Nevada Updates Encryption Law; Adds PCI Requirement

Last October, a Nevada law took effect that requires encryption of all personal information in transit. Perhaps in response to criticisms of that law, Nevada just updated the law—and added a PCI compliance requirement.

The new law repeals the previous encryption statute, and adds a new one to Nevada Revised Statutes section 603A. The previous law was criticized for not clearly defining “encryption;” the new law tries to fix that by defining encryption as something adopted by NIST or any other “established standards setting body”:

(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using:
(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.

Although “adopted” is not necessarily the word I’d use to describe FIPS approval of encryption protocols, the Nevada legislators should get credit for paying some attention to key management.

Unfortunately, Nevada did not do so well when it decided to add a PCI DSS requirement to the law. Unlike Minnesota, which requires compliance with a specific narrow provision of PCI DSS, Nevada simply mandated compliance with the whole standard:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

In computer programming lingo, that’s PCI by reference, and it’s a huge delegation of power by the Nevada legislature to the PCI Standards Council. The PCI Standards Council is not elected, nor is it appointed by elected officials. Giving the force of law to anything the PCI Standards Council says raises constitutionality questions. At least the law said “with respect to those transactions,” so the PCI Standards Council only has the power to enact laws related to payment processing. If the Standards Council decides that all payment processors must pay the Standards Council $1 billion per year, that would only have the force of Nevada law if the payments are related to transactions. Maybe.

The other problem with the new law is that it still applies to any “data collector doing business in” Nevada. It does not apply only to transactions through Nevada, or to transactions involving Nevada residents, but to anyone with business in Nevada. Suppose my business is located in Missouri, but sets up a booth at a Las Vegas trade show every year. Is that “doing business” in Nevada? Are my Missouri-only transactions now subject to the Nevada law?

Nevada’s law lacks the penalties prescribed in Minnesota’s law. The Minnesota law allows card issuers to recover the cost of replacing cards due to a data breach; Nevada’s law includes no such provision. Instead, the penalties for not complying with PCI DSS are the same as for a data breach: the breached entity can sue the data thief, and the attorney general can get an injunction against anyone violating the statute.

Even without that penalty, however, the official codification as a statutory requirement could make PCI DSS the basis of a negligence per se claim. When it applies, negligence per se allows a plaintiff to skip the whole “reasonable person” evaluation of a standard of care in a negligence suit by pointing to a statute. For example, a pedestrian hit by a driver running a red light could point to the statutes requiring people to obey traffic signals as showing that the driver was negligent per se. The statutory PCI DSS requirement might do the same thing for that standard: allow plaintiffs to say that PCI DSS itself establishes the standard of data security due care. In practice, however, it may not matter, because plaintiffs have had too much trouble showing cause-in-fact and harm to ever reach the standard-of-care questions.

Even so, the PCI DSS requirement-by-reference is troubling, and a little sloppy. Legislating technology is hard: write something that’s too general, and it can become meaningless; write something that’s too specific, and you have to re-write the law every year. But that’s no excuse for giving up by pointing to a private standard and saying, “do that.”

Published on June 23, 2009 at 10:52 am

Court Rules that LifeLock Violates California’s Unfair Competition Laws

A federal district court in California has granted partial summary judgment in Experian Information Services, Inc. v. Lifelock, Inc., holding that LifeLock violates the state’s Unfair Competition Law.

LifeLock—infamous for its TV ads in which the founder puts his Social Security Number on the side of trucks—exploits an opportunity in fraud protection law. 15 U.S.C. § 1681c-1 allows “a consumer, or an individual acting on behalf of or as a personal representative of a consumer” to put a free ninety-day fraud alert on her credit file. This “initial” fraud alert requires the consumer to claim “a suspicion that [she] has been or is about to become a victim of fraud or related crime.” The law also allows for an “extended” alert, which lasts for seven years, but requires that the consumer have suffered actual fraud. What LifeLock does is place and renew initial fraud alerts every ninety days on behalf of customers, creating a sort of permanent initial fraud alert.

Experian doesn’t like that, partly because it has to expend resources processing all those repeating fraud alerts. So it sued LifeLock, claiming unfair competition, among a host of other complaints. The court agreed.

Its reasoning, in a nutshell, was this: the fraud alert statute only allows fraud alerts to be placed by the consumer or an individual acting on her behalf. According to the legislative history of § 1681c-1, the word “individual” was specifically chosen over “person” so that individuals such as family members, attorneys, and guardians could place fraud alerts, but not companies (which are legally considered to be “persons”). The court found that language to show a public policy against companies placing fraud alerts. Because the “unfair” business practices prohibited by California’s Unfair Competition Law include not only illegal practices, but also those contrary to public policy, the court found LifeLock’s placement of initial fraud alerts on behalf of individuals to be an unfair business practice, and thus illegal.

What’s interesting about this ruling—other than its implications for LifeLock—is that it reached its result without ever considering whether permanent initial fraud alerts themselves are contrary to the statute. It only says that organizations cannot place fraud alerts. But what about the practice of continually renewing an “initial” fraud alert so that it’s essentially permanent? The statute seems to contemplate specific remedies under specific situations: if you think you might be at risk of fraud, you get a ninety day alert that puts some restrictions on anyone who pulls your credit report. If you have been the victim of fraud, you get a seven-year alert with stricter restrictions. Arguably, if Congress had intended to allow for a permanent fraud alert, it would have provided for one. This ruling doesn’t address that issue.

This doesn’t seem to slam the door on all permanent initial fraud alerts. An individual consumer could always call all three credit reporting agencies every ninety days to place the fraud alert herself. She could also have an attorney, acting as her personal representative, do it for her. What this ruling says is that organizations can’t place fraud alerts: only individuals. It also effectively outlaws LifeLock’s business in California—or will, once the appeals are exhausted.

Published on May 30, 2009 at 11:22 pm

IT Consulting Firm Sued for Certifying CardSystems as CISP Compliant

There’s a new variety of post-breach lawsuit. We’ve seen consumers sue merchants, banks sue merchants, and banks sue banks. Now, a bank has sued an IT consulting firm for certifying CardSystems as CISP compliant. Professional malpractice suits are nothing new in medicine or law practice, but we have not yet seen many security consultants sued for malpractice. That may change as standards and certification become more important.

CardSystems was a payment processor that experienced a massive security breach in 2005. Intruders compromised tens of millions of credit card numbers, leading to millions of dollars in fraudulent charges. In the wake of the breach, banks canceled and re-issued thousands of credit cards. Mastercard and Visa terminated their contracts with CardSystems, and CardSystems eventually filed for bankruptcy. It was the first example of a data breach killing a major company.

Merrick Bank is an acquiring bank, which means that it contracts with merchants to handle their credit card sales. Merrick used CardSystems to process those payments. Because the card association operating agreements make acquiring banks reimburse losses created by card processors, Merrick paid about $16 million to the associations after the CardSystems breach.

But Merrick does not just blame CardSystems for the breach. It also blames Savvis, the IT consulting firm that certified CardSystems’s compliance with Visa’s Cardholder Information Security Program (CISP). In May 2008, Merrick sued Savvis for negligence and negligent misrepresentation in certifying CardSystems as CISP compliant. Last week, the federal district court in Missouri transferred the case to Arizona and joined it with some similar cases, which is why a year-old case is being reported as if it were new.

New or not, the lawsuit is another example of an unfortunate tendency to equate compliance with security. I blogged before about a PCI DSS trainer who said that no one who was PCI DSS compliant had ever been breached—implying, if not directly stating, that PCI DSS compliance creates perfect security. Unfortunately, that seems to be the official line: Robert Russo, Director of the Payment Card Industry Data Security Standards Council, said much the same thing in Congressional testimony in March (p. 8: “[No] entity that has been subject to a data breach . . . was also in full compliance with the PCI DSS at the time of the breach”). Calling something a magic cure-all is a sure sign of snake oil; the PCI Council would do well to stop selling PCI DSS as a magic elixir.

Security assessment malpractice suits could have a long-term effect on the way assessments are conducted. Version 1.1 of PCI DSS started allowing compensating controls that permit compliance even when some requirements are not met. An assessor that requires strict adherence to PCI DSS requirements, with no allowance for compensating controls, can always point to those requirements when faced with a negligence claim. But when an assessor certifies compliance using compensating controls, it exercises more independent judgment, creating room for a negligence claim. The result could be less use of compensating controls.

There could also be some positive effects. Compliance requirements without liability for assessors make it too tempting for both parties to rush through the process. Sloppy consultants will assess as quickly as possible, then hop to the next paying assessment. Some clients, more interested in the certification than in security, will shop for the lowest-priced certification they can find. Not all assessments are like that, but security certifications make them more likely. Malpractice liability gives the consultant something to think about other than how quickly he can get paid for calling someone secure. But even security consultants who do things right need to be careful about how they structure engagement contracts, because these lawsuits will probably become more common.

One lesson for security consultants, and especially PCI assessors, is to be careful with engagement contracts. Savvis is not being sued by a client, but by a customer of a client—someone with whom Savvis had no contractual relationship. A limitation of liability and disclaimer of warranty have no force against someone who is not a party to the contract. A consulting firm would therefore want an indemnification clause in its contract, which would require the client to protect the consultant against anyone else in a claim arising from the engagement. But indemnification clauses aren’t always possible, and the client probably wants the assessor to indemnify it.

Of course, the risks are lower if the negligence claims fail. Negligence cases against processors and merchants have not fared well overall; it would seem even harder to recover against an assessor who certified a breached organization. The assessor could always raise the “Robert Russo defense” by blaming the breached organization for post-assessment changes. The basic negligence case is also harder: the plaintiff would have to show not only that the breached organization was negligent, but that the assessor knew or should have known that the breached organization was non-compliant at the time of the assessment, and that certifying the organization anyway rose to the level of negligence. Proximate cause is probably harder to show, because the causality chain is the breached organization’s chain plus whatever was wrong with the assessment. Apportionment of fault could also be an issue: how much fault lies with the assessor for certifying compliance, and how much lies with the company for being non-compliant? The answer would be fact-specific, but the issues suggest that a case against an assessor would not be an easy win.

Issues like these are probably why PCI DSS assessors must carry cyber-risk and privacy liability insurance (QSA Validation Requirements v.1.1a, p. 40). The more people think that certification is all there is to security, the more the firms who provide those certifications will have to deal with lawsuits like these.

Published on May 27, 2009 at 7:07 pm

Minnesota and Online Gambling

Minnesota’s Department of Public Safety has sent letters to eleven large ISPs, instructing them to block about 200 online gambling sites. The DPS’s requests are problematic on a number of fronts.

First, the DPS relies on 18 U.S.C. § 1084(d) for its authority. That section gives law enforcement the ability to have phone companies disconnect services used for illegal gambling. The actual language is more complicated than that, of course: there’s a notice requirement before take-down, the alleged gambling operation can still fight the order in court, and it applies not just to phone companies but to any common carrier. And there’s the first problem: ISPs aren’t common carriers. Things might be simpler if they were—the whole “net neutrality” debate would be mostly moot, for starters. But they aren’t. By its plain language, § 1084(d) doesn’t apply to them.

Even if it did apply, there’s another textual problem. The statute says the common carrier must “discontinue or refuse, the leasing, furnishing, or maintaining” of the facility it provides. In short, the common carrier can disconnect its customer. But none of the 200 online gambling sites are likely to be located in the U.S., much less on the ISPs’ networks, so they can’t just disconnect them. That’s why the DPS wants the ISPs to block the sites. But the statute the DPS relies on doesn’t authorize blocking, only disconnection.

One could argue that blocking is merely a less disruptive form of disconnection, but I think that argument should fail. A disconnection order presents straightforward questions of jurisdiction (i.e., is the customer someone the state can tell the common carrier to disconnect?), but those questions are more complicated when blocking sites that aren’t in the country. Because blocking is done by IP address, it’s likely to harm innocent web sites that share the same infrastructure; that’s less of a risk with disconnection. Finally, blocking, unlike disconnection, does not require any relationship between the ISPs and the blocked addresses. A disconnected customer knows he’s been disconnected (even without the notice requirement), and knows who to complain to (and, if necessary, sue for reconnection). If eleven ISPs block a website, the website owner would have to persuade or sue all eleven of them to get them to stop. In short, the mechanics and impact of blocking are quite different from disconnection, and shouldn’t be covered under the same term.
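The overblocking point above is easy to show concretely. The following is an added example, not code from the original post: it models an ISP blocking a list of sites by IP address and counts the unrelated hostnames that go dark with them. The hostnames, IP addresses and DNS records are constructed for illustration (the `.example` names and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are not real sites); the functions `collateral` and `blocked_by_name` are this example's own names.

```python
"""Collateral damage from IP-based blocking versus name-based blocking.

Added example, not part of the original post. The DNS records below are
constructed: none of these hostnames or addresses belong to real sites.
"""

# Constructed records: hostname -> A records. Shared hosting is modelled by
# several unrelated names resolving to the same address.
DNS = {
    "poker.example":   ["203.0.113.10"],
    "casino.example":  ["203.0.113.10", "203.0.113.11"],
    "bakery.example":  ["203.0.113.10"],                  # shares a host, unrelated
    "school.example":  ["203.0.113.11"],                  # shares a host, unrelated
    "news.example":    ["198.51.100.5"],
    "bets.example":    ["198.51.100.7", "198.51.100.8"],
    "charity.example": ["198.51.100.8"],                  # shares a host, unrelated
}


def resolve_targets(targets, dns):
    """Every address an ISP would have to null-route to block all targets by IP."""
    ips = set()
    for name in targets:
        ips.update(dns.get(name, []))
    return ips


def blocked_by_ip(targets, dns):
    """Every hostname that becomes unreachable once the targets' addresses are blocked."""
    ips = resolve_targets(targets, dns)
    return {name for name, addrs in dns.items() if ips & set(addrs)}


def collateral(targets, dns):
    """Hostnames blocked that were never on the list: the overblocking the post warns about."""
    return blocked_by_ip(targets, dns) - set(targets)


def blocked_by_name(targets, dns):
    """Name-based blocking (e.g. the ISP's resolver refusing the listed names)
    touches only the listed names, whatever they share at the IP layer."""
    return {name for name in targets if name in dns}


if __name__ == "__main__":
    order = ["poker.example", "casino.example", "bets.example"]
    print("IPs to block:", sorted(resolve_targets(order, DNS)))
    print("Also blocked:", sorted(collateral(order, DNS)))
    print("Name blocking hits only:", sorted(blocked_by_name(order, DNS)))
```

Running it with the three-site order shows three uninvolved names (`bakery`, `school`, `charity`) knocked out alongside the targets, while name-based blocking hits exactly the three listed. Name-based blocking has its own weaknesses (it is trivial to bypass with another resolver, and a site can move names), so neither method is a clean substitute for a disconnection order served on a customer the carrier actually has.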

The Minnesota request looks clumsy compared to the New York Attorney General’s similar efforts to have ISPs block child pornography sites. The New York AG wisely tried to avoid problems with state restriction of speech by asking ISPs to block sites voluntarily, with only the subtlest hint that things would not be so pleasant if ISPs refused. But Minnesota came right out and said it: “we are the state, and we’re telling you to do this.” So there’s no question that it’s state action; now the only question is whether it’s unconstitutional. Why would the state do that, when some ISPs have shown that they’re willing to block sites voluntarily?

New York’s AG also made another smart choice: it picked on child pornography, not online gambling. You won’t find many people to defend child pornography, but online gambling has lots of proponents, including the Interactive Media Entertainment & Gaming Association, who just got a new pet cause, and Congressman Barney Frank, who will be introducing legislation to repeal the current three-year ban on online gambling. By targeting gambling, Minnesota ensured that the blocking won’t happen without a fight.

Minnesota seems to be rushing into a battlefield already strewn with the bodies of other would-be blockers. Kentucky’s attempt to take over online gambling domain names was blocked (it’s appealing the decision). In 2002, Pennsylvania tried to force ISPs to block sites with child porn, but that law was struck down as unconstitutional. Interestingly, a remnant of an early failed attempt to regulate Internet speech—the Communications Decency Act—shields ISPs from being held liable for content carried over their networks. With so many failed attempts in the past, it’s no wonder Minnesota had to look to a novel theory of law.

Still, I think the state would have had much less trouble—and as much or more success—if it had followed New York’s lead and just asked nicely.

Update, 5/5/09: I got confused on my voluntary ISP agreements. Qwest’s agreement was with the National Center on Missing and Exploited Children; New York’s Attorney General doesn’t seem to have been involved. New York convinced several ISPs to voluntarily remove some Usenet newsgroup hierarchies, which is a different matter entirely.

Published on May 1, 2009 at 11:38 am

A Quick Reminder that Not All Identity Fraud Involves Computers

Another day, another breach announcement. No news there, but this one is tied to reports of misuse. A woman was arrested in Irving, Texas in January for “fraudulent use or possession of identifying information and two charges of credit card abuse.” The information she used for the frauds seems to have come from good old-fashioned dumpster diving.

It’s a lesson in the need to shred sensitive information, and a reminder that identity fraud comes from lots of sources, many of which have nothing to do with hacking. It’s also notable because of the time frame: the information came from a benefits report run in 2000, and the 64 people affected all worked with the district in the 2000-2001 school year. So either someone got the report years ago and has slowly been using the data, or (more likely) the report was thrown away relatively recently. Either way, it illustrates how difficult it can be to analyze how data loss leads to fraud: if the suspect hadn’t said where she got the reports, who knows how long it would have taken to find out what these 64 people had in common?
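The closing question (what did these 64 people have in common?) is the common-point-of-compromise problem investigators face after any breach. The following is an added example, not code from the original post or from the investigation it describes: given a set of confirmed fraud victims and attribute records for a larger population, it finds the attributes every victim shares, ranks them by how rare they are among non-victims, and lists the non-victims who match the full shared profile and may be the next to be hit. All person records are constructed placeholders; the field names (`employer`, `record_year`, `bank`, `zip`) and the function names are this example's own.

```python
"""Finding what a set of fraud victims have in common.

Added example, not from the original post. Every record below is constructed:
the identifiers, employers, years and ZIP codes are placeholders, not real data.
"""

# Constructed population: person id -> attributes. "record_year" stands in for
# the year a benefits report containing that person was run.
PEOPLE = {
    "p01": {"employer": "district", "record_year": "2000", "bank": "First",  "zip": "75060"},
    "p02": {"employer": "district", "record_year": "2000", "bank": "Second", "zip": "75060"},
    "p03": {"employer": "district", "record_year": "2000", "bank": "First",  "zip": "75061"},
    "p04": {"employer": "district", "record_year": "2000", "bank": "Third",  "zip": "75060"},
    "p05": {"employer": "district", "record_year": "2003", "bank": "First",  "zip": "75060"},
    "p06": {"employer": "retail",   "record_year": "2000", "bank": "First",  "zip": "75060"},
    "p07": {"employer": "retail",   "record_year": "2005", "bank": "Second", "zip": "75061"},
    "p08": {"employer": "district", "record_year": "2000", "bank": "Second", "zip": "75062"},
}

# Constructed: the people who have reported fraudulent charges so far.
VICTIMS = {"p01", "p02", "p03", "p04"}


def shared_attributes(victims, people):
    """(field, value) pairs that every victim has. Empty if there are no victims,
    rather than 'everything', so an empty report never looks like a lead."""
    records = [people[v] for v in victims if v in people]
    if not records:
        return set()
    shared = set(records[0].items())
    for rec in records[1:]:
        shared &= set(rec.items())
    return shared


def rank_leads(victims, people):
    """Score each shared pair by the share of NON-victims who also have it.
    A value everyone has (the same city, say) explains nothing; a value few
    non-victims share is the lead worth chasing. Lowest share sorts first."""
    others = [rec for pid, rec in people.items() if pid not in victims]
    leads = []
    for field, value in shared_attributes(victims, people):
        share = (sum(1 for rec in others if rec.get(field) == value) / len(others)
                 if others else 0.0)
        leads.append((field, value, share))
    return sorted(leads, key=lambda t: (t[2], t[0]))


def exposed_but_unreported(victims, people):
    """Non-victims matching the full shared profile: likely in the same leaked
    report, and worth warning before fraud shows up on their accounts."""
    shared = shared_attributes(victims, people)
    if not shared:
        return set()
    return {pid for pid, rec in people.items()
            if pid not in victims and shared <= set(rec.items())}


if __name__ == "__main__":
    for field, value, share in rank_leads(VICTIMS, PEOPLE):
        print(f"{field}={value}: held by {share:.0%} of non-victims")
    print("Same profile, no fraud reported yet:", sorted(exposed_but_unreported(VICTIMS, PEOPLE)))
```

With four victims the shared profile collapses to employer and report year (bank and ZIP differ), and one non-victim (`p08`) matches it. In a real case the population table is the hard part: without the suspect's own statement, an investigator has to pull employer, merchant and account histories for each victim before any of this can run, which is exactly why the post says the link could have taken a long time to find.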

Published on April 14, 2009 at 9:09 pm