European Commission Releases Proposed Revisions to the EU Data Protection Directive

by Mehmet Munur

The European Commission announced the proposed revisions to the EU Data Protection Directive today. The widely expected revisions will create uniformity by using a regulation instead of a directive, remove obligations to notify data protection authorities of data processing activities, require data breach notification, increase fines (up to %2 of a company’s global annual turnover),  streamline access, introduce a right to be forgotten, expand Binding Corporate Rules to processors, and strengthen the Data Protection Authorities. The Article 29 Working Party also issued a press release supporting the new Regulation.


The proposed regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) creates a number of changes based on the Data Protection Directive. While some of the provisions, such as the fines and the right to be forgotten, may prove controversial, other provisions relating to removal of the obligation to notify DPAs will likely be celebrated. The Regulation uses some of the same terms as those defined in the Directive 95/46/EC; however, it also introduces new definitions for terms such as personal data breach, genetic data, biometric data, binding corporate rules, and others. The Regulation also clarifies transparency principle, data minimization principle, and the obligation to obtain consent for processing of personal data. The Regulation also introduces more detailed access rights for individuals adding new elements relating to storage periods of personal information, right of rectification and erasure, data portability, and complaint resolution.  While these protections are likely to bolster the individual’s control over the personal information held by data controllers and processors, it will likely create additional burdens on data controllers and processors to enable the data subjects to exercise these rights.

The Regulation also introduces new obligations on the data controller and data processors. The Regulation will require privacy by design and default, explicitly introduce the principle of accountability, and clarify the responsibilities of joint controllers. The Regulation states that the data processor may be considered a joint data controller in the event it goes beyond the scope of data controller’s instructions. This particular provision appears to be a result of the concerns the Article 29 Working Party had over processors such as SWIFT. The Regulation will also explicitly require the cooperation of both the data controller and the data processor with the Data Protection Authorities. The security obligations of the data controller include the obligation to notify the data subject of the breach of personal data. Currently, that proposal includes a “where feasible, not later than 24 hours after having become aware” provision.  This provision is likely to be revised before the Regulation becomes law to a more reasonable time frame.

The Regulation makes the Data Protection Officer mandatory for the public sector, where processing is carried out by more than 250 people, and where the core activities of the controller or the processor consist of operations that require systemic monitoring of data subjects.  German Data Protection law provided such detailed requirements for the Data Protection Officer. Previously, the creation of such a position decreased the administrative burden on the data controllers and their obligation to notify the Data Protection Authorities with the processing of personal information.  This approach is likely to continue with the new Regulation.

The Regulation also includes further details regarding international data transfers. It specifically mentions Binding Corporate Rules. These rules now specifically refer to a data processor’s, as well as a data controller’s, ability to obtain authorization for Binding Corporate Rules.  This provision should allow service providers to obtain authorizations for BCRs and transfer personal information internationally without having to rely on Standard Contractual Clauses. However, the time and resources required to obtain authorizations for these BCRs may still be substantial. Considering that the Regulation may take some time, as long as a couple of years, to become law, we may not find out about this process for a while. Finally, the Regulation creates the European Data Protection Board that replaces the Article 29 Working Party.  This Board is to ensure the consistent application of the Regulation, review guidelines, recommendations and best practices, and issue opinions, among other responsibilities.

The Regulation comes with both advantages and disadvantages compared to the current regime in place in the EU. On the one hand, the Regulation will likely foster a more uniform approach to data protection in the EU. Once the Regulation becomes law, member states will not be required to transpose it into national law.  This will reduce the local differences in the substance of the law.  However, the Regulation still provides for independent Data Protection Authorities.  These DPAs will ultimately have different interpretations of the Regulation and as it interacts with local law and culture.  However, the European Data Protection Board will hopefully have the effect of creating more uniformity. Many will likely celebrate the end of the notification of DPAs regarding the processing of personal information. These registers of personal information were mostly automated, reviewed by few, yet required the time and resources of many corporations.  Their departure will allow the DPAs and the corporations to work on more substantive privacy and data protection issues.  Assuming that the BCR process is further streamlined, then we can see more companies and services providers getting in line to obtain authorizations.  On the other hand, the right to be forgotten, the increased fines, and the restrictions on the legal basis for processing of personal information will likely draw criticism. Hopefully, in the coming years, the Regulation will be revised to better balance some of the obligations on data controllers.

Read More...

Proposed EU Privacy Rules Concern Businesses

A proposed change to EU privacy law is going to be released this week, proposing a single regulator and increased penalties. It would also include 24 hour data breach disclosure. We will discuss this more once they are released.

Read More...

California Updates its Breach Notification Law

Last week, California governor Jerry Brown signed into law SB 24 which updates California's existing data breach notification law (SB 1386) by adding new requirements for data breach notices sent to affected California residents. The bill was sponsored by State Senator Joe Simitian, whose office provided a fact sheet summarizing the bill's main points:

1. Establishes standard, core content -- such as the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies -- for security breach notices in California;



2. Requires public agencies, businesses, and persons subject to California’s security breach notification law, if more than 500 California residents are affected by a single breach, to send an electronic copy of the breach notification to the Attorney General; and,



3. Requires public agencies, businesses and persons subject to California’s security breach notification law, if they are utilizing the substitute notice provisions in current law, to also provide that notification to the Office of Information Security or the Office of Privacy Protection, as applicable.

Read More...

FTC Issues Final Breach Notification Rules as Required by the Stimulus Bill

By Mehmet Munur

On August 18, Federal Trade Commission issued the final rules on breach notification as required by the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. The rules will take effect in 30 days from publication in the Federal Register. The FTC will only begin enforcement after 180 days of the publication of the final rules.

The final rules addressed the public comments to the proposed rules, clarified certain issues such as the broad scope of the rules, the application of either the HHS or FTC breach notification rules, notifying individuals by email, notifying the FTC for breaches involving more than 500 individuals, and privacy notices.

FTC received 129 comments related to its notice of proposed rulemaking. Google (see our previous blog post on Google Health) was noticeably absent from the list, while Microsoft (see our previous blog post on HealthVault) commented on several issues including email notices and use of cloud computing storage. Microsoft’s concerns related to cloud computing prompted FTC to require that vendors of PHR and PHR related entities notify their third party service providers of their status as vendors of PHR.

The FTC adopted the definition of personal health record without modification. Under the proposed rules, breach of name and credit card numbers would have triggered a notification. The FTC backed away from that interpretation and now states that name and credit card numbers alone will not constitute personal health record. On the other hand, FTC renewed its statement that de-identified data would not be considered personal health record “[g]iven the small risk that such data will be re-identified by unauthorized third parties.” Such references show FTC’s renewed interest in the identification of individuals using non-personally identifiable information. FTC had previously mentioned the issue in February in the Behavioral Advertising Staff Report.

The FTC confirmed the wide scope of the new breach notification rules. The proposed rule applies to vendors of PHR and PHR related entities “irrespective of any jurisdictional tests in the Federal Trade Commission Act.” Therefore, even if an entity is not covered by the FTC Act, it may fall under the scope of the breach notification. Additionally, the Commission reiterated that “foreign entities with U.S. customers must provide breach notification under U.S. laws.” Similar to the EU Data Protection Directive, the rules appear to apply to the individual’s data regardless of the data’s location.

The FTC agreed with some of the commentators to the proposed rules that some entities would be covered by both the FTC and the HHS rules. Therefore, the FTC “consulted with HHS to harmonize the two rules, within the constraints of the statutory language.” A related issue concerned the provision of a single breach notification for a single breach, though several entities may be involved. The FTC addresses this issue by providing examples of when entities may comply with both the FTC and the HHS requirements to provide notice.


The final rules also addressed privacy notices and, with it, FTC’s recent incursion into privacy enforcement and behavioral advertising. FTC addressed privacy notices because the “final rule provides that a breach of security means acquisition of information without the authorization of the individual.” FTC stated that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” The FTC reiterated its suspicion of lengthy privacy notices, which it originally voiced in the Behavioral Advertising Staff Report, by stating that “the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of “meaningful choice.”” The FTC cited to the recent Sears enforcement to reinforce its seriousness in enforcing the meaningful choice doctrine. There, Sears had buried its data mining activities deep in its privacy policy instead of providing clear and conspicuous notice of the broad scope of its activities. This could be an indication that the FTC may consider data processing without adequate notice as a data breach.

The final rules now make it easier to provide individual notice through email as well. The FTC is persuaded that the relationship between the vendors of PHR, PHR related entities, and consumers take place online, email notice can be used as a default option. Individual’s express affirmative consent to notify by email is no longer necessary. Nevertheless, the consumers must still have a meaningful choice not to receive notice by email. Additionally, the FTC made it clear that no confirmation is required for the receipt of emails, only “reasonable efforts to contact all individuals” is required. EPIC advocated for social media breach notification. The FTC declined to adopt such measure, but stated that the rule did not preclude other forms of notice in addition to the required forms. We are looking forward to public reactions to the first social media breach notification on Twitter, Facebook, or LinkedIn.

Web postings related to breaches on entities’ websites now need not be maintained for 6 months. The FTC shortened the public posting on websites to 90 days. With respect to notifying the FTC of breaches for breaches involving more than 500 people, the FTC increased the time to provide notice to FTC to 10 business days from 5. In addition, entities may use the form created by the FTC to notify the FTC about breaches. Email notification of the FTC is not an option at this time due to security concerns.

While the effective date of the rules were set by the Stimulus Bill and cannot be changed, the FTC stated that it will “will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered” 180 after the publication of the final rules. The HHS should shortly follow with its final rules on the Stimulus Bill.

Read More...

Stimulus Bill Requires Data Breach Notification Under HIPAA and Signals Broader Enforcement

by Mehmet Munur

The American Recovery and Reinvestment Act that President Obama signed into law on February 17, 2009 includes wide reaching data breach notification provisions for entities covered by the Health Insurance Portability and Accountability Act and organizations servicing those entities. It also has privacy provisions related to sales of protected health information, marketing, fines, and enforcement. The Act is likely to increase joint enforcement activities by the Federal Trade Commission and the Department of Health and Human Services Office for Civil Rights. Such enforcement will likely result in settlements similar to the CVS settlement on February 18, 2009 that arose out of improper disposal of protected health information.

I. Data Breach Notification

The Act places notification obligations on covered entities, business associates, and vendors of personal health records for breaches of protected health information as well as required updates to contracts between covered entities and business associates.

A. Covered Entities

Generally speaking and without using the defined terms of the Act, an entity’s duty to notify arises when it has a breach involving unencrypted personal health information that it processes. The entity must then notify, the individual, the media, and the Secretary of the DHHS within 60 days of finding out about the breach, so long as the law enforcement exception does not apply. In creating these obligations, the Act defines the terms breach, electronic health record, personal health record, and vendors, but retains the earlier definitions of covered entities and business associates from HIPAA. The Act and the obligation to notify will likely become effective for breaches discovered 210 days from its enactment.

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The term has several narrow exceptions related to inadvertent disclosures to authorized users. Most importantly, a breach is deemed to have been discovered on the first date on which it is known or reasonably should have been known to have occurred.

Covered entities still refer to health plans, health care clearinghouses, or health care providers who transmit any health information in electronic form. Processing, while not a term used in the language of the Act, includes access, maintenance, retention, modification, storage, destruction, using, or disclosing.

Unencrypted personal health information refers to the defined term unsecured protected healthcare information. The portion of term referring to protected healthcare information retains its definition under HIPAA and means individually identifiable health information that is either transmitted by electronic media or maintained in electronic media, or both. Unsecured, on the other hand has two meanings. The Secretary should issue guidance specifying the technologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals within 60 days. If he does not, then that technology will be a technology developed or endorsed by the American National Standards Institute. Though the Act does not specify that technology, it will probably be the Advanced Encryption Standard used by the Federal government for sensitive documents.

Notification takes 3 forms: individual, media, and the DHHS. Notification must be made without unreasonable delay and within 60 days after its discovery. However, the law enforcement exception can delay such notification if the entity receives and documents a written or oral statement from the DHHS. The burden to prove that the notification was performed according to the Act lies with the covered entity.

Entities must notify each individual whose unsecured protected health information has been, or is reasonably believed by the entity to have been accessed, acquired, or disclosed during the breach. This individual notice may be by first class mail at the last known address of the individual or by email if that is the preference of the individual. If the entity has more than 10 individuals with insufficient or out of date contact information, then it is required to place a conspicuous post on its web page or notice in major print or broadcast media for a period of time that the Secretary specifies. The entity may also notify by phone due to possible imminent misuse of the information.

The entity must notify prominent media outlets serving a state or jurisdiction if the information of more than 500 residents are reasonably believed to have been subject to the breach. The entity must also notify the Secretary. If the breach involves more than 500 individuals, the entity must notify immediately, whereas breaches involving less than 500 individuals may be submitted in an annual log. The Secretary is then required to post breaches involving more than 500 individuals on its website.

The Act delineates the contents of the notifications. They must include a brief description of the events, the date of the events, a description of the types of information involved, the steps the individuals should take to protect themselves from any harm that may result, and procedures for contacting the entity through a toll-free phone number, email address, or website.

The Secretary must also pass interim final regulations on breach notification within 180 days. These regulations will apply to breaches discovered after 30 days after their enactment. These regulations will certainly require covered entities to craft breach response procedures and implement them promptly.

B. Business Associates

Business associates that service covered entities under HIPAA have an obligation to notify the covered entities in the event of a breach. Business associates are now also subject to the same security procedures that covered entities are under HIPAA and these requirements must also be incorporated in their agreements.

The definition of a business associate has not changed with the Act. Business associates still refer to persons that perform or assist any activity involving the use or disclosure of individually identifiable health information or persons performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity. The Act states that the business associates need to notify the covered entities who must then notify the individuals. However, the requirements related to timeliness and the discovery of the breach are the same.

Covered entities will need to amend their contracts with business associates to reflect the provisions of the Act. These amendments must include administrative safeguards, physical safeguards, technical safeguards, and policies and procedures and documentation requirements promulgated by the DHHS. Business associates that receive protected health information may be subject to fines for wrongful disclosures of protected health information. Prior to the Act, HIPAA only made business associates liable to the covered entity for contract breaches.

The Act also contains a whistle blowing provision for business entities and the covered entities they serve. Prior HIPAA regulations stated that a covered entity was non-compliant if it knew of a business associate’s activity that constituted a material breach of the associate’s contractual obligations and did not take reasonable steps to cure them. If the business associate did not cure the problems, the covered entity was required to terminate the contract or, if that was not feasible, inform the secretary. Now, the Act requires that business entities have the same whistle blowing responsibility towards the covered entities they service. Failure to do so is a violation of the Act.

C. Vendors and Non-HIPAA Covered Entities

The breach notification standards also apply to a new kind of entity called vendors under the Act. These are entities other than covered entities that offer or maintain personal health records. A personal health record is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Google Health and Microsoft HealthVault are examples of such entities.

A vendor’s obligations under the Act are similar to the covered entities’ and business associates’ responsibilities. Vendors must notify individuals and the Federal Trade Commission, instead of the DHHS, of data breaches. The FTC then notifies the DHHS. The methods and timeliness of these disclosures and the definitions of breach and unsecured protected health information are almost identical to the methods and timeliness that covered entities. Violation of this duty to notify is considered an unfair and deceptive trade practice under the FTC Act. Third party services providers that service vendors have an obligation to notify their vendors of any breaches they experience, as well.

The FTC is required to pass regulations related to vendors covered under the Act within 180 days. If, however, Congress passes breach notification laws that directly apply to vendors, then the breach notification provisions of the Act will be overridden. While this provision may be good housekeeping to prevent dual breach notification laws for vendors, it may also be a sign of further breach notification legislation to come from Congress.

II. Marketing, Sale of Protected Healthcare Information, and the Minimum Necessary Standard

The Act has several provisions that restrict marketing activities and create greater privacy protections for individuals. Covered entities will need to revise their privacy practices to accommodate their new responsibilities.

The Act reduces the amount of marketing activities allowed under HIPAA. Communication by covered entities or business associates that is about a product or service and that encourages recipients to purchase or use the product or service are not considered a health care operation under HIPAA unless they are made 1) to describe a health-related product or service, 2) for treatment of the individual, or 3) for case management or care coordination for the individual. If, however, the covered entity or business associate receives direct or indirect payment in exchange for the communication, then the communication is considered marketing. On the other hand, such a communications will still be considered to be a healthcare operation if it describes a drug that the recipient is using and the payment received is reasonable. The Secretary is charged with defining the amount of reasonable compensation through regulations. However, such communication must still be made with a valid authorization. The Act also prohibits the sale of protected health information without a valid authorization. The regulations for these authorization do not change under the Act.

The Act now makes it mandatory to comply with an individual’s request that the entity restrict the use and disclosure of protected health information about the individual to carrying out treatment, payment, or healthcare operations. Prior HIPAA regulations did not require covered entities to agree to such restrictions.

Individuals also have the right to access protected health information in electronic format if the entity maintains that information. The fee for such access cannot exceed labor costs in responding to the request.

Under HIPAA, an entity was required to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of that information. The Act further reduces the amount of data in circulation by requiring the Secretary to promulgate regulations based on the limited data set concept that excludes identifiers such as names, addresses, social security numbers, email addresses and similar information to the extent practicable. Such changes will certainly require that covered entities revisit their privacy practices.

III. Fines and Enforcement

The Act also promotes enhanced enforcement through required fines and investigations.

Violations due to willful neglect now require a fine by the Secretary. Furthermore, the Secretary now has an obligation to investigate any complaint of a violation of the Act if a preliminary investigation of the facts of the complaint indicate a possible violation due to willful neglect. Most importantly, the Act requires that any civil monetary fine or settlement fund collected relating to privacy and security be transferred to the Office for Civil Rights of the DHHS. This provision will likely create a positive feedback loop where enforcement will result in fines and settlements that will give the OCR more funds to carry out more investigations. Additionally, individuals harmed by such breaches may also receive a percentage of the funds received by the OCR, but this amount will be determined three years from the date of the enactment. The Act also creates four tiers of penalties for different levels of culpability ranging from $100 to $50,000 for each violation that are not to exceed $25,000 to $1,500,000 during a calendar year. These fines are effective immediately.

The law can also be enforced by the State Attorneys General. If there is reason to believe that the interests of one or more of the residents of the State is or could be threatened, then the AGs may bring action in federal district court. The courts can, in their discretion, award attorneys fees to the AGs that bring action in federal district courts. However, such state action is limited to circumstances where the Secretary is not already bringing an action. Considering the availability of attorneys fees and the public record of breaches, it is likely that this provision will increase enforcement in cases where the FTC or the DHHS decline enforcement.

IV. Joint Enforcement and CVS’s $2.25 million DHHS Fine

The day after the Act was signed into law, the FTC and the DHHS announced separate settlements with the nationwide pharmacy chain CVS arising out of improper disposal of sensitive personal information. The settlement is significant because it is the first joint investigation by the FTC and the DHHS, involves a health provider, and employee data. Moreover, due to the language of the Act and the cooperation required between the two organizations, it is likely to be a sign of more joint investigations to come.

According to the FTC complaint, during 2006 and 2007 television stations found evidence of CVS’s disposal of names, addresses, dates of birth, bank account numbers, physicians’ names, insurance account numbers and other personal information in unsecured dumpsters in at least 15 cities. Seizing on CVS’s statements that “nothing is more central to our operations than maintaining the privacy of your health information” and that CVS took “this responsibility very seriously,” the FTC argued that CVS’s representations in its notice of privacy practices were false and misleading, likely to cause substantial injury to consumers; therefore, an unfair act or practice. As a result, CVS settled with the FTC and the DHHS in separate settlement agreements.

The FTC settlement is very similar to the other settlements that FTC reached with ChoicePoint, DSW, and TJ Maxx. CVS must create a comprehensive information security program, designate an accountable employee for that program, identify risks, and receive third party assessments of its security procedures for the next 20 years. It is the 24th FTC case that challenges a company’s failure to implement reasonable information security practices.

The DHHS settlement is similar but probably more significant. Under the resolution agreement with the OCR, CVS agreed to pay $2.25 million and implement a robust corrective action plan that includes safeguards for disposal, employee training, and employee sanctions for noncompliance. CVS must comply with this action plan for the next three years, followed by the FTC settlement’s two decade long program. The DHHS Office of Civil Rights press release on the resolution agreement highlights the OCR’s intention to make an example of CVS and its “commitment to strong enforcement of HIPAA Privacy Rule . . . [intended to] spur other health organizations to examine and improve their privacy protections.” The DHHS settlement is the second one of its kind. The previous resolution agreement was with Providence Health Information for $100,000. While the OCR conducts investigations and allows entities to correct HIPAA problems, it had not issued fines of this magnitude.

Vendor breach notifications under the Act will likely spur closer cooperation between the two agencies. OCR’s new obligation to assess fines, conduct investigations in certain cases, and its ability to keep the fines it issues will result in OCR having more resources and incentives to enforce the law. This positive feedback loop will likely result in the FTC and the OCR enforcing the requirements of HIPAA and publicizing them in the future. Therefore, the CVS settlement should provide an incentive for entities of all sizes to satisfy not only their current HIPAA obligations but also their future breach notification requirements.

V. Conclusion

The Recovery and Reinvestment Act creates broad data breach notification requirements for covered entities, business associates, and vendors on a federal level under HIPAA. These entities will need to abide by the regulations that the Secretary of the DHHS will promulgate in the next six months. Further, they will need to abide by the breach notification rules or face fines and settlements by both the FTC and the OCR. Therefore, affected organizations should act quickly to update their breach response plans, revise their privacy policies, stop sales of protected health information without appropriate authorization, and update business associate agreements.

Read More...

Heartland Payment Systems Loses Credit Card Data to Malware

By Mehmet Munur

Heartland Payment Systems, the 6th largest card acquirer in the United States with a processing volume of $51.9 billion, reported that its “investigation uncovered malicious software that compromised data that crossed Heartland’s network.” This data breach is disconcerting because consumers may be unable to pin down the source of the fraudulent transactions and also because Heartland was a Payment Card Industry Data Security Standard compliant acquirer. Heartland will likely be subject to liability from consumers, investors, and the FTC.

Heartland’s data breach may have revealed close to 100 million card numbers. It appears that a malicious software within Heartland’s network collected the data on the magnetic stripes of credit and debit cards. Heartland believes that the security codes or sensitive data, such as driver license numbers or social security numbers, are not a part of the data breach; therefore, the risk of identity theft is minimal. However, the risk of financial loss still exists due to the possibility of placing the magnetic information involved in the data breach on another card and using that card fraudulently. Considering that Heartland services all types of merchants, the largest risk to consumers is that such fraudulent transactions could come from any source and consumers do not have a way of identifying whether any of their cards was involved in the breach.

Another disturbing point for both consumers and corporations is that Heartland was a PCI DSS compliant acquirer. According to its 2008 10-K, Heartland “maintain[ed] current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test [its] systems for vulnerability to unauthorized access.” Furthermore, Heartland encrypted the data stored in its databases but not when the data was in transit across its network. Heartland’s assumption was that its network was secure. As a result of the breach, Heartland’s listing in Visa’s Cardholder Information Security Program is now under review. To remedy the situation, Heartland announced that it would begin encrypting cardholder data throughout its network.

However, encryption is not the silver bullet that will save Heartland—or another acquirer—in the future. While PCI-DSS only requires that cardholder data be encrypted while crossing public networks and when it is stored, it does not require that data be encrypted while crossing an acquirer’s internal network. However, this data must be decrypted at some point in order for it to be processed. Furthermore, due to the fast evolution of malware, a vulnerability is likely to develop within any system at some point. Instead, companies that thrive on data processing must approach data security with comprehensive processes—such as ISO 270002. This is not to say that PCI-DSS is inadequate. Considering that the 6th requirement of PCI-DSS is the development and maintenance of secure systems and applications, it appears that it was Heartland’s implementation of PCI-DSS that failed—not PCI-DSS itself.

Heartland may be subject to legal liability from consumers, the Federal Trade Commission, and investors. A week after the breach, Heartland is already facing a class action lawsuit. TJ Maxx recently settled a similar class action lawsuit arising out of its data breach using its reserve of $178 million. Such a class action lawsuit may prove costly for Heartland as well.

TJ Maxx did not have to pay a fine to the Federal Trade Commission. Heartland may be lucky enough to avoid fines from the FTC, as well. Yet, similar to the TJ Maxx’s FTC settlement, Heartland may be subject to third-party audits as a part of a compliance program for the next 20 years. Heartland may also be able to avoid a lawsuit from its investors. While Heartland’s stock prices have declined from about $18 to $8[1] since the breach became public, it appears to have made the appropriate disclosures as a part of its risk factors in its 10-K:

Unauthorized disclosure of merchant and cardholder data, whether through breach of our computer systems or otherwise, could expose us to liability and protracted and costly litigation.

Our computer systems could be penetrated by hackers and our encryption of data may not prevent unauthorized use. In this event, we may be subject to liability, including claims for unauthorized purchases with misappropriated bank card information, impersonation or other similar fraud claims. We could also be subject to liability for claims relating to misuse of personal information, such as unauthorized marketing purposes. These claims also could result in protracted and costly litigation. In addition, we could be subject to penalties or sanctions from the Visa and MasterCard networks.

In sum, corporations like Heartland that make their money through processing personal data should invest in data protection using comprehensive processes, especially if the loss of that data may result in financial liability. Such comprehensive processes are likely to better protect corporations and their customers against data breaches.

[1] The connection between data breaches and stock prices declines have been subject to several studies since the ChoicePoint data breach.

Read More...