While cyber security is not a ‘top-of-mind’ concern for American consumers, the sheer magnitude of this incident and how the company responded will not soon leave regulators’ memories.
Illinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2015 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute. In her press release, she states:
Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.
Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.
One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions. The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly. The report outlines three principles the updated legislation should address:
1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.
2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.
3. Notification – the legislation should expand the definition of personal information (medical, health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and login credentials); require entities to notify the AG’s office and create a database of breaches affecting Illinois; enable small businesses to notify local media rather than statewide media when breaches occur.
News reports suggest the legislation will go to the Illinois General Assembly shortly.
In advance of the State of the Union, President Obama appeared at the Federal Trade Commission today to preview a couple of administration proposals, which will be addressed in the upcoming speech to the nation. The President addressed a potential federal breach notification statute:
…we’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused. Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply with this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.
So, the proposal is to standardize breach notification to 30 days (Personal Data Notification & Protection Act; Florida is 30 days; some states say as soon as practicable).
Some express the concern (which is typically voiced by state Attorneys General) that a federal statute would dilute the effectiveness of the consumer protections in place. http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/12/privacy-advocates-a-national-data-breach-notification-standard-might-actually-make-things-worse/
The political pundits comment that it is not clear whether such legislation would make it through Congress. On one side, parts of industry resist taking on a new federal statute after having already absorbed the various state rules; on the other, consumer groups worry that a federal law would preempt stronger state protections. See comments at:
Another new proposal is the Student Digital Privacy Act. This legislation would require that data gathered about students through educational programs can be used only in an educational context, not sold to third parties (similar to the recent California law).
The Administration is also going to revive its 2012 Consumer Privacy Bill of Rights, which lays out principles for online data collection (revised proposal to come out in 45 days).
The President also took up the challenge of “precision medicine:”
I want the country that eliminated polio and mapped the human genome to lead a new era of medicine — one that delivers the right treatment at the right time. In some patients with cystic fibrosis, this approach has reversed a disease once thought unstoppable. Tonight, I’m launching a new Precision Medicine Initiative to bring us closer to curing diseases like cancer and diabetes — and to give all of us access to the personalized information we need to keep ourselves and our families healthier.
This is part of the movement toward tailored therapies and treatments for diseases and chronic conditions. The example referenced in administration materials was that of a cystic fibrosis patient, given the medicine Kalydeco (developed by a company called Vertex). Reportedly this is the first drug designed to counter the genetic cause of the life-threatening chronic lung disease. The medicine targets the underlying cause of the disease for a small subset of patients.
Providing such targeted treatments likewise requires collection of more personalized medical information from patients. The costs of collecting data and personalizing treatment are noted in reaction to such initiatives, but its promoters also hope that “[m]ore research will allow clinicians to make more-precise diagnoses, which in turn drive better treatments.” http://www.modernhealthcare.com/
See also, The Patient-And Her Data-Will See You Now,
“Personalized medicine has the potential to transform our health care system, which consumes almost $3 trillion a year, 80 percent of it for preventable diseases,” Dr. Snyderman said.
Although the new tests and treatments are often expensive, he added, personalized medicine can save money while producing better results. “It focuses therapy on individuals in whom it will work,” he said. “You can avoid wasting money on people who won’t respond or will have an adverse reaction.”
-Effective July 1, 2014-
On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014. The legislation beefs up the definition of what will trigger a notification response. The definition of personal information is now defined as an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of these data elements:
-DL number or ID number, passport number, military ID number or other similar number issued on a government document
-Financial account number or credit/debit card number in combination with security/access code or password
-Any information regarding a person’s medical history, mental/physical condition or treatment/diagnosis
-Health insurance policy number or subscriber number
-User name or email address, in combination with a password or security question (that would permit access)
The law requires notification following a breach “without unreasonable delay,” and no later than 30 days following the determination of a breach (with certain exceptions). If notification is required for more than 1,000 persons at a single time, notice must also be given to consumer reporting agencies. The act now uses the term “covered entity” to describe the organizations impacted; a covered entity includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores, or uses personal information. (For certain purposes, this includes governmental entities.) The act addresses customer records and data in electronic format. Notice is to be provided to the Department of Legal Affairs of any breach affecting 500 or more individuals, no later than 30 days after the determination of a breach (or reason to believe there was a breach).
In addition to describing the incident and who was affected, the reporting entity must include a police or incident report or computer forensics report, a copy of policies in place regarding breaches, and steps taken to rectify the breach.
The law provides quite a few more rigorous requirements involving security and how entities are to provide a breach response. The Attorney General “thanked” the Governor for enacting the law quoting other legislators who commented that the act “will better protect the confidential personal information of Floridians and hold accountable those who attempt to compromise the security of that information.” The AG notes that the law also requires covered entities “to take reasonable measures to protect Floridians’ personal information and [to] properly dispose of customer records.”
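To make the Florida definition concrete for incident triage, the following is an added example (not part of the original post and not the statute text) that encodes the post’s own summary of the act: a record is “personal information” only when a name combination is present together with at least one of the listed data elements, notice to the Department of Legal Affairs applies at 500 or more affected individuals, notice to consumer reporting agencies applies above 1,000, and the deadline is 30 days from the determination date. The field tags (`first_name`, `credit_card`, `security_code`, and so on), the `assess` function and the sample incidents are constructed for illustration; real record layouts and any exceptions the act provides are not modelled here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, Optional, Tuple

# Field tags are constructed for this example: they label what a breached
# record contained. They are not column names from any real system.
NAME_COMBINATIONS = (
    frozenset({"first_name", "last_name"}),
    frozenset({"first_initial", "last_name"}),
    frozenset({"middle_name", "last_name"}),
)
GOVERNMENT_ID = frozenset({"drivers_license", "state_id", "passport",
                           "military_id", "other_government_id"})
FINANCIAL_NUMBER = frozenset({"financial_account", "credit_card", "debit_card"})
FINANCIAL_SECRET = frozenset({"security_code", "access_code", "password"})
MEDICAL = frozenset({"medical_history", "mental_condition", "physical_condition",
                     "treatment", "diagnosis"})
HEALTH_INSURANCE = frozenset({"health_insurance_policy", "health_insurance_subscriber"})
ACCOUNT_ID = frozenset({"username", "email"})
ACCOUNT_SECRET = frozenset({"password", "security_question"})

# Thresholds and deadline as the post summarises the 2014 Florida act.
LEGAL_AFFAIRS_THRESHOLD = 500      # Department of Legal Affairs: 500 or more
REPORTING_AGENCY_THRESHOLD = 1000  # consumer reporting agencies: more than 1,000
NOTIFICATION_WINDOW = timedelta(days=30)


def has_name(fields: FrozenSet[str]) -> bool:
    """First name or first initial plus last name, or middle name plus last name."""
    return any(combo <= fields for combo in NAME_COMBINATIONS)


def triggering_elements(fields: FrozenSet[str]) -> Tuple[str, ...]:
    """Data-element categories present that, paired with a name, trigger the definition."""
    found = []
    if fields & GOVERNMENT_ID:
        found.append("government_id")
    # A bare card number is not enough: it must come with a code or password.
    if fields & FINANCIAL_NUMBER and fields & FINANCIAL_SECRET:
        found.append("financial_account")
    if fields & MEDICAL:
        found.append("medical")
    if fields & HEALTH_INSURANCE:
        found.append("health_insurance")
    # Likewise a username or email alone is not enough without a secret.
    if fields & ACCOUNT_ID and fields & ACCOUNT_SECRET:
        found.append("online_credentials")
    return tuple(found)


def is_personal_information(fields: Iterable[str]) -> bool:
    fs = frozenset(fields)
    return has_name(fs) and bool(triggering_elements(fs))


@dataclass(frozen=True)
class Obligations:
    notify_individuals: bool
    notify_legal_affairs: bool
    notify_reporting_agencies: bool
    deadline: Optional[str]        # ISO date, 30 days after determination
    elements: Tuple[str, ...]


def assess(fields: Iterable[str], affected: int, determined_on: str) -> Obligations:
    """Map a breached record layout, head count and determination date (ISO string)
    to the notification obligations the post describes. Hypothetical helper."""
    fs = frozenset(fields)
    elements = triggering_elements(fs) if has_name(fs) else ()
    if not elements:
        return Obligations(False, False, False, None, ())
    deadline = (date.fromisoformat(determined_on) + NOTIFICATION_WINDOW).isoformat()
    return Obligations(
        notify_individuals=True,
        notify_legal_affairs=affected >= LEGAL_AFFAIRS_THRESHOLD,
        notify_reporting_agencies=affected > REPORTING_AGENCY_THRESHOLD,
        deadline=deadline,
        elements=elements,
    )


# Constructed incidents for illustration only.
SAMPLE_INCIDENTS = [
    ("card numbers and expiry only", {"credit_card", "expiration_date"}, 3_000_000),
    ("names with card numbers and CVV", {"first_name", "last_name", "credit_card", "security_code"}, 1_200),
    ("patient export", {"first_initial", "last_name", "diagnosis", "health_insurance_policy"}, 650),
    ("email and password, no names", {"email", "password"}, 90_000),
]

if __name__ == "__main__":
    for label, fields, affected in SAMPLE_INCIDENTS:
        print(label, "->", assess(fields, affected, "2014-07-15"))
```

The first sample shows the point worth remembering from the definition: a very large set of card numbers with expiry dates, but no names and no security codes, does not meet this definition at all, while a far smaller set that pairs names with card numbers and codes triggers every notice the post lists.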
See text at:
See also commentary about why this law could be model for a comprehensive federal law (reasonable data protection; secure disposal; unauthorized access triggers notification; scale of notification requirements; PII includes medical history, insurance ID; 30-day notification deadline; documentation of investigation; schedule for penalties).
HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations. Following submission of a joint breach report by New York and Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office of Civil Rights (“OCR”) investigated the disclosure of ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections, and neither entity had conducted a thorough risk analysis or had an adequate risk management plan.
NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.
HHS press release: http://www.hhs.gov/news/press/2014pres/05/20140507b.html
The Ponemon Institute and IBM have released their 2014 Cost of Data Breach Study for the U.S. The notable results include:
- Per record cost has increased from $188/record in 2013 to $201/record as of 2014
- The indirect cost per record was $134/record; direct cost at $67/record (indirect=internal overhead; loss of brand value/reputation; customer “churn”)
- 44% of those surveyed blamed breach on malicious or criminal attacks as compared to 31% blaming some human factor
- Public sector and retail companies are more likely to have a breach (healthcare sector came in 8th place, financial sector in 10th place)
- Healthcare industry had highest costs per capita ($316/record – authors cite regulation as factor)
- Notification costs decreased
- Companies are far more likely to have a small data breach than a mega breach
The authors also provide details regarding the factors that they found are influencing the costs – consultants engaged; mobile devices at issue; quick notification and the like.
For a copy of the report, go to:
Identity Theft/Fraud Trigger
Kentucky’s bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):
- DL numbers
- Account number, credit or debit number, in combination with any required security code, access code or password permit[ting] access to an individual’s financial account.
The statute specifies that any “information holder” shall disclose any breach of the security system, following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.” The notification provisions shall not apply to any person subject to the provisions of Gramm-Leach-Bliley, HIPAA or any state or local governmental agency.
In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).
The state auditor had promoted enacting such legislation and released a report stating:
“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”
Just in time for the 140th “Run for the Roses”
My Old Kentucky Home by Stephen Foster
The sun shines bright in My Old Kentucky Home,
‘Tis summer, the people are gay;
The corn-top’s ripe and the meadow’s in the bloom
While the birds make music all the day.
The young folks roll on the little cabin floor,
All merry, all happy and bright;
By ‘n’ by hard times comes a knocking at the door,
Then My Old Kentucky Home, good night!
Weep no more my lady
Oh weep no more today;
We will sing one song
For My Old Kentucky Home
For My Old Kentucky Home, far away
“The Kentucky Derby is a Grade I stakes race for three year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”
And, for some Data and The Derby – see:
Michaels Stores, Inc. is now reporting that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue. Reportedly, the security firms Michaels hired to investigate the “break-ins” found nothing at first, but the ultimate analysis confirmed the attacks “using highly sophisticated malware that had not been encountered previously by either of the security firms.” In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brother.” Following the disclosures regarding Target and Neiman Marcus, in January of this year, Michaels Stores had previously reported that it was investigating a potential security breach involving customers’ credit card information.
The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data when customers swiped the cards at the cash register. According to the information released by Michaels, it appears that the affected systems contained certain payment card information, card number and expiration date, but that there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.
See information regarding nature/scope of breach:
Using Anonymous Patient Data
The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute. This was part of the move to get better information, data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act. The anonymized or de-identified data is supposed to help clinicians draw some meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry. The PCORI network is supposed to identify patients who could be invited to join clinical trials. The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations. Of importance to the privacy watchdogs is that the participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.
Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html
The FTC Can Seek to Enjoin
In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers. In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents. The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.” The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.” Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices. Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court. The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.” Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco). Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.
There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches. The injunction route can be fraught with technical issues and questions about how best to tailor oversight of an entity’s practices and promises. However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions. More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.
See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14
Target’s CEO is being replaced, after a 35-year career with the company. News like that should get the attention of corporate boards looking at their overall risk profile and how meaningful a data breach is to the bottom line. Last week, Target announced a new Chief Information Officer and additional security enhancements, including the move with MasterCard to incorporate chip-and-PIN technology in its own branded credit card.
UPDATE: Bloomberg BusinessWeek is reporting:
“In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.” http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#r=hpt-tout
“For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”
See post below with description of the Target breach and the aftermath.
Now, it is being reported in the press that employees were aware that an analyst at the retailer wanted to do a more thorough security review of its payment systems’ vulnerability to malware, but the request was brushed off. This was in response to governmental/industry warnings in 2013 about the emergence of new types of malicious computer code targeting payment terminals.
Trade group emerges:
On February 13, 2014, a new trade group headed by former governor Tim Pawlenty was announced. The group is bringing together retail and financial services sectors. The group’s goals include “improving card security technology and promoting the exchange of information in order to help companies ward off cyber attacks.” The partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable. The American Bankers Association, the Consumer Bankers Association, Independent Community Bankers of America, The Clearing House and a number of merchant groups including the National Retail Federation are also participating.