Data security breaches marred the 2013 holiday season for many consumers and retailers. The most famous security breach, at Target Corporation (Target), involved the loss of information on 40 million payment cards and personally identifiable information on 70 million customers.
Although it suffered the largest breach, Target was by no means the only retailer to experience a data security breach during the holiday season. Michaels, Neiman Marcus and Sally Beauty Supply all announced that they had suffered similar security breaches. Although the exact cost of these data security breaches cannot yet be determined, a report by the Congressional Research Service includes estimates for the cost of the Target breach ranging from hundreds of millions to billions of dollars.
Despite these large data breaches, some lawyers still do not understand that the legal department has a significant role to play in data security. They view data security as an IT matter, not a legal matter. This is a mistake. Today, the risk of a data security breach is a material risk to every retailer. Some retailers have recognized the need to address the risk of data security breaches and have made significant investments in securing their data, including establishing a comprehensive data security program, across the entire organization, overseen by a chief information security officer. Others lag behind. Whether your organization is a leader in data security or lags behind, it is incumbent on the legal department to understand and assess its organization’s data security efforts in order to advise its client on both risk and legal compliance issues.
Technology Alone Cannot Prevent Security Breaches
To secure an organization’s data, a data security program must address multiple components including: (1) people, (2) process and (3) technology. A technology solution alone cannot guarantee data security.
Instead, an organization must address its people (employees, temporary employees, contractors and vendors); its processes (gathering, accessing, using, disclosing and disposing of data); and its technology (firewalls, authentication, encryption, etc.). A failure to address any of these three components places the data at risk. Moreover, an organization must determine what standards it will impose on its vendors by contract to ensure that such vendors satisfactorily address data security. While professionals in the IT department may be the experts on technology, they are not the experts on people, business processes, and contracts, and it is likely they do not have the authority to modify business processes. Leaving data security in their hands means that without assistance, fundamental components of security may not be adequately addressed.
Data Security is a Legal Compliance Issue
Even if it were possible for the IT department to manage all aspects of data security, there would still be a role for the legal department. Retailers are required by law to protect the confidentiality and security of consumer information. If you do not understand your organization’s security program, you cannot advise management on complying with applicable statutory and other mandates. Examples include:
The FTC has construed the Federal Trade Commission Act of 1914 as giving it authority to bring actions against retailers who have inadequate safeguards as an unfair trade practice. One federal court recently supported this position in FTC v. Wyndham, 37 ILRD 470 (D.N.J. Apr. 07, 2014). The FTC brought an action against various Wyndham Hotel entities, asserting that their failure to maintain reasonable and appropriate data security measures constituted an unfair data security practice. Wyndham moved to dismiss, asserting that the FTC had overreached its statutory authority. The court declined to dismiss the suit. The implication of this decision for retailers is that if the FTC does not consider their data security standards to be reasonable and appropriate, it may deem them to be engaged in unfair trade practices.
State Data Security Breach Notification Statutes
The vast majority of states have passed statutes requiring any entity that stores sensitive personal information to notify consumers, and sometimes government agencies, in the event of a data security breach. “Sensitive personal information” is generally the name of an individual plus a social security number, or driver’s license number, or account number with PIN. Although most of these statutes do not specify a mandated security program, they generally require that businesses handle sensitive personal information in a manner that protects it from unauthorized access or disclosure. Additionally, under most of these statutes, a retailer does not have an obligation to notify consumers if the sensitive personal information is encrypted.
Payment Card Industry Data Security Standards (PCI DSS)
The PCI DSS applies to all merchants that store, process or transmit a primary account number for a payment card. Although a handful of states require by statute that companies comply with PCI DSS, for the most part it is not mandated by statute or regulation. Instead, it is imposed by contract. Any retailer that wants to accept payment cards must sign a Merchant Agreement, and accept the requirement to comply with the PCI DSS.
The PCI DSS follows a “walls of security” approach, in which risk of breach is minimized by erecting multiple layers of security measures that work together. At its highest level, PCI DSS has 12 requirements, which then break down into hundreds of sub-requirements. These requirements apply to all components of any system or network that stores, transmits or processes payment card information, including:
All servers: web, database, authentication, mail, proxy, domain name servers and network time protocol (NTP);
All applications: purchased and custom applications, including internal and external (Internet) applications; and
All network components: firewalls, switches, routers, wireless access points.
The only practical way for a retailer to comply with PCI DSS is to segment any system or network component which stores, processes or transmits cardholder data to keep it separate from the rest of its systems and networks, in order to limit the compliance effort.
Although the PCI DSS is imposed by contract, the potential liability for any retailer that does not comply is significant. Any retailer accepting payment cards that does not comply with the PCI DSS could face substantial fines from the card issuers, loss of the ability to accept payment cards, liability for all fraud losses incurred, liability for the cost of re-issuing cards, and of course reputational harm.
Additional Data Security Mandates Applicable to Some Retailers
There are other sources of data security compliance obligations for certain retailers, including:
the Gramm-Leach-Bliley Act, which requires retailers issuing credit cards or otherwise significantly engaged in extending consumer credit to establish a formal security program to protect non-public personal information;
HIPAA, which requires any healthcare provider, such as a retail pharmacy chain, or healthcare plan, such as a retailer’s employee health plan, to establish administrative, physical and technical safeguards to protect individually identifiable information;
the FTC Red Flag Rule, which requires safeguards to identify identity theft; and
the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires a data security agreement to be imposed on any American entity that will host Canadian consumer data.
While these regulatory frameworks do not impact every retailer, for those retailers that are subject to them, there are specific regulatory requirements which the retailer’s data security program must satisfy.
Checklist to Help You Get Started in Assessing Your Organization’s Data Security Program
The Target breach had such a significant impact that it caught the attention of senior management at retailers everywhere. Many general counsel are hearing from their clients that data security is keeping them up at night. If you do not understand your organization’s data security compliance efforts, you should make a point of doing so before the holiday season.
To get you started, we have included questions in the checklist to guide you. This is not intended to be a full-blown data security assessment. It is intended to help you begin an initial cursory review of your organization’s security program. Moreover, satisfactory answers to every question on the checklist will not establish adequate data security for your organization, or compliance under the FTC Act, the PCI DSS or any other standard. Instead, it is a quick checklist of issues to consider and investigate, so that if and when your management asks you for advice on whether the company is in compliance with its legal obligations, you will have an overview of where your company stands.
If you discover issues or unresolved questions in your company’s data security program, you may want to consider a full privacy and data security assessment. If this is performed by, or under the direction of, counsel, it can be protected with the attorney work product privilege.
Data Security Initial Assessment Checklist for Retail Counsel Available Here