A company discovers that a security breach in a retailer’s database has compromised thousands of credit card numbers the company issued to its customers. Is there a legal requirement to notify the customers potentially affected? If so, who is responsible – the company or the retailer? Or perhaps the credit card company?
This situation faced a Day Pitney client, a financial services company with the bad luck to be entangled in the TJX security breach. Last December, the parent company of retailer T.J. Maxx discovered that hackers had stolen a huge amount of customer credit card information. TJX did not publicly disclose the problem for a month, which aroused widespread criticism and helped stimulate lawsuits.
Day Pitney attorneys who practice in the area of privacy law have found that businesses in TJX’s position are often poorly prepared to respond to security breaches. In particular, they struggle to comply with state-law requirements to notify individuals affected by the breach. As of the beginning of February 2007, thirty-five states had adopted such laws. While the states require notification only of their own residents, there are compelling practical and legal reasons for a business to provide the same notice to all its affected customers. In consequence, notification requirements have in effect become national in scope, even without federal legislation.
Connecticut, New Jersey, and New York each have such laws. The District of Columbia has pending legislation that is likely to go into effect early this year. Massachusetts is considering similar legislation.
While varying in details, the laws all require businesses to give notice of any unauthorized access to or loss of personal information to people likely to be affected. In many situations the business will have to provide individual notices; public announcements may not suffice. The only acceptable reason for delaying notice under most of these statutes is a law enforcement agency’s request.
Under typical state privacy laws, personal information means a person’s name in combination with other data such as a Social Security, credit card or bank account number. In the matter Day Pitney advised on, we were able to counsel the client that the applicable statute did not require notice because the hacked records contained only credit card numbers unlinked to the names of the cardholders.
More than one business may be responsible for giving notice. Many statutes impose obligations on parties who “own,” “maintain” or are “licensees of” data. In the Day Pitney matter the financial services company, the retailer and the credit card company all could have had a duty to notify customers. Many of the statutes would also compel the retailer to notify the credit card company and the financial services company.
Day Pitney strongly recommends that businesses consider these action items:
• Adopt a plan for responding to a loss of data. As TJX found, devising a response after an incident is difficult and risky. The key issues are identifying the scope of the breach; public disclosure and communication about the breach; notifying affected individuals; remedial measures, such as notifying credit reporting services and offering customers credit monitoring, to help individuals prevent financial loss and other harm; and finding and fixing any security flaws.
• Adopt a general data security plan suitable for the size and the nature of the business and the character and amount of the personal information it collects. Identify where and how your business stores such data and with whom and why it shares such data. Analyze whether your business actually needs to keep the data. The plan should consider administrative, technical and physical security measures, identify foreseeable risks and threats and adopt measures to forestall them, and where applicable require third parties to adopt the same safeguards.
• Do not put the plans in the drawer and forget them. Regularly reevaluate, adjust and update the plans in light of changing business needs, threats, laws, and security tools.
• Perhaps most important, senior management must set the right tone and attitude toward protecting personal information. Publicly and conspicuously designate a top-level executive as the person responsible for privacy and security. Successful performance is far more likely if the business clearly and consistently conveys that protection of personal information is a major ethical and legal responsibility.