New Update to Connecticut Data Breach Law

 Connecticut Updates Its Data Breach Statute by Attorney David Benoit.

A month after Vermont made substantive amendments to its Security Breach Notice Act to address a number of consumer protections, Connecticut followed suit on June 12th with a similar amendment to Connecticut General Statutes Sec 36a-701b to include a notice to the State’s Attorney General.

 

Going into effect on October 1, 2012, Connecticut’s amended breach notification requirements will now include an obligation to notify the Connecticut Attorney General’s office pursuant to a new subsection (b)(2):

“If notice of a breach of security is required by subdivision (1) of this subsection, the person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information, shall not later than the time when notice is provided to the resident also provide notice of the breach of security to the Attorney General.”

Regarding when notice is to be made (both to the Connecticut resident and the Attorney General), the statute allows the notifying party a reasonable amount of time to accommodate delays resulting from law enforcement and company-led investigations meant to: (i) determine the nature and scope of the data breach, (ii) identify the individuals affected by the breach, and (iii) restore the reasonable integrity of the data system.

Additionally, subsection (c) was amended to clarify that the state’s notification requirements are applicable only to personal information of “a resident of this state.” 

Furthermore, pursuant to Section (g), failure to comply with the statute will continue to be deemed an unfair trade practice under Connecticut’s Unfair Trade Practices Act (“CUTPA”); however, enforcement is still limited to the Attorney General with no private right of action.

Will A Crack In Data Breach Litigation Open Floodgates

Data loss and security breach incidents have become common. However, lawsuits related to these incidents are not so common or successful. The problems plaintiffs have encountered include not only figuring out the proper cause of action to seek recovery (many states lack laws permitting private lawsuits for damages related to data loss) but also how to establish provable damages. For example, if a large retail store suffers a security breach of 2 hours leaving your personal identifying information exposed to thieves or hackers, have you really suffered any damages if the information is never used or compromised? What about so-called "mitigation" damages or out-of-pocket expenses for future protection such as credit card insurance, fraud protection, or getting a new credit card and incurring an annual fee?

The First Circuit Court of Appeals in Anderson v. Hannaford Bros. Co recently shed some light on the potential for recovery of mitigation damages in data breach litigation. In the Hannaford case, hackers stole up to 4.2 million credit and debit numbers, expiration dates, and security codes, but they did not steal customer names. Hannaford also had received notice that there were 1,800 cases of alleged misuse or fraud from the theft. In response, many financial institutions cancelled consumers’ cards and fees were incurred to reinstate new cards.  Additionally, several consumers purchased identity theft protection for fear of future misuse. 26 separate lawsuits followed that were consolidated into one action in Maine.
 

At the trial court level, nearly all of the plaintiffs’ claims (20 out of 21) were dismissed based on problems with the alleged theories of recovery or the damages claims. The court found that the damages were not recognized under Maine law for claims for lost time and effort or too speculative to prove for claims involving lost points on cards, fees for replacement cards, and insurance.

On appeal, the First Circuit upheld implied contract and negligence as proper theories of recovery. With regard to damages, the First Circuit reversed the trial court and found that "a plaintiff may recover for costs and harms incurred during a reasonable effort to mitigate." To recover, however, the plaintiffs needed to establish an actual injury such as money lost as opposed to only time and effort.
 

In finding that the plaintiffs stated a proper claim for damages in a data breach case, the First Circuit noted that the Hannaford breach was not an inadvertent loss or a simple breach with no misuse. Rather, the court emphasized that there was actual misuse of the information that may have been global in reach, running up thousands of charges. This type of breach presented a "real risk of misuse." Thus, it was foreseeable that a customer might replace a card or purchase insurance to avoid or mitigate future misuse. The court specifically noted the many other cases finding no action for damages, but distinguished those cases based on the real threat and misuse that occurred with the Hannaford breach.

Although the Hannaford case appears to show a possible breach in the dam regarding damage claims in data breach cases, a closer look reveals that it may be more limited in scope. The Hannaford case involved actual misuse of the information with sophisticated thieves intent on doing harm for financial gain. It is unlikely that Hannaford will provide support for other mitigation cases unless those claims involve actual or legitimate threats of misuse.
 

Small Business Insurance For Data Loss and Security Breach

The Hartford has recently announced a new insurance product specially tailored to fit small businesses for data loss and security breach. It has been touted as more affordable for the smaller business owner. More and more small businesses are experiencing the devastating effects of a security breach incident or data loss. The statistics and stories are well reported from various sources. Experts agree that costs can exceed $200 per lost page of data. This can cripple a small business and leave it exposed to lawsuits and litigation.

The front-line defense to data loss and security breach risks should always be a good security and privacy plan. A technology attorney working in conjunction with your IT support can develop and help implement an effective security and privacy plan. The process of developing and implementing such plans often reveals the problem areas for any business. Nevertheless, at the end of the day, there is no 100% fail-safe plan to secure data, whether the data is on the cloud or in a server in the office. There are also unavoidable risks associated with paper documents. Likewise, there is no plan to provide 100% protection to paper documents. That is why insurance is a good choice to cover the unavoidable risks.

In addition to providing valuable financial protection in the event of a covered incident, the underwriting and application process for data loss insurance will often require best practices. This process alone will substantially reduce the likelihood of a significant data loss incident. Accordingly, small businesses should consider a three-step process for data loss and security breach:

1. Develop and implement a security and privacy plan

2. Implement best practices as part of insurance application process

3.  Purchase and maintain data loss insurance

Carders, Full Wallets and Identity Theft In Connecticut

I recently attended the Connecticut Privacy Forum. One of the presentations was by Kim Peretti, who is Director of Forensic Services at Pricewaterhouse and a former federal prosecutor who chased down identity thieves globally (read an interview with Kim here about the infamous TJX case). I learned quite a bit of information about trafficking in personal identifying information, also known as PII. You can read my live tweets from her presentation here.

In the data theft industry, the thieves are called "carders." They are out there looking for victims in person and online. The primary goal is not only credit card information, but "full wallets." A full wallet is when the carder gets all the information you might have in your wallet: credit cards, license, bank cards, etc. The thieves might get this information from you personally, but more likely through a company that keeps this type of information. Once they get a full wallet, they typically sell it overseas where the information is stored on computer servers and offered for sale on websites. Scary stuff.

As a coincidence, I have had a recent uptick of inquiries from victims of identity theft.  There are many laws that are implicated in cases of identity theft such as wire fraud, computer fraud, and theft statutes. The theft may also involve a data breach such as in the case of TJX.   

Here is a quick summary of Connecticut’s statutory law for identity theft.

In Connecticut, an attorney can file a civil lawsuit on behalf of a victim of identity theft and obtain an award of one thousand dollars or treble damages, whichever is greater pursuant to statutory law. In addition, a victim can obtain an award of costs and reasonable attorney’s fees.  Damages may include documented lost wages, or any financial loss that can be tied to the identity theft. Courts have the ability to award other types of relief also, including but not limited to, not less than two years of commercially available identity theft monitoring.  

In Connecticut, attorneys may prove identity theft for civil damages by showing a violation of the criminal identity theft statutes.  This is similar to the civil theft statute and computer crime statute.  In general, the criminal identity theft statutes may be broken down under the following categories:

  • Class B felony identity theft.  This violation concerns cases where the victim is under the age of 60 and the value of money or theft exceeds ten thousand dollars or the victim is over the age of 60 and the value is greater than five thousand dollars.
  • Class C felony identity theft.  This violation occurs where the victim is under 60 and the value is greater than five thousand dollars, or if the victim is over 60.
  • Class D felony identity theft.  This occurs for any violation regardless of age or value.

To prove the underlying violation or actual identity theft, an attorney must prove the following:

A person commits identity theft when such person knowingly uses personal identifying information of another person to obtain or attempt to obtain, in the name of such other person, money, credit, goods, services, property or medical information without the consent of such other person.

 

Personal identifying information is defined by the statute as:

any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual including, but not limited to, such individual’s name, date of birth, mother’s maiden name, motor vehicle operator’s license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.

 

If you are a victim of identity theft, you should take fast action.    Some of the actions you might consider: 

  • Identify potential defendants for a lawsuit, such as the actual perpetrator or the source where the perpetrator obtained the information
  • Assess provable damages
  • Seek police involvement and file a private complaint
  • Take immediate action to help restore credit ratings
  • File for an injunction, damages or other lawsuit against perpetrators

Consulting an identity theft attorney is also a good idea.  An identity theft attorney can help a victim sort through the various options, take direct action on behalf of the victim, and determine if there are grounds for a lawsuit to seek an injunction, restraining order, or damages. 

 

Will Your Data Loss Be Covered By Insurance?

I always recommend that businesses implement a plan for data loss, security breach, and privacy related to electronically stored information.   As additional protection, I also typically recommend that businesses investigate additional insurance coverage.  In particular, business owners with risk should investigate insurance coverage for first and third party claims arising out of a loss of data, security breach, or technology errors.  These insurance plans are sometimes referred to as cyber liability or technology errors insurance.  I have posted about these insurance plans in the past.

By obtaining the proper data loss insurance coverage, a business should be able to make an insurance claim for its own losses and, at the same time, have protection from lawsuits following a data loss incident.  However, after reading a recent article by  Jaikumar Vijayan from Computerworld.com,  I suppose the critical words here are "should" and "proper" as it relates to insurance coverage for a data loss incident.    

Jaikumar wrote an article about a Colorado insurance company that filed a lawsuit to deny responsibility for the University of Utah’s 2008 security breach and data loss totaling $3.3 million in costs.  Colorado Casualty Insurance filed a declaratory judgment lawsuit in the United States District Court of Utah  (Download complaint here). 

The University of Utah utilized a third party vendor, Perpetual Storage, Inc., for data storage concerning data on 1.7 million patients over 16 years at university hospitals and clinics. According to the lawsuit, the University of Utah incurred $3.3 million in costs to remedy the security breach and made a claim for reimbursement to Perpetual Storage. In turn, Perpetual Storage referred the matter to Colorado Casualty, its liability insurer.

In response to Perpetual Storage’s claim, Colorado Casualty filed the lawsuit seeking a ruling that it did not have to provide Perpetual Storage with a defense to any claims brought by the University or reimburse the University for its damages. Perpetual Storage filed a motion to dismiss the complaint claiming that Colorado Casualty did not plead specific facts or mention particular insurance policy provisions.  At this point, the outcome of the lawsuit is not clear.

The takeaway here for Connecticut business owners is that not every insurance plan will provide the proper coverage for a data loss, security breach, or technology errors.  Whether Perpetual Storage had the "proper" coverage in place is not clear as the specific policies were not referenced in the lawsuit or the motion to dismiss.  Nevertheless, the lawsuit serves as a reminder that business owners need to make sure the proper insurance coverages are in place.  Do not assume that a general commercial liability policy will cover the specific risks of data loss, security breach, or technology errors.  In fact, in most instances, a general commercial liability policy will not cover such risks. 

Don’t Get Rocked like RockYou – Protect Your Customers’ Personal Information

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses related to hackers stealing customer data, also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace.  RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords.  The suit alleges violations of California Civil Code, breach of contract, and negligence.

Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit, noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)…" As such, RockYou may face liability for data exposures across other platforms.

Mr. Remillard notes that he has been warning site owners about the risks of holding consumers' PII. I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach. If a business must store PII in its systems, then a data loss and security plan must be in place to protect the data. In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of their customers.

Dave Kravets of Wired.com offers some more details about RockYou’s alleged security failures that apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment System. The vulnerability results from RockYou’s SQL database, which relates to the actual storage method and management of millions of email accounts and passwords. The complaint against RockYou alleges that the prior well-publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCworld wrote about the security breach and compared RockYou’s security system to storing passwords and emails on sticky notes.  He noted that RockYou stored the information in plain text words.  In other words, once the hacker got inside RockYou’s system, the passwords and email accounts were easy to read like sticky notes because there was no encryption of the text. 

RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches including implementation of encryption for all passwords.  Encryption is the method used to make the passwords unreadable once the hacker gains access to the system. 

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan. 

 

Health Net’s Data Loss In Connecticut Was Theft

Attorney General Richard Blumenthal issued a scathing press release related to Health Net’s recent data loss and security breach.  Blumenthal called Health Net’s story on it "sanitized" and its six month delay in reporting "unconscionable."  Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk for exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast, serving approximately 580,000 members. A report by Lucas Mearian of Computerworld stated that the stolen information was on a portable hard drive that had not been encrypted. Proper encryption could have prevented access to the information.

Connecticut consumers have been affected by the data loss and more than a million people had social security numbers and financial and medical information exposed. Consumers in Arizona, New Jersey, and New York also had sensitive information exposed.  Thus far, there has been no report of identity theft or misuse of the information.

 

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems.
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts. If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce. The Chamber offers a great resource entitled “Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12-step plan to increase cyber security. Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow a security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. 

 

The Connecticut Privacy Forum Highlights Very Real Risks For Businesses

On Monday,  I attended the Connecticut Privacy Forum hosted by Travelers.  This Forum was a well attended inaugural meeting of privacy and data security professionals.  I came away from the meeting very impressed with the panel of speakers and topics on the agenda.  I also came away from the meeting as convinced as ever that data loss and security breaches pose a significant risk for nearly all businesses that use computers. 

In one of my earlier posts,  I touched on some of the risks involved for businesses related to data loss and security breaches.  I also offered some potential solutions.  At the Privacy Forum, data loss statistics were presented by the speakers and confirmed that these risks are very real for businesses.  Here is a sample of some of the statistics from 2008 alone:

  • 80 million records were compromised
  • 580 data loss or breach incidents were reported
  • $202 per record was the average cost to business for loss or breach 
  • 47% of the incidents involved corporations or businesses
  • 33% involved compromised social security numbers 

The speakers also offered some of the solutions for businesses in terms of risk management and planning.  The seminar further included a detailed overview of federal and state laws covering privacy rights and data security.   You can access the presentation materials at ctprivacy.com 

Overall, this was a great event concerning a topic that will continue to be relevant to business litigation in the coming years.  Congratulations to the organizers, David Baker and Peter Bernstein, from Travelers on a well run event!

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common. Obtaining insurance to cover losses from data loss can potentially save your business. Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases. Take, for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania. The lead theory of recovery in the complaint against Aetna is negligence.

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company’s insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

Technology 404 by Darwin.

CyberChoice by The Hartford

 CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage