Today's Trends in Credit Regulation

In the Midst of all the Federal Change, Don’t Forget Data Security
By Patricia E.M. Covington

Data security may be on the map again. In the last three months there has been a flurry of activity with respect to data security. Most of this activity is a direct result of recent large-scale, high-profile security breaches, namely those at Epsilon Data Management LLC, Sony PlayStation, and most recently Citigroup.

According to a letter dated April 18, 2011, from Epsilon to Representatives Mary Bono Mack and G.K. Butterfield, the e-mail database management and marketing services company experienced a breach of certain email databases. A copy of Epsilon’s letter can be found here. The breach occurred on March 30th, and within a day Epsilon began notifying its business clients that their information had been compromised in the breach. On April 1st and 6th, Epsilon published press releases about the breach on its website. According to Epsilon, email addresses, and in some cases names, were stolen. While Epsilon has not been able to identify the exact number of consumers affected, news reports estimate it to be in the millions. Epsilon provides email platform services, among other services, to approximately 2,500 companies.

In late April, Sony notified online users of its PlayStation video gaming and Qriocity streaming music and video networks that these networks had been compromised, resulting in unauthorized access to personal and financial information. According to a letter dated May 2, 2011, from Sony to Representatives Mary Bono Mack and G.K. Butterfield, user names, email addresses and some credit card numbers were stolen. Sony discovered the hacking on April 20th and notified users on April 26th. Sony reports that 77 million consumers were affected.

The most recent of these breaches is CitiGroup’s. On May 10th, CitiGroup discovered that its Citi Account Online had been compromised. Customer names, account numbers, contact information and e-mail addresses for over 360,000 consumers were stolen. By May 24th, CitiGroup was able to confirm the scope of the breach, and on June 3rd it began sending notices to affected consumers.

Capitol Hill has taken a special interest in these breaches. Members of Congress are asking many questions, scrutinizing the timing of notices sent to consumers, and, at times, criticizing the companies. Epsilon and Sony, in particular, have been subject to intense scrutiny.

Within a week of Epsilon making its breach public, on April 6, Chairman of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade Mary Bono Mack (R-Calif.) and ranking member G.K. Butterfield (D-N.C.) sent Epsilon’s parent company a letter posing 14 questions about its breach. The Senate has also shown an interest. Senator Richard Blumenthal (D-Conn.) sent a letter dated April 6th, to U.S. Attorney General Eric Holder, asking the Department of Justice to investigate Epsilon’s breach.

Just two days after its breach was made public, Sony was similarly confronted. Representatives Bono Mack and Butterfield, by letter dated April 28th, asked Sony to respond to 13 questions about its breach. Also on April 28th, Senator Blumenthal asked the DOJ to investigate whether Sony had violated the Computer Fraud and Abuse Act. In his letter to the DOJ, Senator Blumenthal called Sony’s one-week delay in sending notice to consumers “unacceptable.”

The timing of Sony’s notice to consumers has been strongly challenged. In their letter to Sony, Representatives Bono Mack and Butterfield asked “[w]hy did you wait to notify your customers of the breach?” This line of criticism is surprising given that Sony notified consumers within a week of discovering the breach. Among the other questions Representatives Bono Mack and Butterfield asked of Sony and Epsilon were:

  • When did you notify the appropriate authorities of the breach?
  • What steps have you taken or do you plan to take to prevent future such breaches?
  • Do you currently have a privacy policy that addresses data retention practices? If not, why not? If so, what are those practices and do you plan any changes in your policies as a result of this breach?
  • Regarding the information obtained in the breach, how long had that personal data been retained?

Representatives Bono Mack and Butterfield’s letters to Epsilon and Sony can be found here and here.

As of the date of writing this article, two hearings have been held by Representative Bono Mack’s Subcommittee to discuss the data breaches. The first was held on May 4th and aimed at exploring the threat of data theft and the need for federal data security legislation. Both Epsilon and Sony were invited to testify; however, they declined, instead sending letters in response to the questions posed by Representatives Bono Mack and Butterfield. David Vladeck, Director of the FTC’s Bureau of Consumer Protection, testified along with a representative from the Secret Service Agency. During her opening remarks, Representative Bono Mack stated that “The single most important question is simply this: Why weren’t Sony’s customers notified sooner about the cyber-attack?” She also announced that she planned to introduce security breach notice legislation. Mr. Vladeck urged the Subcommittee to consider broadening the risk-of-harm trigger in any security breach notice legislation it undertakes. See Preliminary Transcript of the Hearing here.

The Subcommittee’s second hearing, entitled “Sony and Epsilon: Lessons for Data Security Legislation,” was held on June 2nd and aimed directly at Epsilon and Sony. In an Internal Memo distributed to members of the Subcommittee, the purpose of the hearing was described as examining the risks of the Epsilon and Sony breaches and the “state of the ongoing investigations into each incident.” A copy of the Internal Memorandum to the Members of the Subcommittee on Commerce, Manufacturing, and Trade, dated May 31, 2011 can be found here.

Both Epsilon and Sony had representatives testify at the hearing. Representative Bono Mack opened the hearing with general comments about the risk and harm consumers face with respect to identity theft, and about the real need for federal security breach notice legislation. She then launched into an attack on Sony, questioning the appropriateness of the safeguards Sony had in place when the breach occurred and criticizing both the timing and the form of Sony’s breach notice. Specifically, she remarked:

… with 69 million American consumers in harm’s way, why weren’t these safety protocols already in place? For me, one of the most troubling issues is how long it took Sony to notify consumers and the way in which the company did it -- by posting an announcement on its blog. In effect, Sony put the burden on consumers to search for information instead of providing it to them directly. That cannot happen again.

See Preliminary Transcript of the Hearing here.

Sony and Epsilon were questioned heavily about how long they retained consumer data, how the breaches occurred, how they determined what data was stolen (and how sure they were of this), what safeguards they had in place to prevent breaches, and the timing of the notices to consumers. Both Sony and Epsilon expressed support for federal legislation on security breach notification, agreeing that the patchwork of state laws was difficult to navigate and could conflict. By the end of the June 2nd hearing, Representative Bono Mack appeared slightly more sympathetic to Sony and Epsilon, praising them for a cooperative spirit.

What is most surprising is Capitol Hill’s focus on the timing of the notices sent by Sony, particularly since its notice was sent within a week of discovering the breach. One week is being criticized as too long. Companies that have experienced a breach know that one week is actually pretty prompt; simply determining the scope of a breach can be difficult and time consuming. In prior years the focus has been on the harm or risk threshold that must be surpassed to trigger notice. The trigger will likely still be debated given the FTC’s desire to broaden it; however, all indications are that the timing of notices will be equally central.

Currently there are two bills before Congress seeking federal standards for security breach notification. These bills are largely the same as bills introduced in prior years. H.R. 1707, entitled the “Data Accountability and Trust Act” (“DATA”), was introduced on May 4, 2011, by Representative Bobby Rush (I-Ill). H.R. 1841, similarly entitled the “Data Accountability and Trust Act of 2011” (“DATA 2011”), was introduced on May 11, 2011, by Representatives Cliff Stearns (R-Fla.) and Jim Matheson (D-Utah). Representative Bono Mack promises to introduce yet another bill, modeled after Representative Rush’s DATA bill.

As a refresher, Representative Rush’s DATA bill was introduced in the 110th and 111th Congressional sessions but failed to pass. In the 110th Congress, the bill never left committee, and in the 111th Congress, the House approved the measure but the Senate never acted on it.

Both Rush’s DATA and Stearns’ DATA 2011 bills have identical risk/harm triggers for when data breach notification would be required. Notice would be required unless a company determines “that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.” The difference between the bills begins with the timing of the notice. Stearns’ DATA 2011 puts more emphasis on timing. Notice is required “as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and consistent with any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.” There is no delay for law enforcement or national security purposes. Rush’s DATA bill calls for notice “not later than 60 days following the discovery of a breach of security, unless the person providing notice can show that providing notice within such a time frame is not feasible due to extraordinary circumstances necessary to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case such notification shall be made as promptly as possible.” Rush’s DATA bill also allows for a delay for law enforcement or national security purposes. The lack of a fixed deadline in Stearns’ DATA 2011 bill may actually impose more scrutiny on when a notice is given, since “as promptly as possible” leaves the reasonableness of any delay open to challenge.

Another difference is that Rush’s DATA bill would immediately require businesses to adopt a data safeguarding program. Stearns’ DATA 2011 bill, however, tasks the FTC with examining the issue and reporting its findings back to Congress. Stearns’ DATA 2011 bill also has a sunset provision of September 30, 2016.

Representative Bono Mack is expected to introduce a bill. She has commented that the guiding principle of her bill will be for consumers to be promptly notified when their personal information has been jeopardized. In the June 2nd hearing, she remarked “[t]he time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification and we need it now.”

Only time will tell whether Congress can stay focused on the topic of data security, particularly in light of its attention on the CFPB and the federal government’s budget. We’ll just have to wait and see.

Patricia E.M. Covington is a partner in the Maryland office of Hudson Cook, LLP. Patty can be reached at 410-865-5409 or by email at pcovington@hudco.com.