Data Security Breaches: A New Form of Shoplifting

By Theodore J. Kobus III, Esq., tkobus@bakerlaw.com

Data security and privacy issues are in the headlines nearly every day. Unfortunately, the retail sector has become a priority target for data thieves because of the amount of personal data collected by retailers and the lack of control many retail chains have at the franchise level. Retailers have also suffered significantly due to the recession – resulting in reductions in staff and computer upgrades – reductions that can be costly! As consumer spending bounces back, don’t forget that you need to renew efforts to safeguard the data you maintain and understand how privacy laws may impact your relationship with your customers.

Over 46 laws now require notification when a data breach occurs.

During 2010, there were several retail chains that were victim to hackers and other data thieves. In retail, personal data at risk includes customer names, credit card numbers, credit card expiration dates, dates of birth, driver’s license numbers, passport numbers, and bank account information.

The U.S. currently has 46-plus notification laws in place that require notification when a data breach occurs. The laws are triggered not by the location of the business, but rather the location of the person whose data was affected. State regulators may need to be notified as well as your merchant bank if credit cards are involved. When a breach occurs, an organization’s reputation is at risk. There are significant decisions to be made involving crisis management, communication with customers, and involvement of law enforcement. These decisions are not easy and the organization should seek contribution and consideration from the C-Suite.

There is no shortage of proposed data security legislation.

At last count, there are at least 15 pending bills in Congress that contain the phrase “data security.” The list of disparities between states’ notification statutes is lengthy – and while it provides justification for a single federal law – any federal law will not necessarily be helpful to organizations faced with breaches or their customers.

It is difficult to say whether or not organizations would be better off navigating the maze of state laws, or facing a federal statute that leaves the organization vulnerable in litigation or a regulatory investigation.

After being introduced four times by Senator Patrick Leahy (D-Vt.), The Personal Data Privacy and Security Act of 2011 has gained traction and was approved by the Senate Judiciary Committee. The legislation is intended to replace the 46-plus notification laws in the U.S. that are in effect related to data breach notification requirements. The very large (and well publicized) breaches that occurred in 2011 have been a motivating factor for the continued push toward a national strategy to protect personal information. If passed, the law would apply to both private organizations and government agencies.

Some key provisions include:

  • Preemption of most state data breach laws;
  • Federal Trade Commission (FTC) and attorney general enforcement and penalties;
  • Notification by mail, telephone or e-mail;
  • Media notification when 5,000 or more individuals are involved;
  • Notification to the Secret Service within 14 days in certain circumstances; and
  • Third-party contractor requirements.

While it is clear that pending legislation is aimed at making organizations more cognizant of their obligations to protect personal information of customers and employees, there are provisions in these bills that are not practical or helpful – including to those affected by breaches. So many notification letters are being sent (both voluntarily and because of a statutory requirement) that consumers are becoming immune to the message in the letter, often discarding the notification immediately in the trash. As such, the focus should not be on how fast or when an organization needs to notify an individual, but rather how companies can better protect themselves from a breach happening in the first place.

The regulators are watching.

Over the past 10 years, major retailers have seen investigations led by the FTC regarding privacy issues and the level of technology used to protect customer data. The FTC oftentimes targets representations in a company’s privacy policies. One of the settlements entered into last year also related to violations of the United States-European Union (U.S.-EU) Safe Harbor Framework which allows U.S. companies to collect data about EU residents in a manner that will provide an adequate level of privacy protection. Settlements with the FTC can result in 20 years of privacy audits.

The FTC is not the only active regulator. Enforcement actions by state Attorneys General are also on the rise. In Massachusetts, probably the strictest state when it comes to data security requirements, a settlement required a restaurant chain to pay $110,000 in penalties, as well as to prove compliance with the Massachusetts data security regulations and the Payment Card Industry Data Security Standards (PCI DSS).

Moreover, it is not uncommon for retailers to collect data about its customers and provide such data to third parties for targeted marketing and other reasons. Too often, however, the privacy policies in place are either inadequate on the corporate level, the franchise level, or both. Often, customers are not provided an opportunity to opt-out of having their information collected, and the customers do not know the extent to which information is being collected and distributed. As the FTC and state Attorneys General increase their efforts to target companies with inadequate privacy policies and practices, and consumer spending begins its recovery from the recession, now is the time to revisit whether your policies need to be updated. Additionally, the credit card brands are serious about PCI compliance – accordingly, education of employees is critical so that incidents involving credit card data can be investigated timely and reported when appropriate to your merchant bank. Not only will these steps help to protect your customers, they will protect your brand.

Ted Kobus is national co-leader of the privacy, security and social media team at Baker & Hostetler LLP. He frequently discusses privacy topics on the firm’s blog at Dataprivacymonitor.com; also, follow him on Twitter @tedkobus. He can be reached at (212) 271-1504 or tkobus@bakerlaw.com.