February 20, 2007
Data Security Breaches – Beware
Grant S. Cowan
Since 2005, a number of relatively high-profile data security breaches have been the subject of ever-increasing media and legal attention. The breaches generally involved one of the following: (i) the creation of fraudulent accounts; (ii) stolen laptops or other computer equipment; (iii) computer hacking; (iv) stolen or compromised passwords; (v) insider or employee theft of personal data; and (vi) lost or misplaced discs or back-up tapes. Most recently, on January 17, 2007, The TJX Companies, Inc. (“TJX”) announced that it had suffered an unauthorized intrusion into the computer systems that handle credit card, debit card, check, and merchandise return transaction processing for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores. Although TJX discovered the data security breach in mid-December, 2006, it waited until January 17, 2007, to publicly announce the problem and issue a press release. The next day, The Wall Street Journal reported that people familiar with the matter said the number of exposed cards could exceed 40 million. On January 25, 2007, The Boston Globe reported that community banks in New England had identified at least 200,000 credit and debit cards compromised by the security breach, and several Massachusetts banks had reported cases of fraud connected with card numbers stolen from the TJX computer system. On January 29, 2007, noted plaintiffs’ class action firm Berger & Montague filed a class action suit against TJX in federal court in Boston, Massachusetts, asserting that TJX was negligent in failing to use reasonable care to implement and maintain appropriate security procedures to protect the credit and debit card information of TJX customers. (Please click here to view a copy of the TJX complaint.)
The TJX data security breach follows on the heels of several other notable breaches, all of which resulted in charges and settlements with various regulatory agencies. On November 16, 2006, the Federal Trade Commission (“FTC”) announced that Guidance Software, Inc. (“Guidance”) had agreed to settle FTC charges that Guidance had failed to take reasonable security measures to protect sensitive customer data, contradicting security promises made by Guidance on its Web site. The FTC charged Guidance with failing to protect consumers’ data by (i) failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language (“SQL”) injection attacks; (ii) failing to implement simple, low-cost, and readily available defenses to such attacks; (iii) storing in clear, readable text, network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network; (iv) failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and (v) failing to employ measures to detect unauthorized access to consumers’ credit card information. The FTC alleged that Guidance’s data security failure allowed hackers to access sensitive credit card information for thousands of Guidance customers. (Please click here to view a copy of the FTC complaint.) The settlement requires Guidance to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.
On December 11, 2006, Ameriprise Financial, Inc. agreed to settle charges brought by the Massachusetts Secretary of State after an Ameriprise laptop containing personal information about some 230,000 customers and financial advisors was stolen the prior year. The laptop was stolen from an Ameriprise employee’s car, and the data on the laptop included customer names and account numbers as well as the names and social security numbers of current and former Ameriprise financial advisors. The sensitive data was not encrypted. The terms of the settlement require Ameriprise to hire a security consultant to review its security policies and offer recommendations within six months, which recommendations Ameriprise must implement by September, 2007. Ameriprise also agreed to pay a fine of $25,000.
There currently is no single, comprehensive federal law governing data protection. There are several federal laws that address data protection concerns within specific business environments, such as (i) the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires health-care entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic-protected health information and to protect against any unauthorized uses or disclosures of such information; (ii) the Children’s Online Privacy Protection Act of 1998 (COPPA), which requires an owner or operator of a website or online service directed to children, or any operator that collects or maintains personal information from a child, to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children; (iii) the Gramm-Leach-Bliley Act of 1999 (GLBA) and the FTC’s Safeguards rule issued to implement provisions of the GLBA, which require financial institutions to have an information security plan that contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personal consumer information; and (iv) the Federal Information Security Management Act of 2002, which requires federal government agencies to provide information security protections for agency information and information systems to provide integrity, confidentiality, and availability.
Complicating matters further is the fact that over 30 states have their own state data protection statutes or regulations. The first state to enact such a law was California, and many of the other state laws follow the basic framework of California’s breach notification law. Under California’s law, state government agencies as well as companies and nonprofit organizations (wherever located) must notify California customers if personal information maintained in computerized data files has been compromised by unauthorized access. Personal information is defined as the first name or initial and last name of an individual, combined with one or more of the following: Social Security Number, driver’s license number, credit card or debit card number, or a financial account number together with information such as a PIN, password, or authorization code that could be used to gain access to the account. Importantly, personal information that is maintained in encrypted form is excluded from the notification requirement. Most current state statutes cover companies and governmental agencies, and impose breach notification obligations on service providers to notify the owner or licensor of the data when a breach occurs.
As a result of the increased awareness of data security issues, and the potentially enormous costs associated with breaches of sensitive personal data, a number of recommended “best practices” for data security are emerging, including:
- Collect the minimum amount of personal information necessary to accomplish your business purposes, and retain it for the minimum time necessary;
- Inventory records systems, critical computing systems, and storage media to identify those containing personal information;
- Classify personal information in records systems according to sensitivity;
- Adopt written procedures for internal notification of security incidents that may involve unauthorized access to higher-risk personal information;
- Plan for and use measures to contain, control and correct any security incident that may involve higher-risk personal information;
- Promote awareness of security and privacy policies and procedures through ongoing employee training and communications.
Questions or concerns regarding data security issues can be directed to Grant S. Cowan, Chair of Frost Brown Todd LLC’s Business and Commercial Litigation Practice Group. Mr. Cowan can be reached at 513-651-6745.