
Advisories & Insights

The Biggest Identity Theft Spree in U.S. History and The Obligation of Business to Prevent Identity Theft

August, 2009

The news on Monday of what has been described as the "largest hacking and identity theft caper in U.S. history"[1] renews concerns about the obligations of businesses to control and prevent identity theft. Indicted in federal court in New Jersey this week, the alleged perpetrators reportedly stole data from more than 130 million credit and debit cards after breaking into the computer systems of 7-Eleven, Hannaford Bros. supermarkets and Heartland Payment Systems, along with other businesses. The hackers may not be the only ones held to account, however. The businesses whose systems were compromised may find themselves under intense scrutiny, and potentially liable, for failing to implement appropriate preventive measures.

The current string of crimes is alleged to be related to the earlier large breach of private consumer data at The TJX Companies, Inc., the holding company of the TJ Maxx apparel chain. The Federal Trade Commission undertook a major investigation of that company and concluded that it had failed to employ reasonable measures to protect consumer data. The FTC ultimately entered into a consent order requiring the company to undertake a series of data security and identity theft prevention measures. With a new major identity theft event, each of the newly affected businesses will need to notify consumers that their information may have been stolen. But they may also face regulatory scrutiny about whether they had taken adequate steps to prevent the breach in the first place.

Businesses in most states are required to notify consumers of known security breaches

In most states, when a business or agency has reason to know that its systems have been breached, and consumer personal information was wrongfully taken, the business or agency must notify all affected individuals.

California led the way in this area by enacting Sections 1798.29 and 1798.82 of the California Civil Code, which require government agencies and businesses, respectively, to notify consumers when their unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized person from a computer system or database. "Personal information" under the statutes is an individual's name in combination with one or more of the following: a social security number; a driver's license or state identification card number; or an account, credit card or debit card number together with any security code, access code or password that would permit access to the account. Data that is encrypted is outside the definition, which is one reason encryption of stored consumer data matters. The California statutes initially were limited in scope to consumer financial information, but were amended effective January 2008 to add medical information and health insurance information.

California's breach notification law was the first in a wave of state legislation requiring notification to consumers following security breaches and the wrongful disclosure of personal identification information. Similar legislation has now been enacted in at least 45 states. Oregon's Consumer Identity Theft Protection Act took effect October 1, 2007, and its breach notification provisions are codified at ORS §§ 646A.600 to 646A.604. Washington's similar law is found at Wash. Rev. Code § 19.255.010, and Nevada's at Nev. Rev. Stat. § 603A.220.

FTC now will begin enforcement of Red Flags Rule on November 1, 2009

A business's obligations do not begin only once a breach has occurred. Businesses have important legal obligations to take steps to prevent identity theft before it happens. Many businesses are now subject to the federal Red Flags Rule, which was developed by the Federal Trade Commission and the federal financial regulatory agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA") to create a set of identity theft prevention obligations.

The Rule requires covered businesses to implement a written program that identifies, detects and responds to the warning signs, or "red flags," that could indicate identity theft. The Rule applies to financial institutions and to any business deemed a "creditor." A creditor is not just a bank or lender[2]; the term reaches any business or organization that "regularly defer[s] payments for goods or services or provide[s] goods or services and bill[s] customers later." This will include many if not most utility companies, health care providers and telecommunications service providers, as well as many finance companies, mortgage brokers, real estate agents, automobile dealers and other businesses that offer consumers financing or process credit applications.

The Commission has now launched a site dedicated to explaining the Red Flags Rule and offering resources to help businesses determine whether they are covered and how to comply.[3] This includes a "do-it-yourself template" for businesses that believe they are at low risk for identity theft but are still covered by the Rule. The Commission states that businesses that know their customers personally, usually provide services at a customer's home, and have not experienced incidents of identity theft will be considered at low risk. The FTC has offered no further guidance on which other businesses may qualify as low risk.

Businesses must transition from WEP to WPA Encryption by June 2010

Many businesses that may be subject to Red Flags Rule compliance are also subject to the payment card industry's Data Security Standard (PCI DSS). Merchant agreements with acquiring banks require PCI DSS compliance as a condition of keeping the merchant account. Among other things, businesses must stop using WEP encryption on wireless networks that carry cardholder data and move to WPA or stronger. WEP's keys can be recovered within minutes by an attacker who simply captures traffic from outside the building, so a WEP-protected network should be treated as an open one. The risk of continued reliance on WEP was highlighted by the FTC in its enforcement action against the TJX companies: the use of WEP was said to be much of the reason for the substantial breach that occurred there.

If they have not already done so, businesses subject to PCI DSS are required to replace WEP by June 2010. Several state laws also subject businesses to liability for failure to adopt some of the safeguards the PCI DSS would require, and some of those laws require businesses that collect and store consumer personally identifiable information to do so only in encrypted form.
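Whether an access point is still configured for WEP is something an administrator can check in the configuration itself rather than take on faith. The following added example, which is not code from this advisory, the FTC or the PCI Security Standards Council, audits hostapd-style access point configurations: it flags WEP keys as a failure, and, going one step past the article's WPA floor, also warns when the older WPA (TKIP) mode is still enabled or when no pairwise cipher is pinned, since WPA2 with AES-CCMP is what a cardholder-data network should actually run. The three sample configurations, the SSID and the keys are constructed for illustration; the option names (wep_key0, wpa, wpa_pairwise, rsn_pairwise) are hostapd's own.

```python
"""Flag WEP and weaker-than-WPA2 settings in hostapd-style access point
configs. Added example for this advisory; not code from the article, the
FTC or the PCI Security Standards Council."""

# Constructed sample configs for illustration only; interface, SSID,
# passphrase and WEP key are made up.
WEP_CONFIG = """\
interface=wlan0
ssid=STORE-POS
channel=6
# static 104-bit WEP key (RC4): the kind of setting the FTC faulted at TJX
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789
"""

WPA_TKIP_CONFIG = """\
interface=wlan0
ssid=STORE-POS
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=change-me-please
"""

WPA2_CONFIG = """\
interface=wlan0
ssid=STORE-POS
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=change-me-please
"""


def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and '#' comments.
    A later duplicate key overrides an earlier one, as in hostapd."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of (level, message) findings; level is FAIL, WARN or PASS."""
    findings = []
    wep_keys = sorted(k for k in cfg if k.startswith("wep_key"))
    wpa = cfg.get("wpa", "0")  # hostapd: 0 = none, 1 = WPA, 2 = WPA2/RSN, 3 = both

    if wep_keys:
        findings.append(("FAIL", "WEP keys present (%s): PCI DSS prohibits WEP on "
                                 "cardholder-data networks after 30 June 2010"
                         % ", ".join(wep_keys)))
    if wpa == "0" and not wep_keys:
        findings.append(("FAIL", "no wpa= setting and no WEP keys: the network is open"))
    if wpa in ("1", "3"):
        findings.append(("WARN", "WPA (wpa=%s) still enabled; set wpa=2 so only "
                                 "WPA2/RSN clients can associate" % wpa))

    # Pairwise ciphers: wpa_pairwise applies to WPA, rsn_pairwise to WPA2.
    ciphers = set()
    for opt in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(cfg.get(opt, "").split())
    if "TKIP" in ciphers:
        findings.append(("WARN", "TKIP pairwise cipher allowed; restrict to CCMP (AES)"))
    if wpa != "0" and not ciphers:
        findings.append(("WARN", "no pairwise cipher set explicitly; pin "
                                 "rsn_pairwise=CCMP rather than relying on the default"))

    if not findings:
        findings.append(("PASS", "WPA2 with CCMP only"))
    return findings


def grade(text):
    """Worst finding level for a config text: FAIL > WARN > PASS."""
    levels = {lvl for lvl, _ in audit(parse_hostapd(text))}
    for lvl in ("FAIL", "WARN", "PASS"):
        if lvl in levels:
            return lvl


if __name__ == "__main__":
    samples = (("WEP", WEP_CONFIG), ("WPA/TKIP", WPA_TKIP_CONFIG), ("WPA2/CCMP", WPA2_CONFIG))
    for name, text in samples:
        print(name, "->", grade(text))
        for lvl, msg in audit(parse_hostapd(text)):
            print("   ", lvl, msg)
```

Run against the three constructed configurations, the WEP one grades FAIL, the WPA/TKIP one WARN and the WPA2/CCMP one PASS. The check is deliberately about the configuration on disk: a network that passes it can still fail an assessment if an unmanaged access point is plugged in elsewhere, which is why PCI DSS also calls for periodic wireless scanning.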

Still, the PCI standards do not apply to every business, and it is not clear that WPA or any other particular form of encryption will be deemed sufficient on its own. The FTC has not established a fixed standard of security; it will consider whether a business acted reasonably under the circumstances and undertook reasonable measures to protect consumer personal information.

For more information on identity theft, data security, and privacy issues generally, please contact Jonathan.Rubens@bullivant.com.



[1] Wall Street Journal, August 17, 2009, http://online.wsj.com/article/SB125053669921337753.html

[2] Federal Trade Commission, Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, available at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

[3] http://www.ftc.gov/redflagsrule