On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority under Section 5 to enforce data security standards. The court reasoned that the data-security legislation the followed the FTC Act, such as GLBA and FCRA, provide the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
On April 3, Iowa Governor Terry Branstad signed SF 2259, which amends the state’s data breach notice law to add a requirement that businesses that experience a data breach notify the state attorney general’s office within five days of discovering or being notified of the breach. Previously, state law required that businesses notify only consumers after discovery or notification. Several existing exemptions to the consumer notice requirement, including for businesses subject to Title V of the Gramm-Leach-Bliley Act, also apply to the attorney general notice requirement. SF 2259 also amends (i) the definition of “breach of security” to cover personal information maintained in any medium that was transferred to that medium from computerized form, e.g., printed records originally maintained in electronic form; and (ii) the definition of “personal information” to include encrypted, redacted, or otherwise protected data. The changes take effect July 1, 2014.
Data Breach Class Settlement Approved After Eleventh Circuit Held Identity Theft Following Breach Presents Cognizable Injury
Recently, the U.S. District Court for the Southern District of Florida approved a class settlement in a case in which the plaintiffs claimed financial harm from a health care company’s failure to protect their personal information. Resnick v. AvMed Inc., No. 10-24513 (S.D. Fla. Feb. 28, 2014). The settlement follows a September 2012 decision from the U.S. Court of Appeals for the Eleventh Circuit, in which the court reversed the district court’s dismissal of the case and held that because the complaint alleged financial injury, and because monetary loss is cognizable under Florida law, the plaintiffs alleged a cognizable injury. The court explained that the plaintiffs demonstrated “a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence” because the plaintiffs plead that they were careful in protecting their identities and had never been victims of identity theft. The settlement requires the company to pay $3 million, with each class member receiving up to $10 for each year they paid an insurance premium, up to a maximum of $30. The company also agreed to implement new data security measures.
Last week, as part of the White House’s initiative on “big data” and privacy (led by John Podesta), the White House Office of Science and Technology Policy issued a request for information seeking public input regarding broad privacy-related issues. The request defines “big data” as “datasets so large, diverse, and/or complex, that conventional technologies cannot adequately capture, store, or analyze them.” It seeks comments on a number of issues, including: (i) the public policy implications of the collection, storage, analysis, and use of big data; (ii) the types of uses of big data that could measurably improve outcomes or productivity with further government action, funding, or research, and uses of big data that raise the most public policy concerns; (iii) the technological trends or key technologies which will affect the collection, storage, analysis and use of big data, and whether any are particularly promising for safeguarding privacy; (iv) how the policy frameworks or regulations for handling big data should differ between the government and the private sector; and (v) issues raised by the use of big data across jurisdictions. Comments are due by March 31, 2014.
On March 7, Visa and Mastercard announced the formation of a cross-industry payment security working group, which the payment system providers state will be focused on “enhancing payment system security to keep pace with the expectations of consumers, retailers and financial institutions.” The group’s initial focus will be on supporting the adoption of EMV chip technology in the United States. In addition, the group will promote tokenization and point-to-point encryption, and will develop “an actionable roadmap for securing the future across all segments of the payments industry.” The group will include representatives from banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups.
State Banking Associations Object To Senators’ Request For Increased Bank Payment System Security Oversight
On March 5, 53 state bankers associations sent a letter to Federal Reserve Board Chair Janet Yellen defending banks’ efforts to secure consumer financial data and highlighting the responsibilities of other parties, in particular merchants, to do the same. The banking associations, representing bankers in every state and Puerto Rico, took issue with a letter Democratic Senators Dick Durbin (D-IL) and Al Franken (D-MN) sent last month to the Federal Reserve Board Chair seeking information about the Board’s oversight of card issuers’ fraud prevention policies and recommending that the Board do more to verify the effectiveness of such policies. The banking associations contend that the Senators’ letter is a “thinly veiled effort to once again advance the regulation of interchange under the guise of current concerns over data security,” and criticize the Senators for converting a discussion about security responsibilities into one about interchange fees.
On February 27, California Attorney General Kamala Harris issued a guide to assist small businesses in defending against the threat of cybercrime. The guide, which was developed with the California Chamber of Commerce and Lookout, a mobile security company, stresses that small businesses should assume that they are a target for cybercrime and act accordingly. In addition to providing actionable steps to prevent cyber-attacks, the guide encourages every small business to develop a “game plan” for responding to the inevitability of an actual incident: “Experience has shown that many organizations wait until they have actually suffered a serious data breach before attempting to come up with a process for dealing with such a situation – which amounts, effectively, to building an airplane in the air.”
On February 12, the Obama Administration released the Cybersecurity Framework prepared by NIST, as called for by Executive Order 13636 issued by President Obama one year ago. The Framework organizes best practices regarding cyber risks into three components—the Framework Core, Profiles and Tiers—each of which “reinforces the connection between business drivers and cybersecurity activities.” The Framework Core component is described as a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped into five functions—Identify, Protect, Detect, Respond, and Recover—which provide a high-level view of an organization’s management of cyber risks. The second component, Profiles, is designed to assist organizations in aligning their cybersecurity activities with business requirements, risk tolerances, and resources. Finally, the Tiers component provides a mechanism for organizations to view their approach and processes for managing cyber risk. The Department of Homeland Security has established a voluntary program intended to increase awareness and use of the Framework to help organizations of all sizes manage cybersecurity risks and improve security and resilience of critical infrastructure. NIST hopes the Framework will serve as a model for international cooperation on strengthening critical infrastructure cybersecurity. NIST will continue to update and improve the Framework as the industry provides feedback on implementation. NIST also issued a Roadmap that discusses its next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.
On February 5, the House Homeland Security Committee unanimously approved H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (the NCCIP). The NCCIP builds on many of the ideas set forth in the February 2013 Presidential Executive Order on cybersecurity. The bill seeks to enhance cybersecurity readiness in governmental and private institutions, in part, by facilitating information sharing and a “public-private collaboration” between government agencies and “critical infrastructure owners” and by promoting “cross-sector coordination and sharing of threat information” through NIST. The bill directs NIST to develop voluntary best practices that include individual privacy and civil liberty protections. The NCCIP also amends the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) to provide liability protections for those selling or providing agency-approved cybersecurity technology to customers.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On January 24, the California Attorney General (AG) sued a health care company over its alleged failure to timely submit notice of a 2011 data breach. According to the complaint, the company learned of the breach at the end of September 2011, completed a preliminary investigation in December 2011, and subsequently continued the investigation through mid-February 2012. The company allegedly did not begin mailing notice letters to affected individuals until mid-March. The complaint alleges the company failed to provide such notice in the most expedient time possible, which the AG alleges could have commenced in December 2011. The complaint also includes allegations regarding the actual breach at issue. The AG is seeking statutory penalties of $2500 per violation. Among other things, the suit demonstrates the AG’s inclination to take privacy and data security actions beyond the California Online Privacy Protection Act.
On January 28, the CFPB issued a consumer advisory in response to recent reports of data breaches at several large retailers. In addition to providing tips for consumers in the wake of a retail breach, the advisory encourages card holders to submit complaints about debit and credit card issuers’ inadequate responses to consumer charge disputes related to data breaches.
The advisory is the first public response from the CFPB on data breach issues. It follows a request last month from Senator Chuck Schumer (D-NY), a member of the Senate Banking Committee, that the CFPB conduct an investigation of the data breach and issue a “full report on the findings of its investigation — informing the public of how this breach occurred, how consumers can protect themselves from similar attacks, and any further recommendations the CFPB may have for retailers to minimize the occurrence of similar breaches.” Schumer also asked Director Cordray to “take a closer look at whether retailers systems should be required to transfer credit and debit card information as encrypted data. . . . The CFPB must ensure that necessary rules and standards for retailers are in place to validate consumers’ trust in the transaction process.”
Numerous congressional committees share jurisdiction over data breach issues. The Senate Banking Committee will be among the first to act with a hearing scheduled for February 3, 2014 that will feature governmental witnesses, as well as the views of the retailer and banking industries.
On November 7, the PCI Security Standards Council (PCI SSC), an organization that develops standard for payment card security, released updated data security standards. One standard applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. The other standard applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. PCI SSC updates the standards every three years. This most recent update includes, among other things, requirements that payment card processors: (i) evaluate evolving malware threats for any systems not considered to be commonly affected; (ii) control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination; (iii) protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution; (iv) implement a methodology for penetration testing; (v) implement a process to respond to any alerts generated by the change-detection mechanism; and (vi) maintain information about which security requirements are managed by each service provider, and which are managed by the entity.
Recently, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) continued his committee’s examination of the way data brokers collect and share personal information. The Senator sent a letter to one data broker seeking additional information about the broker’s customer vetting practices and how it shares consumer information with those customers. As the basis for the letter, Senator Rockefeller cited news reports alleging that a company acquired in March 2012 by the data broker receiving the letter had sold data to an identity theft scheme. At least one report suggested that the alleged activity continued after the broker conducted its due diligence and completed the acquisition. The Senator’s letter also poses follow up questions based on the broker’s response to the Senator’s original October 2012 request to numerous data brokers, which the Senator expanded to include other industry participants in September 2013.