: security breach : Connecticut Business Litigation Blog

Home > security breach >

Don't Get Rocked like RockYou - - Protect Your Customers' Personal Information

Posted on January 5, 2010 by N. Kane Bennett

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses related to hackers stealing customer data also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace. RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords. The suit alleges violations of California Civil Code, breach of contract, and negligence.

Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)..." As such, RockYou may face liability for data exposures across other platforms.

Mr. Remillard notes that he has been warning site owners about the risks of holding PII information of consumers. I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach. If a business must store PII in its systems then a data loss and security plan must be in place to protect the data. In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of its customers.

Dave Kravets of Wired.com offers some more details about RockYou's alleged security failures that apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment System. The vulnerability results from RockYou's SQL database,which relates to the actual storage method and management of millions of email accounts and passwords. The complaint against RockYou alleges that the prior well publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCworld wrote about the security breach and compared RockYou's security system to storing passwords and emails on sticky notes. He noted that RockYou stored the information in plain text words. In other words, once the hacker got inside RockYou's system, the passwords and email accounts were easy to read like sticky notes because there was no encryption of the text.

RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches including implementation of encryption for all passwords. Encryption is the method used to make the passwords unreadable once the hacker gains access to the system.

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan.

Tags: Data Loss & Security Breach, PII, Rock you, RockYou, RockYou security breach, Technology, Unfair Trade Practices, data breach, data loss lawsuits, personally identifiable information, security breach

Health Net's Data Loss In Connecticut Was Theft

Posted on December 9, 2009 by N. Kane Bennett

Attorney General Richard Blumenthal issued a scathing press release related to Health Net's recent data loss and security breach. Blumenthal called Health Net's story on it "sanitized" and its six month delay in reporting "unconscionable." Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk for exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast serving approximately 580,000 members. A report by Lucas Mearian of Computerworld stated that the information stolen was a portable hard drive that had not been encrypted. Proper encryption could have prevented access of the information.

Connecticut consumers have been affected by the data loss and more than a million people had social security numbers and financial and medical information exposed. Consumers in Arizona, New Jersey, and New York also had sensitive information exposed. Thus far, there has been no report of identity theft or misuse of the information.

Tags: Data Loss & Security Breach, attorney general, data breach, data loss, data loss attorneys, data loss lawsuits, net health, security breach

Connecticut Businesses Should Check Massachusetts Privacy Laws

Posted on December 2, 2009 by N. Kane Bennett

I have put together several posts on Connecticut's privacy laws and the potential impacts on small businesses concerning data loss or a security breach. It is important to point out that Connecticut companies doing business in Massachusetts or with Massachusetts residents must also consider Massachusetts privacy laws. Tracy Fox, from ForeSite Technologies, recently commented on the small business study I posted and provided a copy of a checklist for small businesses trying to comply with the relatively new, and complex privacy law framework in Massachusetts. I will write a more detailed post about the Massachusetts privacy law in the near future. The checklist is a good starting point.

Tags: Compliance Issues, Privacy Laws, data loss attorneys, massachusetts privacy laws, privacy, privacy rights, security breach

The Connecticut Privacy Forum Highlights Very Real Risks For Businesses

Posted on September 23, 2009 by N. Kane Bennett

On Monday, I attended the Connecticut Privacy Forum hosted by Travelers. This Forum was a well attended inaugural meeting of privacy and data security professionals. I came away from the meeting very impressed with the panel of speakers and topics on the agenda. I also came away from the meeting as convinced as ever that data loss and security breaches pose a significant risk for nearly all businesses that use computers.

In one of my earlier posts, I touched on some of the risks involved for businesses related to data loss and security breaches. I also offered some potential solutions. At the Privacy Forum, data loss statistics were presented by the speakers and confirmed that these risks are very real for businesses. Here is a sample of some of the statistics from 2008 alone:

80 million records were compromised
580 data loss or breach incidents were reported
$202 per record was the average cost to business for loss or breach
47% of the incidents involved corporations or businesses
33% involved compromised social security numbers

The speakers also offered some of the solutions for businesses in terms of risk management and planning. The seminar further included a detailed overview of federal and state laws covering privacy rights and data security. You can access the presentation materials at ctprivacy.com

Overall, this was a great event concerning a topic that will continue to be relevant to business litigation in the coming years. Congratulations to the organizers, David Baker and Peter Bernstein, from Travelers on a well run event!

Tags: Data Loss & Security Breach, Social Security Numbers, connecticut privacy forum, connecticut privacy laws, cyber liability, data breach, data loss attorneys, data loss lawsuits, privacy rights, security breach

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Posted on July 21, 2009 by N. Kane Bennett

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security. As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages. Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures. To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common. Obtaining insurance to cover losses from data loss can potentially save your business. Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases. Take for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania. The lead theory of recovery in the complaint against Aetna is negligence.

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases. However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy. If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim. Legal costs alone could be enough to sink a business, let alone the damages.

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach. How can you estimate the cost? One way to estimate the cost is to use a data loss calculator. You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising.

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach. In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower. Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today. Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors.

Technology 404 by Darwin.

CyberChoice by The Hartford

CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage

Tags: Business Tech Tips, Class Action, Data Loss & Security Breach, Insurance, Technology, cyber liability, data breach, data loss, data loss attorneys, data loss lawsuits, security breach

Technology Tips For Connecticut Businesses To Avoid Litigation

Posted on July 9, 2009 by N. Kane Bennett

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's todays tip for Connecticut businesses to avoid financial loss as a result of datal loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal indentifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws. For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP. For an example of a new privacy law in Connecticut, consider the"Act Concerning the Confidentiality of Social Security Numbers." Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public realtions, and signficant down time. Consider the recent case of TJX reported on by Sheri Qaulters for the National Law Journal. Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards. TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business. How can a business mimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business. There is no one size fits all policy and solution and every business will have different needs. If you already have a policy, you should have it reviewed regularly for changes in the law. If you do not have a policy in place, you need to start somewhere. For "do it yourselfers" there is the Federal Trade Commision's Guide for Business and Protecting Personal Information. The FTC's guide is a 5 step plan from identifying your risk exposure to implementing procedures.

In addition to implementing policies, any business with a significant risk exposure for data loss (i.e. medical practice, retailers, e commerce) should consider purchasing a cyber liability insurance policy. These policies are now more afforadable and many insurers such as The Hartford are now actively underwriting polices to cover first and third party data loss claims and providing ongoing resources and information.

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure. Do not wait for the first breach or lawsuit.

Tags: Business Tech Tips, Data Loss & Security Breach, Social Security Numbers, TJX, Technology, cyber liability, data breach, data loss, privacy laws, privacy rights, security breach

Connecticut Business Litigation Blog

Raymond & Bennett, LLC

90 national drive

| Glastonbury, CT 06033 |

Phone:

860.633.0415

| Fax:

860.633.0438

Raymond & Bennett - Attorneys at Law

Connecticut business litigation lawyer & attorney Neyah Kane Bennett of Raymond & Bennett Law Firm, offering services for non-compete agreements, breach of contract, interference with contracts, severance packages, home improvement lawsuits, partnership and business disputes, cyber liability, privacy laws, data loss, technology errors, domain name disputes, defamation, slander, trade secrets, non-disclosure agreement, copyright infringement, software licensing, shareholder rights, business fraud, uniform commercial code, serving Hartford, Middletown, Glastonbury, East Hartford, Manchester, Wethersfield, Windsor, South Windsor, New Haven, Waterbury, Meriden, Rocky Hill, Berlin, Enfield, Bloomfield, New Britain, Southington, Bolton, Vernon, Rockville, New London, Milford, Bridgeport, West Hartford and the state of Connecticut.

Connecticut Business Litigation Blog : Connecticut Business Lawyer & Attorney : N. Kane Bennett : Raymond & Bennett Law Firm : Hartford, Middletown, Glastonbury

Published By
N. Kane Bennett of Raymond & Bennett LLC

Commentary on lawsuits and legal issues impacting Connecticut businesses