The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



2014 Verizon Data Breach Report Paints a Sobering Picture of the Information Security Landscape

The 2014 Verizon Data Breach Investigations Report (DBIR) was released on April 22, providing just the sort of deep empirical analysis of cybersecurity incidents we’ve come to expect from this annual report. The primary messages of this year’s DBIR are the targeting of web applications, continued weaknesses in payment systems, and nine categories of attack patterns that cover almost all recorded incidents. Further, despite the attention paid to last year’s enormous data breach at Target, this year’s data shows that attacks against point of sale (POS) systems are actually decreasing somewhat. Perhaps most importantly, the underlying thread that is found throughout this year’s DBIR is the need for increased education and application of digital hygiene.

Each year’s DBIR is compiled based on data from breaches and incidents investigated by Verizon, law enforcement organizations, and other private sector contributors. This year, Verizon condensed their analysis to nine attack patterns common to all observed breaches. Within each of these patterns, Verizon cites the software and vectors attackers are exploiting, as well as other important statistics such as time to discovery and remediation. The nine attack patterns listed in the DBIR are POS intrusions, web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, denial-of-service (DoS) attacks, and cyber-espionage. Within industry verticals, most attacks can be characterized by only three of the nine categories.

Attacks on web applications were by far the most common threat type observed last year, with 35% of all confirmed incidents linked to web application security problems. This number represents a significant increase over the three-year average of 21% of data breaches from web application attacks. The DBIR states that nearly two thirds of attackers targeting web applications are motivated by ideology, while financial incentives drive another third. Attacks for financial reasons are most likely to target organizations from the financial and retail industries. These attacks tend to focus on user interfaces like those at online banking or payment sites, either by exploiting some underlying weakness in the application itself or by using stolen user credentials. To mitigate the use of stolen credentials, the DBIR advised companies to consider implementing some form of two-factor authentication, a recommendation that is made to combat several attack types in this year’s report.

The 2014 DBIR contains a wide array of detailed advice for companies who wish to do a better job of mitigating these threats. The bulk of this advice can be condensed into the following categories:

  • Be vigilant: Organizations often only find out about security breaches when they get a call from the police or a customer. Log files and change management systems can give you early warning.
  • Make your people your first line of defense: Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
  • Keep data on a ‘need to know basis’: Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.
  • Patch promptly: Attackers often gain access using the simplest attack methods, ones that you could guard against simply with a well-configured IT environment and up-to-date anti-virus.
  • Encrypt sensitive data: Then if data is lost or stolen, it’s much harder for a criminal to use.
  • Use two-factor authentication: This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
  • Don’t forget physical security: Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.

These recommendations are further broken down by industry in the DBIR, but they largely come down to a liberal application of “elbow grease” on the part of companies and organizations. Executing on cyber security plans requires diligence and a determination to keep abreast of continual changes to the threat landscape, and often requires a shift in culture within a company. But with the FTC taking a more aggressive interest in data breaches, not to mention the possibility of civil suits as a response to less-than-adequate data security measures, companies and organizations would do well to make cyber security a top priority from the C-Suite on down.


FTC v. Wyndham Update

Edit (Feb. 5, 2014): For a more recent update on this case, please see this post.

On November 1, Maureen Ohlhausen, a Commissioner at the Federal Trade Commission (FTC), held an “ask me (almost) anything” (AMAA) session on Reddit. There were no real surprises in the questions Commissioner Ohlhausen answered, and the AMAA format is not well-suited to lengthy responses. One interesting topic that did arise, however, was the FTC’s complaint against Wyndham Worldwide Corporation, and Wyndham’s subsequent filing of a motion to dismiss the FTC action against them. Commissioner Ohlhausen declined to discuss the ongoing litigation, but asserted generally that the FTC has the authority to bring such actions under Section 5 of the FTC Act, 15 U.S.C. § 45. While there were no unexpected revelations in the Commissioner’s response, I thought it presented an excellent opportunity to bring everyone up to speed on the Wyndham litigation.

On June 26, 2012, the Federal Trade Commission (FTC) filed a complaint in Arizona Federal District Court against Wyndham Worldwide Corporation, alleging that Wyndham “fail[ed] to maintain reasonable security” on their computer networks, which led to a data breach resulting in the theft of payment card data for hundreds of thousands of Wyndham customers, and more than $10.6 million in fraudulent charges on customers’ accounts.  Specifically, the complaint alleged that Wyndham engaged in deceptive business practices in violation of Section 5 of the FTC Act by misrepresenting the security measures it undertook to protect customers’ personal information. The complaint also alleged that Wyndham’s failure to provide reasonable data security is an unfair trade practice, also in violation of Section 5.

On August 27, 2012, Wyndham responded by filing a motion to dismiss the FTC’s complaint, asserting, inter alia, that the FTC lacked the statutory authority to “establish data-security standards for the private sector and enforce those standards in federal court,” thus challenging the FTC’s authority to bring the unfairness count under the FTC Act. In its October 1, 2012 response, the FTC asked the court to reject Wyndham’s arguments, stating that the FTC’s complaint alleged a number of specific security failures on the part of Wyndham, which resulted in two violations of the FTC Act. The case was transferred to the Federal District of New Jersey on March 25, 2013, and Wyndham’s motions to dismiss were denied. On April 26, Wyndham once again filed motions to dismiss the FTC’s complaint, again asserting that the FTC lacked the legal authority to legislate data security standards for private businesses under Section 5 of the FTC Act.

At stake in this litigation is the FTC’s ability to bring enforcement claims against companies that suffer a data breach due to a lack of “reasonable security.” What is unique in this case is Wyndham’s decision to fight the FTC action in court rather than make efforts to settle the case, as other companies have done when faced with similar allegations by the FTC. For example, in 2006, the FTC hit ChoicePoint Inc. with a $10 million penalty over a data breach in which over 180,000 payment card numbers were stolen. The FTC has also gone after such high-profile companies as Twitter, HTC, and Google based on similar facts and law. These actions resulted in out-of-court settlements.

If Wyndham’s pending motions to dismiss are denied, and the FTC ultimately prevails in this case, it is likely that the FTC will continue to bring these actions, and businesses will likely see an increased level of scrutiny applied to their network security. If, however, Wyndham succeeds and the FTC case against them is dismissed, public policy questions regarding data security will likely fall back to Congress to resolve.

Oral argument on the pending motions to dismiss is scheduled for November 7. No doubt many parties will be following these proceedings with great interest.



Connecticut Enacts Law Restricting Access to Credit Reports

In late July 2011, Connecticut passed a law restricting employers’ access to employee’s or potential employee’s credit reports. Public Act No. 11-223 prohibits employers from requiring an employee or prospective employee to consent to a credit report request as a condition of employment, unless one of the following conditions is met:

  • The employer is a financial institution;
  • A credit report is required by law;
  • The employer reasonably believes that the employee has engaged in specific activity that constitutes a violation of the law related to the employee’s employment; or
  • A credit report is substantially related to an employee’s current or potential job or the employer has a bona fide purpose for requesting or using information in the credit report that is substantially job-related.

The new statute defines “substantially related to an employee’s current or potential job” to include a number of situations where an employee or potential employee would have managerial or fiduciary responsibilities, or would have access to personal information, confidential business information, or other sensitive data. Connecticut’s statute becomes effective October 1, 2011. This law is similar to employer credit report restrictions that have recently been enacted in other states, such as Illinois and Oregon.



Massachusetts AG Announces $7500 Settlement with Bank for Data Breach

The Massachusetts Attorney General recently announced a $7,500 settlement with Belmont Savings Bank following a data breach in which an unencrypted backup computer tape was lost after an employee failed to follow the bank’s policies and procedures.  This tape contained the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents.

The tape was lost in May 2011, when an employee left it on a desk rather than storing it in a vault for the night.  Surveillance footage showed that the tape was then thrown away by the cleaning crew.  The tape was most likely incinerated by the bank’s waste disposal company, and the bank has indicated that it has no evidence that the Massachusetts residents’ personal information had been acquired or used by an unauthorized person.

In addition to the $7,500 penalty, the settlement requires Belmont Savings Bank to mitigate the risk of future data breaches by:

  • Ensuring the proper transfer and inventory of backup computer tapes containing personal information;
  • Storing backup computer tapes containing personal information in a secure location; and
  • Effectively training its employees on the bank’s policies and procedures for maintaining the security of personal information.

This is the second announcement this year by the Massachusetts Attorney General’s office of a settlement as a result of a data breach. 



Ninth Circuit Determines the Meaning of “Electronically Printed” Under FACTA

On May 24, 2011, the United States Court of Appeals for the Ninth Circuit determined that an email receipt was not an “electronically printed” receipt as used by the Fair and Accurate Credit Reporting Act (“FACTA”). Under FACTA, entities are prohibited from printing “more than the last 5 digits of the [credit or debit] card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. Sec. 1681c(g)(1). This restriction only applies to “receipts that are electronically printed, and [does] not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.” Id. Sec. 1681c(g)(2).

In Simonoff v. Expedia, Inc., Simonoff claimed that Expedia violated FACTA by including the expiration date of his credit card on an email receipt for an online transaction. To be a violation of FACTA, an email displayed on a computer screen would have to be considered an “electronically printed” receipt. Upholding the district court’s decision and agreeing with a previous Seventh Circuit decision regarding this issue, the Ninth Circuit determined that the plain meaning of “print” and “electronically printed” does not include email displayed on a computer screen.

Specifically, the Ninth Circuit found that the ordinary meaning of “print” involves a “physical imprint onto paper or another tangible medium.” The court also found that the term “electronically” clarifies the “manner of printing by differentiating receipts printed with electronic devices from receipts printed by hand; it does not change the definition of ‘print.’” Further, the court looked to Congress’s intention in enacting FACTA and determined that “Congress did not use language that would have clearly extended FACTA’s protection to electronically mailed receipts.” The court also looked to other factors of the FACTA statute, such as “the staggered implementation schedule that applies to physical devices that print paper receipts, and the limitation of the statute to receipts produced at the point of the sale or transaction,” to determine the meaning of “electronically printed.” Accordingly, the court determined that “[t]he text of FACTA simply leaves no room to doubt that ‘electronically printed’ receipts include only receipts impressed onto a tangible medium by electronic devices at the point of the sale or transaction, not receipts that are electronically transmitted to an email account or displayed on a computer screen.”



ZIP Codes are Personal Information Under California’s Song-Beverly Credit Card Act

In a unanimous decision released February 10, 2011 in Pineda v. Williams-Sonoma (S178241),  the California Supreme Court held that a ZIP code is “personal information” under California’s Song-Beverly Credit Card Act of 1971 (the “Song-Beverly Credit Card Act”).  Therefore, businesses may not request or require that a cardholder provide a ZIP code during a credit card transaction and then record the ZIP code, unless the transaction falls under an exception in the Act.

The plaintiff in Pineda sued Williams-Sonoma alleging that when she made a purchase at one of its stores using her credit card, the cashier requested her ZIP code and recorded it. The complaint also alleged that Williams-Sonoma subsequently used the plaintiff’s name and ZIP code to find her full address and add her to its marketing database.

The Pineda case involved interpreting the section of the Song-Beverly Credit Card Act which restricts collection of information from consumers during a credit card transaction and the section defining personal identification information. The relevant portions of Sections 1747.08(a)(2) and 1747.08(b) provide as follows:

(a)(2) “[N]o person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall . . . (2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.” [emphasis added]

(b) “Personal identification information” is defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”

The California Supreme Court decided to hear the Pineda case after the lower courts had ruled that collection of a ZIP code alone was not personal identification information and, therefore, was not covered by this prohibition in the Song-Beverly Credit Card Act. The lower courts based their decisions on reasoning similar to that in Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (2008), which also held that a ZIP code, without more, does not constitute personal identifying information, in large part because a ZIP code pertains to a group of individuals, in contrast to a complete address or a phone number, which are specific to an individual.

The California Supreme Court rejected the lower courts’ reasoning and held that personal identification information includes a cardholder’s ZIP code “in light of the statutory language, as well as the legislative history and evident purpose of the statute.” In its statutory analysis, the Court concluded that “address” should be broadly construed “as encompassing not only a complete address, but also its components.” The Court noted that this broad interpretation is consistent with the “expansive language” used in the Act and with the rule that remedial statutes should be liberally construed in favor of their protective purpose. After its review of the legislative history of the Song-Beverly Credit Card Act, the Court concluded that the Act is “intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”

Questions Raised By the Decision

The Song-Beverly Credit Card Act has been significant over the last several years because it provides a private right of action and statutory damages of up to $250 for the first violation and $1000 for each subsequent violation. After the decision in Florez v. Linen N Things, 108 Cal.App.4th 447 (2003), there have been numerous class actions filed against retailers under the Song-Beverly Credit Card Act that have resulted in settlements.

The Court’s decision in Pineda, particularly the interpretation of the purpose of the Song-Beverly Credit Card Act, raises several important questions and considerations, including the following:

  • The ability of businesses to solicit and record information during credit card transactions that is not necessary to the transaction. For example, consideration should be given to other types of data beyond ZIP code that will be covered as personal identification information.
  • How to interpret the exception in section 1747.08(c)(4), which allows collection of personal identification information for a special purpose incidental but related to the credit card transaction, such as shipping, delivery, servicing or installation, or special orders. The questions after Pineda will be what other “special purposes” qualify and, if the collection is not for a special purpose, whether it is “necessary” for the credit card transaction.
  • Whether the Act applies to return transactions, as has been considered in several state and federal court rulings in California. See, e.g., Romeo v. Home Depot USA, Inc., No. 06-CV-1505, 2007 WL 3047105, 2007 U.S. Dist. LEXIS 77144 (S.D. Cal. Oct. 16, 2007); Korn v. Polo Ralph Lauren Corp., 644 F. Supp. 2d 1212 (E.D. Cal. 2008); TJX Cos., Inc. v. Super. Ct., 163 Cal. App. 4th 80 (2008); Absher v. AutoZone, Inc., 164 Cal.App.4th 332 (2008). These prior rulings reviewed section 1747.08(a)(3) and determined that the Song-Beverly Credit Card Act did not apply to return transactions. The Court was not considering this particular issue or the same subsection in Pineda, so those decisions should stand, and an argument can be made that the additional information is necessary for fraud protection purposes. It will, however, be important to give careful consideration before information collected for special purposes or returns is also used for marketing purposes.
  • Whether the Act applies to online transactions, as was considered in Saulic v. Symantec Corp., 596 F.Supp.2d 1323 (C.D.Cal. 2009). The court in Saulic held that the Act does not apply to online transactions based upon a narrow reading of 1747.08, and its reasoning may be called into question after Pineda.



Lame Duck Privacy Bills

In the last two weeks of 2010, President Obama signed the following three acts addressing privacy:

Red Flags Program Clarification Act of 2010

President Obama signed the “Red Flag Program Clarification Act of 2010,” S. 2987, (“Clarification Act”) on December 18, 2010, which became Public Law No: 111-319.  The Clarification Act narrows the definition of “creditor” under the Fair Credit Reporting Act (FCRA) by adding a definition to Section 615(e), 15 U.S.C. § 1681m(e), to address issues with the breadth of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”).

The FTC’s Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act, under which the FTC and other agencies were directed to draft regulations requiring “creditors” and “financial institutions” with “covered accounts” to implement written identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities—the so-called “red flags”—that could indicate identity theft.  The FTC interpreted the definition of “creditor” to include entities that regularly permit deferred payment for goods and services, which included lawyers, doctors, and other service providers not typically considered to be “creditors.”  This interpretation led to lawsuits by professional organizations, including the American Bar Association, the American Medical Association, and the American Institute of Certified Public Accountants, challenging the FTC’s position that the Red Flags Rule should apply to their members.

The Clarification Act limits the definition of creditor to entities that regularly and in the ordinary course of business: (i) obtain or use consumer credit reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds to or on behalf of a person.  The definition of creditor specifically excludes creditors that “advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  However, the Clarification Act also allows the definition of creditor to be expanded by rules promulgated by the FTC or other regulating agencies to include creditors which offer or maintain accounts determined to be subject to a reasonably foreseeable risk of identity theft.

S. 2987 was introduced by Senator John Thune (R-S.D.) and co-sponsored by Mark Begich (D-Alaska) on November 30, 2010, and the Senate unanimously approved the bill the same day.  An identical companion bill, H.R. 6420, was introduced in the House by Representatives John Adler (D-N.J.), Paul Broun (R-Georgia), and Michael Simpson (R-Idaho) on November 17, 2010.  S. 2987 passed the House on December 7, 2010.

The FTC had previously delayed enforcement of the Red Flags Rule several times, most recently in May 2010 when it delayed enforcement through December 31, 2010.  The FTC’s Red Flags Rule website, http://www.ftc.gov/redflagsrule, notes that the FTC will be revising its Red Flags guidance to reflect the Clarification Act changes.

Social Security Number Protection Act of 2010

President Obama also signed the “Social Security Number Protection Act of 2010,” S. 3789, on December 18, 2010, which became Public Law No: 111-318.  S. 3789 was introduced by Senator Dianne Feinstein (D-Calif.) and co-sponsored with bipartisan support, including Senator Judd Gregg (R-N.H.).  The Act aims to reduce identity theft by limiting access to Social Security numbers, according to a statement from Senator Feinstein.

The Act prohibits any federal, state, or local agency from displaying Social Security numbers, or any derivatives of such numbers, on government checks issued after December 18, 2013.  The Act also prohibits any federal, state, or local agency from employing prisoners in jobs that would allow access to Social Security numbers after December 18, 2011.

S. 3789 unanimously passed in the Senate on September 28, 2010, and passed in the House by voice vote under suspension of its rules on December 8, 2010.

Truth in Caller ID Act of 2009

On December 22, 2010, President Obama signed into law the “Truth in Caller ID Act,” S. 30, which became Public Law No: 111-331.  The Caller ID Act is intended to combat the problem of caller ID “spoofing” where identity thieves alter the name and number appearing as caller ID information in an attempt to trick people into revealing personal information over the phone.

The Caller ID Act amended Section 227 of the Communications Act of 1934, 47 U.S.C. § 227, to make it illegal to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm.  However, the Caller ID Act specifically prohibits anything in it from being construed as preventing or restricting any person from using caller ID blocking.

The Federal Communications Commission (“FCC”) is required to prescribe regulations to implement the Act within six months.  The Caller ID Act specifically exempts law enforcement activity and caller ID manipulation authorized by court order, and it also allows the FCC to define other exemptions by regulation.  

The FCC can impose civil forfeiture penalties of up to $10,000 per violation, or $30,000 for each day of continuing violation, up to a cap of $1,000,000 for any single act or failure to act.  Willful and knowing violations of the Caller ID Act can result in criminal penalties including the same monetary penalties and up to a year in prison.

S. 30 was introduced by Senator Bill Nelson (D-Fla.) on January 7, 2009, and passed in the Senate on February 23, 2010.  The bill was approved in the House on December 15, 2010 by voice vote under suspension of its rules.  S. 30 was very similar to H.R. 1258, introduced by Representatives Eliot Engel (D-N.Y.) and Joe Barton (R-Tex.) and passed by the House on April 14, 2010, according to a statement released by Representative Engel.