LifeLock to Pay $12 Million to Settle Charges by the FTC and 35 States for False Identity Theft Prevention and Data Security Claims

In one of the largest FTC-state coordinated settlements on record, LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services. LifeLock and its principals will also be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service. The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

To read more about this settlement, view the FTC’s press release here. The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and here.

Reminder – Compliance with Massachusetts Data Privacy Regulations due by March 1, 2010

The deadline for compliance with the Massachusetts regulations for the protection of personal information is March 1, 2010. To view a complete copy of the regulations, click 201CMR1700reg.pdf.

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) originally promulgated these regulations last Fall, mandating that those holding personal information about Massachusetts residents devise and implement specific, detailed policies to protect the security and integrity of that information. Virtually all Massachusetts businesses are covered, and the regulations also apply to entities outside the Commonwealth that hold Massachusetts residents’ Social Security numbers, credit card numbers, driver’s license numbers or financial account numbers.

The purpose of these regulations is to require business practices that minimize the risk of future data breaches and to ensure better protection of that personal information.

If your business holds personal information, as defined by these regulations, you should closely review these regulations to ensure that you are in compliance.

Happy Data Privacy Day!

Data Privacy Day is January 28, 2010. Data Privacy Day 2010 is a division of The Privacy Projects, a nonprofit think tank and research organization dedicated to facilitating the role of consumer privacy and data protection in regulatory controls, technological innovation and consumer protection with key stakeholders; to the development and promotion of privacy standards; and to the promotion of collaboration, cooperation and shared responsibility in the areas of individual data protection and commercial management of personal information.

According to its website, Data Privacy Day is an annual international celebration to raise awareness and generate discussion about information privacy. In 2009, both the U.S. Senate and House of Representatives recognized January 28th as National Data Privacy Day.

Over the past few years, privacy professionals, corporations, government officials and representatives, academics, and students in the United States, Canada, and 27 European countries have participated in a wide variety of privacy-focused events and educational initiatives in honor of Data Privacy Day. They have conducted discussions, examined materials and explored technologies in an effort to bring information privacy into our daily thoughts, conversations and actions.

Data Privacy Day has also provided an opportunity to promote teen education and awareness about privacy challenges when using mobile devices, social networking sites and other online services.

For more information about Data Privacy Day or The Privacy Projects, click here.

Mass. SJC Issues Order for Protection of Personal Information

The Massachusetts Supreme Judicial Court issued an order on January 7, 2010 regarding the protection of specific personal information collected and maintained by the Massachusetts judicial branch in accordance with M.G.L. c. 93H.

The Order requires protection of specified personal information, as defined by M.G.L. c. 93H, of all individuals, including non-residents. Each appellate court, the Trial Court and any court affiliate that owns, stores or maintains such personal information is required to develop and implement an information security program to protect personal information from a data breach.

According to the Order, the program is to ensure that courts and court affiliates collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is collected; securely store and protect the information against unauthorized access, destruction, use, modification, disclosure or loss; provide access to and disseminate the information only to those who reasonably require the information to perform their duties; and destroy the information as soon as it is no longer needed or required to be maintained.

The SJC’s Order sets out the details of what such an information security program shall include. The Order also provides for departmental reviews of the collection and maintenance of personal information and of the manner in which personal information is electronically stored, and requires that all contracts entered into by the judicial branch contain provisions regarding data breach notification and require compliance with court information security programs.

Compliance with the Order is required by September 1, 2010. To see the SJC’s complete Order on the Protection of Personal Information, click here.

Mortgage Broker Who Dumped Consumer Records in Dumpster Settles FTC Charges

A mortgage broker who discarded consumers’ personal financial records in a publicly accessible dumpster paid a $35,000 civil penalty to settle Federal Trade Commission charges.

According to an FTC complaint filed in December 2008, the defendant improperly disposed of about 40 boxes of sensitive consumer records collected by companies he had owned, including tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and at least 230 credit reports. In addition, two mortgage brokerage companies he previously owned failed to provide reasonable and appropriate security for sensitive consumer information, despite promising they would do so.

In addition to the $35,000 penalty, the settlement order also provides that the defendant is barred from misrepresenting measures taken to protect sensitive consumer information and failing to take reasonable measures to protect credit report information during its disposal. The order also requires the defendant to employ a comprehensive information security program for sensitive consumer information, and to hire an independent, third-party security professional to review the program every year for 10 years to ensure that it meets or exceeds the order’s requirements.

To read the complete FTC Press Release on the settlement, click here.

Connecticut AG Suing under HIPAA HITECH Act for Breach of Patient Records

Connecticut Attorney General (AG) Richard Blumenthal announced that he is suing Health Net of Connecticut for a data breach resulting in the exposure of patient medical records and financial records of 446,000 Connecticut enrollees, which were allegedly stored on an unencrypted portable computer disk drive that disappeared from the company’s office in Shelton, Conn. on or about May 14, 2009.

This case will mark the first action by a state attorney general involving violations of HIPAA since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorizes state attorneys general to enforce HIPAA.

For more information about this data breach, click here for the complete story on HealthImaging.com.

FTC Discusses Online Privacy Issues with the New York Times

At a meeting with New York Times staff, the chairman of the F.T.C., Jon Leibowitz, and David Vladeck, chief of the commission’s Bureau of Consumer Protection, discussed online privacy and the news business, among other topics. Both indicated that they expect the FTC to take a more active role in safeguarding consumer privacy. This may also be in light of pending federal legislation, the Data Accountability and Trust Act.

Topics covered at the meeting included the fact that few people actually read website privacy policies, and questions regarding the use of consumer data by data brokers, data aggregators, social networks, cloud computing and mobile marketing. (These subjects will be part of a Jan. 28 F.T.C. roundtable on privacy, held in Berkeley, Calif.)

For more information, read the New York Times blog about their meeting with the F.T.C. here: http://mediadecoder.blogs.nytimes.com/2010/01/11/ftc-has-internet-gone-beyond-privacy-policies/

Mass. SJC Affirms Dismissal of Claims against BJ’s Wholesale Club for Data Breach

On December 11, 2009, the Massachusetts SJC affirmed the dismissal of claims against BJ’s and Fifth Third Bank by plaintiff credit unions and an insurance company arising out of a data breach that exposed magnetic strip data of credit and debit cards of 9.2 million BJ’s customers.

In Cumis Insurance Society, Inc., et al. v. BJ’s Wholesale Club, Inc., et al., 107 credit unions and Cumis Insurance Society brought suit against BJ’s and Fifth Third alleging that thieves were able to obtain the card information from BJ’s computer systems because BJ’s and its acquiring bank, Fifth Third, breached their contractual obligations, both to each other and to Visa and MasterCard, by storing the magnetic strip data from the back of the cards after a card transaction had been authorized or declined. The plaintiff credit unions sought damages incurred for the cost of replacing the compromised cards. Cumis sought to recover the funds paid to the credit unions to reimburse them for the fraudulent use of the cards.

The credit unions asserted claims for breach of contract on the theory that they were intended third-party beneficiaries of BJ’s contract with Fifth Third Bank and of the Visa and MasterCard regulations that were incorporated into the contract, which specifically included a prohibition on retaining magnetic strip data after a cardholder’s transaction is completed. The SJC affirmed the dismissal of the breach of contract claims finding that plaintiffs failed to establish that there was any intention by BJ’s or Fifth Third that the credit unions were supposed to be the beneficiaries of their contract. In addition, the credit unions could not recover under Visa and MasterCard regulations (specifically, prohibiting the storage of magnetic strip data) because Visa and MasterCard retained the enforcement of their regulations for themselves.

The SJC also affirmed the dismissal of plaintiffs’ negligence claims on the grounds of the economic loss doctrine, which prohibits recovery under a negligence theory when the only harm sustained is economic in nature.

Finally, the SJC affirmed the dismissal of plaintiffs’ fraud and negligent misrepresentation claims. Plaintiffs’ theory was that they relied on BJ’s required compliance with the Visa and MasterCard regulations not to store the magnetic strip data. The SJC found that plaintiffs could not show BJ’s ever made any direct representations to the plaintiffs regarding its compliance with the Visa and MasterCard regulations that would support these claims.

The discussion of the fraud and negligent misrepresentation claims in this case is the most interesting aspect of the decision. The SJC found that even if plaintiffs could establish that defendants made representations about their compliance with the Visa/MasterCard regulations to the plaintiffs, the plaintiffs could not have reasonably relied on those representations because the Visa/MasterCard regs explicitly include a fine for failing to comply. Quite simply, the system was designed with the expectation that such data breaches would occur. In addition, the SJC noted that the plaintiffs had even insured themselves against such fraudulent losses, showing that plaintiffs expected such a data breach to occur. Finally, the SJC noted that the plaintiffs had ongoing knowledge of noncompliance with the magnetic strip regulation because they received notifications from Visa and MasterCard regarding accounts compromised due to improper retention of magnetic strip data.

Ultimately, there was no theory under which the credit unions could recoup their losses stemming from the data breach.

Amex Gets $3.6 Million from Heartland for 2008 Data Breach

On December 17, 2009, Heartland Payment Systems announced that it would pay American Express $3.6 million to resolve charges stemming from a 2008 breach of Heartland’s payment system network, the AP reported.

Heartland’s data breach was the result of hackers who installed spying software on Heartland’s computer network. These hackers also attacked 7-Eleven and Hannaford Brothers Supermarkets. The Department of Justice alleges that these hackers managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford.

Heartland has still not reached resolution of its disputes with other card brands, such as Visa and MasterCard, arising out of this data breach, but clearly, such additional settlements will cost Heartland additional millions.

Proposed National Data Security Law Passed by the House

On December 8, 2009, the U.S. House of Representatives passed by voice vote H.R. 2221, the Data Accountability and Trust Act. This bill is similar in nature to multiple state breach notification laws that have already been passed. It includes the following:

H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number
(ii) Driver’s license number or other State identification number
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

Some more details of this bill include:

  • The Federal Trade Commission would be the responsible enforcement agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”, which will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities.

The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach. It also requires two years of quarterly credit reports to be provided to victims at no charge. Third parties are required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an exemption for encrypted data. In addition, the FTC will define other exemptions if the bill becomes law. The FTC will also be tasked with posting data breaches on its website on a case-by-case basis if the FTC deems it is in the public interest.