Announcement from European Commission on Comprehensive Data Protection Reform Coming Wednesday

Despite suggestions that the European Commission proposal for a comprehensive reform of EU data protection rules would be delayed until the Spring, an announcement is scheduled for this Wednesday, January 25 at 12:30 PM CET (6:30 AM EST).  The press conference with Viviane Reding, Vice-President of the European Commission in charge of Justice will be live streamed here.

It appears that the requirement for notice within 24 hours of a data security breach will be part of the proposal, despite objections, based on experience with the 49 breach notification laws in U.S. jurisdictions, that it is often impossible to assess a breach, much less notify, within such a short time period.  Also, the potential financial penalty of up to 5% of an entity's worldwide turnover for violations of the privacy regulation was a subject of enormous controversy when the draft leaked; it now appears that the upper limit of the financial penalty will be 2%, which is still a very significant amount.

In a speech on Saturday to the Digital Life Design conference in Munich, Ms. Reding previewed what the Commission's proposals will include.  (A link to a video of her speech is here.) 

Some excerpts, as reported by the Wall Street Journal Tech Europe blog.  Here, Ms. Reding speaks of the change from a directive to a regulation:

A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the member state in which the company has its main establishment. It will not matter anymore which data protection authority deals with a case. All data protection authorities in whatever EU country will have the same adequate tools and powers to enforce EU-law.

On international data transfers:

It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America.

In the Internet age, data protection laws need to take account of this global dimension. If they only focus on the activities of a company within a given country, they will not reflect reality.

I therefore want to improve the current system of binding corporate rules to make these exchanges less burdensome and more secure.

On individual control of data:

First, people need to be informed about the processing of their data in simple and clear language. Internet users must be told which data is collected, for what purposes and how long it will be stored. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated.

Second, whenever users give their agreement to the processing of their data, it has to be meaningful. In short, people’s consent needs to be specific and given explicitly.

Thirdly, the reform will give individuals better control over their own data. I will include easier access to one’s own data in the new rules. People must be able to easily take their data to another provider or have it deleted if they no longer want it to be used.

And on the right to be forgotten:

The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.

The announcement from the European Commission comes as the world marks Data Privacy Day.  For its part, the Commission produced this video, which focuses on an individual's responsibility to keep certain life details private in light of the harm to a career that can result from sharing too much information.

California Attorney General Launches On-line Breach Reporting Form

The California Attorney General recently launched an on-line form for businesses to report breaches of security. Effective January 1 of this year, any person or business that issues a breach notification to more than 500 California residents as a result of a single breach is required under the California breach law (California Civil Code s. 1798.29(a) and California Civil Code s. 1798.82(a)) to submit notice of the breach to the California Attorney General. The form requires businesses to upload a copy of a sample breach notification and to submit additional information related to the breach, including:

  • The date of the breach;
  • The date notice was provided to affected individuals;
  • The type of personal information involved; and
  • The type of breach.

In addition to the on-line reporting form, the new site also includes a section where residents can view a listing of all breaches that have been submitted to the Attorney General’s office.

District Court Dismisses Most Claims Related to Heartland Data Breach

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

A federal judge dismissed all but one of the claims (PDF) brought against Heartland Payment Systems, a payment card processor, in a class action lawsuit stemming from a breach of Heartland’s computer systems, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The plaintiffs of the class action lawsuit, nine financial institutions that issued payment cards to consumers affected by the breach, balked at Heartland’s settlement offers and instead sought relief from the court, alleging breach of contract, negligence, misrepresentation, and violations of several states’ consumer-protection statutes. Only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.

As early as December 2007, a ring of hackers, led by notorious cyber-criminal Albert Gonzalez, gained access to Heartland’s computer systems and installed programs that allowed them to obtain the payment-card information stored on those systems. The breach continued over the course of many months before Heartland discovered the rogue programs in January 2009, by which time the hackers had already obtained the payment-card information of approximately 130 million consumers.

As a result of the massive breach, one of the largest ever involving payment-card information, numerous lawsuits were filed against Heartland by both consumers whose payment-card information was compromised and financial institutions that issued payment cards to the affected consumers. Those lawsuits were consolidated and split into two tracks, one that addressed the claims of the consumers and one that addressed the claims of the financial institutions.

Heartland has settled the majority of the lawsuits stemming from the breach. Last year, Heartland settled the consumers’ claims, agreeing to pay up to $175 to each consumer to cover out-of-pocket expenses and charges incurred due to the breach and up to $10,000 to victims of identity theft resulting from the breach.  Heartland also agreed to settlements with the four major payment card brands and the financial institutions that utilize their networks to issue credit to consumers, agreeing to pay $3.6 million to American Express, $60 million to Visa, $41.1 million to MasterCard, and $5 million to Discover. However, the financial institutions were not bound by these settlements unless they chose to accept their terms. Although most financial institutions did so, some determined that the proposed settlements did not adequately cover their losses from the breach and instead elected to reject the settlements and litigate the matter.

The resulting litigation is an on-going class action lawsuit against Heartland. The financial institution plaintiffs alleged that the breach of Heartland’s computer systems resulted from Heartland’s failure to adequately safeguard its computer systems and caused the plaintiffs to incur significant expenses replacing credit and debit cards and reimbursing fraudulent transactions. The financial institution plaintiffs’ complaint (PDF) asserted claims for breach of contract and implied contract; negligence and negligence per se; negligent and intentional misrepresentation; and violations of the consumer-protection statutes in California, Colorado, Florida, Illinois, New Jersey, New York, Texas, and Washington. 

In a December 1, 2011 opinion, Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas granted Heartland’s motion to dismiss (PDF) with respect to all but one of the claims asserted by the financial institution plaintiffs. Judge Rosenthal dismissed the contract claims because the plaintiffs were: (1) not in a direct contractual relationship with Heartland; (2) not third-party beneficiaries of Heartland’s contracts with other banks; and (3) not entitled to consequential damages. He dismissed the negligence claims because the plaintiffs’ damages were solely economic in nature and thus barred by the economic loss doctrine. The consumer-protection claims were dismissed for various reasons, including that the plaintiffs were not “consumers” protected by the state statutes.

Heartland’s alleged violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) was the lone claim that survived Heartland’s motion to dismiss. Heartland argued in its motion to dismiss that the plaintiffs lacked standing to assert a claim under the FDUTPA because only consumers, as the word is traditionally used, may assert such claims. In denying Heartland’s motion to dismiss, Judge Rosenthal highlighted that in 2001 the Florida Legislature amended the statutory provision that creates a private right of action for violations of the FDUTPA to use the word “persons” instead of “consumers” when identifying who may bring a claim. To this point, he stated that the “Florida Legislature’s use of word ‘person’ in creating a private right of action suggests a broader reach than the word ‘consumer.’”

Although all of the plaintiffs’ other claims were dismissed, the court granted the plaintiffs leave to amend their claims for breach of contract and implied contract (but only in certain limited situations); express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California, Colorado, Illinois, and Texas consumer-protection statutes. However, the claims for negligence and violations of the consumer-protection statutes in New Jersey, New York, and Washington were dismissed with prejudice and without leave to amend. The plaintiffs must file the amended complaint by December 23, 2011.

California Amends its Data Breach Notification Law

A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents. Senate Bill 24 (“SB 24”) was signed on August 31, 2011 by California Governor Jerry Brown and will take effect January 1, 2012.  Since 2003, when California enacted the first-of-its-kind data breach notification law (Cal. Civ. Code §§ 1798.29 & 1798.82), California law has required any person, business or state agency that owns or licenses computerized data that includes certain personal information to notify individuals when there has been a breach of that information, but it did not specify what information the notification should contain.  California now joins the ranks of several other states whose data breach notification laws contain breach notification content mandates.

SB 24 requires all breach notifications to include the name and contact information of the notifying person or entity and a list of the types of personal information compromised, or reasonably believed to have been compromised. The notifying person or entity must also provide the toll-free telephone numbers and addresses of the three major credit reporting agencies – TransUnion, Equifax and Experian – if the breach exposed a Social Security number, driver’s license number, or California identification card number.   Notifications must also be written in “plain language” and provide a general description of the breach if this information has been determined.

If it is possible to determine at the time of the breach, the notification must provide the date of the breach, an estimated date of the breach, or a date range within which the breach occurred. Each notice should include the date of the notice. The notification must also state whether the notification was delayed because of a law enforcement investigation.  The law allows, but does not require, the person or business to provide information regarding what the person or business has done to protect individuals whose information has been breached and recommendations on how individuals can protect themselves.

Special requirements also apply to larger-scale breaches. The law requires any agency, person or business that notifies more than 500 California residents to submit a single sample copy of the notification - excluding any personally identifiable information - to the Attorney General. 

In addition, SB 24 provides that HIPAA covered entities following the HITECH Act breach notice requirements will be deemed in compliance with the SB 24 content requirements, but such entities will still have to comply with the Attorney General notice provision.

SB 24 follows recent proposals at the federal level to implement a nationwide data breach notification requirement. See our recent post here for more information.    

House Subcommittee Holds Hearing on Breach Notification Proposal

A House subcommittee held a hearing yesterday on the SAFE Data Act, a draft data security and breach notification bill that, among other things, would require businesses to minimize the amount of personal information they maintain about consumers and notify law enforcement within a very short time frame -- within 48 hours of discovering a breach. The draft legislation, which was presented by Rep. Mary Bono Mack (R-CA), is based upon a similar proposal that passed the House in 2009 but stalled in the Senate.

Rep. Bono Mack, the Chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, called the draft bill “an upgraded, 2.0 version of data-security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon, which put more than 100 million consumer accounts at risk.” The proposed legislation would:

  • Preempt the breach notification laws that have been passed in 46 states and the District of Columbia;
  • Require companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data (in accordance with regulations that would be issued by the FTC);
  • Require covered organizations to establish a data minimization plan providing for the elimination of consumers’ personal data that is no longer necessary for business purposes or other legal obligations;
  • Require the notification of law enforcement within 48 hours after discovery of a breach, unless the breach was an innocent or inadvertent breach unlikely to result in harm;
  • Require companies and other entities to notify the FTC and to begin notifying consumers 48 hours after completing an assessment of a breach (unless the assessment indicates that there is “no reasonable risk of fraud, identity theft, or other unlawful conduct” from the breach); and
  • Allow the FTC to issue regulations modifying the definition of “personal information.”  

These requirements would be enforced by the FTC and state attorneys general. The draft bill does not provide for a private right of action, and it specifically exempts from coverage entities subject to GLBA and HIPAA data security requirements. 

At yesterday’s hearing before the Subcommittee on Commerce, Manufacturing, and Trade—which also held a hearing on June 2 regarding the Sony and Epsilon breaches, as well as a general hearing on May 4 about the ongoing threat of data breaches to consumers—reactions to the Bono Mack proposal were mixed. FTC Commissioner Edith Ramirez, a witness at the hearing, expressed concern that the draft bill did not set a specific deadline for the risk assessment that a company must complete following a breach. “There ought to be some form of cutoff period to ensure that consumers receive appropriate notification,” Ramirez said.

One lawmaker criticized the draft bill’s data minimization requirements, noting that data about consumers may be retained for a long period of time for good reason, while others said the proposal went too far by giving the FTC authority to change the definition of personal information and by requiring notification when there is a “reasonable” risk of harm (instead of the narrower “significant” risk standard). 

If the draft legislation is formally introduced in the House—and Bono Mack has said she is hoping to move the bill through the chamber before the August recess—it will join a growing number of privacy and data security bills that have been introduced in Congress this year. Indeed, on the same day as the hearing on the Bono Mack proposal, Senators John Rockefeller and Mark Pryor introduced legislation that would also require companies to safeguard personal information and inform consumers in the event of a breach.  Separately on that day, Senators Al Franken and Richard Blumenthal introduced a bill that would require mobile device makers and app developers to obtain consumers’ express consent before collecting and sharing their location information.  

Short Guide to Responding to Data Security Breaches

The recent effective date for enforcement of the new HIPAA/HITECH data-security breach notification rules, and the continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.

The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.

Companies collect, maintain, use, and exchange vast amounts of personal data on employees, consumers and others. Unwanted release or exposure of personal information can violate privacy, lead to identity theft, and result in adverse publicity. Lawmakers, regulators, and advocates are increasingly focused on data security and breaches of it. Data security is becoming a risk-management priority at companies.

Still, breaches happen, even with the most careful precautions.

Effective handling of a data-security breach and legal compliance are best achieved with advance planning to ensure that a business's response is effective, efficient, and timely. The response will be easier if the business already knows which laws and contracts apply to its data and what its duties will be if its information is improperly disclosed or accessed.

Fundamentally, businesses should have a detailed written data security breach response plan that has been shared with those who will implement the response, because responding to a data security breach “on the fly” creates the potential for liability-creating mistakes.

What law applies to a data-security breach?

As most businesses know by now, starting in California in 2003, the law began to impose an obligation on those who hold data on persons to provide notice if there is a breach of its security. Forty-five states, Washington, DC, the Virgin Islands, and Puerto Rico have such laws currently, and federal rules govern disclosure of health-related personal information.

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) each has issued data breach notification rules. See this previous blog entry for details. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information. Enforcement of the HHS and FTC breach notification rules began last month, as described here.

The Federal Trade Commission, state attorneys general, and private plaintiffs have pursued companies that have experienced data-security breaches. Such investigations typically have focused not only on whether notice protocols were followed, but also on underlying data security. Under HITECH, the Department of Health and Human Services has enhanced power to investigate and enforce against data security deficiencies.

What actions should the business take promptly after a breach?

Contain the breach. As soon as the business becomes aware of a data breach it should take all necessary steps to limit further data loss and should investigate the incident. It should also determine whether to involve law enforcement and should limit traffic into the affected area until security officials or law enforcement investigate.

Convene a response team. Businesses should have a standing security breach response team that includes representatives from the office of the general counsel, information technology security, human resources, internal audit, and public communications. When a breach occurs, the response team should convene without delay. Team composition may vary, according to the type and location of the breach.

Analyze the breach. The business should record all information relevant to the breach; learn and evaluate the cause and effect of the incident; determine whether other systems are at serious risk of future breach; and consider engaging specialized consultants to capture relevant information and perform forensic analysis.

Determine timing requirements. Time is of the essence. The laws of many states prescribe time limits for notifying persons whose data was breached. Expedition is not just sensible; often it is legally mandated.

Collect information promptly. Information that should be gathered promptly includes the date, time, duration, and location of the breach; how the breach was discovered, by whom, and any known details about it; and information on compromised data, including a list of affected individuals by category, data fields, the number of records affected, and which if any data were encrypted.

What next steps should the business take?

Analyze legal implications of the breach. Legal analysis should include analysis of relevant business contracts for notification and other obligations; breach-notification requirements; and pertinent indemnification agreements. The states and countries potentially involved in the breach should be identified with reference to the location of persons and systems affected by the breach. Federal, state, and international statutes and regulations potentially triggered or violated by the breach, and their notification requirements, should be identified.

Contact law enforcement. Where appropriate, contact local or federal law enforcement agencies.

Contact insurance carrier. Review insurance pertinent to the breach; notify the insurance carrier in accordance with policy requirements.

What internal and external breach-related communications should the business make?

A wave of telephone calls, e-mails, and other inquiries should be expected when a breach is reported. Before occurrence of a breach, the business should have a plan for handling such inquiries. Actions to consider include selecting a mode of communication with the public (toll-free 1-800 numbers and/or e-mail address); selecting a mode of communication with interested parties; training and hiring staff for inquiry response, or outsourcing such activities; preparing a script; notifying credit-reporting agencies prior to providing notification to a large group of affected persons (or as required by applicable law); documenting inquiry responses; and preparing Frequently Asked Questions (“FAQs”) for potential online posting.

What should be in the business’s notification plan?

The business should develop a notification plan for affected persons, based on legal requirements and its contractual obligations. The content of notice to affected persons will be dictated by regulation or contract, and public relations considerations should be taken into account. Remember that notices to attorneys general or consumer protection authorities are required in some jurisdictions. Similarly, how notice is delivered (e.g. by mail, or e-mail if the recipient agreed in advance to such notification method) requires a legal determination. Generally, notice should include this information:

  • Description of what happened;
  • Type of protected data involved;
  • Actions the business has taken to protect data from further unauthorized access;
  • What the business will do to assist affected persons;
  • What affected persons can do to assist themselves;
  • Contact information for the business to respond to inquiries (a toll-free 1-800 number should be provided); and
  • Contact information for local and federal government authorities.

The business may elect to offer remediation services to assist affected persons after a breach, including credit monitoring services, identity-theft insurance, identity-theft information packets, and/or compensation for identity theft. A number of companies have elected to offer remediation services, although usually such services are not legally required.

What other post-breach actions are indicated?

Prepare for litigation. If litigation is threatened, preservation of relevant documents and information is vital.

Re-assess technology systems, physical and administrative security. The business should conduct an analysis of the breach to determine causes and should review access controls and procedures to ensure that weaknesses have been addressed and resolved.

Perform an assessment. Assess the business's operations to determine necessary revisions to data collection, retention, storage, and processing policies and procedures, so that further breaches are less likely to occur.

Evaluate the business’ response. After the business has responded to the breach, it should evaluate its response and implement changes to improve its effectiveness in preventing and responding to breaches.

Summary

  • Have a written post-breach response plan ready and tested before a breach happens.
  • Ensure that business officials know what role they will have when a breach happens.
  • Have a communications plan regarding breaches.
  • Know what regulations, statutes, and contracts cover post-breach obligations.
  • When a breach happens, act promptly to prevent further exposure of data.
  • Promptly find out what happened and preserve the evidence.
  • Involve technology and legal experts as needed.
  • Have draft notices that are ready to be customized with reference to the facts.
  • Contact law enforcement, credit reporting agencies, and the business's insurance carrier as appropriate.
  • Keep regulators informed, both when required by law and when merely sensible.
  • Provide timely notice; legal deadlines are strict.
  • Help affected individuals; their goodwill can forestall legal difficulties.
  • Update the breach response plan periodically.

North Carolina and Montana Data Breach Statutes Amendments Now in Effect

Recently-enacted amendments to the Montana and North Carolina data breach notifications go into effect today, October 1, 2009.

  • North Carolina. The amendment to North Carolina’s statute expands the state’s notification requirements to smaller breaches. Under the amended law, businesses and public agencies are required to notify the state attorney general every time a resident is notified. Prior to the amendment, notification to the state attorney general was necessary only if the breach affected more than 1,000 state residents. In addition, the amendment expands the required contents of any notice to residents.
  • Montana. The amendment to Montana’s data breach statute expands the state’s private-sector data breach notification statute to cover public-sector entities. State agencies that maintain computerized data containing personal information in a data system must make “reasonable efforts” to notify any person whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition, the modified law requires state agencies to develop procedures to protect Social Security numbers.

The amendments to the Montana and North Carolina laws exemplify the growing number of states strengthening their data breach notification laws.   It is likely that additional states will join the trend, so compliance will require monitoring amendments.

Draft Federal Legislation May Bring Changes to Data Breach Practices

On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act (“PDPSA”), which has been referred to the Senate Judiciary Committee.   The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama.  Among the provisions of the proposed law are mandated adoption and maintenance of a comprehensive information security program, a national data breach notification law, and regulation of data broker services.  Further, while the bill as currently drafted reflects many commonly accepted principles of data privacy and security underlying existing federal and state laws, it deviates from current laws and standards regarding data security and breach notification on several noteworthy points.  Although passage of this legislation during the current session of Congress is far from certain, the existing PDPSA draft may foreshadow future legislative and regulatory trends.

Federal Data Breach Notification Requirement including Federal Criminal Penalties and State

Title III, Subtitle B of the currently drafted PDPSA contains a data breach notification requirement in the event of unauthorized access (or reasonable belief that unauthorized access has occurred) to sensitive personally identifiable information (“SPII”) of any resident of the United States.  Notification may be provided in writing, by telephone, or via email (if the affected individual has consented to email notice).  In addition to standard provisions for notice to national credit reporting agencies and media outlets, the proposed law requires notification to the U.S. Secret Service within 14 days if the security breach involves:

  • the acquisition (or reasonably believed acquisition) of the SPII of more than 10,000 individuals by an unauthorized person;
  • a database or other system containing the SPII of more than 1,000,000 individuals;
  • a database owned by the federal government; or
  • the SPII of federal law enforcement or national security personnel.

Criminal Penalties for Concealment of a Security Breach

Under the current draft of PDPSA, knowing concealment of a security breach that results in economic damage to any person would be subject to criminal penalties including fines and imprisonment for up to 5 years.  See PDPSA § 102.  Notification may be exempted if a written certification that notification would damage national security or hinder a law enforcement investigation is transmitted to, reviewed by, and approved by the Secret Service.  While this provision appears to be intended to increase the number of reported breaches, the risk of criminal prosecution depends upon a showing of economic damage to an individual.  Historically, courts have found it quite difficult to trace economic harm to a specific data breach.  Nevertheless, the specter of criminal sanctions would be impossible to ignore. 

Encryption Safe Harbor

The draft legislation contains a safe harbor from the notification requirement if a risk assessment concludes that there is no significant risk of harm to individuals because the compromised data was encrypted or otherwise rendered indecipherable or inaccessible.  See PDPSA § 312(b).  Safe harbor risk assessments must be provided to the Secret Service within 45 days of discovery.  Covered entities may rely upon the risk assessment if the Secret Service has not informed the entity otherwise within 10 days thereafter.  This continues the trend of breach notification laws designed to encourage encryption of sensitive information, particularly on backup tapes, laptops, and other portable devices.  It should be noted that the proposed law explicitly includes access controls among the list of ways to render SPII inaccessible, which would be a noticeable evolution in breach notification law.  Ultimately, it would be left to the discretion of the Secret Service to determine whether any access controls were sufficiently secure to render the risk of public harm insignificant. 

Fraud Prevention Program Exemption

The draft PDPSA does not require notification for breaches that involve only credit card numbers or security codes if the covered entity participates in a fraud prevention program designed to block unauthorized transactions before they are charged to an individual’s account.  See PDPSA § 312(c).  However, if the breach involves any other form of SPII or credit card numbers combined with an individual’s name, entities are still obligated to provide appropriate notice.

Justice Department and State AGs Authorized to Pursue Civil Enforcement Actions

In addition to the criminal penalties discussed above, the United States Department of Justice and state Attorneys General would be authorized to bring civil enforcement actions for violations of the data breach notification rules.  See PDPSA §§ 317-318.  The draft PDPSA authorizes equitable relief and civil penalties of up to $1,000 per day per affected individual up to a maximum value of $1,000,000 per violation unless the violation is found to be willful or intentional.  Similar to the criminal penalties provision, this appears to be intended to increase the number of breaches that are reported to the public, as well as indirectly incentivize covered entities to harden security measures protecting SPII. 

Broad Preemption Clause

The provisions of the draft PDPSA expressly preempt all federal and state data breach laws.  See PDPSA § 319.  If passed into law, this clause would establish one uniform breach notification regime for all entities engaged in interstate commerce, superseding the existing patchwork of state notification laws as well as the federal health data breach notification requirements recently introduced by the HITECH Act.

Expansive Definition of Sensitive Personal Identifiable Information

The draft PDPSA contains a definition of SPII that is more expansive than existing data security and breach notification regimes.  SPII includes the following categories of data:

1. A financial account number or credit/debit card number with the associated security code or PIN.

2. A person’s first name and last name or first initial and last name combined with:

   a. a non-truncated Social Security Number or government identification number;

   b. unique biometric data;

   c. unique account identifier, electronic identification number, user name, or routing code combined with any associated security code or password required to obtain money, goods, services, or any other thing of value; or

   d. any two of

      i. home address or telephone number,

      ii. mother’s maiden name, and/or

      iii. month, day, and year of birth.

See PDPSA § 3(12).  Accordingly, the required data security program and data breach notification procedures would apply to a greater amount of information than current regulatory schemes.  For example, a table of user names and passwords maintained by a web merchant may be subject to a covered entity's information security program and breach notification requirements, which would ordinarily not be the case under current state and federal law.  This may be particularly true for merchants that allow customers to use email addresses as their user ID because many email addresses contain the first and last name or first initial and last name of the user.  Similarly, web merchants that allow users to select freeform user IDs may find that many customers use their actual names.
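As an added example (not from the original post), a small Python triage helper that encodes the § 3(12) definition above over constructed records and applies the Secret Service notice thresholds listed earlier. The Record fields, the name-in-login heuristic and the sample values are assumptions, not part of the bill.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    """One individual's fields in a compromised data set (constructed, hypothetical)."""
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    user_id: Optional[str] = None          # login name or email address
    ssn: Optional[str] = None              # as stored; may be truncated to last four digits
    biometric: bool = False
    credential: Optional[str] = None       # password or security code tied to user_id
    card_number: Optional[str] = None
    card_security_code: Optional[str] = None
    home_address: Optional[str] = None
    phone: Optional[str] = None
    mothers_maiden_name: Optional[str] = None
    dob: Optional[str] = None              # full month, day and year

# Assumed heuristic: a login such as "john.smith" or "j_smith@x.com" reveals the name.
_NAME_LIKE_ID = re.compile(r"^[a-z]+[._-][a-z]{2,}(@|$)", re.I)

def has_name(r: Record) -> bool:
    """Element 2 of the definition: first name or initial plus last name."""
    if r.first_name and r.last_name:
        return True
    return bool(r.user_id and _NAME_LIKE_ID.match(r.user_id))

def is_spii(r: Record) -> bool:
    """True if the record meets any category of PDPSA section 3(12) as quoted above."""
    if r.card_number and r.card_security_code:
        return True                       # 1: card/account number plus security code or PIN
    if not has_name(r):
        return False                      # categories 2a-2d all require a name
    if r.ssn and sum(c.isdigit() for c in r.ssn) == 9:
        return True                       # 2a: non-truncated SSN
    if r.biometric or (r.user_id and r.credential):
        return True                       # 2b: biometric; 2c: identifier plus password
    two_of = (bool(r.home_address or r.phone), bool(r.mothers_maiden_name), bool(r.dob))
    return sum(two_of) >= 2               # 2d: any two of the listed items

def secret_service_notice(records, system_size, federal_db=False, le_personnel=False):
    """14-day Secret Service notice trigger, using the thresholds listed earlier on the page."""
    affected = sum(1 for r in records if is_spii(r))
    return affected > 10_000 or system_size > 1_000_000 or federal_db or le_personnel
```

Note that a user name like "jsmith" with a password is deliberately not flagged: the heuristic cannot tell a name from an arbitrary login, so such tables still need human review.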

Tips on Dealing with the Aftermath of a Data Breach

Data security breaches remain a major risk for any company or entity that handles personal information.  The costs of a breach and harm to reputation can be significant.

At the IAPP Privacy Academy in Boston on September 18, I moderated a session on dealing with the aftermath of a data breach.  I was fortunate to have an expert panel -- Chris Cwalina, Vice President, Associate General Counsel, Intersections Inc. and Carol DiBarriste, SVP Privacy, Security, Compliance and Government Affairs, LexisNexis Group. You can view a copy of our Powerpoint presentation.

There is useful information in the slide deck including information on the current legislative landscape -- note the analysis of currently-pending HR 2221 and a review of recent state laws, as well as some points on the variations in the requirements of breach notification laws. 

Fundamentally, you will find helpful tips on what to do in the aftermath of a breach, and how to take steps in advance of a breach to minimize the risks.

The session in Boston concluded with a recommendation that companies conduct an assessment of how they are collecting, using, sharing, storing, securing, and disposing of personal data -- for only by understanding how data is handled can the risk of a breach (and its expensive effects) truly be avoided.  Hogan & Hartson regularly conducts such risk management assessments for our clients, which often results in recommendations on how to close the "gaps" -- how to improve policies, practices, training and auditing.

Germany Introduces Data Breach Notification Rules

On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009. 

The legal obligation of a data controller to notify data breaches to the affected individuals and to the relevant data protection authorities (usually, the state’s data protection commissioner – Landesdatenschutzbeauftragter) is restricted to the loss or unlawful transmission of sensitive data, i.e. personal data revealing (i) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and information on an individual’s health or sex life, (ii) information that constitutes a professional secret, (iii) information regarding criminal activities or administrative offenses, or (iv) information relating to bank accounts or credit card accounts.

In addition to the requirement that the personal data subject to the data breach must fall within one of the categories specified above, the loss or unlawful transmission of such personal data to a third party must constitute a severe threat to the rights or legitimate interests of the individuals involved. If these two requirements are met, the data controller must, first of all, immediately (“without undue delay”) inform the competent data protection commissioner of the data breach, providing (i) a precise description of the data breach itself, (ii) information regarding the potential consequences and risks of such breach, as well as (iii) measures that have been or will be taken by the data controller in order to mitigate the negative impacts of such breach. As a second step, the data controller must notify the individuals involved without undue delay, provided, however, that the controller has located the leak which has led to the data breach and taken all measures to prevent unlawful access by third parties through that leak (“responsible disclosure”). In case personal data relating to potential criminal acts or administrative offenses has been breached, the individuals involved will only be informed by the controller provided that such information does not put an ongoing criminal investigation at risk.

Generally, each individual whose personal data has been breached must be informed by the data controller. However, if the information duty would lead to extraordinary and unreasonable costs (i.e. if the data breach affects a large number of people), the data controller can meet its obligation by publishing a detailed notification (of at least half a page) in two newspapers which are published throughout Germany.

The amendment to the FDPA, which is clearly inspired by U.S. data breach notification laws, is an important contribution to the protection of consumers. It remains to be seen, however, how corporations and data protection authorities will deal with the fact that notification obligations only apply if a data breach poses a severe threat to important rights and legitimate interests of individuals.