The “Reasonable” Perils of Data Security Law
The following is drawn from the materials to be presented at the 17th Annual America’s Claims Event 2013 conference in the “Cyber-Liability and Data Loss Claims: A Case Study from Notice of Occurrence Through Conclusion” session on June 20, 2013 in Austin, Texas.
NEGLIGENCE. “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.”1
“When we think about data breaches, we often worry about malicious minded computer hackers exploiting software flaws, or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is that errors and negligence within the workplace are a significant cause of data breaches that compromise sensitive personal information.”2
According to a recent privacy institute study by the Ponemon Institute, only 8% of the surveyed data breach incidents were due to external cyber attack, while 22% could be attributed in part to malicious employees or other insiders. Loss of laptops or other mobile devices containing sensitive data topped the survey, while mishandling of data “at rest” or “in motion” were also major contributors.3 A later study showed that 39% of surveyed organizations identified negligence as the root cause of their data breaches, while 37% were attributed to malicious or criminal attack.4
Negligent document disposal is a clear source of preventable negligence. On December 7, 2012, at least eight garbage bags were left unattended on a dirt road in Hudson, Florida, containing credit applications to Rock Bottom Auto Sales with names, driver’s license information, and Social Security numbers. Three days later, in Pittsburgh, Pennsylvania, job placement documents were found in a dumpster from the West Pittsburgh Partnership, all containing names and SSN’s.5 For that matter, the Internal Revenue Service in 2008 was found to have disposed of taxpayer documents in regular waste containers and dumpsters, and that a follow-up investigation revealed that IRS officials failed to consistently verify whether contract employees who have access to taxpayer documents had passed background checks.6
Convincing users to back up their laptops has been difficult enough in practice; getting them to encrypt them voluntarily is much more daunting a task. A 2010 Ponemon Institute study, admittedly biased towards large corporations, concluded that of those surveyed typically 46% of the laptops held confidential data, while only 30% had their contents encrypted. A startlingly low 29% of the laptops had backup/imaging software installed, which implies that more than two thirds of all laptops if lost or stolen would leave no backup of work in progress.7
Even though more devices are coming to market with built-in encryption capabilities, these features may simply be left switched off by their users despite the fact that lost laptops, tablets, smartphones, USB “thumb” drives and other portable devices with unencrypted contents continue to provide a wealth of information to identity thieves.
On March 22, 2013, a laptop used by clinicians at the University of Mississippi Medical Center was discovered to be missing. It contained patient names, social security numbers, addresses, diagnoses, birthdates and other personal information, protected only by a password.8
On January 8, 2013, an unencrypted flash drive was stolen from a Hephzibah Georgia middle school teacher’s car, containing student SSN’s and other information.9 TD Bank had two unencrypted backup tapes with customer and their dependent names, SSN’s, addresses, account, credit and debit card numbers go missing while being transported between two TD Bank offices in March 2012, but public notice was not made until March 4, 2013.10
An examination of reported data security incidents with potential or actual data privacy breaches reveals that the scope of what is deemed “reasonable” ranges from ordinary care in the disposal of documents containing personally identifiable information (“PII”) and personal health information (“PHI”), to sophisticated data encryption, access authentication and other highly technical data security practices that the “reasonably prudent” persons, companies and governmental agencies are now expected to employ to protect the personal data that they have collected.
On October 10, 2012, the South Carolina Department of Revenue was informed of a potential cyber attack involving the personal information of taxpayers.11 The origin of the attack was traced to a state Department of Revenue employee who clicked on an embedded link in a “salacious” email and compromised his computer.12 The subsequent investigation revealed that “outdated computers and security flaws at the state’s Department of Revenue allowed international hackers to steal 3.8 million tax records”, according to Governor Nikki R. Haley. Apparently South Carolina did not encrypt Social Security Numbers, and once the outer perimeter security was compromised the hackers were able to log in as tax officials and read the data.13
Users of online services will routinely provide personal information as a matter of course to shop or obtain other services, all of which gets recorded and tracked. Data privacy laws are intended to promote and enforce a number of fair information practices to give individuals the ability to find out what personal information is being kept and by whom, opportunities to correct or remove such information, assurances that reasonable measures will be undertaken to protect such information from disclosure and to properly dispose of such information when appropriate, and may include remedial measures to be undertaken in the event of a data breach.
In the United States, there is no single comprehensive statute for data privacy laws.14 Instead, a number of sector-specific federal laws have been enacted to address the particular sensitivity of information generally recorded by companies in that market sector, and forty six states have enacted data breach notification statutes. If there is a data breach, you may be liable under state law to provide notice to those affected.15 In some jurisdictions, you may be required to provide notice to all consumer credit reporting agencies as well.16
The financial exposure to a data breach by a company may be insurable to some degree using various forms of “cyber liability” insurance, which expand and supplement many forms of more standard insurance coverages underwritten today. Policy premiums for such policies, however, are dependent upon the extent of data security practices implemented.
Conducting a data security risk assessment before encountering a data breach should identify measures that can be taken at the corporate level to provide additional protection not only to sensitive data, but also mitigate the consequences of a security incident where company data is disclosed, lost or stolen. Encrypted data in many cases may not be considered “exposed” for purposes of mandated notice to affected individuals.
In the event of a data security incident, please consider obtaining a data forensic team to not only identify the source and extent of the breach, but to preserve evidence in the event that a potential prosecution may be possible.
We will discuss a data breach case study from inception through enforcement, resolution and potential mitigation through cyber liability insurance at our presentation at ACE 2013. We hope to see you then.
1 BLACK’S LAW DICTIONARY 1184 (4th ed. 1968).
2 Privacy Rights Clearinghouse, Are the Businesses You Frequent or Work For Exposing You to an Identity Thief?, (Mar. 6, 2012), https://www.privacyrights.org/workplace-identity-theft-quiz-alert-2012
3 The Human Factor in Data Protection, 3 PONEMON INSTITUTE LLC (January 2012), available athttp://www.ponemon.org/local/upload/file/The_Human_Factor_in_data_Protection_WP....
4 2011 Cost of Data Breach Study: United States, 7 PONEMON INSTITUTE LLC (March 2012),available at http:// www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf.
5 http://www.privacyrights.org/data-breach/new (check Breach Type “PHYS”, Organization Type “BSR” and Year “2012”).
6 Increased Management Oversight of the Sensitive but Unclassified Waste Disposal Process Is Needed to Prevent Inadvertent Disclosure of Personally Identifiable Information, TREASUR INSPECTOR GENERAL FOR TAX ADMINISTRATION (May 8, 2009), http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.pdf.
7 The Billion Dollar Lost Laptop Problem 6 PONEMON INSTITUTE LLC (Sept. 30, 2010), availableat http://newsroom.intel.com/servlet/JiveServlet/download/1544-8-3132/The_B....
8 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “EDU” and Year “2013”).
9 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “EDU” and Year “2013”).
10 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “BSF” and Year “2013”).
11 Kara Durrette, SC Department of Revenue hacked; millions of SC residents affected, http://www.midlandsconnect.com/sports/story.aspx?id=817902#.UVyOdheYu7w (posted Oct. 26, 2012, updated Oct. 27, 2012).
12 Matthew J. Schwartz, How South Carolina Failed To Spot Hack Attack, INFORMATION WEEK, Nov. 26, 2012, http://www.informationweek.com/security/attacks/how-south-carolina-faile....
13 Robbie Brown, South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere, N.Y. TIMES, Nov. 20, 2012, available at http://www.nytimes.com/2012/11/21/us/more-details-of-southcarolina-hacki....
14 PETER P. SWIRE & KENESA AHMAD, FOUNDATIONS OF INFORMATION PRIVACY AND DATA PROTECTION 41 (International Association of Privacy Professionals) (2012).
15 NYC Administrative Code § 20-117(c) (2013); NY CLS State Technology Law § 208(2) (NY state residents only); 73 Pa. Stat. § 2303 (PA residents).
16 73 Pa. Stat. § 2305; NY CLS State Technology Law §208(7)(b).