DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

Transcription

1 Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security breaches are on the rise, and so too is litigation and enforcement action -- sometimes against the perpetrators (if they can be identified), but also against the companies whose data was compromised. Equally if not more important is the potential damage to a company s reputation and goodwill as a result of a consumer information security breach. Information security breaches can occur in a number of ways, such as through the physical loss of electronic hardware (such as a stolen laptop computer, a Blackberry inadvertently left in a taxicab or a misplaced USB flash drive), through invasive and illegal tactics (such as Internet hacking) or simply as a result of human error (for example, a customer service representative who unsuspectingly discloses consumer information). A company s employees, consultants, and vendors also may improperly access, use or disclose customer information, which can also constitute a security breach under some state and federal laws. The consequences of a data security breach can be severe. In January of this year, the TJX Companies (the parent company of several retail stores including T.J. Maxx and Marshalls) disclosed that computer hackers broke into its computer system and obtained the credit card numbers and other personal information of more than 45 million customers. In the ten months since TJX first disclosed the security breach, more than 30 private lawsuits have been filed, government agencies initiated investigations and the company expended considerable financial resources to investigate, contain, litigate and settle consumer complaints -- upwards of $1.6 billion according to the estimate of one security firm. 1 This incident, among others, demonstrates that data security breaches are an area of significant and steadily-increasing risk for companies.

2 In today s data-driven business world, implementing information security programs to prevent potential data breaches, and having a plan in place to rapidly respond to a potential data intrusion, are essential. This article presents certain high-level recommendations in this area, and should be a useful primer for corporate management and counsel. Nevertheless, in this constantly-changing area there is no substitute for careful examination of each company s unique facts and circumstances with the participation of management, information technology personnel and knowledgeable counsel. Recommendation 1: Understand Existing State and Federal Regulation and How it Impacts your Company As an initial matter, corporate management and counsel must analyze and understand the applicable law, both to assess how it impacts the company s day-to-day operations and to enable the company to respond in a rapid and informed manner in the event of a data security breach. Furthermore, given that the relevant legal landscape is evolving, this analysis should occur on a continuing basis. Over the past few years, Congress has proposed several pieces of federal legislation aimed at addressing this developing issue specifically and comprehensively, but no such federal law has yet been enacted. Until a more comprehensive federal statute is passed (and potentially preempts varying state laws), companies must survey and understand the obligations imposed by several potentially-applicable laws: Federal Legislation. Several industry-specific statutes impose information security standards and notification obligations on covered companies. For example, the Financial Modernization Act of 1999 (the Gramm-Leach-Bliley Act), which applies to financial services firms, the Telecommunications Act of 1996, which applies to telecommunications carriers, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which applies to companies operating in the health care industry, establish minimum information security protocols. Similarly, the Fair and Accurate Credit Transactions Act of 2003, which applies to any entity over which the Federal Trade Commission has jurisdiction, imposes standards for the disposal of consumer information and requires the implementation of reasonable measures to protect against unauthorized access to or use of consumer information in connection with the disposal of such information. Consequently, businesses operating in these regulated areas must evaluate existing business practices and the security of their information systems in light of federal standards, as well as understand their obligations in the event of a data breach. State Statutes. More than 35 states have passed some version of a consumer information security statute establishing standards for the maintenance of customer data and/or protocols for notifying consumers when a company believes an information breach has occurred. Complying with the particular requirements of dozens of state statutes, many of which directly conflict, can prove particularly challenging for companies that operate nationwide. For example, Hawaii s statute provides that notice of a security breach shall describe the incident in general terms and the type of personal information subject to unauthorized access (see Haw. Rev. Stat. 487N-2), while the Massachusetts statute expressly provides that the consumer notification shall not include the nature of the breach or the number of Massachusetts residents affected (see Mass. H. No to be codified at Mass. Gen. Laws ch. 93H, 1-8). International Standards. Businesses that operate internationally also may be subject to data security and notification regulations in countries other than the United States. For example, two directives currently governing data security in the European Union impose minimum information security thresholds that require, among other things, the implementation of technological and organizational measures to protect personal data against accidental or unlawful disclosure or access. Although those directives currently do not mandate notification of individual consumers in the event of a data breach, such notification systems have been proposed. In addition to potentially-applicable federal and international standards, the most significant challenge facing many companies is understanding and complying with the different information security and disclosure obligations imposed by varying state statutes.

3 Most state statutes are triggered upon the unauthorized disclosure of an individual s personal information, which is generally defined to be an individual s name in combination with other sensitive information such as a social security number, driver s license number or certain account numbers. Once the statute is triggered, a whole host of notification obligations are imposed, such as direct notification to the affected consumers, alerting state agencies or state police, informing credit reporting bureaus or a combination of all three. Significantly, the form and substance of the consumer notification varies from state to state, with some states permitting telephonic or notification (and others prohibiting it) and some states requiring a brief explanation of the security breach and the company s efforts to restore the integrity of the information system (and others expressly prohibiting such an explanation). The penalties imposed for failing to comply with state notification statutes vary, with some statutes vesting the state attorney general with the power to commence a civil action seeking legal and equitable relief, others creating a private cause of action whereby consumers can obtain a financial recovery for actual damages sustained, and one statute (Florida) that provides for an administrative fine of up to $500,000. In sum, it is necessary to identify and understand the myriad potentially-applicable state, federal and international regulations to evaluate your company s compliance with existing information security standards for data that you maintain, as well as the legal obligations that may be triggered in the event of an information security breach. Recommendation 2: Plan to Prevent a Data Security Breach Companies can significantly reduce the possibility of sustaining the substantial financial, goodwill and other damaging consequences associated with a data security breach by developing and implementing a comprehensive information security plan. An effective data security plan begins with a critical assessment of the information your business collects and maintains, the manner in which that information is stored (both in hard copy and electronically), the length of time the information is retained and the identification of the individuals who have access to the information. A comprehensive information security plan also includes the clear identification of individuals and departments who are accountable for information security, as well as employee training on the prevention, detection and response to attacks, intrusions and other data security breaches. Although the specific information technology needs of each business are unique, general recommendations for information security include installing a firewall to protect personal information (a computer program that prevents computer hackers from accessing your information systems), implementing a routine password cycling procedure and avoiding the use of default system passwords (i.e., setting the password to password ), installing and regularly-updating anti-virus and anti-spyware software and instituting a comprehensive mechanism to track all access to network resources (such as installing network management software). Companies that use paycard services (such as Visa and Mastercard) must also comply with strict policies for protecting consumer information that are incorporated into the PayCard Industry Data Security standard ( PCI DSS ). See PCI Security Standards Council, About the PCI Data Security Standard (PCI DSS), The PCI DSS establishes a set of comprehensive requirements for enhancing data security that paycard service users may be required to implement under the terms of their contract with individual paycard providers. Compliance with these industry standards (even if your business is not required to do so) can further ensure that individual personal information is protected and company liability reduced. It is also important for companies to recognize that not all information security breaches are external -- studies suggest that in many cases the breach may be the result of an employee s unauthorized access to sensitive information, misuse by a vendor or contractor or simply human error. For example, the State of Connecticut recently sued a consultant (Accenture) it hired to implement a new computer system following the inadvertent disclosure of several hundred state agency bank account numbers and purchasing cards. 2 Accenture has since released a statement indicating that the information breach was the result of human error and its employees failure to follow the

4 firm s established privacy and data protection policies. Accordingly, companies should (1) implement business need-to-know policies that limit the number of employees who have access to sensitive consumer information, (2) implement and enforce generally-applicable employment policies governing access to and use of information and (3) review vendor and consultant data security standards and limit (or eliminate) those service providers access to sensitive information when possible. Recommendation 3: Design a Plan for Responding to a Data Security Breach Before it Happens Each breach situation will present its own set of facts and challenges, but a company generally should be prepared to follow four basic principles when a data breach occurs. These four principles can be remembered as the Four I s : 1. Investigate. Promptly examine the nature of the breach and assess the number of customers potentially at risk, the type of account information at risk (e.g., account number, magnetic stripe data, cardholder name and address) and the time frame of the information compromised. Determine whether the information was encrypted and, if so, whether the encryption was compromised. Companies also should consider retaining an experienced forensic consultant to assist with investigating the breach. Partnering with a state-of-the-art expert may provide additional benefits in subsequent litigation and in terms of restoring customer confidence. 2. Implement Restorative Measures. As soon as possible, implement appropriate measures to contain the security breach and restore the integrity of the information system. Here again, an expert consultant may be particularly helpful. 3. Inform. Notify consumers, state agencies and consumer reporting bureaus as and when appropriate under applicable state, federal and international notification statutes. Most state statutes require notification in the most expedient time and manner possible and without unreasonable delay ; however, some states require notification within a specified number of days. 3 Additionally, contracts with business partners and bank card service providers, such as Visa and MasterCard, may impose affirmative notification obligations in certain circumstances. Independent of any external notification requirements, companies may well determine that it makes good business sense to promptly notify customers of a potential breach to prevent identity theft and maintain customer confidence. In any notification scenario, companies must be cognizant of the likelihood of significant publicity and press coverage and should consider the potential need for a public relations or crisis management strategy. 4. Identify -- and Incorporate -- Improvements. Evaluate the effectiveness of your company s existing information security systems and response plan, identify areas for improvement and, if necessary, implement new systems and policies. In sum, companies should discuss -- and be prepared to take -- substantial steps in anticipation of a data security breach. Advance preparation for a security breach that involves offices or individuals responsible for information security and coordinating the company s response to a potential breach (information technology, legal counsel, public and media relations and senior management) is essential to managing the risk associated with a company s sensitive consumer information. Conclusion Customer information is essential to the operation of most businesses today, and safeguarding that information has become increasingly challenging. Nevertheless, companies that develop comprehensive information security strategies -- and implement and routinely reevaluate them -- can significantly mitigate the risk of a data security breach (and the financial and goodwill costs associated therewith). If, despite those best efforts, a data breach still occurs, companies that understand the varying state, federal and international legal obligations will be best equipped to respond rapidly and in a manner that restores the integrity of the information system and customer confidence.

5 Ten Key Data Security Strategies While there is no substitute for developing and implementing an information security program specifically tailored to the unique needs of each business, the following ten strategies highlight several core data security strategies. 1. Survey And Understand All Potentially-Applicable Laws. Identify all potentially-applicable state, federal and international laws with the assistance of legal counsel to assess the ways in which those laws may affect your business, both in terms of its existing operational practices and in the event of a data breach. 2. Review And Revise Contracts With Clients, Vendors And Service Providers. Conduct a thorough review of the contractual obligations your company may with clients, vendors and service providers to ensure your compliance with those agreements and to identify potential notification obligations in the event of a data breach. This review also may identify agreements that require modification to ensure service providers appropriately safeguard consumer information your business collects and maintains. 3. Assess The Data Your Company Collects And Retains. Identify the types of customer information your business routinely collects, the manner in which it is stored and maintained, when and how (and if) it is customarily disposed, and assess whether the information is still needed (or should have been collected in the first place). 4. Collect And Retain Less Data. Collect only the information that is essential to your business, and implement a data retention policy that routinely -- and safely -- discards unnecessary consumer data. 5. Encrypt The Data You Keep. Use state-of-the-art encryption technology to protect sensitive consumer information and isolate the encryption key to prevent its disclosure. 6. Limit Employee And Third-Party Access to Sensitive Data. Implement a business need-to-know policy that restricts employee access to sensitive consumer information to reduce the likelihood of unauthorized disclosure and use of customer data. Include contract provisions that restrict the use of customer information and, when possible, limit (or altogether eliminate) the sharing of customer information with vendors and other third-parties. 7. Develop a Response Plan for a Potential Data Breach Before You Need It. Formulate a comprehensive action plan now and identify the individuals responsible for coordinating the company s response to ensure rapid implementation if a data security breach is detected or suspected. 8. Implement An Information Notification Policy. Many state consumer notification statutes provide that disclosure of a potential security breach in a manner consistent with a company s usual information notification policy generally satisfies the state notification requirements. See Del. Code tit. 6, 12B Routinely Test The Integrity of Your Information Systems. Routinely conduct training exercises (announced and unannounced) to identify vulnerabilities in your information security systems and evaluate your company s response to a suspected breach. 10. Periodically Reevaluate Based on Evolving Business Needs. Data security measures, the types of information collected and maintained, and response plans to a data security breach must be continually revised as your business changes. * James R. Carroll and David S. Clancy are litigation partners, and Christopher G. Clark is a litigation associate, at Skadden, Arps, Slate, Meagher & Flom LLP in Boston. The opinions expressed in this Article are those of the authors and not necessarily those of Skadden, Arps or its clients. 1 Data theft to cost TJX 1.6 billion, says vendor, TechWorld, June 11, 2007, 2 Attorney General, Comptroller Sue Accenture Over Loss, Misuse Of Confidential Taxpayer, State Bank Account Information, September 19, 2007,