Saturday, April 08, 2006

Model Data Breach Notification Procedure and Payment Card Industry Information Security Standards (CLE session)

Panelists: Joan Warrington (off cam); Michael Power; Robert Rothman; Jon Armstrong; Tom Laudise (moderator); Peter McLaughlin and Hank Judy (off cam)

Panelist: Jonathan Armstrong (delivering his presentation)

Panelist Joan P. Warrington explained PCI Data Security Standards



Questions from the audience were lively.

Panelists provided an unconventional discussion of company responsibilities to fulfill statutory obligations when data breaches occur.

Tom Laudise noted that the California statute (the "granddaddy" of data breach reporting statutes) overlooks the fact that, with web search capabilities, data thieves do not need several kinds of personal data; they need only one important kind, such as a Social Security number, and can then locate the rest of the data they need in order to make illicit use of it.

Tom also noted that with so many states now having enacted disparate data breach statutes, it is time for federal legislation to harmonize these obligations. He discussed the pending HR 4127, the Data Accountability and Trust Act, and its underlying theme: "If you can't protect it, don't collect it." It gives enforcement authority to the FTC and state attorneys general, which is strongly opposed by financial service companies. He doubts, however, that the House will enact any of the competing bills currently pending unless a significant data breach occurs as a triggering event.

Jonathan Armstrong, from the UK, discussed data breach -- a view from Europe. He noted that there are increasing numbers of data breaches in Europe, particularly in the use by EU businesses of offshore call centers. He noted that companies seem reluctant to recognize that if you pay employees less, you increase the chances that they will be susceptible to bribes by data thieves. He drew an analogy to a weather map, and noted that there is a strong storm system of threats to data privacy moving west from Eastern Europe. He also provided the graphic example of a person who once told him, "you will never understand data privacy until a neighbor of yours has been taken out and shot." Jonathan noted that despite the EU-wide Data Directive, each Member State has implemented its own national version, and that the prosecuting official for a data breach will, therefore, not come from EU headquarters in Belgium but from the local Member State. He added that in Europe there is "loads of law, but little enforcement", whereas in the US "you have little privacy law, but vigorous enforcement." Mandatory reporting requirements are proliferating, with Norway being the first; there the mandatory report must be made to the Norwegian data commission, which then decides whether the company must report to end-users or affected customers. Data reporting laws have also emerged in Hungary, Malta, Sweden and Germany. In most countries, persons have the right to make a "subject access request" -- if they believe they are in a class affected by a data breach, they can submit such a request, and the company must respond within a brief period. In Europe, it is common that, prior to handling personal data, a company must register with the Member State's data protection commission.

Robert Rothman emphasized the need during initial diagnosis of a data breach to create a centralized "Fact Sheet" to ensure that one version, not many, becomes the view of the company internally and in contacts with the media. He pointed out that when a company reports a data breach it should give very careful consideration to omitting from such notice any disclosure of information that would alert the data thieves to the significance or value of the platform or stored data that they took.

Michael Power approached the problem as an evidence collection exercise in which the overseeing counsel needs to make sure that they can trust everyone involved. He noted this must start with the engagement of a forensic expert. When a company suspects a known person or target who may have stolen the data, he recommends seeking court orders to compel production of their storage devices in order to "ghost" (image) them and review the contents to determine if they contain stolen data. He drew the analogy to coming home at night, finding the door had been forced open, and then facing the difficult task of determining what happened -- did the intruders merely walk around, did they party (unlikely), did they go upstairs and take valuables from drawers, etc. Finding out what the data intruders actually did is an important task that needs to be investigated and should not be assumed away. He noted unique issues that arise under Canadian federal and provincial privacy laws. In one instance, he discussed how the team leader (and there MUST be one after a breach) needs to be prepared to deal with the media. He echoed the theme of earlier panelists: "Get the Lawyer in Early" if there is a security breach.

Joan Warrington elaborated on that theme, emphasizing the risks of class actions and attorneys general investigations. She devoted considerable attention to the Payment Card standards and how clients will increasingly need to grapple with them. They emerged, in part, from Visa, and have been approved and adopted by all of the big payment card sponsors -- Amex, MasterCard, etc. They are applicable to all entities that store, process or transmit cardholder data. If you go to the websites of these card issuers there are inches-thick materials (when printed in hard copy) on compliance with those standards. Several banks, for example, have sued BJ's claiming that they are third-party beneficiaries of those standards and seek to recoup funds lost through thefts that originated in data stolen as a result of BJ's alleged failure to comply with those standards.

Hank Judy encouraged counsel to download from the Better Business Bureau and MISMO websites the primers available on how to handle data breaches (the former is best suited to small businesses; the latter provides a more sophisticated and technologically advanced guide). He highlighted certain issues that can be easily overlooked. Unlike usual thefts, where missing items mean something has been stolen, with data "the absence of evidence is not evidence of absence", because hackers are often skillful at compromising data without leaving a trace of their intrusion, leaving the data seemingly intact. There needs to be a person with "unambiguous decision-making authority." Although perhaps counterintuitive to companies fearful of the consequences of a public disclosure, he encouraged the use of a website to provide notice: it gets the word out to a wide community, keeps control of the version released by the company, allows a company to combine a good account of the incident with links to service providers that can help consumers protect themselves from the consequences of the breach, and allows a company to continuously update its account and such aids as needed. Hank recommended as an example that counsel view a few websites, including this one put out by Georgetown University after an incident.

Questions from the audience included Michael Khoury's inquiry about how to respond when you advise your client on the best practice responses to a data breach and the client brings you up short with one or another version of the question, "But isn't that going to cost us a shitload?"
