California AG Issues Report on Data Breaches Covering 2012


In a report issued July 1, 2013, the California Attorney General, Kamala Harris, notes that more than 2.5 million Californians were “put at risk” by data breaches in 2012.  The Data Breach Report 2012 (“the Report” or “the Data Breach Report”) cites key findings: 131 data breaches reported to the AG in 2012; the average breach incident involved 22,500 individuals; more than 28% of the breaches would not have required notification if the data had been encrypted; the retail industry reported the most data breaches; and, more than half of the breaches were the result of intentional intrusions by outsiders or unauthorized insiders.  See link to AG website:  http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-releases-report-data-breaches-25-million.

Notably, Attorney General Harris provides some recommendations:

  • Companies should encrypt digital personal information
  • Companies and agencies should review and tighten security controls
  • Companies and agencies should improve readability of breach notices
  • Companies and agencies should offer mitigation products
  • And, in a message to the Legislature – amend the breach notification law to require notification of breaches of online credentials, such as user name and password

This last recommendation would appear to significantly alter the notification landscape as there are numerous breaches that do not fall within the reporting/notifying criteria given the nature of the information impacted.  States with notification statutes have used a variety of ways to define personal information (e.g., SSNs, bank information, routing numbers, taxpayer IDs) and typically the definition is based on the assumption that access to such information leaves a resident of that state more susceptible to some type of credit or financial fraud.  The Data Breach Report notes that, in recent years, intrusions online have targeted passwords and other account credentials, which then allows criminals access to the account information (specifically referencing news reports on Sony, Yahoo!, the New York Times and Twitter).  The Report highlights the social engineering aspect of data security: most consumers do not use unique passwords for all of their accounts.  A takeover of one account may result in access to all, “including banking and other supposedly secure accounts.”

The Report specifies that the incidents reported on were submitted to the AG in 2012, while some occurred earlier and some breaches that occurred in 2012 were reported in 2013.  Also, the Report does not cover the universe of data breaches, given that the notification law requires reporting to the AG only on breaches of electronic data affecting more than 500 individuals.

Another recommendation to the Legislature is a law to require the use of encryption to protect personal information on portable devices and media and in email.  Other than the statutory suggestions, the Report serves as a guidepost for businesses, given the admonishments regarding improvement for security, clarity/accessibility in the actual notification texts and encouraging the notifying entities to offer credit security freezes.  With respect to the last point, the Report underscores another serious type of ID theft: new account fraud.


U.S. Supreme Court Again Affirms Application of Arbitration Agreements


The Court has held that the FAA (Federal Arbitration Act) does not permit courts to invalidate a contractual waiver of class arbitration on the ground that the plaintiff’s costs of individually arbitrating a federal statutory claim exceed the potential recovery.  In a 5-3 decision (Justice Sotomayor recused herself)[1], the Court found that:

“[T]he fact that it is not worth the expense involved in proving a statutory remedy does not constitute the elimination of the right to pursue that remedy.”  The Court also noted that its earlier ruling in the AT&T Mobility v. Concepcion matter “all but resolves this case,” because that ruling held that the Federal Arbitration Act trumps a state law requiring classwide arbitration proceedings.  See summary at:  http://lawyersusaonline.com/blog/2013/06/20/justices-high-cost-no-bar-to-class-arbitration-waiver/?utm_source=WhatCounts+Publicaster+Edition&utm_medium=email&utm_campaign=Justices%3a+High+cost+no+bar+to+class+arbitration+waiver+&utm_content=+Justices%3a+High+cost+no+bar+to+class+arbitration+waiver+

The Supreme Court issued its ruling on Thursday, June 20, 2013 in the matter of American Express Co. v. Italian Colors Restaurant.  See:

http://www.supremecourt.gov/opinions/12pdf/12-133_19m1.pdf

The respondents in the case were merchants who accept American Express cards.  Respondents had alleged that American Express used its monopoly power in the market for charge cards to force merchants to accept credit cards at rates approximately 30% higher than the fees for competing credit cards.  This tying arrangement allegedly violated the Sherman Act and the merchants sought treble damages for a class under the Clayton Act.  In response to this action, American Express moved to compel individual arbitration under the Federal Arbitration Act.

Respondents claimed in opposition to the motion to compel that in order to prove the antitrust claims, the costs would be “at least several hundred thousand dollars, and might exceed $1 million,” while the maximum recovery for an individual plaintiff would be $12,850, or $38,549 when trebled.

Writing for the majority, Justice Scalia stated that the text of the Act “reflects the overarching principle that arbitration is a matter of contract.”  See, American Express v. Italian Colors Restaurant, 570 U.S. ___ (2013) (slip op., at 3); citing Rent-A-Center, West, Inc. v. Jackson, 561 U.S. ___ (2010) (slip op., at 3).  Courts must “rigorously enforce” arbitration agreements, Justice Scalia asserted.  In addressing whether requiring plaintiffs to litigate their claims individually would contravene the policies of the antitrust laws, the Court advised that the antitrust laws do not guarantee an affordable procedural path to the vindication of every claim.  See, American Express, slip op. at 4.  The Sherman and Clayton Acts make no mention of class actions; and the Acts were enacted before Federal Rule of Civil Procedure 23, the procedural rule allowing cases to proceed on a class basis.  In contrasting this ruling with language from an earlier Supreme Court decision (which was dicta, Justice Scalia noted), the Court reiterated that “so long as the prospective litigant effectively may vindicate its statutory cause of action in an arbitral forum, the statute will continue to serve both its remedial and deterrent function.”  See, American Express, slip op. at 6, referring to Mitsubishi Motors v. Soler Chrysler-Plymouth, 473 U.S. 614, 637 (1985).

The dissent (written by Justice Ginsburg and joined by Justices Breyer and Kagan) expressed concern that the approach would allow all kinds of de facto prohibitions into arbitration agreements to prevent parties from effectively vindicating their rights.

As noted in SCOTUSBlog, “class proceedings are an exception to the rule, not an entitlement.”  http://www.scotusblog.com/2013/06/opinion-analysis-a-class-action-waiver-in-an-arbitration-agreement-will-be-strictly-enforced-under-the-federal-arbitration-act/#more-165505

The Court included a discussion of the “effective vindication exception,” but noted that the exception applies more appropriately to attempts to prohibit the assertion of statutory rights altogether.  In his concurrence, Justice Thomas notes, “[b]ecause Italian Colors has not furnished ‘grounds…for the revocation of any contract,’… the arbitration agreement must be enforced.”


[1] Justice Sotomayor sat on the Second Circuit panel that originally decided the case.


Apple, Facebook, Twitter: Mobile App Development Leads to Hacking?


Watering Holes and Spear Phishing

From AllThingsD:

http://allthingsd.com/20130219/this-is-the-site-likely-responsible-for-the-recent-major-tech-company-hacks/

The intrusion is described as “[a] ‘watering hole’ attack, in that it’s launched from a centralized, popular location that many people visit across multiple industries.”

Twitter reports at least 250,000 accounts affected.  The attack reportedly originated in Eastern Europe:

http://www.theverge.com/web/2013/2/19/4006868/hackers-exploit-java-vulnerability-apple-facebook-twitter#apple-facebook-and-twitter-hacks-reportedly-originated-in-eastern

California Supreme Court Finds That Apple Is Not Prohibited From Obtaining Personal Identification Information for Online Purchases

Court Makes a Distinction between Brick-and-Mortar Transactions

by Peggy Reetz

On February 4, 2013, the Supreme Court of California issued its decision in the Apple v. Krescent case.  In June 2011, David Krescent (the original plaintiff) sued Apple on behalf of himself and a putative class, alleging violations of California’s credit card act (the Song-Beverly Credit Card Act).  The Act prohibits retailers from requesting or requiring, as a condition of accepting a credit card as payment, that the cardholder write any personal identification information upon the credit card transaction form; and the Act prohibits retailers from writing the personal information on the transaction form themselves.

Krescent alleged that he purchased media downloads from Apple on various occasions and that, as a condition of receiving these downloads, he was required to provide his telephone number and address.  Krescent also alleged that Apple records each customer’s personal information even though Apple is not required to collect a customer’s telephone number or address in order to complete the credit card transaction.  Even if a credit card processing company requires a valid billing address, under no circumstances would a customer’s telephone number be required to complete the transaction, Mr. Krescent argued.

Apple filed a demurrer arguing that the Credit Card Act does not apply to online transactions and also argued that a decision otherwise would undermine identity theft and fraud prevention measures.  The trial court overruled the demurrer – “the Act itself is silent on exempting online credit card transactions… [the Court is] not prepared, at the pleading stage, to read the [Credit Card] Act as completely exempting online credit transactions…”

The Supreme Court reviewed various exceptions to the prohibition on collecting personal data: cash advances, contractual obligations, fraud/theft prevention (such as collecting ZIP codes at a self-serve gas station), and special purposes like shipping or installation.  The Court noted that the Act does not prohibit requiring a cardholder to show a reasonable form of ID as a condition of accepting credit card payments.

The Court noted that the Act makes no reference to online transactions, or even to the Internet (having been enacted in 1990).  The Court stated that the text of the Act alone is not decisive: at the time the language was enacted, the Legislature did not contemplate commercial transactions over the Internet.  The Court reviewed California appellate cases that dealt with whether shield laws apply to digital media, or whether an electronic signature was appropriate for an initiative petition.  But rather than analogizing too closely to the “new media” versus “old media” cases, the Court returned to the history and purpose of the Credit Card Act.

While the Act is intended to protect consumer privacy, the Legislature did not intend to achieve privacy goals without regard to the risk of fraud.  The Court reasoned that the fraud safeguards available to a brick-and-mortar retailer (the shopkeeper can inspect the signature, photo ID, etc.) are not available to an online retailer.  The Court ruled that the key antifraud provision in the Act has no practical application to online transactions involving electronically downloadable products.  Krescent conceded that Apple may need a valid billing address, if not a telephone number, to verify the credit card.  The Court believed the Legislature expressly authorized retailers to request additional information (a driver’s license, state ID card, or other form of photo ID) in order to combat fraud.

In that regard, the Court found it appropriate for Apple to collect such information to combat fraud (disagreeing with one of the dissenting justices, the majority found that the legislative history addresses the concern that there be some mechanism for verifying a cardholder’s identity).  Ultimately, the majority found that the Act does not apply to online transactions.  The Court had to reconcile these findings with its earlier decision in Pineda v. Williams-Sonoma, which found that ZIP codes constitute personal identification information.  The Court noted that the Legislature subsequently carved out exceptions to the prohibition on collecting ZIP codes when used for fraud prevention purposes (pay-at-the-pump transactions, for instance).

Finally, the Court noted that the California Legislature has weighed the goals of regulating online privacy against concerns unique to online commerce.  COPPA, the California Online Privacy Protection Act of 2003, requires online services or Web site operators to post privacy policies and requires those policies to address which categories of information the operator may collect.  The Court also cited the TCPA, stating that federal law likewise is meant to protect the privacy interests of consumers (the do-not-call registry and the like).  The Court closed the decision with a recitation of how significant e-commerce has become since the enactment of these statutes and invited the Legislature to revisit the issue of consumer privacy and fraud prevention in online transactions (just as the Legislature did in response to the Pineda decision).

The decision is at:

http://appellatecases.courtinfo.ca.gov/search/case/mainCaseScreen.cfm?dist=0&doc_id=2002562&doc_no=S199384


HHS Issues Final Omnibus Rule under HIPAA

HHS Issues Final Rule
Final Rule Keeps Tiered Penalties, Now Addresses “Subcontractors”

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release announcing the modifications to the HIPAA Privacy and Security Rules. HHS issued the final rule to:
- modify the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under HITECH to strengthen privacy and security protection for individuals’ health information (applying Security Rule standards and certain Privacy Rule provisions directly to business associates);
- modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act (an impermissible access to or disclosure of PHI is presumed to be a breach);
- modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing the GINA provision (Genetic Information Nondiscrimination Act of 2008);
- make certain other modifications to the HIPAA Rules in order to improve effectiveness and flexibility.

The final rule is effective March 26, 2013 and covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.

The regulations transform the relationship between covered entities and business associates and, for the first time, regulate a new type of HIPAA entity: “subcontractors.” The rule replaces the “harm” standard in the breach notification rules with a four-factor determination as to whether notification is required.

The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.

Final modifications to the Privacy, Security and Enforcement Rules (per HITECH) include:
• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
• Strengthen the limitations on the use and disclosure of protected health information without individual authorization.
• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009 interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

The final rule adopts the tiered civil money penalty structure. This includes the modified “reasonable cause” definition, i.e., the second tier of the penalties (the entity knew, or with reasonable diligence should have known, of the violation, but the violation was not due to willful neglect). The HITECH tiered penalty scheme is as follows:

(1) for violations in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation;
(2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1,000 or more than $50,000 for each violation;
(3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation; and
(4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.

(Emphasis added).

In applying these amounts, HHS says it will not impose the maximum penalty amount in all cases but rather will determine the penalty amounts as required by the statute (i.e., based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other statutory factors).

The final rule adopts the language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

HHS declined to provide a definition for Health Information Organization.

Data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.

The official publication for the new rule is scheduled for January 25, 2013.