Risk of Data Breaches Keeping You Up? Assess Data Security Before The Holiday Season

by Perkins Coie

Data security breaches marred the 2013 holiday season for many consumers and retailers.  The most famous security breach, at Target Corporation (Target), involved the loss of information on 40 million payment cards and personally identifiable information on 70 million customers. 

Although it suffered the largest breach, Target was by no means the only retailer to experience a data security breach during the holiday season.  Michaels, Neiman Marcus and Sally Beauty Supply all announced that they had also suffered similar security breaches.  Although the exact cost of these data security breaches cannot yet be determined, a report by the Congressional Research Service includes estimates for the cost of the Target breach ranging from hundreds of millions to billions of dollars.

Despite these large data breaches, some lawyers still do not understand that the legal department has a significant role to play in data security.  They view data security as an IT matter, not a legal matter.  This is a mistake.  Today, the risk of a data security breach is a material risk to every retailer.  Some retailers have recognized the need to address the risk of data security breaches and have made significant investments in securing their data, including establishing a comprehensive data security program, across the entire organization, overseen by a chief information security officer.  Others lag behind.  Whether your organization is a leader in data security or lags behind, it is incumbent on the legal department to understand and assess its organization’s data security efforts in order to advise its client on both risk and legal compliance issues.

Technology Alone Cannot Prevent Security Breaches

To secure an organization’s data, a data security program must address multiple components including: (1) people, (2) process and (3) technology.  A technology solution alone cannot guarantee data security.  

Instead, an organization must address its people—employees, temporary employees, contractors and vendors; its processes—gathering, accessing, using, disclosing and disposing of data; and its technology—firewalls, authentication, encryption, etc.  A failure to address any of these three components places the data at risk.  Moreover, an organization must determine what standards it will impose on its vendors by contract to ensure that such vendors satisfactorily address data security.  While professionals in the IT department may be the experts on technology, they are not the experts on people, business processes, and contracts, and it is likely they do not have the authority to modify business processes.  Leaving data security in their hands means that, without assistance, fundamental components of security may not be adequately addressed.

Data Security is a Legal Compliance Issue

Even if it were possible for the IT department to manage all aspects of data security, there would still be a role for the legal department.  Retailers are required by law to protect the confidentiality and security of consumer information.  If you do not understand your organization’s security program, you cannot advise management on complying with applicable statutory and other mandates.  Examples include:

  • FTC Act

    The FTC has construed the Federal Trade Commission Act of 1914 as giving it authority to bring actions against retailers who have inadequate safeguards as an unfair trade practice.  One federal court recently supported this position in FTC v. Wyndham, 37 ILRD 470 (D.N.J. Apr. 07, 2014). The FTC brought an action against various Wyndham Hotel entities asserting that their failure to maintain reasonable and appropriate data security measures constituted an unfair data security practice.  Wyndham moved to dismiss asserting that the FTC had overreached its statutory authority.  The court declined to dismiss the suit.  The implication of this decision for retailers is that if their data security standards are not considered to be reasonable and appropriate by the FTC, the FTC may deem them to be engaged in unfair trade practices.  
  • State Data Security Breach Notification Statutes

    The vast majority of states have passed statutes requiring any entity that stores sensitive personal information to notify consumers, and sometimes government agencies, in the event of a data security breach.  “Sensitive personal information” is generally the name of an individual plus a social security number, or driver’s license number, or account number with PIN.  Although most of these statutes do not specify a mandated security program, they generally require that businesses handle sensitive personal information in a manner that protects it from unauthorized access or disclosure.  Additionally, under most of these statutes, a retailer does not have an obligation to notify consumers if the sensitive personal information is encrypted.
  • Payment Card Industry Data Security Standards (PCI DSS)

    The PCI DSS applies to all merchants that store, process or transmit a primary account number for a payment card.  Although a handful of states require by statute that companies comply with PCI DSS, for the most part it is not mandated by statute or regulation.  Instead, it is imposed by contract.  Any retailer that wants to accept payment cards must sign a Merchant Agreement, and accept the requirement to comply with the PCI DSS. 

    The PCI DSS follows a “walls of security” approach, in which risk of breach is minimized by erecting multiple layers of security measures that work together.  At its highest level, PCI DSS has 12 requirements, which then break down into hundreds of sub-requirements.  These requirements apply to all components of any system or network that stores, transmits or processes payment card information, including:
    • All servers: web, database, authentication, mail, proxy, domain name servers and network time protocol (NTP);
    • All applications: purchased and custom applications, including internal and external (Internet) applications; and
    • All network components:  firewalls, switches, routers, wireless access points. 

    The only practical way for a retailer to comply with PCI DSS is to segment every system or network component that stores, processes or transmits cardholder data, keeping it separate from the rest of its systems and networks so that the compliance effort is limited to that segment rather than the whole enterprise.

    Although the PCI DSS is imposed by contract, the potential liability for any retailer that does not comply is significant.  Any retailer accepting payment cards that does not comply with the PCI DSS could face substantial fines from the card issuers, loss of the ability to accept payment cards, liability for all fraud losses incurred, liability for the cost of re-issuing cards, and of course reputational harm.

  • Additional Data Security Mandates Applicable to Some Retailers

    There are other sources of data security compliance obligations for certain retailers, including:
    1. the Gramm Leach Bliley Act, which requires retailers issuing credit cards or otherwise significantly engaged in extending consumer credit to establish a formal security program to protect non-public personal information;
    2. HIPAA, which requires any healthcare provider, such as a retail pharmacy chain, or healthcare plan, such as a retailer’s employee health plan, to establish administrative, physical and technical safeguards to protect individually identifiable health information;
    3. the FTC Red Flag Rule, which requires safeguards to identify identity theft; and
    4. the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires a data security agreement to be imposed on any American entity that will host Canadian consumer data.

    While these regulatory frameworks do not impact every retailer, for those retailers that are subject to them, there are specific regulatory requirements which the retailer’s data security program must satisfy.

Checklist to Help You Get Started in Assessing Your Organization’s Data Security Program

The Target breach had such a significant impact that it caught the attention of senior management at retailers everywhere.  Many general counsels are hearing from their clients that data security is keeping them up at night.  If you do not yet understand your organization’s data security compliance efforts, you should learn about them before the holiday season.

To get you started, we have included questions in the checklist to guide you.  This is not intended to be a full-blown data security assessment.  It is intended to help you begin an initial cursory review of your organization’s security program.  Moreover, satisfactory answers to every question on the checklist will not establish adequate data security for your organization, or compliance under the FTC Act, the PCI DSS or any other standard.  Instead, it is a quick checklist of issues to consider and investigate, so that if and when your management asks you for advice on whether the company is in compliance with its legal obligations, you will have an overview of where your company stands.

If you discover issues or unresolved questions in your company’s data security program, you may want to consider a full privacy and data security assessment.  If this is performed by, or under the direction of, counsel, it can be protected by the attorney work product privilege.

Data Security Initial Assessment Checklist for Retail Counsel Available Here


Written by:

Perkins Coie
