North Carolina Updates its Data Breach Notification Law and Credit Reporting Laws

On July 17, North Carolina amended its data breach notification law and changed some credit freeze and credit monitoring requirements.

The new law, S.B. 1017, makes two small changes to North Carolina’s notification requirements. First, it requires telling the state Attorney General about breaches of any size, not just those that affect more than one thousand people. Second, it requires the notifications to include contact information for the consumer reporting agencies (CRAs), the FTC, and the North Carolina Attorney General’s office.

The statute’s notification trigger is unchanged: the duty falls on any business that “owns or licenses” personal information. But the statute’s definition of a “security breach” is not limited to breaches of information the business itself owns or licenses. It may just be a quirk of wording, but read literally, the law requires any business that owns or licenses data to notify people affected by any security breach. Nothing in the language says that companies only have to disclose their own breaches:

N.C. Gen. Stat. § 75-65(a): Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. . . .

I doubt that’s the intention of the law, but there’s the language: companies that own or license data shall notify the affected person that “there has been a security breach.” So, maybe it’s a business’s duty to inform consumers that a competitor has been breached?

Also note the statute’s broad interstate reach, pulling in “any business that conducts business in North Carolina that owns or licenses personal information in any form.” It doesn’t even bother to limit the reach of the statute to businesses that own or license personal information about North Carolina residents.

The law’s big changes are to consumer credit reporting, and most of them are to the state’s security freeze law. It cuts the time a CRA has to place or remove a freeze from five days to three; gives a CRA fifteen minutes to temporarily lift a freeze when the consumer requests the lift by phone or e-mail (three days if the request comes by mail); prohibits a CRA from charging to place, remove, or temporarily lift a freeze unless the request was made by mail (the old law allowed a $10 charge per request); and requires that a credit report issued under a freeze state that the freeze does not reflect a negative score, history, report, or rating.

Finally, the law adds a “Credit Monitoring Services Act,” which might as well be titled the “freecreditreport.com” act. It requires anyone who provides credit monitoring or obtains a credit report on behalf of a consumer for a fee to give clear and conspicuous notice of the consumer’s right to a free credit report.

Published on August 4, 2009 at 9:31 am

Missouri Joins the List of States with Data Breach Notification Laws

Missouri finally passed a data breach notification law this year as part of an omnibus crime bill, H.B. 62. That brings the number of states without data breach notification laws to five: Alabama, Kentucky, Mississippi, New Mexico, and South Dakota.

The law itself is pretty standard, at least as much as anything with fifty-five versions can be called “standard.” It requires anyone with personal information about a Missouri resident to notify the resident of a breach of security, defines “personal data” as any of the usual suspects plus a name (although, as John Bambenek points out, a name isn’t actually needed to steal money from someone’s checking account with ACH), requires the notice to be made “without unreasonable delay,” and allows safe harbors for encryption and for cases where the data handler determines identity fraud is not likely. Notification can be written, by phone, or by certain electronic notice. The law allows substitute notice if personal notice would cost over $100,000, if more than 50,000 people are affected, or if there isn’t enough contact information to reach people directly. A data handler who has to notify more than one thousand people also has to alert the media, the attorney general’s office, and the credit reporting agencies. Enforcement is by the attorney general, with a civil penalty of $50,000 per breach for willful violations.

Senator Feinstein’s national data breach notification bill hasn’t emerged from committee since she introduced it in January. It’s now a bit of a race to see which happens first: a nationwide breach notification bill, or the remaining states passing their own versions.

Published on July 24, 2009 at 9:33 pm

Nevada Updates Encryption Law; Adds PCI Requirement

Last October, a Nevada law took effect that requires encryption of all personal information in transit. Perhaps in response to criticisms of that law, Nevada just updated the law—and added a PCI compliance requirement.

The new law repeals the previous encryption statute and adds a new one to Nevada Revised Statutes section 603A. The previous law was criticized for not clearly defining “encryption”; the new law tries to fix that by defining encryption as something adopted by NIST or any other “established standards setting body”:

(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using:
(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.

Although “adopted” is not necessarily the word I’d use to describe FIPS approval of encryption algorithms, the Nevada legislators should get credit for paying some attention to key management.

Unfortunately, Nevada did not do so well when it decided to add a PCI DSS requirement to the law. Unlike Minnesota, which requires compliance with a specific narrow provision of PCI DSS, Nevada simply mandated compliance with the whole standard:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

In computer programming lingo, that’s PCI by reference, and it’s a huge delegation of power by the Nevada legislature to the PCI Standards Council. The PCI Standards Council is not elected, nor is it appointed by elected officials. Giving the force of law to anything the PCI Standards Council says raises constitutionality questions. At least the law said “with respect to those transactions,” so the PCI Standards Council only has the power to enact laws related to payment processing. If the Standards Council decides that all payment processors must pay the Standards Council $1 billion per year, that would only have the force of Nevada law if the payments are related to transactions. Maybe.

The other problem with the new law is that it still applies to any “data collector doing business in” Nevada. It does not apply only to transactions through Nevada, or to transactions involving Nevada residents, but to anyone doing business in Nevada. Suppose my business is located in Missouri, but sets up a booth at a Las Vegas trade show every year. Is that “doing business” in Nevada? Are my Missouri-only transactions now subject to the Nevada law?

Nevada’s law lacks the penalties prescribed in Minnesota’s law. The Minnesota law allows card issuers to recover the cost of replacing cards due to a data breach; Nevada’s law includes no such provision. Instead, the penalties for not complying with PCI DSS are the same as for a data breach: the breached entity can sue the data thief, and the attorney general can get an injunction against anyone violating the statute.

Even without that penalty, however, the official codification as a statutory requirement could make PCI DSS the basis of a negligence per se claim. When it applies, negligence per se allows a plaintiff to skip the whole “reasonable person” evaluation of a standard of care in a negligence suit by pointing to a statute. For example, a pedestrian hit by a driver running a red light could point to the statutes requiring people to obey traffic signals as showing that the driver was negligent per se. The statutory PCI DSS requirement might do the same thing for that standard: allow plaintiffs to say that PCI DSS itself establishes the standard of data security due care. In practice, however, it may not matter, because plaintiffs have had too much trouble showing cause-in-fact and harm to ever reach the standard-of-care questions.

Even so, the PCI DSS requirement-by-reference is troubling, and a little sloppy. Legislating technology is hard: write something that’s too general, and it can become meaningless; write something that’s too specific, and you have to re-write the law every year. But that’s no excuse for giving up by pointing to a private standard and saying, “do that.”

Published on June 23, 2009 at 10:52 am

Court Rules that LifeLock Violates California’s Unfair Competition Laws

A federal district court in California has granted partial summary judgment in Experian Information Solutions, Inc. v. LifeLock, Inc., holding that LifeLock violates the state’s Unfair Competition Law.

LifeLock—infamous for its TV ads in which the founder puts his Social Security Number on the side of trucks—exploits an opportunity in fraud protection law. 15 U.S.C. § 1681c-1 allows “a consumer, or an individual acting on behalf of or as a personal representative of a consumer” to put a free ninety-day fraud alert on her credit file. This “initial” fraud alert requires the consumer to claim “a suspicion that [she] has been or is about to become a victim of fraud or related crime.” The law also allows for an “extended” alert, which lasts for seven years, but requires that the consumer have suffered actual fraud. What LifeLock does is place and renew initial fraud alerts every ninety days on behalf of customers, creating a sort of permanent initial fraud alert.

Experian doesn’t like that, partly because it has to expend resources processing all those repeating fraud alerts. So it sued LifeLock, claiming unfair competition, among a host of other complaints. The court agreed.

Its reasoning, in a nutshell, was this: the fraud alert statute only allows fraud alerts to be placed by the consumer or an individual acting on her behalf. According to the legislative history of § 1681c-1, the word “individual” was specifically chosen over “person” so that individuals such as family members, attorneys, and guardians could place fraud alerts, but not companies (which are legally considered to be “persons”). The court found that language to show a public policy against companies placing fraud alerts. Because the “unfair” business practices prohibited by California’s Unfair Competition Law include not only illegal practices, but also those contrary to public policy, the court found LifeLock’s placement of initial fraud alerts on behalf of individuals to be an unfair business practice, and thus illegal.

What’s interesting about this ruling—other than its implications for LifeLock—is that it reached its result without ever considering whether permanent initial fraud alerts themselves are contrary to the statute. It only says that organizations cannot place fraud alerts. But what about the practice of continually renewing an “initial” fraud alert so that it’s essentially permanent? The statute seems to contemplate specific remedies under specific situations: if you think you might be at risk of fraud, you get a ninety day alert that puts some restrictions on anyone who pulls your credit report. If you have been the victim of fraud, you get a seven-year alert with stricter restrictions. Arguably, if Congress had intended to allow for a permanent fraud alert, it would have provided for one. This ruling doesn’t address that issue.

This doesn’t seem to slam the door on all permanent initial fraud alerts. An individual consumer could always call all three credit reporting agencies every ninety days to place the fraud alert herself. She could also have an attorney, acting as her personal representative, do it for her. What this ruling says is that organizations can’t place fraud alerts: only individuals. It also effectively outlaws LifeLock’s business in California—or will, once the appeals are exhausted.

Published on May 30, 2009 at 11:22 pm

IT Consulting Firm Sued for Certifying CardSystems as CISP Compliant

There’s a new variety of post-breach lawsuit. We’ve seen consumers sue merchants, banks sue merchants, and banks sue banks. Now, a bank has sued an IT consulting firm for certifying CardSystems as CISP compliant. Professional malpractice suits are nothing new in medicine or law practice, but we have not yet seen many security consultants sued for malpractice. That may change as standards and certification become more important.

CardSystems was a payment processor that experienced a massive security breach in 2005. Intruders compromised tens of millions of credit card numbers, leading to millions of dollars in fraudulent charges. In the wake of the breach, banks canceled and re-issued thousands of credit cards. Mastercard and Visa terminated their contracts with CardSystems, and CardSystems eventually filed for bankruptcy. It was the first example of a data breach killing a major company.

Merrick Bank is an acquiring bank, which means that it contracts with merchants to handle their credit card sales. Merrick used CardSystems to process those payments. Because the card association operating agreements make acquiring banks reimburse losses created by card processors, Merrick paid about $16 million to the associations after the CardSystems breach.

But Merrick does not just blame CardSystems for the breach. It also blames Savvis, the IT consulting firm that certified CardSystems’s compliance with Visa’s Cardholder Information Security Program (CISP). In May 2008, Merrick sued Savvis for negligence and negligent misrepresentation in certifying CardSystems as CISP compliant. Last week, the federal district court in Missouri transferred the case to Arizona and joined it with some similar cases, which is why a year-old case is being reported as if it were new.

New or not, the lawsuit is another example of an unfortunate tendency to equate compliance with security. I blogged before about a PCI DSS trainer who said that no one who was PCI DSS compliant had ever been breached—implying, if not directly stating, that PCI DSS compliance creates perfect security. Unfortunately, that seems to be the official line: Robert Russo, Director of the Payment Card Industry Data Security Standards Council, said much the same thing in Congressional testimony in March (p. 8: “[No] entity that has been subject to a data breach . . . was also in full compliance with the PCI DSS at the time of the breach”). Calling something a magic cure-all is a sure sign of snake oil; the PCI Council would do well to stop selling PCI DSS as a magic elixir.

Security assessment malpractice suits could have a long-term effect on the way assessments are conducted. Version 1.1 of PCI DSS started allowing compensating controls that permit compliance even when some requirements are not met. An assessor that requires strict adherence to PCI DSS requirements, with no allowance for compensating controls, can always point to those requirements when faced with a negligence claim. But when an assessor certifies compliance using compensating controls, it exercises more independent judgment, creating room for a negligence claim. The result could be less use of compensating controls.

There could also be some positive effects. Compliance requirements without liability for assessors make it too tempting for both parties to rush through the process. Sloppy consultants will assess as quickly as possible then hop to the next paying assessment. Some clients, more interested in the certification than security, will shop for the lowest-priced certification they can find. Not all assessments are like that, but security certifications make them more likely. Malpractice liability gives the consultant something to think about other than how quickly he can get paid for calling someone secure. But even security consultants who do things right need to be careful about how they structure engagement contracts, because these lawsuits will probably become more common.

One lesson for security consultants, and especially PCI assessors, is to be careful with engagement contracts. Savvis is not being sued by a client, but by a customer of a client—someone with whom Savvis had no contractual relationship. A limitation of liability and disclaimer of warranty have no force against someone who is not a party to the contract. A consulting firm would therefore want an indemnification clause in its contract, which would require the client to protect the consultant against anyone else in a claim arising from the engagement. But indemnification clauses aren’t always possible, and the client probably wants the assessor to indemnify it.

Of course, the risks are lower if the negligence claims fail. Negligence cases against processors and merchants have not fared well overall; it would seem even harder to recover against an assessor who certified a breached organization. The assessor could always raise the “Russo defense” by blaming the breached organization for post-assessment changes. The basic negligence case is also harder: the plaintiff would have to show not only that the breached organization was negligent, but that the assessor knew or should have known that the breached organization was non-compliant at the time of the assessment, and that certifying the organization anyway rose to the level of negligence. Proximate cause is probably harder to show, because the causal chain is the breached organization’s chain plus whatever was wrong with the assessment. Apportionment of fault could also be an issue: how much fault lies with the assessor for certifying compliance, and how much lies with the company for being non-compliant? The answer would be fact-specific, but the issues suggest that a case against an assessor would not be an easy win.

Issues like these are probably why PCI DSS assessors must carry cyber-risk and privacy liability insurance (QSA Validation Requirements v.1.1a, p. 40). The more people think that certification is all there is to security, the more the firms who provide those certifications will have to deal with lawsuits like these.

Published on May 27, 2009 at 7:07 pm