California Bill Would Create Cyber Security Commission

By Christin McMeley and Jane Whang

In recognition of the increasing threat that cyber-attacks pose to the state's infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a "Cyber Security Commission."

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor's Office and Legislature on the status and progress of cyber security efforts.

FTC's 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

By Adam H. Greene, Rebecca L. Williams, and Sarah S. Fallows

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

Are You a Target?

By Daniel P. Reing

As has been widely reported, the popular retail giant Target announced yesterday that it suffered a data breach impacting approximately 40 million credit and debit card accounts used in Target stores across the country between November 27th and December 15th. It appears that the breach involved the theft of “track data” from the magnetic stripe on the back of credit and debit cards used in Target stores. Thieves use this stolen information to create counterfeit cards.

Malware Cited as the Cause of Massive Supermarket Data Breach

By Hozaifa Cassubhai

A massive data breach at an East Coast supermarket chain compromised up to 4.2 million credit and debit cards earlier in March, leading to 1,800 cases of fraud arising as far away as Mexico, Italy and Bulgaria. Recently, the Hannaford Bros. grocery chain announced the cause of that breach: unauthorized software secretly installed on servers that intercepted data from customers as they paid with plastic at checkout counters.

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted by Ronald London

The FTC recently announced a consent decree with online retailer Life is good that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good's website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.

California Breach Disclosure Law Now Covers Medical Records

By Charlene Brownlee

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298, took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law's definition of "personal information" and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.

Record Number of Data Breaches Reported in 2007, But Optimism Reigns

Posted by Hozaifa Cassubhai

The number of publicly reported data breaches in the United States rose by more than 40 percent in 2007, according to the Identity Theft Resource Center (ITRC), and it appears Microsoft, among others, is taking steps in response.

California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements

Posted by Charlene Brownlee

California Governor Arnold Schwarzenegger vetoed AB 779 -- legislation that would have amended California's data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.

AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.

iPhone Security Flaw -- First of Many With Nextgen Phones?

Posted by Lance Koonce

We can't say we weren't warned.

Experts have been saying for years that as cell phone technology advanced, so would the risk of security problems (see, e.g., "Ten Dangerous Claims About Smart Phone Security"). We've already seen purported "hacks" of celebrity phones like that of Paris Hilton, although that was allegedly pulled off in part through an old-fashioned con of a phone company employee.

Now comes a report in today's New York Times that a team of consultants working for Independent Security Evaluators has discovered a flaw in Apple's iPhone that could potentially allow a hacker to take "complete control" over the phone remotely. The flaw is described in detail at the ISE website. Given the amount of information that can be stored on an iPhone, this represents a serious risk. More coverage here.

Why Is Database Security Not A Priority?

Posted by Randy Gainer

The daily reports of data regarding individuals being lost or stolen typically emphasize the costs businesses and government agencies will incur to respond to the incidents. TJX, for example, reportedly incurred $20 million in costs during the first three months of 2007 related to the theft of payment card data from its stores in 2005 and 2006. Given the large number of reported incidents of personal data being lost and stolen, it is surprising that organizations that collect and store large amounts of sensitive information do not take adequate precautions to secure it.

State Laws to Shift Some Data Breach Costs to Businesses with Weak Security

Posted by Randy Gainer

As of May 25, 2007, one state has adopted and five are considering important new data breach laws. The laws will require businesses that fail to implement adequate security to pay some of the costs that others incur if the first business’s failure to implement security measures contributes to the theft of consumers’ personal information. Although the state laws are not uniform, they each address the failure of current federal and state data security statutes to permit businesses to recover such costs. The laws also respond to court decisions that refused to shift costs to businesses whose security contributed to data thefts.

New York Enters First Settlement Agreement for Violation of Its Security Breach Notification Law

Posted by Thomas Jeffry

Last Thursday, New York Attorney General Andrew Cuomo announced that his office had entered into its first settlement under that state’s Information Security Breach and Notification Law enacted in 2005.

When it comes to notification that private information on a stolen laptop computer may be compromised, time is not your friend. The New York law requires notification to "the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization." In addition, both the owner and the licensee of such information have an obligation to disclose, "in the most expedient time possible and without unreasonable delay," any breach in the security to any New York resident "whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization." (New York State General Business Law § 899-aa) The law includes the common provision that such notification may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation.

Feds Not Yet Required to Notify Individuals of Data Breaches, But They Should Be, and Soon

Posted by Joe Addiego

The San Francisco Chronicle recently reported that since 2003, nineteen different federal agencies have suffered the loss or theft of confidential data pertaining to individuals, yet few, if any, of these agencies reported the breaches. The reason? There are no data breach reporting requirements applicable to the federal government, which begs the question, why not? This lack of accountability for the feds is particularly troubling, since thirty-three different states already have passed data breach notification laws.

Real Estate Services Company Settles FTC Charges Over Confidential Consumer Data

Posted by Ronald G. London

The Federal Trade Commission has announced a proposed consent decree between the government and Nations Title Agency, Inc./Nations Holding Company arising from alleged privacy and security breaches at the companies, as a result of the disposal of consumers' confidential data in an unsecured dumpster and hacking of the companies' computers. Nations Title provides a variety of services in connection with financing home purchases and refinancing existing mortgages, while Nations Holding provides real estate services in 44 states. According to the FTC, the companies failed in their promise to consumers to maintain "physical, electronic and procedural safeguards" that protect confidential information, which the companies routinely obtained from banks, real estate brokers, and consumers, and which included names, Social Security numbers, bank and credit card account numbers, and credit histories. The consent decree requires Nations to refrain from making future deceptive claims about its privacy and security measures, to adopt a comprehensive information security program, and to undergo audits by an independent third-party security professional every other year for the next 20 years. This brings to over a dozen the number of cases the FTC has brought challenging data security practices, and it vowed to "bring more if companies continue to fail consumers."

We Are Not Alone

Posted by Teena Lee

It should not surprise anyone that the US is not the only country with data security issues. Yet the differing legal regimes in other jurisdictions sometimes provide an opportunity to examine what works and does not work in addressing security problems before similar laws are enacted here.

For example, despite having what are purported to be stricter laws with regard to data protection than the U.S., it would appear companies in the United Kingdom continue to suffer just as much at the hands of criminal hackers as those in the United States. See this recent article from BBC News. Among the key differences between the UK's data protection laws and their United States counterparts are that all "data controllers", i.e., those who determine what is to happen to personal data in their possession or in the possession of "data processors" holding the information on behalf of the controllers, must register their data processing activities with a state data protection agency, and that in some instances prior consent is required before any data processing can begin. Very generally, while the UK requires a more centralized regime for regulation, the United States relies on a mix of legislation, regulation and self-regulation, and for this reason the UK (as well as the European Union) has found that the US failed to meet its "adequacy" standard for data protection.

Yet much of the information we have on experiences under different regimes is anecdotal or spotty; it would be interesting to see an apples-to-apples comparison of data breach trends in various jurisdictions that have different protection regimes. Given the plethora of bills floating around Congress, surely someone has done such an analysis (and if not, why not?). If anyone knows of such a report, we would love to post a link here.

And While We're on the Subject of Cars....

Posted by Lance Koonce

There has been a recent spate of thefts of laptops from parked cars, and in particular rental cars parked close to restaurants known to be frequented by business executives. The most prominent of these thefts was of a computer that held sensitive information about nearly 200,000 Hewlett Packard employees. reports that this problem has become so significant around Silicon Valley that "a dozen law enforcement agencies, including local police departments, the FBI and U.S. Customs Department, met to discuss the issue."

Wait, That's Not an Airsickness Bag....

Posted by Kraig Baker

The Consumerist writes today about how a McAfee employee (yes, the McAfee involved in making security software) left a CD-ROM disk containing confidential employee data in the pocket of his airplane seat. It's always striking to me how people view their airplane (and train and bus) seats as private space. Many people who would never treat information insecurely in other situations seem to forget these habits when on airplanes. People conduct confidential business discussions with the person next to them, work on confidential documents on laptops with screens visible to passengers around them, and throw away confidential documents with used newspapers and magazines. Everyone is now concerned about the loss of decorum and flight rage that is going to arise from approving the use of mobile telephones on airplanes. As irritating as the use of mobile phones on airplanes will be, think of the concomitant loss of confidential information.

Panelists Discuss Privacy of Personal Information and Provide Tips on Defending Against Security Breaches

Posted by Peerapong Tantamjarik

This morning, I dialed in to a brown bag discussion teleconference sponsored by the American Bar Association Section of Antitrust Law's Computer & Internet Committee, Consumer Protection Committee, held in Washington D.C. The topic of the presentation concerned Information Privacy in the Digital Age. A copy of the flyer can be found here.

The teleconference involved panelists from private law firms, the FTC, and the Chief Compliance and Privacy Officer from ChoicePoint, Inc. It highlighted the ever-increasing attention paid by regulators on data security breaches of personal information and provided an opportunity for the panelists to share their thoughts on ways to improve compliance and how to respond to such breaches. From a chronology of recent privacy breaches, it is clear that victims of hackers run the gamut from private corporations to public agencies.

FTC Announces Settlement with ChoicePoint, Inc.

Posted by Peter Mucklestone and Stuart Louie

On January 26, 2006, the Federal Trade Commission announced that a settlement had been reached with consumer data broker ChoicePoint, Inc. ChoicePoint was charged with (i) violating the Fair Credit Reporting Act (FCRA) by furnishing consumer reports to subscribers who did not have a permissible purpose to obtain them, (ii) failing to maintain reasonable procedures to verify both the subscribers' identities and how such subscribers intended to use such information, and (iii) making false and misleading statements about its privacy policies. As a direct result of these violations, the personal financial records of more than 163,000 consumers were compromised, resulting in no less than 800 cases of identity theft.

The Uncertain Landscape of Data Breach Notification

Posted by Peter Mucklestone and Stuart Louie

Despite approximately ninety-five publicly known instances of data breaches over the past year at banks, financial institutions, universities, retailers, securities firms, telecoms, data brokers, hospitals and government agencies, resulting in an estimated 51,000,000 compromised identities, efforts to create a uniform standard of notification through Congress remain delayed in House and Senate committees and have otherwise stalled until next session.

Many Consumers Believe Online Banking to be Too Risky

Posted by Peter Mucklestone and Stuart Louie

Despite significant improvements by banks and regulators in both (i) educating consumers about fraudulent phishing, pharming, spyware and key logging schemes and (ii) developing technologies and procedures to defend against such practices, consumers still believe that online banking may be too risky. Susanna Montezemolo, a policy analyst at Consumers Union, appreciates the concerns of these consumers, noting that, "Consumers can do everything right -- not give out passwords or financial information -- and still become victims."

Merchant Bank May be Liable for Costs to Replace Hacked Visa Cards

Posted by Randy Gainer

The United States District Court for the Middle District of Pennsylvania ruled on October 18, 2005, that the bank that processed credit and debit card transactions for BJ's Wholesale Club, Inc. may be liable for the costs that a credit union incurred to replace compromised cards. The ruling came in a lawsuit filed by the Pennsylvania State Employees Credit Union against Fifth Third Bank and BJ's after data thieves hacked into BJ's computers and downloaded credit and debit card data that BJ's obtained when it processed cards used at its stores. The thieves used the stolen data to create fraudulent cards and used the cards to make purchases. The credit union replaced the cards after cardholders and Visa notified the credit union of the fraudulent charges. The credit union spent about $100,000 to replace more than 20,000 cards.

Stalemate in the Battle to Protect Against Internet Credit Card Fraud

Posted by Peter Mucklestone and Stuart Louie

High ranking security experts at both Visa USA Inc. and MasterCard International Inc., two of the world's largest credit-card associations, have suggested that the struggle to protect against the fraudulent use of credit card and accountholder information has reached a stalemate, and those tasked with enforcement are in danger of losing ground. According to recent data compiled by the F.B.I., in 2004, the incidents of internet-related credit card crimes increased by sixty-six percent (66%) and the average reported loss associated with each such incident tripled to $2,400.00.

Cops get ChoicePoint Data?

reports that a Miami-Dade County police officer has been relieved of duty and is under investigation for allegedly obtaining unauthorized access to Social Security numbers and other personal data on 4,689 people maintained by ChoicePoint Inc. The company reported that the Secret Service was investigating the matter -- at this point, it does not appear that any identity thefts have occurred.

Financial Aid Files Compromised in Cal State Database Breach

On August 26, in accordance with the California Information Practice Act (SB 1386), California State University sent a letter to 154 students and administrators notifying them of a potential data breach involving student financial aid records housed in the university chancellor's office.

Damages Still Required for Data Breach Litigation

With the continuing escalation of data breaches, many believe that private litigation in this area will explode over the coming months. In a recent decision in New York, however, a federal judge ruled that JetBlue Airlines passengers will not be able to recover based on the airline's unauthorized disclosure of passenger data to companies working on a federally-funded study of aviation security. The court held that, even though JetBlue violated its own privacy policy, passengers would still be required to show that they suffered harm as a result of the breach . . . and in this case they could not, the court concluded.

Posted by Merrill Baumann

Security Breaches Large and Small

Thus far, this has been the year of massive security breaches, including those at ChoicePoint and CardSystems. As a result, 2005 appears to be shaping up as a national rude awakening to the reality of identity theft, something security experts have been expecting for some time. Some of these breaches have been surprisingly low-tech, such as the physical theft of data storage devices.

A recent article in the Washington Post about the loss of mobile electronic devices reminds us that businesses must literally examine every potential chink in their security armor to assess the risk of data theft.

Posted by Lance Koonce