Recent legislative and administrative actions have brought about de facto (and sometimes de jure) oversight of the technology used by many companies to deal with their customers. It is no longer enough for companies to simply use good faith measures to mitigate the risk of data breaches and similar activity causing loss to their customers. The impact of the various legislative and administrative developments discussed below is to effectively require companies to continually update their technologies in several respects. This dictates that counsel be involved in direct interaction with technical management and address these considerations in many contract negotiations.
NO to ‘Old’ Encryption Protocols
Not all encryption algorithms are created equal.
In the not-too-distant past, saying something was “encrypted” would elicit a nod and a sigh of relief. No more. Now that is just the jumping off point for more questions: In transit? At rest? How many bits? Custom-made?
If the answer to this final question is “yes,” then you’re in a pickle under California law. California’s most recent amendment to its data breach statute, which went into effect on the first day of the year, defines “encrypted” as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security” (emphasis added). While “generally accepted in the field of information security” is vague and likely a moving target, it does appear to disqualify encryption algorithms that are home-grown.
The FTC is also taking enforcement action against claims made about encryption strength that don’t measure up, even in the absence of actual harm. For example, the FTC recently entered into a proposed consent order with Henry Schein Practice Solutions, Inc. (“Schein”) (see the FTC’s Agreement Containing Consent Order).
Schein sold software to dental practices all over the US touting in its marketing materials that the software protected sensitive patient information by using an “embedded SQL database” in “an encrypted format.” No specificity as to encryption level was offered. The FTC investigated and found that those claims were deceptive because the “encryption” that was used by the software was less complex than that of Advanced Encryption Standard (AES), which is the industry standard recommended by the National Institute of Standards and Technology (NIST). In finding that the protection offered by the software was “vulnerable” and “weak,” the FTC re-characterized the protection as a data-masking technique, not encryption. As for the harm caused, the FTC complaint interestingly cites only forward-looking and potential harm. Schein agreed to pay $250,000 to settle the FTC charges that it falsely advertised the level of encryption it provided.
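The distinction the FTC drew between a data-masking technique and encryption can be checked without knowing a vendor’s internals. The Go program below is an added example, not code from the page or from any product it discusses. It compares a constructed, hypothetical “home-grown” scheme (a short key repeated and XORed over the record, standing in for the kind of masking the text describes; it is not a description of Schein’s software) against AES-256-GCM from the Go standard library, and runs two black-box checks a reviewer would want: does sealing the same record twice produce different output, and is a modified ciphertext rejected rather than silently decrypted. The `Scheme`, `XORMask`, `AESGCM`, `Report` and `Assess` names are this example’s own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Scheme is the black-box interface behind any "our data is encrypted" claim.
type Scheme interface {
	Seal(plaintext []byte) ([]byte, error)
	Open(ciphertext []byte) ([]byte, error)
}

// XORMask is a constructed, hypothetical "home-grown" scheme: a short key is
// repeated and XORed over the record. It stands in for the kind of data-masking
// technique the text contrasts with AES; it is not Schein's actual method.
type XORMask struct{ Key []byte }

func (x XORMask) Seal(p []byte) ([]byte, error) {
	if len(x.Key) == 0 {
		return nil, errors.New("empty key")
	}
	out := make([]byte, len(p))
	for i := range p {
		out[i] = p[i] ^ x.Key[i%len(x.Key)]
	}
	return out, nil
}

// XOR is its own inverse, so Open is the same operation as Seal.
func (x XORMask) Open(c []byte) ([]byte, error) { return x.Seal(c) }

// AESGCM is AES in GCM mode from the Go standard library: a NIST-recommended
// block cipher in an authenticated mode, with a fresh random nonce per message.
type AESGCM struct{ aead cipher.AEAD }

func NewAESGCM(key []byte) (AESGCM, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return AESGCM{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return AESGCM{}, err
	}
	return AESGCM{aead: aead}, nil
}

func (a AESGCM) Seal(p []byte) ([]byte, error) {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || authentication tag.
	return a.aead.Seal(nonce, nonce, p, nil), nil
}

func (a AESGCM) Open(c []byte) ([]byte, error) {
	n := a.aead.NonceSize()
	if len(c) < n {
		return nil, errors.New("ciphertext too short")
	}
	return a.aead.Open(nil, c[:n], c[n:], nil)
}

// Report records two properties a generally accepted scheme has and masking lacks.
type Report struct {
	Randomized     bool // sealing the same record twice yields different ciphertext
	TamperDetected bool // a modified ciphertext is rejected rather than decrypted
}

// Assess runs both checks against a scheme without looking inside it.
func Assess(s Scheme, record []byte) (Report, error) {
	var r Report
	if len(record) == 0 {
		return r, errors.New("empty record")
	}
	c1, err := s.Seal(record)
	if err != nil {
		return r, err
	}
	c2, err := s.Seal(record)
	if err != nil {
		return r, err
	}
	r.Randomized = !bytes.Equal(c1, c2)

	tampered := append([]byte(nil), c1...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored ciphertext
	_, err = s.Open(tampered)
	r.TamperDetected = err != nil // masking silently returns a corrupted record
	return r, nil
}

func main() {
	record := []byte("patient: Jane Doe; insurance id 000-00-0000") // constructed sample
	weak, _ := Assess(XORMask{Key: []byte("secret")}, record)
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	strong, err := NewAESGCM(key)
	if err != nil {
		panic(err)
	}
	good, _ := Assess(strong, record)
	fmt.Printf("xor mask: %+v\nAES-GCM:  %+v\n", weak, good)
}
```

The XOR mask fails both checks: identical records produce identical output, and a flipped bit simply comes back as a flipped bit in the “decrypted” record. AES-GCM passes both, which is the practical content of “generally accepted in the field of information security” that counsel can ask IT management to demonstrate rather than assert.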
Where substantial losses did occur in connection with the TJX Companies, Inc., data breach in 2007, despite the use of point of sale encryption of wireless communications, the FTC vigorously pursued TJX and entered into an onerous settlement agreement, seemingly as a result of the encryption protocol having been deployed in good faith and being only one generation away from state of the art (see the FTC’s TJX Decision and Order).
YES to Tokenization
The FTC’s adoption of the Payment Card Industry (“PCI”) standards as part of its Wyndham Hotels settlement (see the Stipulated Order for Injunction) adds yet another layer to the interaction between technology and legal obligations for those companies who are handling credit card and similar information originating with mobile devices. The PCI standards encourage use of a so-called “token” mechanism whereby the sensitive material is encapsulated in this form for a very short period of time – e.g. 5 or 10 minutes – needed to accomplish a transaction and then self-destructs. Critically, this mechanism eliminates the need for retailers or other merchants to store the material on their own servers or on consumers’ mobile devices. In view of the endorsement of this mechanism by the PCI, and by implication, the FTC, merchants should strive to incorporate it into their mobile commerce strategy and consider whether any third party processors which they propose to engage do so as well (see the PCI Security Standards Council’s overview of the PCI standards).
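The token mechanism described above, as an added example that is not part of the original article and not any processor’s actual service: an in-memory vault issues a random token in place of a card number, the token is valid only for a configured TTL (the 5 or 10 minutes the text mentions), expired entries are purged, and the merchant side holds nothing but the token. The `Vault`, `Tokenize`, `Redeem`, `Purge` and `Live` names, the single-use redemption, and the injectable clock are this example’s own design choices; the card number used in `main` is a constructed test value.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Vault is a constructed, in-memory stand-in for a payment processor's token
// service. The merchant never sees the card number after tokenization; it holds
// only the token, which is useless once the TTL has elapsed.
type Vault struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
	entries map[string]entry
}

type entry struct {
	pan     string // primary account number, held only inside the vault
	expires time.Time
}

var ErrUnknownToken = errors.New("token unknown, already used, or expired")

func NewVault(ttl time.Duration, now func() time.Time) *Vault {
	return &Vault{ttl: ttl, now: now, entries: make(map[string]entry)}
}

// Tokenize swaps a card number for a random token valid only for the vault's
// TTL. The token is 16 random bytes, not a transformation of the number, so it
// carries no information about the PAN even if the merchant's copy leaks.
func (v *Vault) Tokenize(pan string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.entries[tok] = entry{pan: pan, expires: v.now().Add(v.ttl)}
	return tok, nil
}

// Redeem returns the PAN for a live token exactly once, then forgets it.
// Expired tokens are rejected even if Purge has not run yet.
func (v *Vault) Redeem(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	e, ok := v.entries[tok]
	if !ok {
		return "", ErrUnknownToken
	}
	delete(v.entries, tok) // single use: a replayed token must not work
	if !v.now().Before(e.expires) {
		return "", ErrUnknownToken
	}
	return e.pan, nil
}

// Purge drops expired entries so the vault holds nothing it no longer needs
// (the "self-destruct" in the text). It returns the number removed.
func (v *Vault) Purge() int {
	v.mu.Lock()
	defer v.mu.Unlock()
	n := 0
	for tok, e := range v.entries {
		if !v.now().Before(e.expires) {
			delete(v.entries, tok)
			n++
		}
	}
	return n
}

// Live reports how many tokens are currently stored, for monitoring.
func (v *Vault) Live() int {
	v.mu.Lock()
	defer v.mu.Unlock()
	return len(v.entries)
}

func main() {
	v := NewVault(5*time.Minute, time.Now)
	tok, err := v.Tokenize("4111111111111111") // constructed test value, not a real card
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant stores only:", tok)
	pan, err := v.Redeem(tok)
	fmt.Println("processor redeems:", pan, err)
	_, err = v.Redeem(tok)
	fmt.Println("second redemption:", err)
}
```

The checks worth writing into a processor agreement follow directly from this shape: tokens are random rather than derived from the card number, they stop working after the agreed window whether or not a cleanup job has run, and a token presented twice is refused.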
While it is not counsel’s place to evaluate alternative technological approaches to security and privacy, we believe that in today’s environment counsel must, in conjunction with specialized outside counsel where necessary, engage frequently with CIOs, CTOs and other IT management (and often with senior management) to ensure that reasoned decisions are being made after meaningful consideration of alternatives, and must directly address these matters, with proper support from IT management, when negotiating many third party agreements.