Recently, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) continued his committee’s examination of the way data brokers collect and share personal information. The Senator sent a letter to one data broker seeking additional information about the broker’s customer vetting practices and how it shares consumer information with those customers. As the basis for the letter, Senator Rockefeller cited news reports alleging that a company acquired in March 2012 by the data broker receiving the letter had sold data to an identity theft scheme. At least one report suggested that the alleged activity continued after the broker conducted its due diligence and completed the acquisition. The Senator’s letter also poses follow up questions based on the broker’s response to the Senator’s original October 2012 request to numerous data brokers, which the Senator expanded to include other industry participants in September 2013.
On November 7, the PCI Security Standards Council (PCI SSC), an organization that develops standard for payment card security, released updated data security standards. One standard applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. The other standard applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. PCI SSC updates the standards every three years. This most recent update includes, among other things, requirements that payment card processors: (i) evaluate evolving malware threats for any systems not considered to be commonly affected; (ii) control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination; (iii) protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution; (iv) implement a methodology for penetration testing; (v) implement a process to respond to any alerts generated by the change-detection mechanism; and (vi) maintain information about which security requirements are managed by each service provider, and which are managed by the entity.
On October 21, the EU Parliament civil liberties committee voted overwhelmingly to adopt amendments to EU data protection rules and to require stiffer fines for non-compliance. The rules are designed to increase individual control over personal data while at the same time making it easier for companies to move across Europe, the committee explained. Under the adopted amendments, if a third country requests a company (e.g., a search engine, social network, or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorization from the national data protection authority before transferring any data and would have to inform the individual of the request. The amendments would grant any person the right to have their personal data erased if he/she requests it. It also would require that, where processing of personal information is based on consent, an organization or company could process the information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. Finally, the amendments would increase the cap for penalties for violations to $136.7 million or up to 5 percent of the violating company’s annual worldwide turnover, whichever is greater. The committee directed the EU Parliament to start negotiations with national governments in the European Council, which would be followed by inter-institutional talks. According to the committee release, Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. The 91 amendments are available in two parts, here and here.
On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.
Recently, the Organization for Economic Cooperation and Development (OECD) released updates to its privacy guidelines, with a focus on (i) practical implementation of privacy protection through risk management, and (ii) addressing the global dimension of privacy through improved interoperability. The revised guidelines, which the OECD describes as the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles, incorporate new concepts related to (i) national privacy strategies, (ii) privacy management programs, and (iii) data security breach notification. The new guidelines also reflect the organization’s modern views with regard to trans-border data flows, organizational accountability, and privacy enforcement.
On September 4, the FTC announced its first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – what the FTC refers to as the “Internet of Things.” The company, which markets video cameras designed to allow consumers to monitor their homes remotely, agreed to settle the FTC’s allegation that its security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. The FTC claimed that the company marketed its products as “secure” when, according to the FTC, they had faulty software that potentially allowed for online viewing and listening. The company resolved the complaint without paying a penalty, but agreed to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The agreement also requires the company to obtain third-party assessments of its security programs every two years for the next 20 years, and prohibits the company from (i) misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit and (ii) misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit. The FTC is planning an “Internet of Things” workshop for later this year.
Recently, the National Institute of Standards and Technology (NIST) released a discussion draft of its preliminary cybersecurity framework. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The discussion draft framework provides a uniform guide for developing robust cybersecurity programs for organizations. It provides a common structure for managing cybersecurity risk, is intended to help organizations identify and understand their dependencies on business partners, vendors, and suppliers, and is designed to facilitate coordination of cybersecurity risk within industries. The Framework places cybersecurity activities into five functions – identify, protect, detect, respond, and recover – and urges organizations to implement capabilities in each area. NIST released the draft in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. It also is accepting comments via email.
On September 2, the U.S. Court of Appeals for the Fifth Circuit restored a group of financial institutions’ negligence claim against a payment processor in Lone Star Nat. Bank v. Heartland Payment Systems, No. 12-20648, 2013 WL 4728445 (5th Cir. Sept. 3, 2013). The restored claim relates to a 2008 data breach of a payment processor’s systems that exposed 130 million credit card numbers to cyberthieves. As a result of the breach, the institutions incurred costs to replace consumers’ compromised credit cards and to refund fraudulent charges. The ruling reversed the district court, which held that New Jersey’s economic loss doctrine barred the institutions’ negligence claim and limited them to seeking contractual remedies from the payment processor. The Fifth Circuit ruled that negligence claims for such losses are permitted where, as here, there is a distinguishable class of plaintiffs who are owed a duty and the defendant is not exposed to boundless liability.
On July 25, the DOJ announced the indictment of five individuals accused of conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses. The DOJ believes the defendants and others conspired to use a “SQL injection attack” to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world. Once started, the attacks could last months while the defendants worked to steal user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders, and subsequently sell the data to end-users who used the data to make fraudulent ATM withdrawals or credit card purchases. The DOJ’s action was based on the findings of an extensive Secret Service investigation.
On July 1, California Attorney General Kamala Harris (AG) released a report analyzing data breaches reported to her office in 2012, the first year companies were required to report to the AG any breach involving more than 500 state residents. The report identifies 131 data breach incidents that put the personal information of 2.5 million individuals at risk. The AG noted that the report is not required by the law, but provides support for the AG’s recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those policy recommendations focus on (i) data encryption, (ii) information security, (iii)notice letters, and (iv) the definition of personal information.
Specifically, the AG claimed that the information for 1.4 million Californians would have been protected if companies had encrypted data, and urges companies to encrypt digital personal information when moving or sending it out of their secure network. The AG pledged to prioritize enforcement investigations of breaches involving unencrypted personal information. The AG’s report notes that a large percentage of breaches surveyed resulted from the failure of information security controls and references requirements under state law to protect the personal information of California residents.
The AG also stated that companies should make their data breach notices to consumers easier to read, and that the state legislature should consider expanding breach notice requirements to cover breaches involving passwords. The AG highlighted a pending bill, SB 46, that would revise the notice requirement’s definition of personal information to require reporting of breaches involving information that would permit access to an online account - user name or email address, in combination with a password or security question and answer. That bill has already passed the state Senate and was approved by the Assembly’s Judiciary Committee. It is scheduled to be considered by the Assembly’s Appropriations Committee on July 3, 2013.
On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smart phones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.
On June 13, the OCC published a booklet titled “A Common Sense Approach to Community Banking,” which offers best practices the agency believes distinguish high-performing community banks from those that barely survive or fail. The booklet, which previously was distributed to national banks and federal thrifts and now is available on the OCC’s website, focuses on three interrelated areas: (i) risk assessment and management, (ii) strategic planning, and (iii) capital planning. Earlier in the week, the OCC hosted a webinar on cyber threats and vulnerabilities to raise awareness for community banks, and provided a collection of existing regulatory guidance that addresses actions banks should take to help mitigate the risks associated with information security.
On June 12, the FTC issued revised guidance to help firms comply with its Red Flags Rule, which requires covered firms to monitor for and respond to certain “red flag” warnings of customer identify theft. The updated guide reflects changes made to the rule last year to more narrowly define the types of creditor subject to the rule.
On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.