The recent Target (and now Neiman-Marcus) data security breach provides a clear illustration of the challenges faced by businesses that must comply with the various data breach notification laws. As of the writing of this article, what is known is that for 19 days (between November 27 and December 15) computer hackers gained “unauthorized access” to Target’s customers’ names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. Target initially revealed on December 19 (four days after the end of the attack) that 40 million payment cards had been affected. Following the initial disclosure, it was further revealed that the “personal information” of some 70 million of Target’s customers had been compromised in the attack. The company has been cooperating with law enforcement officials, including the Department of Justice and the Secret Service.
An effective response to a business data security breach requires a multidisciplinary approach. This includes expertise in information technology (IT), forensics, law, and public relations, among others, and all of it most often takes place in a highly fluid environment. For any company doing business in more than one state, the multiple and often contradictory requirements of data breach notification laws create an additional layer of complexity that must be addressed when a data security breach occurs, particularly when the breach involves “personal information.”
Current Law of Data Security Breach Notification
At this time, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data breach notification requirements for breaches of “personal information.” Only four states (Alabama, Kentucky, New Mexico, and South Dakota) do not have data breach notification laws. Currently there is no federal law covering data breach notifications, and as such there is no national standard. Federal bills creating a national standard for data security breaches of personal information have been introduced in Congress since 2005, but to date no national standard has been enacted. [See Note 1] In the meantime, businesses are left to navigate the 50 separate legal regimes of the various states and U.S. territories. Although there are similarities between these laws, there are also significant differences.
Personal Information and Notification Triggering Events
When faced with a data security breach, one of the first questions a company must answer is whether “personal information” has been accessed; this is the typical trigger for state breach notification laws. Although most states share a common core definition of what constitutes “personal information,” the specific elements differ from state to state. The typical definition includes the customer’s name (usually first name, or first initial, and last name) combined with at least one of the following pieces of information: Social Security Number; driver’s license number or state identification card number; or financial information (typically a credit card or debit card number or account number, together with any codes or passwords needed to access the account). In Target’s case, the compromised customer data likely included this combination of elements and therefore triggered the notification requirement. It is once this initial threshold has been crossed that the complexities begin.
Each of the current data breach notification statutes sets out different circumstances under which a breach of personal information must be disclosed. Some states impose the requirement if personal information “was or is reasonably believed to have been” obtained by an unauthorized person (regardless of whether it is likely that the customer will become a victim of fraud, identity theft, or other harm). Other states take the approach that notification is required only if there is a reasonable likelihood that some kind of harm will result from the unauthorized access to personal information. In addition, some states impose a duty to conduct a prompt investigation in order to determine whether personal information has been or will be misused, while other states impose no specific requirements for how this determination is to be made.
Method, Content, Timing (and Delay) of Notifications
The method and content of notifications to customers also vary from state to state, as does the issue of timing. For most companies, including Target, the timing of notifications can create particular challenges. Most state statutes set out time limits for notifications as well as acceptable grounds for delay. Most states with data breach notification laws allow companies to delay notification if it is deemed necessary to accommodate a law enforcement investigation. Some states also allow companies to delay notification if it is deemed necessary to investigate the incident and/or restore system security. In the case of Target, notification appears to have occurred at least four days after the last day of the attack [See Note 2]. In the case of Neiman Marcus, the delay in notification appears to have been over a month following the attack. These requirements can create particularly difficult situations for businesses, which may still be investigating and dealing with the technological aspects of a data breach while still needing to operate a business. In the case of both Target and Neiman-Marcus [See Note 3], the timing of the breach itself was a significant issue; it does not take much to realize that announcing a breach of customers’ personal information in the middle of the holiday shopping season poses a significant business threat in light of the potential impact of lost sales. Yet, as is the case for every business facing this kind of situation, the potential cost of non-compliance with the notification requirements can be significant.
Damages and Penalties
Not all states have specific provisions for penalties for failure to comply with notification requirements. However, those that do have such provisions vary considerably. Some states provide for “maximum civil penalties per breach,” while other states calculate the penalty to be assessed by the number of customers affected by the breach. In other states, the damages are assessed on the basis of how long the delay in notification continued beyond the required time frame. Still other states take a hybrid approach. Depending on the state, fines can reach up to $500,000 and even $750,000 per security breach. Although most states’ regulatory schemes empower the state’s attorney general to prosecute violations on behalf of a company’s customers in that state, there are 10 states that authorize private rights of action against a company for non-compliance with the notification laws. This can create additional legal and investigatory challenges for a company, such as Target, in the event of a data security breach.
The Target and Neiman-Marcus data security breach incidents are far from over. The investigation and hardening of security will continue, even as the companies respond to the business, regulatory, and legal consequences of the data breach. Some of the important takeaways from the incident, however, are that a response must be multidisciplinary (Target has engaged forensic, legal, and public relations experts in navigating the fallout of the breach), and that a response must be prompt. In the case of Neiman-Marcus, it remains to be seen what effect the delayed notification will have on the company’s reputation as well as its legal liability. The most important takeaway here should be that this kind of incident could happen to any business that operates in multiple states and maintains any kind of personal information on its customers.
In light of the fact that there is no national standard to follow in the event of a data security breach, companies are required to comply with a complicated set of requirements that vary state by state. The risks are significant. In order to minimize exposure and mitigate those risks, companies should maintain and regularly update a data breach response plan. In addition, companies, both large and small, need to have access to experienced legal counsel who can assist them in navigating and properly responding to a data security breach. No company wants to be the next Target.
= = = = =
[Note 1] On January 8, 2014, Senator Patrick Leahy (D-VT) reintroduced the Personal Data Privacy and Security Act of 2014, comprehensive information security legislation that would establish a national standard for data breach notification and require businesses to safeguard customers’ sensitive personal information from cyber threats. This kind of legislation has been proposed for some time.
[Note 2] Although it has yet to be confirmed when Target first learned of the breach, it appears that security blogger Brian Krebs (www.krebsonsecurity.com) first broke the story.
[Note 3] Target and Neiman-Marcus have announced their data security breaches, but there are apparently 3 additional retailers that were victims of this attack whose identities have not yet been disclosed. All five (and potentially more) retailers may have been the victims of a coordinated attack. This was reported in the Huffington Post.