Archive for 2008

Deadline Extended for Massachusetts Data Security Regulations

Saturday, November 15th, 2008

On November 14, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for compliance with its new data security regulations, 201 CMR 17.00.  The regulations had been slated to take effect on January 1, 2009.  Some aspects of the regulations are now scheduled to become enforceable on May 1, 2009, and others will not be enforced until January 1, 2010.

Quoting from the press release issued by the OCABR that day:

  • The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new FTC Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. Businesses addressing the new FTC requirements can now address the state regulations during the same time frame. 
  • The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010. This tiered deadline for requiring certification will ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.
  • The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010. Many data breaches reported to date relate to laptops, and laptops are more easily encrypted than other portable devices such as memory sticks, DVDs and PDAs. 

The press release is reproduced below, in full:

 201 CMR 17.00 – Extension of Deadlines – Press Release


New Massachusetts Data Security Regulations To Be Read Broadly

Thursday, November 13th, 2008

If you or your company have “personal information” concerning any Massachusetts resident (including information about your own employees), be prepared for a significant undertaking that may well affect the way you do business.  The Commonwealth of Massachusetts has issued regulations pursuant to the state’s data breach notification law, and they are slated to go into effect on January 1, 2009.  And while the notification law is largely consistent with the laws enacted by most other states, the regulations truly set Massachusetts apart.

The new regulations require any entity that maintains “personal information” regarding any Massachusetts resident to develop and implement a comprehensive, written information security program that details how such information will be protected and secured.  The business must also designate one or more employees to be responsible for the program. This much might have been expected.

What sets the Massachusetts regulations apart, however, are their scope and specificity.  The regulations list no fewer than twenty separate requirements for the program, mandating steps such as the training of all employees, the encryption of personal data on all laptops and portable devices, the certification of all third-party service providers to ensure their appropriate treatment of personal information, the institution of systems to monitor for unauthorized access to personal information, and the maintenance of reasonably current anti-virus software and security patches.

The regulations purport to apply to anyone holding personal information about Massachusetts residents, whether or not they themselves operate or do business in Massachusetts.  As an initial matter, this covers virtually every business with a Massachusetts employee, since the combination of a name and a Social Security number qualifies as “personal information.”  Companies outside of Massachusetts that process Massachusetts residents’ personal information — which would include virtually every retailer — are also within its scope.  Further, service providers who work with any such companies will effectively be forced to comply with the regulations as well, since covered entities may only share personal information with service providers who themselves are compliant with the new mandates.  Lawsuits regarding the extra-jurisdictional reach of these regulations are sure to come.

At a recent Boston Bar Association event, David Murray — the general counsel of the Massachusetts agency responsible for the new regulations — responded to questions regarding them.  His responses indicated that they are, indeed, as broad as their language suggests.  For example, Murray’s view is that existing long-term agreements with third-party service providers are subject to the regulations, which essentially means that relationships between Massachusetts companies and the vendors they use to handle “personal information” will likely require additional due diligence and potentially a renegotiation of contract terms.  Murray, responding to comments pointing out the dramatic changes the new requirements will demand, said simply, “The regulations will not fit in with what is currently being done.”

Given the rapidly approaching January 1 deadline and the magnitude of the task at hand, many believe that the Commonwealth will have little choice but to delay enforcement for six months or more.  Further, the Attorney General’s Office, which will be in charge of enforcing the regulations, may take a “go slow” approach to clamping down.  However, businesses should not dawdle in attacking this issue.  First, implementation of the new information security program will take time and resources, and even a six-month delay in the deadline will not give much breathing room.  Second, independent of the AG’s enforcement strategy, the new regulations may well become a de facto standard against which hacked businesses are measured in civil suits.  Businesses that find that customers’ credit card and financial account information has been lost or hacked may find themselves fielding more questions about their compliance from class action trial lawyers than from the Attorney General’s Office.

The system is screaming for a unification of the more than forty different regimes being implemented by various states across the country.  Whether these regulations are sufficiently bold to move Congress to act has yet to be seen, but the election and the financial crisis may well leave data security legislation a low priority at the federal level.  The prudent businessperson will neither assume that the Commonwealth will delay implementation of these regulations for any substantial period of time, nor rely on the federal cavalry to ride in at the last minute to save the day.

Below is a white paper discussing the regulations in more detail:

New Data Security Regulations Have Sweeping


Massachusetts Issues Report On Data Breach Notifications

Friday, October 3rd, 2008

The Commonwealth of Massachusetts’ Office of Consumer Affairs and Business Regulation has issued a report regarding data breach notifications made under the state’s recently enacted law, Massachusetts General Laws Chapter 93H. You can read the report below:

Report on the MGL Chapter 93H Notifications

The report looks back on the 10 months during which the law has been in effect. Under the law, entities that have suffered a data security breach must notify the Attorney General and the Office of Consumer Affairs and Business Regulation. That office has received 318 such notices, of which only 3% involved data that was encrypted when breached. More than 60% of the notices concerned breaches occasioned by intentional acts such as theft.

The lessons to be learned are clear: hackers and other dedicated individuals willing to search for and steal data are becoming more prevalent, yet the use of encryption to protect data apparently is not. To the extent this report is a fair snapshot of data breach trends generally, it appears that plenty of work remains to be done by business.

Indictment Issued In Retail Hacking Scheme

Friday, August 8th, 2008

The Department of Justice has announced an indictment involving the hacking of the computer systems of nine major U.S. retailers. The Department describes it as the largest such case it has ever brought.

The indictment, brought in Boston, alleges that one Albert Gonzalez and others used a sophisticated attack that involved breaking into the retailers’ wireless networks and subsequently stealing credit card and other information using “sniffer” programs. The retailers involved include Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, OfficeMax, Sports Authority, and TJX Companies. Their actions allegedly involved the theft of more than 40 million credit card numbers, some of which were sold on the Internet and some of which were used to create counterfeit cards to “cash out” the accounts.

The Department of Justice has issued a press release, which can be found here. The indictment itself is available below:

Gonzalez, Albert – Indictment 080508

Which Banks Are Responsible For Credit Card Breaches?

Saturday, August 2nd, 2008

The United States Court of Appeals for the Third Circuit has issued a ruling in Sovereign Bank v. Fifth Third Bank and BJ’s Wholesale Club, Inc., exploring the relative responsibilities and obligations of banks involved in credit card security breaches. It addresses the complex relationships between the card network (here, Visa), the banks that issued the credit cards (“Issuers,” such as party Sovereign Bank), the retailers that accept the credit cards (“Merchants,” such as BJ’s) and the banks that work with the Merchants to process credit card transactions (“Acquirers,” such as party Fifth Third Bank). The relationships are governed in part by Visa’s Operating Regulations, which set out standards regarding the use and retention of credit card information.

Generally, losses resulting from fraudulent credit card charges are the responsibility of the Issuing Bank, but that liability can shift to the Acquirer if the loss resulted from a violation of the Operating Regulations on the Acquirer’s side. Sovereign, an Issuer, claimed that this is what happened: Fifth Third’s merchant, BJ’s, retained the magnetic-stripe data read from customers’ swiped credit cards after the transactions had been completed, rather than destroying it as the Operating Regulations require.

The decision explored in depth whether the contractual relationship between Visa and Fifth Third was intended to benefit Issuing Banks such as Sovereign, giving them a right to sue. The Third Circuit, overturning the lower court, concluded that Sovereign could at least make the argument. It also held, however, that Sovereign could not sue BJ’s for negligence, since the losses were purely economic (the “economic loss doctrine”) and there was no “third-party beneficiary” argument it could construct to reach the retailer.

The matter has been sent back to the lower court for further proceedings. The decision may be found here:

Sovereign Bank v BJ’s Wholesale Club

Effectiveness of Data Breach Notification Laws Questioned

Monday, July 21st, 2008

A recent study by researchers at the Heinz School of Public Policy at Carnegie Mellon University questions whether data breach notification laws are effective in reducing identity theft. According to the research paper on the issue, identity theft accounted for losses of $56 billion in 2005, with 30% of those thefts resulting from data breaches. More than 40 states have passed laws calling for consumer notification in the event of a known breach to combat the problem, but the research concludes that “data breach disclosure laws reduce identity thefts by 5 for every 10 million people,” a number it describes as “not statistically significant.” While the paper also notes that such laws may account for a reduced magnitude of losses, or increased security vigilance by business, it does strongly suggest that the wave of data breach notification laws is far from a silver bullet. We can expect hacked servers and stolen laptops to pose a risk for businesses and consumers for some time to come.

Hannaford Suits Centralized in Federal District Court in Maine

Wednesday, June 25th, 2008

As of early June, at least 24 civil cases had been filed against Hannaford, in states as diverse as Florida, Pennsylvania and Maine. On June 9th the Judicial Panel on Multidistrict Litigation “centralized” these cases (and any that might be filed later) in the Federal District Court for the District of Maine. In theory, this will simplify pre-trial proceedings: discovery will take place under the oversight of one judge, and will be consolidated to avoid duplication. The cases will then be sent back to their courts of origin for trial, at least in theory. In practice, it rarely works out that way, and the “pretrial” court ends up resolving the case, whether through settlements, summary judgment rulings, or rulings on class certification.

Following on the heels of last year’s settlements in the TJX litigation, this is the case to watch as this area of law evolves. Hannaford is the second “mega” security breach in the United States (there have been hundreds of relatively minor breaches), and we can expect substantial legal and judicial resources to go into this litigation.

The Hannaford breach was announced on Monday, March 17, 2008, but at least a couple of law firms let no grass grow under their feet. The first lawsuit was filed in Maine two days later. A copy of the complaint is below.

Doherty v Hannaford

Welcome to DataSecurityLegal.org

Tuesday, June 24th, 2008
Today, it is the rare business that does not keep private and personal information of some sort about others. Companies are regularly entrusted with maintaining the confidentiality of customers’ banking and credit account information, employees’ social security numbers, patients’ health information, and myriad other categories of personal data. Often, that information is stored electronically. Frequently, it resides on equipment connected to the Internet.

When sensitive personal data is lost or exposed, an immediate response is required. Deciding what to do next can be daunting. There is no unified federal law covering this issue; individual states are left to address it themselves. To date, 39 states, the District of Columbia and Puerto Rico each have their own statute specifically imposing obligations on organizations that have suffered a data security breach. And each one is different. Since most breaches involve data from multiple jurisdictions, numerous inconsistent laws are often at issue. In addition, a data security breach also presents unique technical and public relations challenges.

This site is intended as a resource for businesses and the people who represent them, to give them insight into this complex and developing area. The site is sponsored by Gesmer Updegrove LLP, a law firm that has represented clients on intellectual property, privacy and technology matters since before the birth of the Internet. It has advised clients who have suffered data security breaches, and counseled others about preventing them. Among the firm’s clients is the Payment Card Industry (PCI) Security Standards Council, the organization responsible for establishing data security standards for the credit card industry.

We hope to provide you with a lawyer’s-eye view of data security, but this web site should not be confused with legal advice. Particularly in an area as complex and evolving as this, you should consult with a qualified legal professional before making any decisions about minimizing risk and exposure before a breach, or addressing legal responsibilities and liability afterwards. Should you wish to reach an attorney at Gesmer Updegrove LLP for assistance, you can find contact information here.

UK-Based HSBC Banking Group Reports Sensitive Data On 370,000 Customers Lost In The Mail

Sunday, April 20th, 2008

The life insurance division of London-based HSBC reported losing a data disc with personal information about 370,000 company customers, the BBC reports. The information includes their names, dates of birth, and coverage information, although it apparently did not include banking data. The data was not encrypted. Britain’s Financial Services Authority has been informed and may be looking into the matter.
