Forman - 1
Merchant Liability for Data Breaches in a Budding Information Age
At first, it appears that big retail corporations are
insensitive to the basic needs of the consumer in the
marketplace. They devour or destroy smaller, less comprehensive
retail stores in an effort to stamp out the competition. They
sell substandard items that are manufactured poorly and break
easily and need to be returned. Some of those same items contain
materials such as lead and chromium that are introduced during
the manufacturing process that can be harmful to the consumer or
his/her family members (China). And as of late, the newest trend
is that they allow the personal information of their consumer
base to be ravaged either accidentally or more likely, by
allowing their security systems to be hacked by intruders, both
domestically and internationally. But is this true? Do senior
retail executives sit behind their desks and casually decide the
fate of millions of private records? Perhaps this is a vision
easily conceived by the consumer and one which may seem to have
some validity since so many records have been exposed and so many
accounts compromised. But as we travel ‘once more into the
breach’ as Henry V so aptly put it and batter the walls of common
misconception, that being, that corporations care little for your
information and have such low standards that anyone with the
mindset and a computer can easily pilfer that data, the astute
reader might discover that these data breaches are more than just
merchant liability in the form of individual lawsuits and class
actions for tort concerns such as invasion of privacy and
negligent misrepresentation, breach of contract, lack of
compliance with standards, guideline and industry best-practices
or various federal and state statutory concerns such as false
advertising and consumer fraud. More realistically in this
budding Information Age, they are a reaction to the growing pains
of non-tech-savvy consumers and their insatiable need for quicker
and cheaper merchant services, a product of disjointed
government agencies and their need for stronger, more unified
regulations for the Internet and the organizations that service
all of us, and an inevitability engendered by the greed of
insiders, hackers and opportunists who seem to so easily attack our
data storage systems and our commercial infrastructure without
ever having to leave the comfort of their own homes.
BREACHES IN MODERN CONTEXT
So, what is a data breach? Is it simply a group of hackers
from an old Eastern Bloc country reaching into the American way
of life and stealing all of our information (Perlroth)? Is it a
stolen laptop left in a car (Shulz)? Is it always intentional?
The answers are yes and no. A data breach is defined as “an
incident in which sensitive, protected or confidential data has
potentially been viewed, stolen or used by an individual
unauthorized to do so” (Rouse). Data breaches may involve
personal health information (PHI), personally identifiable
information (PII) (see below), trade secrets or intellectual
property (Rouse). The types of breaches that occur can then be
divided into the following categories:
1) Unintended disclosure - Sensitive information posted
publicly on a website, mishandled or sent to the wrong party
via email, fax or mail;
2) Hacking or malware - Electronic entry by an outside party,
malware and spyware;
3) Payment Card Fraud - Fraud involving debit and credit cards
that is not accomplished via hacking. For example, skimming
devices at point-of-service terminals;
4) Insider - Someone with legitimate access intentionally
breaches information - such as an employee or contractor;
5) Physical loss - Lost, discarded or stolen non-electronic
records, such as paper documents;
6) Portable device - Lost, discarded or stolen laptop, PDA,
smartphone, portable memory device, CD, hard drive, data
tape, etc;
7) Stationary device - Lost, discarded or stolen stationary
electronic device such as a computer or server not designed
for mobility; and
8) Unknown – breaches that cannot be categorized as any single
type above, or whose type is unknown.
(Privacy Rights Clearinghouse – Chronology of a Breach)
Thus, breaches are neither all some insidious plot by black hat
hackers nor are all breaches as simple as human error vis-à-vis
leaving data unsecured or unencrypted at the hands of some
misdirected (that is, lacking direction due to a poor corporate
security policy) IT worker. However the data gets exposed to the
public, the truth is the statistics regarding data breaches are
staggering. This year alone there have been 36 publicly reported
retail/merchant breaches and an estimated 58,149,700 compromised
records, those records comprising various forms of
Personally Identifiable Information or PII (Chronology)[1]. But if
that statistic is not daunting enough, consider this, Privacy
Rights Clearinghouse has been tallying cumulative breach
statistics since 2005 and has to date amassed 4,419 total
breaches in seven categories – business, financial services,
retail/merchants, education, government/military, healthcare,
non-profits – with an approximate total of 929,676,448 records
(Chronology). Compounding this seemingly impossible to fathom
statistic are three things that can only serve to augment the
horrendous fate of our personal information. First, as mentioned
above, this is only an approximate figure based on reported data
breaches with nine or more records having been publicly exposed
(Chronology) – if a company chooses not to publicize its breach
or does not know about the breach there are very few avenues in
which to discover this information (Sherman).
[1] According to the 2010 NIST Special Publication 800-122, PII is defined as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
Second, hidden
amongst these figures is the fact that many data breaches are not
quantified, that is, since the number of actual records
compromised is unknown, that number cannot be considered as part
of the tallied records for this eight year period (Chronology).
And third, the breaches counted in this total only consider PII
for victims residing in the United States. In contrast to this
number however, ITRC (Identity Theft Resource Center) has
reported only 4854 breaches with 669,690,671 records compromised
(Identity) and while this may sound like a ludicrous comparison,
ITRC’s information may be the more realistic figure with regard
to corporate liability litigation as their numbers rely on a
narrower view of PII, that is, ITRC defines a data breach as “an
incident in which an individual name plus a Social Security
number, driver’s license number, medical record or financial
record (credit/debit cards included) is potentially put at risk
because of exposure” (Identity).
Consumer Reaction to Breaches. Based on the small sampling of figures
from these two websites, it is not hard to imagine that the
average consumer is going to look for a scapegoat for it all and
perhaps they should do so. The exposure of personal data can not
only lead to theft, fraud, and embarrassment, but as our cyber
identities begin more and more to define who we are the loss of
this information can lead to what amounts to a cyber-identity
crisis. But to be frank, the causal factors for this incredible
loss of personal information may lie with more than just poor
corporate security. It may lie with the consumers themselves and
what can be coined as a strong sense of data breach fatigue; a sense
of complacency and apathy regarding the theft of our PII (Data
Breach). Prior to the Internet rage, that is, the flood of
information available to anyone with a connection to the World Wide
Web, it would have been nearly impossible to access all of the
complications and issues involved with data breaches and security
risk management issues faced by retailers. Unfortunately perhaps,
rarely now does a week go by when the citizenry is not bombarded
by the media with some new story about data breaches. This is not
to belittle the consequences of a data breach; having your
personal information remain personal is extremely important. But
the information that we experience today via unregulated media
hype manifests itself in an almost ‘Abouliaesque’ fashion
(Aboulia). And while this is perhaps a stretch, this data breach
fatigue is quite comparable to an actual illness. We become
paralyzed with a lack of will or initiative to act (Aboulia). And
even though this is not completely like the physical illness the
evidence as well as the manifestation of such is clear: Data is
exposed or stolen from us on such a regular basis and to such a
massive degree that we become fatigued by the input and thereby
become unable to (or simply refuse to) act on it. It becomes
easier to disregard the obvious necessity for personal regulation
vis-à-vis the way in which we handle our personal information or
the way in which we allow others to handle it and sit back and
play the blame game. It seems easier for the citizenry to turn to
the government for guidance no matter how haphazard that guidance
may be (Germano). Therefore again, the liability may not simply
sit upon the shoulders of our merchants; rather, it may actually
be compounded by the necessity of our elected officials to
act hastily without clear architecture or any unified purpose,
that being in the most idiomatic of terms, an inability to see
the forest for the trees. More clearly, so as not to seem too
condescending, they are enacting haphazard regulatory manifestos
in response to media hype and citizen pressure over these
pervasive data breaches. And while perhaps well-meaning, instead
of taking a more holistic view that approaches breaches utilizing
an enterprise-centered sense of, dare we say, Internet regulation
(Lessig – Part I), officials instead are forced into a fragmented
and compartmentalized vision within their particular facet of
federal or state government; all of this motivated by alarming
alacrity in the face of poor ratings and impending elections.
Even under the auspices of concern for their constituents and a
plethora of best intentions, they too are ultimately just
citizens who were unprepared for the data-driven flood rushing
down from this Information Age springhead.
REGULATORY STANDARDS AND ISSUES
The Electronic Transaction. To more enthusiastically strike the chord
of this dissonant sense of regulation, it is best to examine the
way in which organizations, particularly retail/merchants, are
required to approach transactions and ultimately transaction
privacy (PII) so as to comply with all regulatory duties in an
educated-guess, security-centered attempt to avoid liability in
the face of a breach. While a consumer merely sees the purchase
or swipe of the card as it were, there are so many additional
factors that actually affect the transaction. Not only does the
merchant have to contend with all internal point-of-sale (POS)
concerns – transaction headers, detail, and tender – it must also
then manage the movement of encrypted information garnered from
the magnetic stripe on the back of the card (consumer name,
account number and verification code (CVV), and expiration date)
between the POS terminal and the bank for authorization and then
a return of information verifying or denying the purchase (Mott).
In the case of an ATM or if a PIN is being used the information
may have to travel twice to and from the originating terminal
(Mott). And in an online purchase, additional personal data such
as a bill-to and ship-to address or phone number is also required
to complete the transaction (Mott). Throughout this process an
enormous amount of data is collected from the consumer and all of this
data must be stored in a very specific and secure fashion whether
it is kept for later use in a ‘customer-centric’ or a ‘visit-
centric’ model or whether it is destroyed (Ross). Surely one
would think considering the security-centered neuroses that the
population is experiencing (in both senses of the word) that every
step of every process, whether it be the process of swiping the
card itself at the POS terminal, the transmission of the data
collected from the card, the retention of information acquired
from the consumer or the magnetic stripe during the transaction,
the storage of that information until it is batched to the
bank/acquirer at the end of the day and/or the storage of that
information long-term by the merchant would all be monitored, if
not by Internet regulation (see Lessig), then by both state and
federal legislation. However, this is only true in a cursory way.
The handling, dissemination and storage of PII during a
transaction has a set of guidelines created and continuously
modified by the FTC, SEC, and State Attorneys General (discussed
in detail below), but the vulnerability management with regard
to the transaction from the POS terminal to the credit issuer and
back to the merchant are based on standards set through the PCI
SSC (Payment Card Industry Security Standards Consortium), a
syndicate of credit card companies that includes VISA,
MasterCard, AMEX, Discover and JCB International (and do not be
surprised should you be feeling a nagging sense of paradox upon
reading that last phrase) (Blackbaud) who have created a set of
standards quoted as being “somewhat draconian in nature, with so
many requirements that are difficult to implement and maintain…it
would seem that no one is ever really compliant at all” (qtd in
The State of Security).
Consortium of Collusion - PCI DSS Standards. So as not to lose sight of
the indomitable thesis of merchant corporations’ attempt at
avoiding liability in the face of ever more complex enterprise-
related issues, in this case that being the complications for
merchants to stay industry compliant with regard to data security
and privacy, it is worth taking a small aside here to more
clearly understand an overview of PCI DSS v3.0 which has its own
very specific set of guidelines that merchants must follow for
whenever they process, transmit or store data in a transaction:
1) Install and maintain a firewall configuration to protect
cardholder data
2) Do not use vendor-supplied defaults for system passwords and
other security parameters
3) Protect stored cardholder data
4) Encrypt transmission of cardholder data across open, public
networks
5) Use and regularly update anti-virus software
6) Develop and maintain secure systems and applications
7) Restrict access to cardholder data by business need-to-know
8) Assign a unique ID to each person with computer access
9) Restrict physical access to cardholder data
10) Track and monitor all access to network resources and
cardholder data
11) Regularly test security systems and processes
12) Maintain a policy that addresses information security
(PCI DSS Requirements)
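The transaction description above lists the data read from the magnetic stripe (cardholder name, account number, verification code and expiration date), and the third requirement in the list above asks that stored cardholder data be protected. The following Python is an added example, not code from this paper or from the PCI SSC. It shows one concrete way a merchant's batching code can separate what may be retained after authorization (name, a masked account number, expiry) from the sensitive authentication data that must not be kept (CVV, PIN, full track data), together with a checker that flags a stored record still holding a full, Luhn-valid account number. The field names, the record layout and the sample card (a commonly used test number) are assumptions constructed for the example; the first-six/last-four masking and the rule against retaining the verification code after authorization follow PCI DSS Requirement 3.

```python
import re
from dataclasses import dataclass


# Fields captured at the POS terminal. The field names are assumptions
# for this example; the paper lists name, account number, CVV and
# expiration date as the data read from the magnetic stripe.
@dataclass(frozen=True)
class CapturedCard:
    cardholder_name: str
    pan: str      # primary account number, may contain spaces
    cvv: str      # card verification code
    expiry: str   # MM/YY


# Sensitive authentication data that must not be retained after
# authorization (PCI DSS Requirement 3). Keys are assumed names.
PROHIBITED_AFTER_AUTH = ("cvv", "pin", "track_data")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to recognise a real account number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of the PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length is not plausible")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def record_for_storage(card: CapturedCard) -> dict:
    """Build the record a merchant may keep for end-of-day batching.

    The CVV is deliberately not copied: it is only needed to obtain
    the authorization and may not be stored afterwards.
    """
    return {
        "cardholder_name": card.cardholder_name,
        "pan_masked": mask_pan(card.pan),
        "expiry": card.expiry,
    }


def storage_violations(record: dict) -> list:
    """Flag fields a stored record must not contain.

    Two checks: a prohibited key is present, or any string value
    contains a 13-19 digit run that passes the Luhn test (an unmasked
    PAN), whatever the field is called.
    """
    problems = []
    for key in PROHIBITED_AFTER_AUTH:
        if key in record:
            problems.append(f"prohibited field retained: {key}")
    for key, value in record.items():
        digits = re.sub(r"\D", "", str(value))
        for run in re.findall(r"\d{13,19}", digits):
            if luhn_ok(run):
                problems.append(f"unmasked PAN stored in field {key}")
    return problems


# Constructed sample: a well-known test card number, not a real account.
SAMPLE_CARD = CapturedCard(
    cardholder_name="A. CONSUMER",
    pan="4111 1111 1111 1111",
    cvv="123",
    expiry="12/26",
)


if __name__ == "__main__":
    stored = record_for_storage(SAMPLE_CARD)
    print("record kept for batching:", stored)
    print("violations in kept record:", storage_violations(stored))
    # A record written by a careless integration, for comparison.
    bad = {"cvv": SAMPLE_CARD.cvv, "pan": SAMPLE_CARD.pan}
    print("violations in careless record:", storage_violations(bad))
```

The checker scans every value rather than trusting field names, because the full account number tends to leak through fields nobody thought to name "pan" (free-text notes, log lines, debug dumps); pairing the digit-run regex with a Luhn test keeps phone numbers and order ids from triggering it.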
All is well and good here on the face of it as any reasonable
consumer or conscientious business owner must consider security a
high priority when conducting electronic business transactions,
but there is also an enormous number of subcategories and
standards such as levels of compliance and type of compliance
that make the standards very difficult to comprehend and comply
with unless help is sought through a compliance expert or team of
experts (Controlscan.com). However, truly the most ironic aspect
of PCI DSS is the fact that it is an organization made up of credit
card companies who in essence perpetuate and then self-regulate
their own standards. While they purport to be “an open global
forum,” it is hard to ignore the fact that they, whether
intentional or not, are creating standards that are ultimately in
their own best interest:
“The Council’s five founding global payment brands --
American Express, Discover Financial Services, JCB
International, MasterCard, and Visa Inc…mak[es] the Council
a centralized resource for access to standards and services
approved by all five payment brands.”
(PCISecurityStandards.org)
Is it possible to imagine that these companies would assert a
magnanimity boundless enough to consider the merchants or
consumers over their own bottom line, that is, the
charging of interchange fees (card swipe fees that are charged
between an acquiring bank (merchant’s bank) and a customer’s
bank (issuer’s bank) when a credit or debit card is used for the
transaction (Hostmerchantservices.com)), which amounted to over $8.1
billion for Visa and MasterCard alone in 2013 (Kantor) (see also
The Huffington Post)? A total of $48 billion comes from these
interchange fees annually, according to analysts at The Nilson
Report and that cost is incurred by both the merchant and the
consumer (qtd in The Huffington Post) and it is the second
largest expense that a merchant incurs in the course of doing
business after labor (Coalition). If these somewhat terse
statistics seem too cynical, consider the way the following piece
of legislation and its attached amendment unfolded.
Dodd-Frank and the Durbin Amendment Debacle. The Dodd-Frank Act of
2010 was meant to put controls on the alleged errant ways of the
financial sector by, in sum, adding regulation via transparency,
creating additional consumer and investor protections, and
tightening regulations on accounting principles (Wikipedia –
Dodd-Frank). Attached to the Act in its final passage was the
Durbin Amendment which was meant to address the egregious fees
charged when a debit card is swiped thereby reducing the
interchange amount. Without going into too much detail, when the
bill was signed into law, fees for transactions were ultimately
capped at $0.21 and .05% of the transaction amount (or 5 basis
points – see the Wikipedia article, Basis Points, for a more
definitive discussion on this) plus an additional $0.01 per
transaction cost to cover any losses the banks may incur due to
fraud. The initial bill, however, was meant to cap transaction
fees at $0.12 per transaction plus applicable fees as noted above
(Investopedia). Instead of celebrating the success of millions of
dollars’ worth of lobbying saving them billions in profit – two
million dollars alone came through the Electronic Payments
Coalition to Congress in 2011 (Huffington Post) – banks
immediately went on the defensive upon the passage of the bill by
threatening to charge additional bank account fees and card usage
charges in order to maintain their large bottom line. When it was
all said and done, here is what the consumer saw:
Pre-Durbin:
A consumer buys a $100 product from a merchant using a
signature debit card issued by a large national bank.
The merchant’s expense for accepting that transaction is
$2.00 total in fees.
The consumer uses their debit card free of charge from their
issuing bank.
Post-Durbin:
A consumer buys a $100 product from a merchant using a
signature debit card issued by a large national bank.
The merchant’s expense for accepting that transaction is
$1.12 total in fees. The merchant saved $0.88 due to Durbin
and has limited incentive to pass on its savings to
consumers.
The consumer’s issuing bank makes up the lost revenue by
charging new debit usage fees to its customers.
Customer still pays $100 for same product while now also
paying new bank fees.
(Tsys.com – …Payments Value Chain)
And should one wish to be truly outraged, s/he only needs to note
that this payment “rein in” only applied to debit cards. Credit
cards were not considered in the Durbin Amendment and thus banks
have promoted reward-driven credit cards (like the earning of Sky
Miles when a card is used) and cash-back reward cards so that the
unregulated fees they can charge are potentially offset by the
merchants who have been accused in multiple venues of not passing
on all of the savings they have garnered due to the fee cap on
debit cards to the consumer as proponents of Durbin might have
expected. But, assuming those savings are realized by the
merchant, though obviously offset by the higher fees now
associated with credit cards, they do not necessarily have to go
directly to consumers via lower prices. There are other market
considerations other than price wars such as employee wages,
security, expansion or even quality and variety of products where
the savings can be pigeon-holed (Rortybomb).
Merchant Feasibility, Liability and PCI DSS. But let it be said, according
to critics of the proponents (and even the critics of the
critics) of Durbin it is simply a matter of merchants not
accepting credit or debit cards (Kantor). However, that is a very
unrealistic expectation. According to a 2012 Infographic from
Community Merchants USA (see below), “66 percent of all point-
of-sales (POS) transactions are done with plastic – credit,
debit, or gift cards…Only 27 percent of purchases are made with
cash.” It is estimated that cash sales will continue to decline,
dropping to 23% of all transactions by 2017
(Communitymerchantsusa.com).
(Infographic qtd at Communitymerchantsusa.com)
So should a merchant wish to be successful, whether they be a
small sole-proprietorship on Main Street USA or a multinational
chain like Target, the facts above do not lie. They must accept
credit and debit cards, dollar minimums applicable to the
transactions or not, or be doomed to obscurity and perhaps even
failure. Banks and the credit card industry in general through
PCI compliance have transferred both the risk and the blame onto
the merchants by creating standards that are rife with
complexity, cost merchants thousands if not millions of dollars
to implement and regulate either in house or through a third
party provider (known as a QSA or Quality Service Assessor, which,
although not required by PCI, must be utilized in order to
attempt any semblance of realistic compliance or to mitigate the
risk via transference[2]), and ultimately hold them hostage when a
breach occurs by way of fines, negative publicity, lawsuits and
compliance revocation; all this while reaping billions of dollars
in fees for interchange and fraud mitigation (simply compare the
margins of merchants to those of the banking sector (Rortybomb)).
They preach that no business who is PCI DSS compliant has ever
been breached, but this is clearly untrue, according to
securosis.com, a security research and advisory firm located in
Phoenix, stating, “…merchants pass their [PCI DSS] assessments,
they get breached, and then PCI retroactively revokes their
certifications. Fines are then levied against the acquiring bank
and passed on to the merchant.” (Securosis.com).
[2] According to Peter Gregory in CISSP Guide to Security Essentials (Course Technology. Boston, MA. 2010. Pp. 7-8), risk, once a qualitative or quantitative assessment has been performed, can be managed (“treated”) at an organization in one of four ways: Risk Acceptance, Risk Avoidance, Risk Reduction, and Risk Transfer.
Additionally,
other than the fee caps noted above, there is no government
oversight of this type of bank-imposed merchant
regulation/strangulation. Coupled with this is the fact that they
have almost biblical absolution from liability by touting they
have no real authority as they are merely a standard setting
organization, stating on their website,
“The Council does NOT validate or enforce any organization’s
compliance with its PCI Security Standards, nor does it
impose penalties for non-compliance. These areas are
governed by the payment brands and their partners.”
(PciSecurityStandards.org)
Thus, it is in the liability-stained hands of the individual
merchants to divine the level of compliance via the creation of
new security measures and new infrastructure or they must attempt
to transfer the risk of a breach of PII data by hiring some third
party to help them follow all of these guidelines in order to
stay in a never-ending, cost and fear driven cycle of self-
regulated compliance at the hands of a no-fault master. And of
course, as above in the introduction, ultimately compounding the
pressure to comply with these strongly-suggested, but officially
self-prescribed regulations is the public’s insatiable need for
better, smarter and faster results (as who carries cash or writes
checks anymore) and its unforgiving nature when it comes to a
corporation’s seeming attempt to cut corners and bilk them out of
their hard-earned money. One can hardly imagine the financial
sector standing up for the rights of these merchant corporations
and decrying, “they did their best but were breached anyway…
something has to be done…there need to be uniform regulations
and changes that we can all subscribe to.” Instead, they cry
foul, cast aspersions and ‘let slip the dogs of war’ upon the
offending merchants. And if you know your Shakespeare (Julius
Caesar, Act 3, Scene 1) this is an absolutely apt analogy of how
the merchant/conspirator will ultimately be treated by the system
in place now.
Federal Regulation of Merchant Breaches. Perhaps the best description of
U.S. regulations with regard to data security and privacy was
summed up in the first sentence of the United States section of a
report by the law firm of Hunton and Williams in their article,
Getting the Deal Through – Data Privacy and Protection 2014. Authors Lisa
Sotto and Aaron Simpson state that “…the US legislative framework
for the protection of PII resembles a patchwork quilt” (Sotto
191). The United States has no unified set of guidelines for data
security and privacy and thus corporations as a singularly
vulnerable sector are forced to navigate their way through a
giant maze of regulations which not only are enforceable by
various agencies depending on which rule has been deemed to be
transgressed, but also “provide for a private right to bring
lawsuits against organizations they believe are violating the
law” (Sotto 191). More specifically, US corporations are subject
to regulation enforcement by the following agencies:
FTC (Federal Trade Commission) – oversight rules such as:
o Data safeguards rules under Regulations of Specific Acts of
Congress - Title 16:Chapter I:Subchapter C:Part 314
o Data disposal rules under the Fair Credit Reporting Act
(FCRA) - Title 16:Chapter I:Subchapter F:Part 682
o Identity theft rules under the FCRA - Title 16:Chapter
I:Subchapter F:Part 681
o Red Flags Rule – implementation of a written Identity Theft
Prevention Program which can be used to detect the warning
signs – or red flags – of identity theft (16 CFR)
SEC (Securities Exchange Commission) and Commodities Futures
Trading Commission (CFTC) – adoption and enforcement authority
with regard to:
o Sarbanes-Oxley Act (SOX) – administered by the SEC, SOX was
originally a congressional act aimed at improving governance
and accountability with public corporations
o Red Flags Rule in relation to SEC-regulated agencies including
most registered brokers and investment companies as well as
registered investment advisers (Federal Securities Law)
United States Congress:
o Gramm Leach Bliley Act (GLBA) – strict controls on how
financial institutions share or disclose personal financial
information (although actually enforced by the FTC)
o Authority to perform Formal Inquiries on organizations
experiencing a breach (16 CFR)
State Attorneys General – see especially Compliance Solutions and
Resources’s excellent summary document noted below which shows
the varying requirements of various State Attorneys General (Data
Breach).
Corporations may also be subject to additional regulations or
oversight via the US Department of Justice, Consumer Financial
Protection Bureau (CFPB), Federal Communications Commission (FCC)
and Department of Health and Human Services (HHS) (Sotto).
Moreover, corporations are being aggressively pursued under this
jumbled muddle of regulations – all at tremendous time, manpower
and expenses aimed at not only the legal issues but also brand
defense – and are seemingly now the scapegoat for the US
government’s inability to keep up with the constantly changing
environment of technology (Germano). It appears as well that
corporations in broad strokes are now forcibly working in tandem
with the central government to protect the public interest (one
wonders if that is what was actually meant by a public company)
(Germano). And while it might be arguable that a corporation who
collects personal data technically becomes the owner of that data
until it is disposed of in proper fashion (16 CFR), it is as
easily as convincing an argument to place the onus on the
government, that is, were unified regulations put in place via a
central authority and information sharing/strategy were the norm,
perhaps many of the issues and growing pains the consumer
population is experiencing could be more readily mitigated
(Lessig). In light of this corporate conundrum, it is hardly
unfathomable then that many organizations are not only fearful of
this fragmented and increasingly complex set of rules but are also
fearful of reporting any type of breach lest they be subject to
additional increased scrutiny (e.g. the FTC has the authority to
levy fines and conduct biennial audits of corporations who are
involved in alleged breaches under Section 5 of the FTC Act)
(Sotto).
BREACH LITIGATION
Compounding this requirement of compliance with federal, state
and banking regulations is the addition of security-breach-
triggered litigation. To get a clearer picture of the odds
against future litigation success for corporations, we must first
refocus our attention back to the staggering number of records
revealed in only the high profile cases and only in the United
States over the last two years:
09-02-2014 – Home Depot – 56,000,000 records
o Debit and credit card numbers put up for sale on the black
market.
08-27-2014 – JP Morgan Chase, Fidelity Investments –
83,000,000 records
o Names, addresses, phone numbers and email addresses of
76,000,000 households and 7,000,000 businesses.
05-21-2014 – EBay – 145,000,000 records
o Names, encrypted passwords, email addresses, phone numbers,
registered addresses and birth dates.
08-12-2013 – Target Brands, Fazio Mechanical – 110,000,000
records
o Customer names, addresses, phone numbers, PIN and CVV
numbers.
10-03-2013 – Adobe Systems – 152,000,000 records
o Names, customer IDs, encrypted passwords, encrypted debit and
credit card numbers with expiration dates, and Adobe source
code.
04-26-2013 – LivingSocial Inc – 50,000,000 records
o Customer names, emails, birthdates, hashed and salted
passwords.
(Largest Data Loss Incidents - DataLossDB)
And, as stated, this is merely a sampling. There are multiple
other breaches – 636 this past week of October 26-31, 2014
according to idtheftcenter.org (Identity) – and massive amounts
of data being stolen worldwide as well (220,000,000 stolen in
South Korea on August 22, 2014) (Largest). All of these numbers
are almost inconceivable to the average consumer and literally
insurmountable at the corporate level.
Target Breach. On a legal level, take for example the Target breach above. While it is still playing out, there is a tremendous amount of information that can be garnered from the web. As of May 7th, 2014, the cases filed against Target consisted of 81 consumer class-action suits (seven of them filed on the day the breach was announced), 28 financial-institution class-action suits and 4 shareholder derivative suits (see Collier v. Steinhafel, filed January 29, 2014, which accused Target of false and misleading statements regarding its handling of the breach) (Bychowski). With regard to the most recent large-scale breach, as of October 13, 2014 (just over one month after the announcement of the breach), Home Depot already faced 21 class-action lawsuits (Allison). Here we see the legal system, like the regulatory system, attempting to keep up with the information overload; it, too, is subject to incredible change driven by almost every level of technology.
Defendants Bar. The difference in the legal arena is that there is a more obvious counterbalance, created by the plaintiff bar versus the defendant bar. Lawsuits are being filed both for the breach itself and for the way in which the organizations are handling the breach. There are lawsuits for unfair or deceptive practices, breach of contract, negligence, unjust enrichment, breach of fiduciary duty and duty of care, as well as negligent misrepresentation and invasion of privacy (Germano). From the defendant perspective, corporations so far have been able to fend off many of these lawsuits, which unfortunately, under time and length constraints, are too vast to tackle individually here. In summary, however, the most notable of the successful defenses against these class actions concerns the harm actually suffered by the plaintiffs as a result of the loss of their personal information: it is difficult to prove actual harm from PII being stolen (Grande). According to the Supreme Court decision in Clapper v. Amnesty International Inc (No. 11-1025, argued October 29, 2012, decided February 26, 2013), in order to satisfy Article III standing requirements - Article III being a separation-of-powers provision of the Constitution whereby the courts are restricted in the type of cases they can hear - a plaintiff must prove that they have suffered:
1) an injury in fact, that is:
(a) one that is concrete and particularized, and
(b) the injury must be actual or imminent, not
conjectural or hypothetical;
2) show a causal relationship between the injury and the
challenged conduct, meaning the injury must be traceable to
the challenged action of the defendant; and
3) show likelihood that the injury will be redressed by a
favorable decision, meaning that prospect of obtaining
relief is definitive and not speculative.
(from the 'Lectric Law Library's Lexicon: Standing)
While this case concerned improper surveillance, it has been cross-applied to data breaches: even where it is true that the breached data was improperly accessed (in the case of Target, by hackers), it does not necessarily follow that the data has been misused in any way. For the harm to be redressed by the courts, it cannot merely be “objectively reasonable” (Jones 75) that injury will occur; it must be “certainly impending” (Jones 76). This fending off, as it were, of class actions does not, however, account for additional litigation by the banking industry or for derivative lawsuits, nor does it factor in regulatory fines by state and federal agencies (Jones 71). The costs to defend against all of these lawsuits, to show compliance with regulatory agencies, or to redesign internal security measures are astronomical. Target has stated that it has already seen costs in excess of $148 million (Abrams). Moreover, the banking industry has stated that it has cost them $240 million just to replace misappropriated data associated with breached credit cards.[25] John Kindervag of Forrester Research believes it is hard to imagine that Target will be able to escape its data breach for less than $1 billion (Abrams).
Plaintiffs Bar. On the plaintiff side of the bar, attorneys have had to become more creative in their filings against potentially liable merchants, as most of the cases have been dismissed. While they may not be able to prove concrete harm under Article III considerations, they have been attempting to circumvent this issue through the use of other lawsuits that might be more plaintiff-friendly.[22] Consider the June 2014 Susan B. Anthony v. Driehaus decision, which shifts attention away from the certain harm purported to be necessary under Clapper. It is notable that Justice Breyer, in his dissent, pointed out that past Supreme Court cases have been tried based on “substantial” risk (see especially the 2010 Supreme Court Monsanto v. Geertson Seed Farm decision, as noted by Justice Breyer) (Lederman). Additionally, in a footnote to the majority opinion in Clapper, Justice Alito noted that the Supreme Court has in the past based decisions on this more traditional “substantial risk” standard, as opposed to the more arduous “certainly impending” harm that seems to be a deal-breaker in Clapper (Lederman). While these may be two confusable standards, in Susan B. Anthony Justice Thomas addressed this concern by stating that the harm could be either “certainly impending” or “substantial” in order for the plaintiff to sue (Lederman). Based on this, it should be of significant concern that the tide will turn in favor of the plaintiffs as additional waves of litigation wash up on the shores of merchant defendants.
CONCLUSION
Regulability not Liability. By all of these factors, then – citizen outcry, corporate trepidation, regulation, and litigation – it appears that there may be no end to the number of effects created by data breaches in the future. There seems to be no current technology or internal corporate set of security policies that can even purport reasonably to defend against all forms of attack. All systems are vulnerable, whether due to an unaddressed infrastructure issue or a human one. As defenses evolve in light of these breaches, so too will the abilities and possibilities invented by hackers and insiders to violate them. This is not to say that corporations cannot improve their internal policies; they must. In this culture of bigger, better, cheaper and faster, they need to be the beacons of data security. But as was shown above, they cannot be forced to accept all of the blame for data breaches, as they are neither the makers of regulation nor the keepers of the citizenry. They too are simply followers; a corporate body not unlike a human body. Continued litigation cannot be considered a solution either. There is no monetary penalty that can be successfully imposed on a merchant that will make it more compliant or more collaborative in its efforts to thwart various vectors of attack. The effect will always be the opposite. No one thrives under an incomprehensible dictatorship. Thus, it is the lack of a unified set of security regulations that is ultimately to blame, as is the absence of regulation of our country’s internet standards (Lessig). The fragmentation of our current government with regard to a singular set of standards has been augmented by its inability to cooperate with or negotiate with the private sector. For it is seemingly easier for them to blame than to change; to fine rather than to refine; to impose instead of to compose. If this set of standards (or lack thereof) cannot be changed into a unified regulatory system, both governmental and corporate, the consequences may ultimately be disastrous and far-reaching as we travel more deeply into the breach that is not only our personal information, but also the future technologies that are supposed to make our lives so much easier.
WORKS CITED
"16 CFR Chapter I - FEDERAL TRADE COMMISSION." LII / Legal Information Institute. Web. 23 Oct. 2014.
Abrams, Rachel. "Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop." The New York Times. The New York Times, 5 Aug. 2014. Web. 23 Oct. 2014.
"Aboulia." Wikipedia. Wikimedia Foundation, 28 Oct. 2014. Web. 29 Oct. 2014.
Allison, David. "Home Depot Now Facing 21 Class-action Lawsuits over Data Breach." Atlanta Business Chronicle. 13 Oct. 2014. Web. 30 Oct. 2014.
Bychowski, Stephen. "United States: Target Data Breach Cases Progress, But Plaintiffs Face Uphill Battle." Data Protection. Foley Hoag LLP, 21 July 2014. Web. 29 Oct. 2014.
Blackbaud.com. "FAQs - PCI Compliance - Blackbaud." 2014. Web. 27 Nov. 2014.
"China Lists Substandard Wal-Mart, Carrefour Goods." Reuters. Thomson Reuters, 29 Nov. 2007. Web. 22 Oct. 2014.
"Chronology of Data Breaches." Privacy Rights Clearinghouse. Web. 24 Oct. 2014.
Coalition, Merchant. "The Biggest Bank Fee You’ve Never Heard Of." Unfaircreditcardfees.com. 2014. Web. 27 Nov. 2014.
Communitymerchantsusa.com. "The Benefits of Small Business Card Acceptance." Community Merchants USA. 2014. Web. 27 Nov. 2014.
Controlscan.com. "PCI Compliance FAQs." 2014. Web. 27 Nov. 2014.
"Data-Breach Fatigue: Consumers Pay the Highest Price." The Huffington Post. TheHuffingtonPost.com, 16 Oct. 2014. Web. 24 Oct. 2014.
Data Breach Reporting: Summary of Governing Bodies with Reporting Requirements in the United States. Jensen Beach: Compliance Solutions and Resources, 26 Jan. 2013. PDF.
"Federal Securities Laws." SEC.gov. Web. 23 Oct. 2014.
"From the 'Lectric Law Library's Lexicon: Standing." Legal Definition of Standing. Web. 31 Oct. 2014.
Germano, Judith H., and Zachary K. Goldman. After the Breach: Cybersecurity Liability Risk. Pages 1-7. NYU Center on Law and Security, 2014.
Grande, Allison. "Clapper Defense No Sure Bet in Home Depot Breach Suits." Law360. 11 Sept. 2014. Web. 31 Oct. 2014.
Hostmerchantservices.com. "Host Merchant Services | The Durbin Amendment." 2014. Web. 27 Nov. 2014.
"Identity Theft Resource Center." Data Breaches. Web. 22 Oct. 2014.
Investopedia. "Durbin Amendment Definition." 2012. Web. 27 Nov. 2014.
Jones, Brad. Fifty Shades of Claims: When Private Information Becomes Public in the United States. Pages 76-82. McCague Borlack LLP, 2014. Web. 1 Nov. 2014.
Kantor, Doug. "Broken Payment System Guarantees Another Breach Like Target's." BankThink. 2014. Web. 27 Nov. 2014.
"Largest Data Loss Incidents." DataLossDB. Web. 25 Oct. 2014.
Lederman, Marty. "Commentary: Susan B. Anthony List, Clapper Footnote 5, and the State of Article III Standing Doctrine." SCOTUSblog. 17 June 2014. Web. 1 Nov. 2014.
Lessig, Lawrence. Code Version 2.0. Basic Books, 2006.
Mott, Ashley. "When You Swipe Your Credit Card, Does It Take Just the Numbers?" Budgeting Money. Web. 29 Oct. 2014.
Pcisecuritystandards.org. "What Is the PCI Security Standards Council?" 2014. Web. 27 Nov. 2014.
Perlroth, Nicole, and David Gelles. "Russian Hackers Amass Over a Billion Internet Passwords." The New York Times. The New York Times, 5 Aug. 2014. Web. 22 Oct. 2014.
Rortybomb. "Three Points About Interchange Reform: Pass Through, Australia, Low-Income Groups." 2011. Web. 27 Nov. 2014.
Ross, Dan. "Transaction Analysis for Retail Business Intelligence." Claraview. 1 Jan. 2011. Web. 29 Oct. 2014.
Rouse, Margaret. "What Is a Data Breach?" WhatIs.com. Web. 24 Oct. 2014.
Schulz, David. "As Patients’ Records Go Digital, Theft and Hacking Problems Grow." Kaiser Health News. 3 June 2012. Web. 22 Oct. 2014.
Securosis.com. "Securosis Blog | Could This Be the First Crack in the PCI Scam?" 2014. Web. 27 Nov. 2014.
Sherman, Erik. "Should Companies Reveal All Data Breaches? Some Execs Say No." CBSNews. CBS Interactive, 5 Aug. 2014. Web. 22 Oct. 2014.
Sotto, Lisa, and Aaron Simpson. Data Protection and Privacy in 26 Jurisdictions Worldwide: United States. Pages 191-198. Hunton and Williams LLP, 2014.
The Huffington Post. "Banks, Merchants and Why Washington Doesn't Work for You." 2014. Web. 27 Nov. 2014.
The State of Security. "PCI DSS 3.0 - The Devil Is in the Details." 2014. Web. 27 Nov. 2014.
"Welcome to the PCI Security Standards Council." Official PCI Security Standards Council Site. Web. 27 Oct. 2014.