New Update to Connecticut Data Breach Law

 Connecticut Updates Its Data Breach Statute by Attorney David Benoit.

A month after Vermont made substantive amendments to its Security Breach Notice Act to address a number of consumer protections, Connecticut followed suit on June 12th with a similar amendment to Connecticut General Statutes Sec 36a-701b to include a notice to the State’s Attorney General.

 

Going into effect on October 1, 2012, Connecticut’s amended breach notification requirements will now include an obligation to notify the Connecticut Attorney General’s office pursuant to a new subsection (b)(2):

“If notice of a breach of security is required by subdivision (1) of this subsection, the person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information, shall not later than the time when notice is provided to the resident also provide notice of the breach of security to the Attorney General.”

Regarding when notice is to be made (both to the Connecticut resident and the Attorney General), the statute allows the notifying party a reasonable amount of time to accommodate delays resulting from law enforcement and company-led investigations meant to: (i) determine the nature and scope of the data breach, (ii) identify the individuals affected by the breach, and (iii) restore the reasonable integrity of the data system.

Additionally, subsection (c) was amended to clarify that the state’s notification requirements are applicable only to personal information of “a resident of this state.” 

Furthermore, pursuant to Section (g), failure to comply with the statute will continue to be deemed an unfair trade practice under Connecticut’s Unfair Trade Practices Act (“CUTPA”); however, enforcement is still limited to the Attorney General with no private right of action.

IP Advice for Connecticut Start-Ups: Protecting Your Client’s Personally Identifiable Information

 David Benoit presents his fourth post as a guest blogger on the topic of Intellectual Property for Connecticut Start-Up companies.  In his fourth installment, he focuses on the need for entrepreneurs to protect their client’s most important assets: client personal information.  

In addition to implementing best practices with respect to a company’s own IP, start-ups need to be as mindful in taking adequate safeguards to ensure that any client IP that is being collected, stored, manipulated or distributed is not being used in a manner that will expose the start-up to liability.  Client IP most often includes “NPI” (nonpublic personal information) and includes personally identifiable financial information and any lists, descriptions or other groupings of consumers derived using personally identifiable financial information.  Unauthorized disclosure or access of personally-identifiable customer data typically results in financial liability (i.e., regulatory fines, penalties and legal fees) and reputational liability (i.e., damage to goodwill that the startup has worked hard to build). 

Knowing which IP safeguards to implement and what steps need to be taken if an IP breach occurs requires a thorough understanding of the ever-changing, multi-jurisdictional laws and regulations applicable to the start-up’s business.  This could include federal regulations, state- and industry-specific requirements surrounding the collection, storage, deletion and distribution of sensitive customer or end-user data.  Utilizing the services of a privacy attorney who understands not only your business, but also your client’s, is important to implementing best practices.  

Having an understanding of these regulations and standards, such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Fair and Accurate Transactions Act (FACT Act) and the Payment Card Industry Data Security Standards (PCI DSS), is extremely important to minimizing liability exposure. Furthermore, knowing how to use customer IP without overstepping boundaries requires a well-written privacy policy, terms of service and other applicable data use agreements.

 

 

Will A Crack In Data Breach Litigation Open Floodgates

Data loss and security breach incidents have become common. However, lawsuits related to these incidents are not so common or successful. The problems plaintiffs have encountered include not only figuring out the proper cause of action to seek recovery (many states lack laws permitting private lawsuits for damages related to data loss) but also how to establish provable damages. For example, if a large retail store suffers a security breach of 2 hours leaving your personal identifying information exposed to thieves or hackers, have you really suffered any damages if the information is never used or compromised? What about so-called "mitigation" damages or out-of-pocket expenses for future protection such as credit card insurance, fraud protection, or getting a new credit card and incurring an annual fee?

The First Circuit Court of Appeals in Anderson v. Hannaford Bros. Co. recently shed some light on the potential for recovery of mitigation damages in data breach litigation. In the Hannaford case, hackers stole up to 4.2 million credit and debit numbers, expiration dates, and security codes, but they did not steal customer names. Hannaford also had received notice that there were 1,800 cases of alleged misuse or fraud from the theft. In response, many financial institutions cancelled consumers’ cards and fees were incurred to reinstate new cards. Additionally, several consumers purchased identity theft protection for fear of future misuse. 26 separate lawsuits followed that were consolidated into one action in Maine.
 

At the trial court level, nearly all of the plaintiffs’ claims (20 out of 21) were dismissed based on problems with the alleged theories of recovery or the damages claims. The court found that the damages were not recognized under Maine law for claims for lost time and effort or too speculative to prove for claims involving lost points on cards, fees for replacement cards, and insurance.

On appeal, the First Circuit upheld implied contract and negligence as proper theories of recovery. With regard to damages, the First Circuit reversed the trial court and found that "a plaintiff may recover for costs and harms incurred during a reasonable effort to mitigate." To recover, however, the plaintiffs needed to establish an actual injury such as money lost as opposed to only time and effort.
 

In finding that the plaintiffs stated a proper claim for damages in a data breach case, the First Circuit noted that the Hannaford breach was not inadvertent loss or simple breach with no misuse. Rather, the court emphasized that there was actual misuse of the information that may have been global in reach running up thousands of charges. This type of breach presented a "real risk of misuse." Thus, it was foreseeable that a customer might replace a card or purchase insurance to avoid or mitigate future misuse. The court specifically noted the many other cases finding no action for damages, but distinguished those cases based on the real threat and misuse that occurred with the Hannaford breach.

Although the Hannaford case appears to show a possible breach in the dam regarding damage claims in data breach cases, a closer look reveals that it may be more limited in scope. The Hannaford case involved actual misuse of the information with sophisticated thieves intent on doing harm for financial gain. It is unlikely that Hannaford will provide support for other mitigation cases unless those claims involve actual or legitimate threats of misuse.
 

Small Business Insurance For Data Loss and Security Breach

The Hartford has recently announced a new insurance product specially tailored to fit small business for data loss and security breach. It has been touted as more affordable for the smaller business owner.  More and more small businesses are experiencing the devastating effects of a security breach incident or data loss.  The statistics and stories are well reported from various sources.  Experts agree that costs can exceed $200 per lost page of data.  This can cripple a small business and leave it exposed to lawsuits and litigation.

The front-line defense to data loss and security breach risks should always be a good security and privacy plan. A technology attorney working in conjunction with your IT support can develop and help implement an effective security and privacy plan. The process of developing and implementing such plans often reveals the problem areas for any business. Nevertheless, at the end of the day, there is no 100% fail-safe plan to secure data, whether the data is on the cloud or in a server in the office. There are also unavoidable risks associated with paper documents. Likewise, there is no plan to provide 100% protection to paper documents. That is why insurance is a good choice to cover the unavoidable risks.

In addition to providing valuable financial protection in the event of a covered incident, the underwriting and application process for data loss insurance will often require best practices. This process alone will substantially reduce the likelihood of a significant data loss incident. Accordingly, small businesses should consider a three-step process for data loss and security breach:

1. Develop and implement a security and privacy plan

2. Implement best practices as part of insurance application process

3.  Purchase and maintain data loss insurance

Only Five Days To Report Data Breach For Insurers And Agents In Connecticut

One of the many questions business owners have to answer upon learning of a data loss or security breach incident is whether to notify governmental authorities and when to do it.  The Connecticut Insurance Department has provided a new regulation for insurers and agents in a bulletin on August 18, 2010.  The new regulation requires immediate notification to the Department in writing, but no later than 5 days, upon a security incident involving personal identifiers.  

The Insurance Department defined a security incident requiring notification as follows: 

The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

This new regulation may have been issued in response to some concerns Attorney General Blumenthal expressed over the Health Net data loss. In particular, Blumenthal was critical of the late (6 months) and inaccurate notice concerning the data loss.

Five days is a very short time frame, let alone responding immediately. It would be very difficult for companies falling under this regulation to meet this notice requirement effectively without already having a privacy plan in place to respond to such an event. I have posted before about the necessity for a privacy plan to address data loss and security breach incidents. With these types of notice provisions, privacy plans become more critical as a risk management tool for insurers and agents to avoid administrative penalties.

Health Net’s Data Loss In Connecticut Was Theft

Attorney General Richard Blumenthal issued a scathing press release related to Health Net’s recent data loss and security breach.  Blumenthal called Health Net’s story on it "sanitized" and its six month delay in reporting "unconscionable."  Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk for exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast serving approximately 580,000 members.  A report by Lucas Mearian of Computerworld stated that the information stolen was a portable hard drive that had not been encrypted.  Proper encryption could have prevented access of the information.

Connecticut consumers have been affected by the data loss and more than a million people had social security numbers and financial and medical information exposed. Consumers in Arizona, New Jersey, and New York also had sensitive information exposed.  Thus far, there has been no report of identity theft or misuse of the information.

 

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems.
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts. If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce. The Chamber offers a great resource entitled “Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12-step plan to increase cyber security. Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. 

 

The Connecticut Privacy Forum Highlights Very Real Risks For Businesses

On Monday,  I attended the Connecticut Privacy Forum hosted by Travelers.  This Forum was a well attended inaugural meeting of privacy and data security professionals.  I came away from the meeting very impressed with the panel of speakers and topics on the agenda.  I also came away from the meeting as convinced as ever that data loss and security breaches pose a significant risk for nearly all businesses that use computers. 

In one of my earlier posts,  I touched on some of the risks involved for businesses related to data loss and security breaches.  I also offered some potential solutions.  At the Privacy Forum, data loss statistics were presented by the speakers and confirmed that these risks are very real for businesses.  Here is a sample of some of the statistics from 2008 alone:

  • 80 million records were compromised
  • 580 data loss or breach incidents were reported
  • $202 per record was the average cost to business for loss or breach 
  • 47% of the incidents involved corporations or businesses
  • 33% involved compromised social security numbers 

The speakers also offered some of the solutions for businesses in terms of risk management and planning.  The seminar further included a detailed overview of federal and state laws covering privacy rights and data security.   You can access the presentation materials at ctprivacy.com 

Overall, this was a great event concerning a topic that will continue to be relevant to business litigation in the coming years.  Congratulations to the organizers, David Baker and Peter Bernstein, from Travelers on a well run event!

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common.  Obtaining insurance to cover losses from data loss can potentially save your business.  Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases.  Take for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania.  The lead theory of recovery in the complaint against Aetna is negligence.   

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company’s insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

Technology 404 by Darwin.

CyberChoice by The Hartford

 CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage