security

Stranger Danger

by Heather Mark

A great deal of time has been spent discussing and debating the various methods of preventing information security incidents. From intrusion detection solutions to proper firewall configurations, most in the payments industry are by now familiar with the data protection measures that have been mandated. Unfortunately for all, even using best-of-breed security and having top-notch security and privacy professionals may not prevent a breach. With the best will in the world, it is possible that a compromise could occur. In the event that a data breach does occur, it is best to be educated about the potential consequences involved and the proper actions to take to mitigate the harmful consequences to both the company and its customers.
For most, the first thought that comes to mind is reporting the breach to the card brands. Certainly the fines and penalties that the card brands can impose can be significant, especially if the breached entity was not in compliance at the time. It should be noted, though, that the card brands may not be the only organizations to take an active interest in the situation. Nor are they likely to be the most daunting authority with which the compromised entity will have to reckon. The Federal Trade Commission, state Attorneys General, and private citizens may all become involved in the aftermath of a data compromise.
Most frequently, the Federal Trade Commission is associated with enforcement actions taken in the wake of a data breach affecting consumers. The extent of the enforcement actions that can be taken by the FTC can make its involvement extremely onerous. These actions typically include:

Prohibitions on misrepresentation.

Companies that have suffered a privacy or security breach are prevented from misrepresenting the extent to which the data they collect is protected. For example, a company that offers a “100% Safe Shopping” guarantee and then suffers a breach is clearly in violation of its promise to consumers. The FTC will prohibit the company from making such promises. Irrespective of FTC enforcement actions, it is generally considered a bad practice to make such a guarantee.

Establishment of a program.

The FTC may require companies to develop, implement and enforce a program that includes employee awareness and training, a risk analysis conducted on an annual basis, safeguards that are commensurate to the identified risk, and a program to ensure that the information security and/or privacy processes are constantly evaluated and adjusted as needed. This program must also be evaluated by an independent third party on a regular basis.

Oversight.

The FTC has the ability to require companies to notify the commission of any changes to the program that may affect compliance with the FTC’s enforcement order. Additionally, the FTC will have the right to request documents pertaining to the representations that the company makes concerning the privacy and the security of the data that it collects. FTC oversight can extend to over twenty years depending upon the egregiousness of the breach.

Fines.

In some cases, especially in those involving data collected from children, the FTC will impose fines. Those fines may be limited to the money made from selling or renting lists, or they may be punitive in nature.
When determining the appropriate enforcement actions to take, the FTC often uses the Gramm-Leach-Bliley Safeguards and Privacy Rules as a yardstick. These rules are loosely based on the Federal Trade Commission Fair Information Practices, which can be found at www.ftc.gov/reports/privacy3/fairinfo.htm.
The more closely the compromised organization was following the requirements of those rules, the less burdensome the enforcement action is likely to be. It is suggested, then, that organizations keep the Safeguards and Privacy Rules in mind when designing or altering their information security and privacy programs, even if not necessarily obligated by law to follow them. (The Safeguards and Privacy Rules can be found at www.ftc.gov/privacy/index.html.)
Lest one believe that the FTC is the last of the authorities with which one would contend, it should be noted that there are now 34 states that have Data Breach Notification Laws. These laws vary from state to state as to what constitutes personal information, what triggers notification and what action must be taken in the wake of a data breach. For instance, California defines personally identifiable information as “Person’s first name or initial and last name combined with: SSN, driver’s license or state ID number, account, credit or debit card number, combined with any required info that allows access to account; or any other financial information.” Georgia’s definition includes any information, even absent the person’s name, that can be used for identity theft. Most often, notification is triggered if there is a significant likelihood of harm to the consumers affected by the breach. Many of the state notification laws also include some provision concerning encrypted data. It is also important to recognize that most state laws require expedient notification, but do allow that companies may need a “reasonable” amount of time to conduct an investigation.
If an organization does not comply with the various state breach notification laws, the consequences can be harrowing. While some states have defined penalties associated with breach of the notification laws, others have determined that non-compliance with the notification law constitutes a violation of the state’s unfair competition laws and imposes those penalties. These penalties range from $500 fines per violation (or per record compromised) to administrative and civil penalties.
Many states also allow consumers a private right of action, meaning a compromised entity may be subject to class action suits. Two class action suits brought this year as a direct result of data breaches claim that the breach and lack of notification put the plaintiffs at higher risk of identity theft. In each of these cases (Bell v. Acxiom, Key v. DSW), the court found that the plaintiffs did not actually suffer from identity theft and dismissed the cases. The dismissal is a positive sign to companies that it is difficult for plaintiffs to prove damages and thus be awarded relief, but the fact remains that defending against such lawsuits costs hundreds of thousands of dollars and certainly impacts the company’s reputation and brand.
Certainly readers at this point are asking just how all of their efforts to comply with the PCI-DSS affect their standing with the other regulations. Unfortunately, while compliance with the PCI-DSS does provide a solid baseline of industry-accepted security controls and puts organizations in the right frame of reference to think about other sensitive information to protect, there is not a direct correlation between the PCI-DSS and other standards such as the GLBA Safeguards Rule. To reiterate comments from previous articles, it is critical to understand that the PCI-DSS only applies to cardholder data, and residual risk may exist with regard to other sensitive data your company possesses. This data, if not protected adequately, can lead to serious consequences in the event of a data breach.
The lesson to be taken from this is not just more “fear, uncertainty and doubt.” It is to prepare readers to face what is likely to come in the event that an organization suffers a data breach. This rather dry recitation certainly does not embody the full experience. Rather, it is hoped that it will offer some additional food for thought as companies create or update their incident response plans. Organizations must be able to offer consumers and regulators specifics as to who, what, when and how. Having an effective, demonstrable security and privacy plan in place may mitigate some of the effects listed here. Additionally, it is imperative to quickly and effectively communicate to affected parties the extent of the breach and what actions are being taken in response to the breach to limit the current damage and to prevent such occurrences in the future. The importance of including a comprehensive communication strategy for each constituency (the consumers, the regulators, the media, etc.) cannot be overstated and may save your organization a great deal of trouble as it deals with the fallout.