Data security breach

Definition

A data security breach

“

generally refers to an organization's unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers (SSN) or financial information such as credit card numbers.[1]

”

Overview

Data security breaches can take many forms and do not necessarily lead to any consumer injury.

There are a variety of activities that may give rise to data security breaches. Breaches can result from intention actions, including hacking,^[2] employee theft,^[3] theft of equipment (such as laptop computers^[4] and hard drives),^[5] and deception or misrepresentation to obtain unauthorized data.^[6] They can also arise from negligent conduct by the organization that suffered the security breach, including the loss of laptop computers or hard disks,^[7] loss of data tapes,^[8] unintentional exposure of data on the Internet,^[9] and improper disposal of data.^[10]

Security breaches can also arise from an organization’s implementation of software, which the organization reasonably believes to be secure, but which contains vulnerabilities that render it insecure.^[11]

Major security breaches

Major data security breaches have been disclosed by the nation's largest information brokerage firms, retailers, companies, universities, and government agencies.^[12] From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed.^[13] Massive data security breaches in 2005, 2006, and 2007 heightened interest in the security of personal information;^[14] in the business and regulation of data brokers; in the liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for third party companies' costs arising from data breaches;^[15] and in remedies available to individuals whose personal information was accessed without authorization.^[16]

Ddata security breaches illustrate (1) the risks associated with collecting and disseminating large amounts of electronic personal information, (2) the increased visibility of data security breaches as a result of [[consumer] notice requirements, and (3) the potential risk of harm or injury to consumers from identity theft crimes (e.g., credit card fraud, check fraud, mortgage fraud, health-care fraud, and the evasion of law enforcement).

According to a June 2007 GAO report,^[17] there is no clear correlation between data security breaches and identity theft:

“

The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft. However, available data and interviews with researchers, law enforcement officials, and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts.

”

Information security^[18] and breach notification^[19] requirements are imposed on some entities that own, possess, or license sensitive personal information. Congress, the Executive Branch, the states, and the courts continue to confront the problem of data breaches.

The Federal Trade Commission (FTC) has enforced consumer protection laws to enjoin and remedy lax information security practices.

The President's Identity Theft Task Force reported its final recommendations in April 2007, including the establishment of national standards for entities to safeguard personal data and for notification to consumers of breaches that pose a significant risk of identity theft.^[20]

The payment card industry has also issued security standards and reporting requirements for organizations that handle bank cards.^[21]

The courts are also considering a number of lawsuits filed by consumers and banks based on the Federal Privacy Act and state common law breach of contract and negligence claims. State Attorneys General have also investigated data security breaches.

Many states have enacted laws requiring notice of security breaches of personal data and consumer redress. As of January 2007, 35 states enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement information security programs to protect the security, confidentiality, and integrity of data.^[22] Congress and some states also have enacted credit freeze and fraud alert laws.^[23]

A federal law (the Veterans Affairs Information Security Act of 2006) and federal guidance (2007 Office of Management and Budget memorandum OMB Memorandum M-07-16) were enacted to prevent and respond to federal agency data breaches. They require federal agencies that collect sensitive personal information to implement enhanced information security programs and provide notice to persons affected by data security breaches.

Other federal laws, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, require private sector covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of personal information.

Sample clause

“

Each party acknowledges that, in the course of performance hereunder, they may receive personally identifiable information that may be restricted from disclosure under the Health Insurance Portability and Accountability Act (HIPAA) and/or the Family Educational Rights and Privacy Act (FERPA). Notwithstanding any other provision of this Agreement, each party will be responsible for all damages, fines and corrective action arising from disclosure of such information caused by such party's breach of its data security or confidentiality provisions hereunder.

”

References

1. Personal Information: Data Breaches Are Frequent, But Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown, at 2.
2. In early 2007, TJX Companies reported unauthorized intrusions into its computer systems that may have led to the disclosure of credit card information and driver’s license numbers on 45.7 million customers. See, e.g., Dan Kaplan, "45.7 Million-Victim TJX Companies Breach Could Lead to Federal Notification Law," SC Mag., Mar. 29, 2007 (full-text).
3. See, e.g., Holly K. Towle, "Let’s Play 'Name that Security Violation!'", 11 Cyberspace Law., Apr. 2006, at 11 (full-text).
4. See, e.g., Robert Ellis Smith, "Laptop Hall Of Shame," Forbes.com, Sept. 7, 2006 (full-text).
5. See, e.g., Dan Kaplan, "TSA Loses Hard Drive With Personal Information of 100,000 Employees," SC Mag., May 7, 2007 (full-text).
6. See, e.g., Federal Trade Comm'n, "ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress" (full-text).
7. See, e.g., David Hubler, "New House VA Committee Chairman Laments Latest Laptop Loss," FCW.com, Feb. 6, 2007 (full-text); "HP Employees Suffer Data Exposure" (Mar. 23, 2006) (full-text).
8. Paul Shread, "Bank's Tape Loss Puts Spotlight on Backup Practices" (Feb. 28, 2005). (full-text).
9. See, e.g., "Data Exposure Response" (Jan. 25, 2007) (full-text).
10. See, e.g., "Debra Black, Rogers Pins Data Dump on Sales Firm," thestar.com, Apr. 9, 2007 (full-text).
11. Michael D. Scott, "Tort Liability for the Vendors of Insecure Software: Has the Time Finally Come?," 67 Md. L. Rev., Issue 2 (2008) (full-text).
12. Personal Data Security Breaches: Context and Incident Summaries.
13. See Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," N.Y. Times, Dec. 18, 2006, at C3.
14. See Kenneth M. Siegel, "Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft, Personal Information, and the Role of Data Security in the Information Age," 111 Penn St. L. Rev. 779 (2007); Kamaal Zaidi, "Identity Theft and Consumer Protection: Finding Sensible Approaches to Safeguard Personal Data in the United States and Canada," 19 Loy. Consumer L. Rev. 99 (2007).
15. At least six states have introduced bills designed to strengthen merchant security and/or hold companies liable for third party companies' costs arising from data breaches (California, Connecticut, Illinois, Massachusetts, Minnesota, and Texas). See Timothy P. Tobin, "In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States" (full-text). The Minnesota bill was signed into law on May 21, 2007. 2007 Minn. Laws Ch. 108, H.F. 1758.
16. The criminal liability of persons responsible for unauthorized access to computer systems is discussed in Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws.
17. Personal Information: Data Breaches Are Frequent, But Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown.
18. Information security standards are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to personally identifiable information for unauthorized purposes.
19. Data breach notification laws require covered entities to provide notice to affected persons (e.g., cardholders, customers) about the occurrence of a data security breach. For further information, see Sean C. Honeywill, "Data Security and Data Breach Notification for Financial Institutions," 10 N.C. Banking Inst. 269 (2006); Lilia Rode, "Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security?," 43 Hous. L. Rev. 1597 (2007); Paul M. Schwartz & Edward J. Janger, "Notification of Database Security Breaches," 105 Mich. L. Rev. 913 (2007); Thomas J. Smedinghoff, "Security Breach Notification — Adapting to the Regulatory Framework," 21 Rev. of Banking & Fin. Servs. 115-24 (Dec. 2005).
20. The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan.
21. The Payment Card Industry (PCI) Data Security Standard (DSS) is an industry regulation developed by VISA, MasterCard, and other bank card distributors. It requires organizations that handle bank cards to conform to security standards and follow certain leveled requirements for testing and reporting. The core of the PCI DSS is a group of principles and accompanying requirements designed to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy.
22. Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. See Nat’l Conf. of State Legislatures, State Security Breach Notification Laws[1]. See also "New Data Security Laws Take Effect in Several States," 75 U.S. Law Week 2388 (Jan. 9, 2007); John P. Hutchins, U.S. Data Breach Notification Law: State by State (2007).
23. Security freeze laws (also referred to as "credit freeze" laws) are a form of identity theft victim assistance. A security freeze law allows a consumer to block unauthorized third parties from obtaining his or her credit report or score. See Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills. The Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. §§1681-1681x, amended the Fair Credit Reporting Act (FCRA), and added provisions designed to prevent and mitigate identity theft, including a section that enables consumers to place fraud alerts in their credit files.

Source

• Data Security: Federal and State Laws, at 1.