
Corporate Liability for Data Breaches in a Budding Information Age


Forman - 1

Merchant Liability for Data Breaches in a Budding Information Age

At first, it appears that big retail corporations are insensitive to the basic needs of the consumer in the marketplace. They devour or destroy smaller, less comprehensive retail stores in an effort to stamp out the competition. They sell substandard items that are manufactured poorly, break easily and need to be returned. Some of those same items contain materials such as lead and chromium, introduced during the manufacturing process, that can be harmful to the consumer or his/her family members (China). And as of late, the newest trend is that they allow the personal information of their consumer base to be ravaged, either accidentally or, more likely, by allowing their security systems to be hacked by intruders both domestic and international. But is this true? Do senior retail executives sit behind their desks and casually decide the fate of millions of private records? Perhaps this is a vision easily conceived by the consumer, and one which may seem to have some validity since so many records have been exposed and so many accounts compromised. But as we travel "once more unto the breach," as Henry V so aptly put it, and batter the walls of common misconception (that being that corporations care little for your information and have such low standards that anyone with the mindset and a computer can easily pilfer that data), the astute reader might discover that these data breaches are more than just merchant liability in the form of individual lawsuits and class actions over tort concerns such as invasion of privacy and negligent misrepresentation, breach of contract, lack of compliance with standards, guidelines and industry best practices, or various federal and state statutory concerns such as false advertising and consumer fraud. More realistically, in this budding Information Age they are a reaction to the growing pains of non-tech-savvy consumers and their insatiable need for quicker and cheaper merchant services; a product of disjointed government agencies and the need for stronger, more unified regulation of the Internet and of the organizations that service all of us; and an inevitability engendered by the greed of insiders, hackers and opportunists who seem to attack our data storage systems and our commercial infrastructure so easily without ever having to leave the comfort of their own homes.


BREACHES IN MODERN CONTEXT

So, what is a data breach? Is it simply a group of hackers from an old Eastern Bloc country reaching into the American way of life and stealing all of our information (Perlroth)? Is it a stolen laptop left in a car (Shulz)? Is it always intentional? The answers are yes and no. A data breach is defined as "an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so" (Rouse). Data breaches may involve personal health information (PHI), personally identifiable information (PII) (see below), trade secrets or intellectual property (Rouse). The types of breaches that occur can then be divided into the following categories:

1) Unintended disclosure – sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax or mail;
2) Hacking or malware – electronic entry by an outside party, malware and spyware;
3) Payment card fraud – fraud involving debit and credit cards that is not accomplished via hacking, for example skimming devices at point-of-sale terminals;
4) Insider – someone with legitimate access, such as an employee or contractor, intentionally breaches information;
5) Physical loss – lost, discarded or stolen non-electronic records, such as paper documents;
6) Portable device – lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.;
7) Stationary device – lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility; and
8) Unknown – cannot be placed in a single category above, or of unknown type.

(Privacy Rights Clearinghouse – Chronology of a Breach)

Thus, breaches are neither all some insidious plot by black hat hackers, nor are all breaches as simple as human error, vis-à-vis leaving data unsecured or unencrypted, at the hands of some misdirected (that is, lacking direction due to a poor corporate security policy) IT worker. However the data gets exposed to the public, the truth is that the statistics regarding data breaches are staggering. This year alone there have been 36 publicly reported retail/merchant breaches and an estimated 58,149,700 compromised records, those records comprising various forms of Personally Identifiable Information, or PII (Chronology).[1] But if that statistic is not daunting enough, consider this: Privacy Rights Clearinghouse has been tallying cumulative breach statistics since 2005 and has to date amassed 4,419 total breaches in seven categories – business, financial services, retail/merchants, education, government/military, healthcare, non-profits – with an approximate total of 929,676,448 records (Chronology). Compounding this seemingly impossible-to-fathom statistic are three things that can only augment the horrendous fate of our personal information. First, as mentioned above, this is only an approximate figure based on reported data breaches with nine or more records having been publicly exposed (Chronology); if a company chooses not to publicize its breach, or does not know about the breach, there are very few avenues through which to discover this information (Sherman). Second, hidden amongst these figures is the fact that many data breaches are not quantified; that is, since the number of records actually compromised is unknown, that number cannot be counted as part of the tallied records for this eight-year period (Chronology). And third, the breaches counted in this total only consider PII for victims residing in the United States. In contrast to this number, however, the ITRC (Identity Theft Resource Center) has reported 4,854 breaches but only 669,690,671 records compromised (Identity), and while this may sound like a ludicrous comparison, ITRC's information may be the more realistic figure with regard to corporate liability litigation, as its numbers rely on a narrower view of PII; that is, ITRC defines a data breach as "an incident in which an individual name plus a Social Security number, driver's license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure" (Identity).

[1] According to the 2010 NIST Special Publication 800-122, PII is defined as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."


Consumer Reaction to Breaches. Based on the small sampling of figures from these two websites, it is not hard to imagine that the average consumer is going to look for a scapegoat for it all, and perhaps they should do so. The exposure of personal data can not only lead to theft, fraud and embarrassment, but, as our cyber identities begin more and more to define who we are, the loss of this information can lead to what amounts to a cyber-identity crisis. But to be frank, the causal factors for this incredible loss of personal information may lie with more than just poor corporate security. They may lie with the consumers themselves and what can be coined a strong sense of data breach fatigue: a sense of complacency and apathy regarding the theft of our PII (Data Breach). Prior to the Internet rage, that is, the flood of information available to anyone with a connection to the World Wide Web, it would have been nearly impossible to access all of the complications and issues involved with data breaches and the security risk management issues faced by retailers. Unfortunately, perhaps, rarely now does a week go by when the citizenry is not bombarded by the media with some new story about data breaches. This is not to belittle the consequences of a data breach; having your personal information remain personal is extremely important. But the information that we experience today via unregulated media hype manifests itself in an almost "Abouliaesque" fashion (Aboulia). And while this is perhaps a stretch, this data breach fatigue is quite comparable to an actual illness. We become paralyzed with a lack of will or initiative to act (Aboulia). And even though this is not completely like the physical illness, the evidence as well as the manifestation of it is clear: data is exposed or stolen from us on such a regular basis and to such a massive degree that we become fatigued by the input and thereby become unable (or simply refuse) to act on it. It becomes easier to disregard the obvious necessity for personal regulation vis-à-vis the way in which we handle our personal information, or the way in which we allow others to handle it, and to sit back and play the blame game.

It seems easier for the citizenry to turn to the government for guidance, no matter how haphazard that guidance may be (Germano). Therefore, again, the liability may not simply sit upon the shoulders of our merchants; rather, it may actually be compounded by the tendency of our elected officials to act hastily without clear architecture or any unified purpose, that being, in the most idiomatic of terms, an inability to see the forest for the trees. More clearly, so as not to seem too condescending, they are enacting haphazard regulatory manifestos in response to media hype and citizen pressure over these pervasive data breaches. And while perhaps well-meaning, instead of taking a more holistic view that approaches breaches utilizing an enterprise-centered sense of, dare we say, Internet regulation (Lessig – Part I), officials are instead forced into a fragmented and compartmentalized vision within their particular facet of federal or state government, all of this motivated by alarming alacrity in the face of poor ratings and impending elections. Even under the auspices of concern for their constituents and a plethora of best intentions, they too are ultimately just citizens who were unprepared for the data-driven flood rushing down from this Information Age springhead.

REGULATORY STANDARDS AND ISSUES

The Electronic Transaction. To more enthusiastically strike the chord of this dissonant sense of regulation, it is best to examine the way in which organizations, particularly retail/merchants, are required to approach transactions, and ultimately transaction privacy (PII), so as to comply with all regulatory duties in an educated-guess, security-centered attempt to avoid liability in the face of a breach. While a consumer merely sees the purchase, or the swipe of the card as it were, there are many additional factors that actually affect the transaction. Not only does the merchant have to contend with all internal point-of-sale (POS) concerns – transaction headers, detail and tender – it must also then manage the movement of the information read from the magnetic stripe on the back of the card (consumer name, account number, verification code (CVV) and expiration date) between the POS terminal and the bank for authorization, and then a return of information verifying or denying the purchase (Mott). That stripe data is encrypted in transit when the terminal supports it; a reader without point-to-point encryption hands the track data to the POS software in the clear. In the case of an ATM, or if a PIN is being used, the information may have to travel twice to and from the originating terminal (Mott). And in an online purchase, additional personal data such as bill-to and ship-to addresses or a phone number is required to complete the transaction (Mott). Throughout this process an enormous amount of data is collected from the consumer, and all of this data must be stored in a very specific and secure fashion, whether it is kept for later use in a "customer-centric" or a "visit-centric" model or whether it is destroyed (Ross). Surely one would think, considering the security-centered neuroses that the population is experiencing (in both senses of the word), that every step of every process – the swiping of the card itself at the POS terminal, the transmission of the data collected from the card, the retention of information acquired from the consumer or the magnetic stripe during the transaction, the storage of that information until it is batched to the bank/acquirer at the end of the day, and/or the long-term storage of that information by the merchant – would all be monitored, if not by Internet regulation (see Lessig), then by both state and federal legislation. However, this is only true in a cursory way. The handling, dissemination and storage of PII during a transaction has a set of guidelines created and continuously modified by the FTC, SEC and State Attorneys General (discussed in detail below), but vulnerability management with regard to the transaction from the POS terminal to the card issuer and back to the merchant is based on standards set through the PCI SSC (Payment Card Industry Security Standards Council), a syndicate of credit card companies that includes VISA, MasterCard, AMEX, Discover and JCB International (and do not be surprised should you feel a nagging sense of paradox upon reading that last phrase) (Blackbaud), who have created a set of standards described as being "somewhat draconian in nature, with so many requirements that are difficult to implement and maintain…it would seem that no one is ever really compliant at all" (qtd. in The State of Security).

Consortium of Collusion – PCI DSS Standards. So as not to lose sight of the indomitable thesis of merchant corporations' attempt at avoiding liability in the face of ever more complex enterprise-related issues, in this case the complications for merchants in staying industry compliant with regard to data security and privacy, it is worth taking a small aside here to more clearly understand an overview of PCI DSS v3.0, which has its own very specific set of requirements that merchants must follow whenever they process, transmit or store cardholder data in a transaction:


1) Install and maintain a firewall configuration to protect cardholder data
2) Do not use vendor-supplied defaults for system passwords and other security parameters
3) Protect stored cardholder data
4) Encrypt transmission of cardholder data across open, public networks
5) Use and regularly update anti-virus software
6) Develop and maintain secure systems and applications
7) Restrict access to cardholder data by business need-to-know
8) Assign a unique ID to each person with computer access
9) Restrict physical access to cardholder data
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
12) Maintain a policy that addresses information security

(PCI DSS Requirements)
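The transaction flow described above and requirement 3 ("protect stored cardholder data") turn on one concrete rule the list does not spell out: once the issuer has answered, a merchant may keep a truncated (or encrypted/tokenized) account number, the cardholder name and the expiry date, but never the full magnetic-stripe track data, the verification value or the PIN. The Python below is an added example and is not part of Forman's paper or of any PCI SSC material. It parses a constructed Track 1/Track 2 swipe in the ISO/IEC 7813 layout (using a standard Visa test number that passes the Luhn check, not a real account), validates the account number, builds the only record a merchant should persist, and then runs the kind of simple scan an assessor or internal audit uses to catch forbidden data that has leaked into a log or database dump. The function names, the sample swipe strings and the record layout are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample swipe (an assumption for this example): Track 1 and
# Track 2 in the ISO/IEC 7813 layout. 4111111111111111 is a well-known
# test PAN that passes the Luhn check; it is not a real account.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^2512101123456789?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test that every payment card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class SwipeData:
    pan: str
    name: Optional[str]
    exp_yymm: str
    service_code: str
    discretionary: str  # carries the magstripe CVV/PVV: authorization use only


def parse_swipe(track1: Optional[str], track2: Optional[str]) -> SwipeData:
    """Decode what the reader hands the POS; reject malformed or mismatched tracks."""
    m1 = TRACK1_RE.match(track1) if track1 else None
    m2 = TRACK2_RE.match(track2) if track2 else None
    m = m1 or m2
    if m is None:
        raise ValueError("no parseable track data")
    if m1 and m2 and (m1["pan"], m1["exp"]) != (m2["pan"], m2["exp"]):
        raise ValueError("track 1 / track 2 disagree: possible tampered stripe")
    pan = m["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return SwipeData(pan=pan,
                     name=m1["name"].strip() if m1 else None,
                     exp_yymm=m["exp"], service_code=m["svc"],
                     discretionary=m["disc"])


def mask_pan(pan: str) -> str:
    """PCI DSS truncation: at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(swipe: SwipeData, auth_code: str, amount_cents: int) -> Dict[str, object]:
    """The only fields a merchant should persist after the issuer answers.

    Track data, the verification value and the PIN are sensitive
    authentication data and are deliberately absent. A merchant that needs
    the full PAN (recurring billing, refunds) must store it encrypted or
    tokenized, never in the clear.
    """
    return {
        "pan_masked": mask_pan(swipe.pan),
        "cardholder_name": swipe.name,
        "exp_yymm": swipe.exp_yymm,
        "auth_code": auth_code,
        "amount_cents": amount_cents,
    }


def find_sensitive_auth_data(blob: str) -> List[str]:
    """Audit check: flag track sentinels and Luhn-valid digit runs in stored text.

    Heuristic by design: a %B...^ or ;...= pattern is raw track data, and a
    13-19 digit run that passes Luhn is a probable unmasked PAN.
    """
    findings = []
    if re.search(r"[%;]B?\d{12,19}[\^=]", blob):
        findings.append("raw track data")
    for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", blob):
        if luhn_ok(m.group(0)):
            findings.append("unmasked PAN " + mask_pan(m.group(0)))
    return findings


if __name__ == "__main__":
    swipe = parse_swipe(SAMPLE_TRACK1, SAMPLE_TRACK2)
    record = storable_record(swipe, auth_code="A1B2C3", amount_cents=10000)
    print(record)
    print("stored record:", find_sensitive_auth_data(repr(record)) or "clean")
    print("raw swipe    :", find_sensitive_auth_data(SAMPLE_TRACK1))
```

Two points for anyone adapting this: the verification value encoded on the stripe (often called CVV1) is distinct from the code printed on the card, and both are sensitive authentication data that may not be retained after authorization; and the scanner is only a heuristic, so it belongs in an audit pipeline over logs, crash dumps and batch files as a tripwire, not as proof of compliance.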


All is well and good here on the face of it, as any reasonable consumer or conscientious business owner must consider security a high priority when conducting electronic business transactions, but there are also an enormous number of subcategories and standards, such as levels of compliance and types of compliance, that make the standards very difficult to comprehend and comply with unless help is sought from a compliance expert or team of experts (Controlscan.com). However, truly the most ironic aspect of PCI DSS is the fact that it is maintained by an organization made up of credit card companies who in essence perpetuate and then self-regulate their own standards. While they purport to be "an open global forum," it is hard to ignore the fact that they, whether intentionally or not, are creating standards that are ultimately in their own best interest:

"The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc…mak[es] the Council a centralized resource for access to standards and services approved by all five payment brands." (PCISecurityStandards.org)

Is it possible to imagine that these companies would assert a magnanimity boundless enough to consider the merchants or consumers over their own bottom line, that is, over the charging of interchange fees (card swipe fees that are charged between an acquiring bank (the merchant's bank) and a customer's bank (the issuing bank) when a credit or debit card is used for the transaction (Hostmerchantservices.com)), which amounted to over $8.1 billion for Visa and MasterCard alone in 2013 (Kantor) (see also The Huffington Post)? A total of $48 billion comes from these interchange fees annually, according to analysts at The Nilson Report, and that cost is incurred by both the merchant and the consumer (qtd. in The Huffington Post); it is the second largest expense that a merchant incurs in the course of doing business, after labor (Coalition). If these somewhat terse statistics seem too cynical, consider the way the following piece of legislation and its attached amendment unfolded.


Dodd-Frank and the Durbin Amendment Debacle. The Dodd-Frank Act of 2010 was meant to put controls on the alleged errant ways of the financial sector by, in sum, adding regulation via transparency, creating additional consumer and investor protections, and tightening regulations on accounting principles (Wikipedia – Dodd-Frank). Attached to the Act in its final passage was the Durbin Amendment, which was meant to address the egregious fees charged when a debit card is swiped, thereby reducing the interchange amount. Without going into too much detail, once the law took effect, fees for transactions were ultimately capped at $0.21 plus 0.05% of the transaction amount (or 5 basis points; see the Wikipedia article, Basis Points, for a more definitive discussion of this), plus an additional $0.01 per transaction to cover any losses the banks may incur due to fraud. The initial proposal, however, was meant to cap transaction fees at $0.12 per transaction plus the applicable fees noted above (Investopedia). Instead of celebrating the success of millions of dollars' worth of lobbying saving them billions in profit – two million dollars alone came through the Electronic Payments Coalition to Congress in 2011 (Huffington Post) – banks immediately went on the defensive upon the passage of the bill by threatening to charge additional bank account fees and card usage charges in order to maintain their large bottom line. When it was all said and done, here is what the consumer saw:

Pre-Durbin:
- A consumer buys a $100 product from a merchant using a signature debit card issued by a large national bank.
- The merchant's expense for accepting that transaction is $2.00 total in fees.
- The consumer uses their debit card free of charge from their issuing bank.

Post-Durbin:
- A consumer buys a $100 product from a merchant using a signature debit card issued by a large national bank.
- The merchant's expense for accepting that transaction is $1.12 total in fees. The merchant saved $0.88 due to Durbin and has limited incentive to pass on its savings to consumers.
- The consumer's issuing bank makes up the lost revenue by charging new debit usage fees to its customers.
- The customer still pays $100 for the same product while now also paying new bank fees.

(Tsys.com – …Payments Value Chain)

And should one wish to be truly outraged, s/he only needs to note that this payment "rein in" only applied to debit cards. Credit cards were not considered in the Durbin Amendment, and thus banks have promoted reward-driven credit cards (like the earning of SkyMiles when a card is used) and cash-back reward cards, so that the unregulated fees they can charge are potentially offset by the merchants, who have been accused in multiple venues of not passing on to the consumer all of the savings they have garnered from the fee cap on debit cards, as proponents of Durbin might have expected. But, assuming those savings are realized by the merchant, though obviously offset by the higher fees now associated with credit cards, they do not necessarily have to go directly to consumers via lower prices. There are other market considerations besides price wars, such as employee wages, security, expansion, or even quality and variety of products, where the savings can be pigeon-holed (Rortybomb).


Merchant Feasibility, Liability and PCI DSS. But let it be said, according to critics of the proponents (and even the critics of the critics) of Durbin, it is simply a matter of merchants not accepting credit or debit cards (Kantor). However, that is a very unrealistic expectation. According to a 2012 infographic from Community Merchants USA (see below), "66 percent of all point-of-sale (POS) transactions are done with plastic – credit, debit, or gift cards…Only 27 percent of purchases are made with cash." It is estimated that cash sales will continue to decline, dropping to 23% of all transactions by 2017 (Communitymerchantsusa.com).

(Infographic qtd. at Communitymerchantsusa.com)

So should a merchant wish to be successful, whether it be a small sole proprietorship on Main Street USA or a multinational chain like Target, the facts above do not lie. They must accept credit and debit cards, dollar minimums applicable to the transactions or not, or be doomed to obscurity and perhaps even failure. Banks and the credit card industry in general, through PCI compliance, have transferred both the risk and the blame onto the merchants by creating standards that are rife with complexity, that cost merchants thousands if not millions of dollars to implement and police either in house or through a third-party provider (known as a QSA, or Qualified Security Assessor, which, although not required of every merchant by PCI, must be utilized in order to attempt any semblance of realistic compliance or to mitigate the risk via transference[2]), and that ultimately hold them hostage when a breach occurs by way of fines, negative publicity, lawsuits and compliance revocation; all this while reaping billions of dollars in fees for interchange and fraud mitigation (simply compare the margins of merchants to those of the banking sector (Rortybomb)). They preach that no business that is PCI DSS compliant has ever been breached, but this is clearly untrue according to securosis.com, a security research and advisory firm located in Phoenix, which states, "…merchants pass their [PCI DSS] assessments, they get breached, and then PCI retroactively revokes their certifications. Fines are then levied against the acquiring bank and passed on to the merchant." (Securosis.com). Additionally, other than the fee caps noted above, there is no government oversight of this type of bank-imposed merchant regulation/strangulation. Coupled with this is the fact that they have almost biblical absolution from liability by touting that they have no real authority, as they are merely a standard-setting organization, stating on their website,

"The Council does NOT validate or enforce any organization's compliance with its PCI Security Standards, nor does it impose penalties for non-compliance. These areas are governed by the payment brands and their partners." (PciSecurityStandards.org)

Thus, it is in the liability-stained hands of the individual merchants to divine the level of compliance via the creation of new security measures and new infrastructure, or they must attempt to transfer the risk of a breach of PII data by hiring some third party to help them follow all of these guidelines, in order to stay in a never-ending, cost- and fear-driven cycle of self-regulated compliance at the hands of a no-fault master. And of course, as noted in the introduction, ultimately compounding the pressure to comply with these strongly suggested, but officially self-prescribed, regulations is the public's insatiable need for better, smarter and faster results (as who carries cash or writes checks anymore?) and its unforgiving nature when it comes to a corporation's seeming attempt to cut corners and bilk them out of their hard-earned money. One can hardly imagine the financial sector standing up for the rights of these merchant corporations and decrying, "they did their best but were breached anyway…something has to be done…there need to be uniform regulations and changes that we can all subscribe to." Instead, they cry foul, cast aspersions and "let slip the dogs of war" upon the offending merchants. And if you know your Shakespeare (Julius Caesar, Act 3, Scene 1), this is an absolutely apt analogy of how the merchant/conspirator will ultimately be treated by the system in place now.

[2] According to Peter Gregory in CISSP Guide to Security Essentials (Course Technology, Boston, MA, 2010, pp. 7-8), risk, once a qualitative or quantitative assessment has been performed, can be managed ("treated") at an organization in one of four ways: risk acceptance, risk avoidance, risk reduction and risk transfer.

Federal Regulation of Merchant Breaches. Perhaps the best description of U.S. regulations with regard to data security and privacy was summed up in the first sentence of the United States section of a report by the law firm of Hunton & Williams in their article, Getting the Deal Through – Data Privacy and Protection 2014. Authors Lisa Sotto and Aaron Simpson state that "…the US legislative framework for the protection of PII resembles a patchwork quilt" (Sotto 191). The United States has no unified set of guidelines for data security and privacy, and thus corporations, as a singularly vulnerable sector, are forced to navigate their way through a giant maze of regulations which not only are enforceable by various agencies depending on which rule has been deemed to be transgressed, but also "provide for a private right to bring lawsuits against organizations they believe are violating the law" (Sotto 191). More specifically, US corporations are subject to regulation enforcement by the following agencies:


FTC (Federal Trade Commission) – oversight of rules such as:
  o Data safeguards rules under Regulations of Specific Acts of Congress – Title 16: Chapter I: Subchapter C: Part 314
  o Data disposal rules under the Fair Credit Reporting Act (FCRA) – Title 16: Chapter I: Subchapter F: Part 682
  o Identity theft rules under the FCRA – Title 16: Chapter I: Subchapter F: Part 681
  o Red Flags Rule – implementation of a written Identity Theft Prevention Program which can be used to detect the warning signs – or red flags – of identity theft (16 CFR)

SEC (Securities and Exchange Commission) and Commodity Futures Trading Commission (CFTC) – adoption and enforcement authority with regard to:
  o Sarbanes-Oxley Act (SOX) – administered by the SEC, SOX was originally a congressional act aimed at improving governance and accountability at public corporations
  o Red Flags Rule in relation to SEC-regulated entities, including most registered brokers and investment companies as well as registered investment advisers (Federal Securities Law)

United States Congress:
  o Gramm-Leach-Bliley Act (GLBA) – strict controls on how financial institutions share or disclose personal financial information (although actually enforced by the FTC)
  o Authority to perform formal inquiries on organizations experiencing a breach (16 CFR)

State Attorneys General – see especially Compliance Solutions and Resources' excellent summary document noted below, which shows the varying requirements of the various State Attorneys General (Data Breach).


Corporations may also be subject to additional regulations or oversight via the US Department of Justice, the Consumer Financial Protection Bureau (CFPB), the Federal Communications Commission (FCC) and the Department of Health and Human Services (HHS) (Sotto). Moreover, corporations are being aggressively pursued under this jumbled muddle of regulations – at tremendous cost in time, manpower and expense aimed not only at the legal issues but also at brand defense – and are seemingly now the scapegoat for the US government's inability to keep up with the constantly changing environment of technology (Germano). It appears as well that corporations, in broad strokes, are now forcibly working in tandem with the central government to protect the public interest (one wonders if that is what was actually meant by a public company) (Germano). And while it might be arguable that a corporation which collects personal data technically becomes the owner of that data until it is disposed of in proper fashion (16 CFR), it is as convincing an argument to place the onus on the government; that is, were unified regulations put in place via a central authority, and were information sharing and strategy the norm, perhaps many of the issues and growing pains the consumer population is experiencing could be more readily mitigated (Lessig). In light of this corporate conundrum, it is hardly unfathomable that many organizations are not only fearful of this fragmented and increasingly complex set of rules but are also fearful of reporting any type of breach lest they be subject to additional scrutiny (e.g., the FTC has the authority to levy fines and conduct biennial audits of corporations involved in alleged breaches under Section 5 of the FTC Act) (Sotto).

BREACH LITIGATION.

Compounding this requirement of compliance with federal, state and banking regulations is the addition of security-breach-triggered litigation. To get a clearer picture of the odds against future litigation success for corporations, we must first refocus our attention on the staggering number of records revealed in only the high-profile cases, and only in the United States, over the last two years:

09-02-2014 – Home Depot – 56,000,000 records
    o Debit and credit card numbers put up for sale on the black market.

08-27-2014 – JP Morgan Chase, Fidelity Investments – 83,000,000 records
    o Names, addresses, phone numbers and email addresses of 76,000,000 households and 7,000,000 businesses.

05-21-2014 – eBay – 145,000,000 records
    o Names, encrypted passwords, email addresses, phone numbers, registered addresses and birth dates.

08-12-2013 – Target Brands, Fazio Mechanical – 110,000,000 records
    o Customer names, addresses, phone numbers, PIN and CVV numbers.

10-03-2013 – Adobe Systems – 152,000,000 records
    o Names, customer IDs, encrypted passwords, encrypted debit and credit card numbers with expiration dates, and Adobe source code.

04-26-2013 – LivingSocial Inc – 50,000,000 records
    o Customer names, emails, birthdates, hashed and salted passwords.

(Largest Data Loss Incidents - DataLossDB)

And, as stated, this is merely a sampling. There are multiple other breaches (636 recorded so far in 2014 by the Identity Theft Resource Center as of the week of October 26-31, 2014) (Identity), and massive amounts of data are being stolen worldwide as well (220,000,000 records stolen in South Korea on August 22, 2014) (Largest). All of these numbers are almost inconceivable to the average consumer and seemingly insurmountable at the corporate level.

Target Breach. On the legal level, take for example the Target breach above. While it is still playing out, a tremendous amount of information can be garnered from the web. As of May 7, 2014, the cases filed against Target consisted of 81 consumer class-action suits (seven of them filed on the day the breach was announced), 28 financial-institution class-action suits and 4 shareholder derivative suits (see Collier v. Steinhafel, filed January 29, 2014, which accused Target of false and misleading statements regarding its handling of the breach) (Bychowski). With regard to the most recent large-scale breach, as of October 13, 2014 (little more than a month after the breach was announced), Home Depot already faced 21 class-action lawsuits (Allison). Here we see the legal system, like the regulatory system, attempting to keep up with the information overload; it too is subject to incredible change driven by almost every level of technology.

Defendants Bar. The difference in the legal arena is that there is a more obvious counterbalance between the plaintiff bar and the defendant bar. Lawsuits are being filed both for the breach itself and for the way in which the organizations are handling the breach. There are lawsuits for unfair or deceptive practices, breach of contract, negligence, unjust enrichment, breach of fiduciary duty and duty of care, as well as negligent misrepresentation and invasion of privacy (Germano). From the defendant perspective, corporations so far have been able to fend off many of these lawsuits, which under the time and length constraints here are too numerous to tackle individually. In summary, however, the most notable of the successful defenses against the various class actions turns on the harm the plaintiffs claim to have suffered at the hands of these corporations through the loss of their personal information, because it is difficult to prove actual harm from the theft of PII (Grande). Under the Supreme Court's decision in Clapper v. Amnesty International Inc. (No. 11-1025, argued October 29, 2012, decided February 26, 2013), in order to satisfy the standing requirements of Article III (a separation-of-powers provision of the Constitution that restricts the types of cases the courts can hear), plaintiffs must show that they have suffered:

1) an injury in fact, that is:
   (a) one that is concrete and particularized, and
   (b) one that is actual or imminent, not conjectural or hypothetical;
2) a causal relationship between the injury and the challenged conduct, meaning the injury must be traceable to the challenged action of the defendant; and
3) a likelihood that the injury will be redressed by a favorable decision, meaning that the prospect of obtaining relief is definitive and not speculative.

(from the 'Lectric Law Library's Lexicon: Standing)

While Clapper concerned improper surveillance, it has been cross-applied to data breaches: it may be true that the breached data was improperly accessed (in Target's case, by hackers), but that does not necessarily mean the data has been misused in any way. For the harm to be redressed by the courts, it cannot merely be "objectively reasonable" (Jones 75) that injury will occur; the injury must be "certainly impending" (Jones 76). This fending off of class actions, however, does not account for additional litigation brought by the banking industry or for derivative lawsuits, nor does it factor in regulatory fines by state and federal agencies (Jones 71). The costs of defending against all of these lawsuits, of demonstrating compliance to regulatory agencies and of redesigning internal security measures are astronomical. Target has stated that it has already incurred costs in excess of $148 million (Abrams). Moreover, the banking industry has stated that it has cost $240 million just to replace the payment cards compromised in the breach. John Kindervag of Forrester Research believes it is hard to imagine that Target will escape its data breach for less than $1 billion (Abrams).

Plaintiffs Bar. On the plaintiff side of the bar, lawyers have had to become more creative in their filings against potentially liable merchants, as most of the cases have been dismissed. While they may not be able to prove concrete harm under Article III, they have been attempting to circumvent this issue through other theories of suit that might be more plaintiff-friendly. Consider the June 2014 decision in Susan B. Anthony List v. Driehaus, which shifts attention away from the "certainly impending" harm purportedly required under Clapper. It is notable that Justice Breyer's dissent in Clapper pointed to past Supreme Court cases decided on the basis of "substantial" risk (see especially the 2010 decision in Monsanto v. Geertson Seed Farm, as noted by Justice Breyer) (Lederman). Additionally, in a footnote to the majority opinion in Clapper, Justice Alito noted that the Supreme Court has in the past decided cases under this more traditional "substantial risk" standard rather than the more arduous "certainly impending" standard that appears to be the deal-breaker in Clapper (Lederman). While the two standards are easily confused, Justice Thomas addressed the concern in Susan B. Anthony List by stating that a threatened injury may support a suit if it is either "certainly impending" or there is a "substantial risk" that it will occur (Lederman). Based on this, it should be of significant concern to merchants that the tide will turn in favor of the plaintiffs as additional waves of litigation wash up on their shores.

CONCLUSION

Regulability not Liability. Given all of these factors, then, citizen outcry, corporate trepidation, regulation and litigation, it appears there may be no end to the harms created by data breaches in the future. No current technology or internal corporate set of security policies can reasonably purport to defend against all forms of attack. All systems are vulnerable, whether because of an unaddressed infrastructure issue or a human one. As defenses evolve in light of these breaches, so too will the abilities and possibilities invented by hackers and insiders to violate them. This is not to say that corporations cannot improve their internal policies; they must. In this culture of bigger, better, cheaper and faster, they need to be the beacons of data security. But as shown above, they cannot be forced to accept all of the blame for data breaches, as they are neither the makers of regulation nor the keepers of the citizenry. They too are simply followers; a corporate body not unlike a human body. Continued litigation cannot be considered a solution either. There is no monetary penalty that can be imposed on a merchant that will make it more compliant or more collaborative in its efforts to thwart the various vectors of attack; the effect will always be the opposite. No one thrives under an incomprehensible dictatorship. Thus it is the lack of a unified set of security regulations that is ultimately to blame, as is the absence of regulation of our country's internet standards (Lessig). The fragmentation of our current government with regard to a singular set of standards has been compounded by its inability to cooperate or negotiate with the private sector, for it is seemingly easier for it to blame than to change; to fine rather than to refine; to impose instead of to compose. If this set of standards (or lack thereof) cannot be turned into a unified regulatory system, both governmental and corporate, the consequences may ultimately be disastrous and far-reaching as we travel more deeply into the breach that is not only our personal information but also the future technologies that are supposed to make our lives so much easier.

WORKS CITED

"16 CFR Chapter I - Federal Trade Commission." LII / Legal Information Institute. Web. 23 Oct. 2014.

Abrams, Rachel. "Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop." The New York Times. The New York Times, 5 Aug. 2014. Web. 23 Oct. 2014.

"Aboulia." Wikipedia. Wikimedia Foundation, 28 Oct. 2014. Web. 29 Oct. 2014.

Allison, David. "Home Depot Now Facing 21 Class-action Lawsuits over Data Breach." Atlanta Business Chronicle. 13 Oct. 2014. Web. 30 Oct. 2014.

Bychowski, Stephen. "United States: Target Data Breach Cases Progress, But Plaintiffs Face Uphill Battle." Data Protection. Foley Hoag LLP, 21 July 2014. Web. 29 Oct. 2014.

Blackbaud.com. "FAQs - PCI Compliance - Blackbaud." 2014. Web. 27 Nov. 2014.

"China Lists Substandard Wal-Mart, Carrefour Goods." Reuters. Thomson Reuters, 29 Nov. 2007. Web. 22 Oct. 2014.

"Chronology of Data Breaches." Privacy Rights Clearinghouse. Web. 24 Oct. 2014.

Coalition, Merchant. "The Biggest Bank Fee You've Never Heard Of." Unfaircreditcardfees.com. 2014. Web. 27 Nov. 2014.

Communitymerchantsusa.com. "The Benefits of Small Business Card Acceptance." Community Merchants USA. 2014. Web. 27 Nov. 2014.

Controlscan.com. "PCI Compliance FAQs." ControlScan. 2014. Web. 27 Nov. 2014.

"Data-Breach Fatigue: Consumers Pay the Highest Price." The Huffington Post. TheHuffingtonPost.com, 16 Oct. 2014. Web. 24 Oct. 2014.

Data Breach Reporting: Summary of Governing Bodies with Reporting Requirements in the United States. Jensen Beach: Compliance Solutions and Resources, 26 Jan. 2013. PDF.

"Federal Securities Laws." SEC.gov. Web. 23 Oct. 2014.

"From the 'Lectric Law Library's Lexicon: Standing." Legal Definition of Standing. Web. 31 Oct. 2014.

Germano, Judith H., and Zachary K. Goldman. After the Breach: Cybersecurity Liability Risk. NYU Center on Law and Security, 2014. 1-7.

Grande, Allison. "Clapper Defense No Sure Bet in Home Depot Breach Suits." Law360. 11 Sept. 2014. Web. 31 Oct. 2014.

Hostmerchantservices.com. "The Durbin Amendment." Host Merchant Services. 2014. Web. 27 Nov. 2014.

"Data Breaches." Identity Theft Resource Center. Web. 22 Oct. 2014.

Investopedia. "Durbin Amendment Definition." 2012. Web. 27 Nov. 2014.

Jones, Brad. Fifty Shades of Claims: When Private Information Becomes Public in the United States. McCague Borlack LLP, 2014. 76-82. Web. 1 Nov. 2014.

Kantor, Doug. "Broken Payment System Guarantees Another Breach Like Target's." BankThink. 2014. Web. 27 Nov. 2014.

"Largest Data Loss Incidents." DataLossDB. Web. 25 Oct. 2014.

Lederman, Marty. "Commentary: Susan B. Anthony List, Clapper Footnote 5, and the State of Article III Standing Doctrine." SCOTUSblog. 17 June 2014. Web. 1 Nov. 2014.

Lessig, Lawrence. Code Version 2.0. Basic Books, 2006.

Mott, Ashley. "When You Swipe Your Credit Card, Does It Take Just the Numbers?" Budgeting Money. Web. 29 Oct. 2014.

Pcisecuritystandards.org. "What Is the PCI Security Standards Council?" 2014. Web. 27 Nov. 2014.

Perlroth, Nicole, and David Gelles. "Russian Hackers Amass Over a Billion Internet Passwords." The New York Times. The New York Times, 5 Aug. 2014. Web. 22 Oct. 2014.

Rortybomb. "Three Points About Interchange Reform: Pass Through, Australia, Low-Income Groups." 2011. Web. 27 Nov. 2014.

Ross, Dan. "Transaction Analysis for Retail Business Intelligence." Claraview, 1 Jan. 2011. Web. 29 Oct. 2014.

Rouse, Margaret. "What Is a Data Breach?" WhatIs. Web. 24 Oct. 2014.

Schulz, David. "As Patients' Records Go Digital, Theft and Hacking Problems Grow." Kaiser Health News. 3 June 2012. Web. 22 Oct. 2014.

Securosis.com. "Could This Be the First Crack in the PCI Scam?" Securosis Blog. 2014. Web. 27 Nov. 2014.

Sherman, Erik. "Should Companies Reveal All Data Breaches? Some Execs Say No." CBS News. CBS Interactive, 5 Aug. 2014. Web. 22 Oct. 2014.

Sotto, Lisa, and Aaron Simpson. Data Protection and Privacy in 26 Jurisdictions Worldwide: United States. Hunton and Williams LLP, 2014. 191-198.

The Huffington Post. "Banks, Merchants and Why Washington Doesn't Work for You." 2014. Web. 27 Nov. 2014.

The State of Security. "PCI DSS 3.0 - The Devil Is in the Details." 2014. Web. 27 Nov. 2014.

"Welcome to the PCI Security Standards Council." Official PCI Security Standards Council Site. Web. 27 Oct. 2014.