The past year brought issues of data security and privacy closer to the legal and regulatory forefront than ever before. Spurred by recent high-profile data breaches, several states introduced legislation aimed at increasing merchants’ accountability, while other states took measures intended to prevent the occurrence of data breaches. Federal agencies also enhanced data security regulation of specific industries, including financial institutions, securities and health care. In the area of privacy, 2008 demonstrated a renewed focus on Internet usage as state and federal prosecutors brought charges against international identity thieves, and the Federal Trade Commission (“FTC”) and state lawmakers tackled online behavioral advertising. Legislation also armed consumers with additional tools to protect their own personal information and privacy.
* * *
The increasing prevalence and scope of data security breaches dramatically shaped state legislation, federal enforcement and private litigation during 2008.
1. Credit Card Data Breaches Generate Large Settlements, Indictments and Heightened Accountability for Merchants
Data breaches continued over the past 12 months, with over 200 reported breaches in 2008 alone at entities such as colleges and universities, hospitals, insurance companies, government agencies and financial institutions. Data breaches at TJX Companies and Hannaford Brothers were two of the most prominent data breach cases this year.
TJX Companies. In the aftermath of the largest data breach in U.S. history, TJX Companies (“TJX”) settled in late 2007 and early 2008 with issuing banks of Visa and MasterCard for $40.9 million and $24 million, respectively. In late 2006, TJX discovered that hackers had placed unauthorized computer software on the company’s computer system, stealing, by some estimates, as many as 94 million credit and debit card numbers. TJX also reached an agreement in April 2008 with the FTC to immediately upgrade and implement comprehensive data security procedures and to submit to outside audits.
The U.S. Department of Justice also launched an investigation into the TJX data breach, resulting in an August 5, 2008 indictment of 11 individuals from the United States, Ukraine, Estonia, Belarus and China. They are charged with offenses including computer fraud, wire fraud, aggravated identity theft and conspiracy. The Justice Department described its prosecution of the alleged perpetrators as “the single largest and most complex identity theft case ever charged in this country.”
Hannaford Brothers. On March 17, 2008, the Hannaford Brothers supermarket chain (“Hannaford”) announced that hackers stole 4.2 million credit and debit card numbers as customers swiped their cards at checkout lines and Hannaford transmitted the information to banks for approval. The thefts occurred despite Hannaford’s compliance with the Data Security Standards promulgated by the Payment Card Industry (“PCI”) – which do not require companies to encrypt data at the point of sale – raising doubts about the sufficiency of the PCI standards and merchants’ reliance upon them.
High-profile incidents such as the TJX and Hannaford breaches spurred states to enact or strengthen laws providing for merchant accountability in the event of a data breach.
Merchant Liability. Minnesota became the first state to impose liability on merchants for their data retention practices. At least five other states introduced similar legislation, including California (passed by legislature and vetoed by Governor Schwarzenegger), Illinois and Massachusetts. Effective August 1, 2008, Minnesota’s “Plastic Card Security Act” imposes strict liability on merchants for security breaches and requires them to reimburse financial institutions for the “costs of reasonable actions” associated with, among other things, the closure of accounts, reissuance of new cards, notification of cardholders and refunds to cover the costs of unauthorized transactions. The Minnesota law closely tracks the PCI Data Security Standards.
Breach Notification Laws. In 2008, five more states enacted breach notification laws, bringing the total number of states with such laws to 44. Breach notification laws require companies to notify consumers when their personal information has been compromised.
2. State Legislation Aims at Data Breach Prevention
In addition to increasing merchant accountability in the event of a data breach, states also enacted legislation intended to prevent the occurrence of such breaches.
The Massachusetts Office of Consumer Affairs and Business Regulation released new rules in September 2008 that will require any person or entity who owns, licenses, stores or maintains personal information about Massachusetts residents to (i) develop and implement a comprehensive written information security program and (ii) meet specific information security requirements. The rules, effective January 1, 2009, are more specific than any other state’s data security regulations, and compliance will likely require changes for most businesses and organizations. Among other requirements, those subject to the regulations must encrypt personal information during transmission across public networks and when stored on laptops or other portable devices.1
Regulations like those enacted in Massachusetts likely signal a trend, particularly with respect to data encryption. A new Nevada law, which became effective October 1, 2008, prohibits businesses from electronically transferring unencrypted personal customer information outside the business’s secure system. Although the Nevada law only requires data to be encrypted when it is being transmitted, other states such as Michigan and Washington have introduced bills that would require encryption of data during storage.2
3. FTC Consent Decree Outlines Information Security Minimums
The FTC stepped up its efforts to police the way companies secure personal data and the generic claims they make in their privacy policies. The FTC took issue with language on retailer Life is Good’s website which claimed that, “All information is kept in a secure file and used to tailor our communications to you.” The FTC charged that, contrary to that language, Life is Good “failed to provide reasonable and appropriate security for the sensitive consumer information stored on its network.” Consequently, according to the FTC, a hacker accessed the Life is Good network and stole credit card information from thousands of consumers. The FTC issued a consent decree requiring that Life is Good develop and maintain a security program that will identify internal and external risks to information security, establish safeguards and ensure retention of service providers capable of adequately protecting customer information they receive from Life is Good. The FTC’s consent decree may serve as a roadmap for how companies should develop and implement policies regarding the handling of sensitive consumer information.3 In this way, the FTC is seeking to build upon its previous enforcement actions against companies with substandard information security practices.4
4. Courts Dismiss Consumer Actions Alleging Only an Increased Risk of Identity Theft
Although data breach cases often result in hefty settlements between merchants and banks, consumer class actions continue to face legal barriers when plaintiffs allege only an increased risk of identity theft. Recent decisions such as those in Caudle v. Towers, Perrin, Forster & Crosby, Inc.,5 Kidman v. Wells Fargo & Co.,6 and Randolph v. ING Life Ins. & Annuity Co.7 highlight this point. In Randolph and Kidman, the plaintiffs alleged that lost or stolen personal information put them at greater risk of identity theft, and in both cases the courts dismissed the class claims for lack of the “injury in fact” required for standing. In the Caudle case, the court concluded that increased risk of identity theft, analogous to toxic exposures, constituted a sufficient injury for standing purposes. The court stopped short, however, of allowing plaintiffs to proceed with their negligence and breach of fiduciary duty claims, dismissing the claims because plaintiffs failed to show cognizable damages. The court denied the motion to dismiss plaintiffs’ breach of contract claims pending further discovery. Although these cases reflect continued reluctance by courts to provide plaintiffs with a legal remedy for increased risk of identity theft, they also demonstrate the creative ways in which plaintiffs are working to overcome those obstacles as litigation of this type increases.
* * *
The past year also reflected significant developments in the regulation of data security in specific industries.
5. Banks and Other Financial Institutions: New FACTA Rules Approved
Under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), final rules have been approved for the following8:
Affiliate Marketing. Effective October 1, 2008, entities affiliated with a bank or other type of financial institution are prohibited from using “eligibility information” (e.g., information that a financial institution or affiliate has obtained from a credit report or credit application, as well as information relating to transactions and experiences with the consumer) to make marketing solicitations to a consumer unless the consumer has: (i) been given notice; (ii) been provided with reasonable opportunity and a simple method to opt out; and (iii) not opted out within the time period specified in the notice.
Red Flags. By May 1, 2009, each financial institution and creditor that holds any consumer account, or other account with an associated risk of identity theft, is required to develop and implement a written program to prevent and minimize the risk of identity theft. Specifically, the program must enable the financial institution or creditor to identify, detect and respond to patterns and activities that are “red flags” indicative of identity theft.
Address Discrepancies. By November 1, 2008, credit and debit card issuers are required to develop policies and procedures to assess the validity of a request for address change that is followed within 30 days by a request for an additional or replacement card. Also, users of credit reports are required to develop policies and procedures to be applied when a consumer reporting agency sends them a notice of “substantial” address discrepancy.
6. Securities: SEC Proposes Revisions To Regulation S-P
On March 4, 2008, the Securities and Exchange Commission (“SEC”) announced proposed changes to Regulation S-P to address identity theft of securities industry customers. The proposed amendments require financial institutions governed by the SEC to adopt information security programs similar to the framework adopted by other financial institution regulators. Specifically, the proposed amendments will: (i) create more specific standards under the safeguards rule of Regulation S-P; (ii) broaden the type of information and persons covered by the SEC safeguards and disposal rules; and (iii) create record-keeping requirements for policies and procedures to comply with the proposed regulation, as well as for documentation of compliance.9
7. Health Care: Heightened Protection of Medical Information Under HIPAA and State Law
Over the past year, the Department of Health and Human Services (“HHS”) has increased its efforts to enforce the security rules of the Health Insurance Portability and Accountability Act (“HIPAA”). The HIPAA security rules include periodic risk assessments and ongoing employee training. In March 2007, an Atlanta hospital became the first institution audited for compliance with these rules. In January 2008, HHS announced plans to conduct audits on an additional 10 to 20 hospitals by September 2008. As a result of one audit, HHS entered into its first Resolution Agreement and corrective action plan (“CAP”) with Providence Health & Services to settle what HHS described as “potential violations” of HIPAA’s security rules including the loss or theft of unencrypted medical records of more than 386,000 patients. HHS imposed a $100,000 fine and required Providence Health & Services to make a number of changes regarding its information security. The CAP imposed on Providence Health & Services is notable not only because it is the first of its kind but also because it is very stringent in terms of the obligations it imposed.10
As another example of the increased attention to the protection of medical information, California took several measures in 2008 to protect patient data. The Governor recently signed two bills, which amend the state’s Confidentiality of Medical Information Act, requiring health care providers to safeguard confidential patient data and giving the state authority to levy fines of up to $250,000 on facilities and individuals for information breaches. California also revised its existing breach notification statute by broadening the term “personal information” to encompass both “medical information” and “health insurance information.”11
* * *
Internet use and misuse by consumers also posed challenges to state and federal regulators and enforcement agencies.
8. Spyware: Ongoing Attention Despite Major Setback in Direct Revenue Case
In recent years, client side software displaying advertisements and characterized by some critics as “spyware” has become the subject of intense litigation by federal regulators and state attorneys general.
New York v. Direct Revenue. The founders of Direct Revenue (represented by Goodwin Procter) won a complete victory over the New York State Attorney General’s Office in the leading Internet “spyware” case in the country. The Attorney General accused Direct Revenue of a “vast, elusive pattern of spyware installations,” alleging that they had “surreptitiously installed millions of pop-up ad programs on consumers’ computers.” Direct Revenue faced billions of dollars of potential exposure, as the suit sought $500 in penalties for each alleged installation, as well as disgorgement. Direct Revenue moved to dismiss the case on a variety of grounds, including the enforceability of Internet contracts and the scope of authority of the New York State Attorney General in Internet cases. The court agreed and dismissed the case completely.12 The Attorney General’s Office has filed a notice of appeal.
Washington v. McCreary. On September 29, 2008, the Washington Attorney General’s Office charged Texas-based computer software marketer, Branch Software (d/b/a Registry Cleaner XP and Alpha Red, Inc.) and its sole director, James Reed McCreary, with violations of the state’s Computer Spyware Act and consumer protection law. The complaint alleges that Branch Software induced computer owners to purchase and install its software by using “incessant pop-ups” in the form of advertisements resembling a computer’s internal operating system error alerts. The Washington Computer Spyware Act provides for penalties of $2,000 per violation.
9. Online Behavioral Advertising: FTC, Trade Groups and States Disagree on Appropriate Level of Regulation
In December 2007, the FTC released a set of proposed principles to guide the development of self-regulation for online behavioral advertising, also known as targeted advertising. These principles recommend notification to website visitors of data collection for targeted advertising purposes and enhanced data security. The FTC also proposed that companies obtain express consent from affected consumers before collecting sensitive data or using data for a purpose other than how the company originally promised to use it. In testimony on behavioral advertising on July 9, 2008 before the U.S. Senate Committee on Commerce, the FTC expressed optimism that privacy concerns can be addressed by industry self-regulation combined with close monitoring by the FTC. Trade groups, however, voiced concern that the FTC’s proposed guidelines are too broad.
In contrast with the FTC’s pitch for self-regulation of online behavioral advertising, Connecticut and New York are considering bills that would limit the collection and use of personal data for targeted advertising purposes and would require advertisers to allow Internet users to opt out of such systems. Likewise, Congress has shown an increased interest in online behavioral advertising and may step into this area.
10. Children: Texas Brings COPPA Enforcement Actions, Following FTC’s Lead
The FTC has played an active role enforcing the Children’s Online Privacy Protection Act (“COPPA”) since its enactment in 1998, demonstrated by the increasing fines and penalties it has imposed on websites. Pursuant to COPPA, operators of websites directed to children under the age of 13 or website operators that knowingly collect personal information from children under 13 on the Internet must provide parents with notice of their information practices. Subject to certain very limited exceptions, such operators must also obtain prior, verifiable parental consent for the collection, use and/or disclosure of personal information from children.
On December 5, 2007, Texas became the first state to bring enforcement actions under COPPA pursuant to a previously unused provision of COPPA that empowers state attorneys general to bring enforcement actions on behalf of the residents of their states. The Texas lawsuits, brought against three out-of-state websites and which settled, highlight the growing risk of enforcement for any company with an online presence, not only from the FTC but from the states as well.13
11. User Access: Misuse of MySpace for Cyberbullying Results in Indictment for Unauthorized Access to Information
* * *
12. Consumers: More Tools to Defend Against Misuse of Personal Information
2008 legislation gave consumers additional “self-help” mechanisms to protect their personal information.
Extension of Do-Not-Call Registry. On February 15, 2008, President Bush signed a bill designed to extend the national do-not-call registry that restricts telemarketers’ calls to consumers. Under the original 2003 law, registered phone numbers were to be automatically removed from the list after five years unless a consumer re-registered a number. The new “Do-Not-Call Improvement Act of 2007” prohibits the automatic removal of a number from the registry. In response to the new law, the Federal Communications Commission amended its rules on June 17, 2008 to require telemarketers to honor registrations indefinitely.
Credit Freeze Laws. In 2008, 12 additional states’ credit freeze laws became effective, and Alaska’s credit freeze law goes into effect on January 1, 2009, bringing the total number of states enacting laws to 48. Only Michigan and Alabama have not yet enacted some form of credit freeze law, although legislation is pending in both states. A credit freeze typically gives consumers the right to prevent credit reporting agencies (“CRAs”) from releasing their credit reports. Although the three nationwide CRAs already offer a commercially developed credit freeze program available to consumers nationwide, state credit freeze laws set forth operational requirements for how to place, temporarily lift or permanently remove a freeze, and establish associated fees.
As this review demonstrates, there has been a variety of recent legislative, regulatory and enforcement activity affecting the legal landscape for privacy and data security. As this area of law rapidly evolves, Goodwin Procter will continue to monitor these activities to help its clients stay up-to-date on key developments.