator>Amy C. Purcell</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/tjx-reaches-settlement-in-data-security-breach-investigation/</feedburner:origLink></item>
            <item>
         <title>Eleventh Circuit Court of Appeals Rejects Veterans' Claims For Damages</title>
         <description>&lt;p&gt;On June 17, 2009, the Eleventh Circuit Court of Appeals affirmed the decision of the United States District Court for the District of Alabama and held that veterans were not entitled to damages as a result of data security breach.&lt;/p&gt;
&lt;p&gt;In February 2007, the Department of Veterans Affairs announced that a computer hard drive, which contained the unencrypted names, social security numbers, birth dates and healthcare files for more than 198,000 living veterans, was missing. Veterans instituted a lawsuit against the VA and claimed that the &amp;quot;stress caused by their fear of identity theft&amp;quot; and &amp;quot;from their loss of trust in the VA&amp;quot; aggravated certain of their medical conditions. The district court granted the VA's motion for summary judgment and dismissed the veterans' claims. The Eleventh Circuit upheld the district court's decision and stated that the veterans were not entitled to monetary damages because they failed to prove &amp;quot;actual damages&amp;quot; or &amp;quot;pecuniary losses&amp;quot;. The Eleventh Circuit did, however, remand the case to the district court to order the VA to take certain steps to avoid similar incidents in the future.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/y9MCx5blBCg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/y9MCx5blBCg/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/eleventh-circuit-court-of-appeals-rejects-veterans-claims-for-damages/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Department of Veterans Affairs</category><category domain="http://dataprivacy.foxrothschild.com/articles">Regulatory Enforcement and Litigation</category><category domain="http://dataprivacy.foxrothschild.com/tags">VA</category><category domain="http://dataprivacy.foxrothschild.com/tags">actual damages</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security</category><category domain="http://dataprivacy.foxrothschild.com/tags">hard drive</category><category domain="http://dataprivacy.foxrothschild.com/tags">identity theft</category>
         <pubDate>Fri, 19 Jun 2009 10:20:53 -0500</pubDate>
         <dc:creator>Amy C. Purcell</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/eleventh-circuit-court-of-appeals-rejects-veterans-claims-for-damages/</feedburner:origLink></item>
            <item>
         <title>Data Breach Sharing Website Started</title>
         <description>&lt;p&gt;The risk management technology company, Intersections Inc., and the Identity Theft Assistance Center launched &lt;a href="http://www.Breachcenter.com"&gt;www.Breachcenter.com&lt;/a&gt; today.&amp;nbsp; Breachcenter.com is a website where companies that have suffered data breaches can share their experiences. Instead of focusing on the &amp;quot;technical aspects of breach recovery&amp;quot; or &amp;quot;breach prevention&amp;quot;, Breachcenter.com focuses on the &amp;quot;human side&amp;quot; of responding to a data breach. Breachcenter.com serves as a &amp;quot;community-fueled knowledge base&amp;quot; that includes practical information&amp;nbsp;about how to&amp;nbsp;respond&amp;nbsp;to a&amp;nbsp;data breach, including legal obligations to notify consumers who may be affected by the breach.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/Ol7yf84SdXg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/Ol7yf84SdXg/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/06/articles/data-security-breach-response/data-breach-sharing-website-started/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Breachcenter.com</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Security Breach Response</category><category domain="http://dataprivacy.foxrothschild.com/tags">Identity Theft Assistance Center</category><category domain="http://dataprivacy.foxrothschild.com/tags">Intersections Inc.</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach sharing site</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security</category><category domain="http://dataprivacy.foxrothschild.com/tags">risk management technology</category>
         <pubDate>Tue, 09 Jun 2009 09:20:13 -0500</pubDate>
         <dc:creator>Amy C. Purcell</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/06/articles/data-security-breach-response/data-breach-sharing-website-started/</feedburner:origLink></item>
            <item>
         <title>Data Governance Resource - From the IT Perspective</title>
         <description>&lt;p&gt;Microsoft recently announced its new &lt;a href="http://www.microsoft.com/mscorp/twc/privacy/datagovernance/default.mspx"&gt;Trustworthy Computing: Data Governance&lt;/a&gt; web site at &lt;a href="https://www.msteched.com/teched/default.aspx"&gt;Tech&amp;bull;Ed&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;According to Microsoft, it is promoting data governance because:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&lt;br /&gt;
&amp;ldquo;Growing public concerns about abuses of consumers&amp;rsquo; personal information threatens to curtail the growth of online commerce and services. Data Governance directly addresses these concerns.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Data Governance can reduce an organization&amp;rsquo;s IT costs and improve its control over its information, which increases data security and privacy and improves responses to changing compliance requirements.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Conversely, poor Data Governance raises the risks of data breaches, including identity theft and fraud, which can erode trust in an organization, trigger financial or legal penalties, or reduce confidence among employees, customers, and investors.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Although the Data Governance web site is intended as a reference for software and application developers, it is also a useful reference for anyone responsible for the integrity, security, storage and sharing of data that contains personal information.&lt;/p&gt;
&lt;p&gt;Among other things, the Data Governance web site is a resource for developing data policies, complying with regulatory and best-practice requirements, and establishing data retention periods.&lt;/p&gt;
&lt;p&gt;Consistent with what a growing number of state statutes now require, Microsoft is promoting the development and implementation of data policies and action plans.&lt;/p&gt;
&lt;p&gt;Although the materials are helpful, they are framed more as what to do than how to do it.  Microsoft does, however, publish its own &lt;a href="http://download.microsoft.com/download/0/8/2/082448D8-2AED-45BC-A9A0-094840E9E3A2/Microsoft_and%20Privacy_guidelines_for_developers.doc"&gt;standard privacy guidelines&lt;/a&gt;, as well as an &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=BD930882-0D39-4900-9A79-B91F213ED15D&amp;amp;displaylang=en"&gt;IT Compliance Management Guide&lt;/a&gt;.  Although these materials were prepared for Microsoft's own use and will not apply directly to most other businesses, they are good examples for anyone wanting to get a flavor for these types of documents.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/B10yqCGeVrU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/B10yqCGeVrU/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/data-governance-resource-from-the-it-perspective/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">IT Compliance Management Guide</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Trustworthy Computing: Data Governance</category><category domain="http://dataprivacy.foxrothschild.com/tags">data management</category><category domain="http://dataprivacy.foxrothschild.com/tags">data storage</category><category domain="http://dataprivacy.foxrothschild.com/tags">microsoft</category>
         <pubDate>Fri, 29 May 2009 15:47:06 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/data-governance-resource-from-the-it-perspective/</feedburner:origLink></item>
            <item>
         <title>European Commission Takes Action on RFID Tags</title>
         <description>&lt;p&gt;The &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Rfid"&gt;RFID (radio frequency identification)&lt;/a&gt; camps are many and varied throughout the world. Privacy proponents are calling the security risks from RFID technology monumental and ripe for data and identity theft. The federal government has decided that when coupled with pin codes and/or protective sleeves, RFID technology used in passports and passport cards is safe. The European Commission has said it believes that RFID technology can be safe, provided its new recommendations are followed.&lt;/p&gt;
&lt;p&gt;On Tuesday, May 12, 2009, the European Commission adopted a set of recommendations, hoping to ensure that companies involved in the design or operation of RFID products respect the individual's fundamental right to privacy and data protection, contained in the charter of fundamental rights of the European Union. The recommendations can be read &lt;a target="_blank" href="http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf"&gt;in full here&lt;/a&gt; (pdf link).&lt;/p&gt;
&lt;p&gt;Member States of the European Union are required to report back in two years regarding the steps taken to conform to the recommendations, and the Commission will publish a report within three years on its impact assessment and the success of implementation to date.&lt;/p&gt;
&lt;p&gt;The recommendations require that all operators in the European Union, regardless of whether those operators are subject to other obligations under &lt;a target="_blank" href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT"&gt;The EU Data Protection Directive 95/46/EC&lt;/a&gt;, comply with the steps set forth in the recommendations. The following are some of the more significant recommendations:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments.&lt;/li&gt;
    &lt;li&gt;Member States should support the Commission in identifying those applications that might raise information security threats with implications for the general public. For such applications, Member States should ensure that operators, together with national competent authorities and civil society organisations, develop new schemes, or apply existing schemes, such as certification or operator self-assessment, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.&lt;/li&gt;
&lt;/ul&gt;&lt;ul&gt;
    &lt;li&gt;Without prejudice to the obligations of data controllers, in accordance with Directives 95/46/EC and 2002/58/EC, Member States should ensure that operators develop and publish a concise, accurate and easy to understand information policy for each of their applications. The policy should at least include: (a) the identity and address of the operators, (b) the purpose of the application, (c) what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored, (d) a summary of the privacy and data protection impact assessment, (e) the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.&lt;/li&gt;
    &lt;li&gt;Member States should ensure that operators take steps to inform individuals of the presence of readers on the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders. The sign should include the identity of the operator and a point of contact for individuals to obtain the information policy for the application.&lt;/li&gt;
    &lt;li&gt;On the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders, operators should inform individuals of the presence of tags that are placed on or embedded in products.&lt;/li&gt;
    &lt;li&gt;When conducting the privacy and data protection impact assessment as referred to in points 4 and 5, the operator of an application should specifically determine whether tags placed on or embedded in products sold to consumers through retailers who are not operators of that application represent a likely threat to privacy or the protection of personal data.&lt;/li&gt;
    &lt;li&gt;Retailers should deactivate or remove at the point of sale tags used in their application unless consumers, after being informed of the policy referred to in point 7, give their consent to keep tags operational. Deactivation of the tags should be understood as any process that stops those interactions of a tag with its environment which do not require the active involvement of the consumer. Deactivation or removal of tags by the retailer should be done immediately and free-of-charge for the consumer. Consumers should be able to verify that the deactivation or removal is effective. (Not applicable if the privacy and data protection impact assessment concludes that tags that are used in a retail application and would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data. Nevertheless, retailers should make available free-of-charge an easy means to, immediately or at a later stage, deactivate or remove these tags.)&lt;/li&gt;
    &lt;li&gt;Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.&lt;/li&gt;
    &lt;li&gt;Member States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to inform and raise awareness among public authorities and companies, in particular SMEs, of the potential benefits and risks associated with the use of RFID technology. Specific attention should be given to information security and privacy aspects.&lt;/li&gt;
    &lt;li&gt;Member States should cooperate with industry, relevant civil society stakeholders and the Commission to stimulate and support the introduction of the &amp;lsquo;security and privacy by design&amp;rsquo; principle at an early stage in the development of RFID applications.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;em&gt;Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or &lt;a href="mailto:mmccreary@foxrothschild.com"&gt;mmccreary@foxrothschild.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/mEH0-JxjNcI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/mEH0-JxjNcI/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/rfid/european-commission-takes-action-on-rfid-tags/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">EU Data Protection Directive 95/46/EC</category><category domain="http://dataprivacy.foxrothschild.com/tags">European Commission</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">RFID</category><category domain="http://dataprivacy.foxrothschild.com/tags">RFID (radio frequency identification) Directives 95/46/EC and 2002/58/EC</category><category domain="http://dataprivacy.foxrothschild.com/tags">RFID Directives</category>
         <pubDate>Thu, 14 May 2009 10:58:21 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/rfid/european-commission-takes-action-on-rfid-tags/</feedburner:origLink></item>
            <item>
         <title>Federal Circuit Court Of Appeals Rules That TJX Litigation May Proceed On State Law Claims</title>
         <description>&lt;p&gt;The First Circuit Court of Appeals has ruled that, by accepting credit cards for payment, retailer TJX and its processing bank, Fifth Third, could have negligently misrepresented to credit and debit card issuers that their data security practices were in compliance with the security protocols established by VISA and MasterCard operating regulations. The First Circuit also ruled that, based on either on the issuers' claim of negligent misrepresentation or a possible violation of Section 5 of the Federal Trade Commission Act, TJX and Fifth Third could have engaged in deceptive practices in violation of Chapter 93A of Massachusetts General Law. While Chapter 93A may require egregious conduct, systemic recklessness, as distinct from deliberate wrongdoing or self-benefit, may be sufficient to sustain a claim.&lt;/p&gt;
&lt;p&gt;After a security breach in 2005, in which computer hackers gained access to TJX's wireless network and compromised the security of more than 45 million customer accounts, credit and debit card issuers filed suit against TJX and Fifth Third to recover losses they sustained as a result of fraudulent use of cardholder information.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/e80O5VkAYUc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/e80O5VkAYUc/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/regulatory-enforcement-and-lit/federal-circuit-court-of-appeals-rules-that-tjx-litigation-may-proceed-on-state-law-claims/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Fifth Third</category><category domain="http://dataprivacy.foxrothschild.com/tags">MasterCard</category><category domain="http://dataprivacy.foxrothschild.com/articles">Regulatory Enforcement and Litigation</category><category domain="http://dataprivacy.foxrothschild.com/tags">Section 5 of the Federal Trade Commission Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJX</category><category domain="http://dataprivacy.foxrothschild.com/tags">VISA</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">deceptive practices</category><category domain="http://dataprivacy.foxrothschild.com/tags">negligent misrepresentation</category>
         <pubDate>Wed, 13 May 2009 09:19:45 -0500</pubDate>
         <dc:creator>Scott L. Vernick</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/regulatory-enforcement-and-lit/federal-circuit-court-of-appeals-rules-that-tjx-litigation-may-proceed-on-state-law-claims/</feedburner:origLink></item>
      
   </channel>
</rss>
