DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL

Transcription

1 DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL State AGs have been very active in the leadership of data privacy protection initiatives across the country, and have dedicated considerable time and resources to the issue. Indeed, the National Association of Attorneys General has recently made the issue of consumers data privacy the core theme of their annual Presidential Initiative Summit twice ( Privacy in the Digital Age for the summit and Protecting Our Digital Lives: New Challenges for Attorneys General for ) and many states, including California, Connecticut, Indiana, and Massachusetts, have established task forces or specialized branches within their AGs offices, dedicated solely to data privacy investigation and enforcement efforts. The retail industry has been at the center of much of this thought leadership and regulatory consideration, as well publicized data breaches at companies such as Target and Home Depot have made front page news. The statistics may justify this heightened scrutiny on the retail industry s data privacy practices. In 2013, 26% of all data breaches reported to the California AG s office came from the retail sector. These breaches resulted in the exposure of 15.4 million records, accounting for 84% of the total records breached in the state of California. This was the second year in a row that the retail section was the largest contributor of data breaches. It is clear that consumers data privacy issues are directly in the crosshairs of AGs across the United States and this target will not be shifting in the foreseeable future. Therefore, companies that deal with such consumer data, particularly those in the retail industry, are well advised to keep apprised of the enforcement efforts and trends coming the state AG s offices. State AGs Enforce Data Privacy Legislation Unique to Each State Each state approaches data security regulations in its own way, requiring companies to be aware of the unique requirements of the various states from which their customers reside. Currently, every state, save for Alabama, New Mexico, and South Dakota, has a state data breach statute [NOTE THIS LINK GOES TO THE BAKER STATE BY STATE SURVEY] to be enforced by the state s AG. In addition to regulating the responses to data breaches, many states demand that affirmative security requirements be in place to protect personal information. The bulk of these affirmative security requirements demand that states utilize reasonable security procedures to safeguard the sensitive data. For example, California requires entities to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Cal Civ Code (b)(emphasis added). The California statute goes on to require that businesses disclosing personal information to a third party must contractually obligate that third party to implement and maintain reasonable security procedures and to properly dispose of records containing personal information when disposal is needed. Similarly, section of Texas s Business and Commerce Code states a business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business. Tex. Bus. & Com.

2 Code (emphasis added). Other states with similar provisions affirmatively mandating that security measures be implemented and maintained include Arkansas (Ark. Code Ann (a & b)), Colorado (Colo. Rev. Stat. Ann ), Connecticut (Conn. Gen Stat (a)), Maryland (MD. Commercial Law Code Ann ), Nevada (Nevada Rev. Stat. 603A.210), Oregon (Oregon Rev. Stat. 646A.622), Rhode Island (Rhode Island Stat.; (3)), and Utah (Utah Code Ann ). Typically, entities subject to these provisions rely upon industry best practice to determine what is considered reasonable. Massachusetts has gone further than mandating that reasonable measures be put in place and maintained, and instead demands specific practices of entities collecting and using its residents personal information. If an entity handles a Massachusetts resident s personal information, under 201 CMR 17.00, that entity must establish an information security program which must include: Secure user authentication protocols including: (a) control of user IDs and other identifiers; (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (d) restricting access to active users and active user accounts only; and (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system; Secure access control measures that: (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls; Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; Reasonable monitoring of systems, for unauthorized use of or access to personal information; Encryption of all personal information stored on laptops or other portable devices; For files containing personal information on a system that is connected to the Internet, there must be reasonably up to date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information; Reasonably up to date versions of system security agent software, which must include malware protection and reasonably up to date patches and virus definitions, or a version of such software that can still be supported with up to date patches and virus definitions, and is set to receive the most current security updates on a regular basis; and Education and training of employees on the proper use of the computer security system and the importance of personal information security. Violations of these regulations can result in penalties up to $5,000 for each violation affecting a Massachusetts resident, along with injunctive relief, attorneys fees and the reasonable costs of

3 investigation and litigation. Further, entities subject to this statute must further ensure that their third party service providers comply with these regulations. Massachusetts is not alone in enacting robust data security legislation to be enforced by its AG. Indeed, protecting the Californians privacy rights is noted as one of the California AG s top priorities. California was the first state to enact data breach legislation back in 2002, and is continuously on the forefront of data privacy legislative efforts. Key legislation that is subject to the AG s enforcement efforts include: The "Shine the Light" law (CA Civil Code ), which outlines procedures for companies to follow when a California resident requests to know what of their personal information has been shared with third parties, as well as specific language that companies doing business with California residents (regardless of the company s location) must include in their privacy policies. The Security Breach Notice requirements (Cal. Civ. Code , , and ), which requires businesses, state agencies, and local government agencies that experience a breach, or the reasonable expectation that there has been a breach, to issue notices containing specific information about the breach to those impacted individuals. AB 1710, which amended California s data breach laws to require that businesses that offer identity theft protection services, to provide those services at no charge and for at least 12 months. In addition to enforcing these privacy statutes, the California state AG s office regularly issues best practice guidance and other pieces of thought leadership, which in turn demonstrates the AG s enforcement priorities and concerns. Key areas of concern for the California AG include: Ensuring that operators of commercial web sites and online services that collect personally identifiable information create, maintain, and publish accurate privacy policies that comply with the requirements of the California Online Privacy Protection Act of Protecting children s information online through compliance with the Children s Online Privacy Protection Act. Policing privacy concerns arising with the increasing prevalence of mobile apps. State AGs across the country have been very active in the data privacy space. For example, the AGs of New York and Washington have recently pushed for updates to their respective states data privacy legislation, the AG of Illinois has called on Congress to enact a national data breach notification law, the Connecticut AG publicly sought meetings with leading companies to discuss privacy concerns about new products, and AGs across the country have regularly joined forces with each other to investigate breaches. Examples of Enforcement Efforts by State AGs Joint State AGs Enforcement Activity:

4 Zappos.com In January 2015, Zappos, an online clothing and shoe realtor settled a 2012 hacking breach with nine AGs representing Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio, and Pennsylvania. The no fault assurance of voluntary compliance resulted in a monetary payment from Zappos to the AGs and Zappos assurance of complying with a set of data security obligations ranging from providing reports of compliance with certain privacy regulations to having an independent audit conducted and establishing annual information security training to relevant employees. Home Depot, Inc. In September 2014, Home Depot announced that hackers had compromised the company s computer network, noting that they had no evidence that debit card PIN numbers had been compromised. The day after Home Depot s announcement, the AGs of California, Connecticut, and Illinois announced that they would be jointly leading an investigation, with regulators in Iowa and New York also participating. ebay, Inc. In February and March of 2014, online auction giant, ebay, experienced a large scale cyberattack that may have affected tens of millions of users, possibly over one hundred million users. In response, multiple state AGs have announced their interest in the breach and ebay s response, with the AGs of Connecticut, Florida, and Illinois stepping into the lead role for the investigation. Target Corporation After Target announced in December 2013 that hackers had gained access to at the personal information of at least 70 million customers, state AGs have taken the lead in conducting an investigation (though the FTC has announced that it has also initiated an investigation into the retail giant). Multiple states are actively engaged in this ongoing investigation, with the AGs of Connecticut, Illinois, and New York taking the lead. Neiman Marcus Group Ltd. LLC Following on the heels of the massive Target data breach, in January 2014, Neiman Marcus revealed that its systems had being hacked and consumer data had been exposed to intruders. State AGs immediately took notice of this breach, with the AGs of Connecticut and Illinois announcing that they would lead the investigations. LivingSocial Inc. In April of 2013, LivingSocial, a daily deals website, revealed that hackers had gained access to the personal information of its 50 million customers, which includes about 29 million American users. In May of that year, the Connecticut and Maryland AGs publicly initiated an investigation into the breach via a letter requesting Living Social to submit detailed information concerning the breach, the privacy systems in place, and the company s response to the breach. TJX Companies, Inc. In June 2009, TJX Companies, Inc. entered into a settlement agreement with 41 state AGs to resolve a massive security breach that lasted from 2005 to 2007 (this settlement is independent from the settlement the company reached with the FTC). Through this breach, it is believed that intruders gained access for hundreds of millions of debit and credit cards. The terms of the settlement require that TJX pay the states $9.75 million and implement an updated information security program. Individual State AG Enforcement Activity:

5 TD Bank The Massachusetts AG announced in December 2014 that a settlement was reached with TD Bank addressing a data breach whereby the bank lost back up tapes containing sensitive personal data for over 90,000 Massachusetts customers as well as the bank s failure to timely notify the AG s office and the impacted Massachusetts customers of the breach. The AG asserted that TD Bank initiated an internal investigation when it discovered the lost tapes, but failed to issue notices as required until about eight months after the discovery. The terms of the settlement include a payment of $825,000 by TD Bank, as well as assurances of future compliance with relevant Massachusetts laws regarding data security. Aaron s Inc. In October 2014, the California AG announced a $28.4 million settlement with the rent to own giant, to resolve the California AG s allegations that Aaron s Inc. violated the California rent to own law by engaging in improper billing practices and California data privacy law by permitting its franchised stores to install spyware onto computers rented to its customers which allowed the franchised stores to monitor the physical location of the computer, track keystrokes, and capture screenshots. Snapchat, Inc. In June 2014, the Maryland AG announced a settlement with mobile app company, Snapchat, for alleged deceptive trade practices and violations of COPPA. When announcing the settlement, the Maryland AG noted that "[c]ompanies that operate on the Internet or on mobile devices, especially those popular among youth, have a responsibility to protect their users' privacy and to be up front about what personal information they collect and the permanency of uploaded files." The settlement dictates that while Snapchat accepts no liability for any of the allegations of wrongdoing, it shall pay $100,000 to the state, in addition to undertaking various compliance efforts to ensure adherence to all relevant regulations. Kaiser Foundation Health Plan, Inc. In February 2014, Kaiser agreed to a stipulated final judgment following the California AG s filing a complaint the month before, charging the company violated the California code by failing to prevent a data breach and subsequently failing to timely notify the compromised individuals. The California AG charged that following the discovery at a thrift store of an unencrypted USB drive containing over 20,000 employee records, Kaiser spent the following 6 months conducting an internal investigation before it began to notify the affected individuals. The final judgment ordered Kaiser to pay a total of $150,000 and to update its data security practices including by providing notification of any future breach on a rolling basis (meaning that the company is ordered to provide notice as soon as is reasonably possible after identifying a portion of the total individuals affected by the breach, and then to continue to notify individuals as they are identified throughout and until the completion of the investigation). Shelburne Country Store In January 2014, Shelburne Country Store was notified of a data security breach to its website that had occurred in While the company promptly repaired the breach, it failed to notify the 721 individual customers who had used the website to process 770 credit card payments, until the Vermont AG notified the store of its obligation to provide notice. Following this violation, the Vermont AG fined Shelburne Country Store $3,000, and required the company to adopt new information security and legal compliance programs.

6 Natural Provisions, Inc. In September 2013, the Vermont AG announced a settlement with Natural Provisions, a health foods grocery chain, which included a penalty to the state and a requirement to upgrade the company s security systems following the chain s failure to comply with the Vermont breach response legislation. PulsePoint In July 2013, the New Jersey AG announced a $1 million settlement with PulsePoint, an online advertising company, after determining that the company had improperly placed cookie on consumers computers that would bypass the security settings of web browsers and allow third party advertisers to target ads based on the consumers online habits. The settlement further required PulsePoint to implement privacy controls and procedures, have an independent party conduct privacy audits over the course of 5 years, among other obligations. Schnuck Markets Inc. Following the March 2013 announcement of a data security breach caused by a cyberattack, the Missouri AG investigated the grocery chain for several months. Although the attack compromised 2.4 million payment cards used in 79 stores, the Missouri AG ultimately determined that Schnucks did not violate the Missouri data security laws, but was, in fact, a victim itself.