
Laws and Regulations Governing Data Breach Notification
Friday, April 23, 2010 - 15:00

By Mark Brady, CSRSI Team Member

As a merchant, when must I notify my customers regarding loss of Personally Identifiable Information?

The highly publicized issue of identity theft has led to several issues for companies that, for legitimate business purposes, must store sensitive customer information. One of those issues is the somewhat grey area of when a loss or theft of a customer’s Personally Identifiable Information must be disclosed to customers, federal or local governments, and/or MasterCard/Visa.

There are two state laws (and several other states in the process of drafting same) that deal with the disclosure issue.

Massachusetts

Requirements for Security Breach Notifications under Chapter 93H:

Massachusetts approved a comprehensive identity theft prevention bill in 2007. This law provides that “Massachusetts consumers must be notified of any breach of their personal information that creates a substantial risk of identity theft or fraud as soon as practicable and without unreasonable delay after a breach occurs, except when a law enforcement agency determines that notice may impede a criminal investigation”.

Additionally, where a person who owns, licenses, maintains or stores personal information knows or has reason to know (1) of a security breach, or (2) that the personal information of a Massachusetts resident was acquired or used by an unauthorized person or for an unauthorized purpose, that person must notify the Attorney General and the Office of Consumer Affairs and Business Regulation of that breach or unauthorized acquisition or use.

As such, three parties must be notified under Massachusetts law: the Attorney General, the Office of Consumer Affairs and Business Regulation, and the consumer.

The notifications to the Office of Consumer Affairs and Business Regulation and to the Attorney General must include:

  • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
  • The number of Massachusetts residents affected as of the time of notification;
  • The steps already taken relative to the incident;
  • Any steps intended to be taken relative to the incident subsequent to notification; and
  • Information regarding whether law enforcement is engaged in investigating the incident.

The Massachusetts Attorney General may bring action against parties that do not notify the Office of Consumer Affairs and Business Regulation and the Attorney General of a security breach. Penalties may include triple damages and the costs of attorney’s fees relating to the AG lawsuit.

Note: As of 2009, 807 notifications were submitted to the Mass AG’s office, affecting over 1 million Massachusetts residents.

California

The following is excerpted from California law regulating the privacy of personal information, SB1386, amending Civil Code sections 1798.82 and 1798.84:

“Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (SEC. 4. Section 1798.82)

Any customer injured by a violation of this title may institute a civil action to recover damages.” (Sec. 4. 1798.84)

Applicable for both Massachusetts and California:

“A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.” 

US Government Position on Data Breach Notifications

Executive Office of the President Office of Management and Budget (OMB)

The US Office of Management and Budget Recommendations for Identity Theft Related to Data Breach Notifications

This memo from the OMB to federal agencies provides recommendations for handling identity theft incidents, including under what circumstances to issue data breach notifications to those impacted by the loss or theft of Personally Identifiable Information.

The OMB addresses the issue of “Whether a breach notification is required”. Their advice encompasses several common sense considerations, as follows:

  • The nature of data elements breached
  • The number of individuals affected
  • Likelihood information is accessible and usable
  • Likelihood the breach may lead to harm
  • Ability to mitigate the risk of harm

It is interesting to note that the OMB separately addresses the potential “chilling effect” of breach notifications on consumers. The OMB encourages its agencies to consider the seriousness of the information loss in deciding whether to issue consumer notifications.

MasterCard and Visa Requirements for Reporting Compromised Credit Card Information

Unlike the state and federal laws/guidelines detailed above, MasterCard/Visa address only information related to credit cards. Accordingly, their rules do not encompass the breadth of data normally defined as “Personally Identifiable Information” (see the links to related blog posts below, which discuss and define Personally Identifiable Information). As such, the MasterCard/Visa information impacted would be: the cardholder number, expiration date, the three-digit security code, and information from the card’s magnetic stripe.

MasterCard and Visa rules for compromised entities, including merchants and third party card processors, are as follows:

Steps for compromised entities

Alert all necessary parties immediately. Be sure to contact:

  1. Your internal information security group and incident response team.
  2. Your merchant bank.
  3. Visa Fraud Investigations and Incident Management group (if you do not know the exact name and/or contact information for your merchant bank).
  4. Your local office of the United States Secret Service.

(Note: regarding items 3 and 4 above, it is our experience that the merchant’s member bank will advise the merchant or third party card processor to contact the member bank before alerting Visa and the Secret Service. The member bank and Visa will then determine the actions to be taken.)

Visa also details the following, which applies to the Visa member bank:

If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

Most contracts between merchant banks and merchants or third party card processors provide for the transfer of liability for not disclosing loss or theft of any Visa transaction information from the member bank to the merchant or third party card processor.

It is our experience that several types of relatively minor credit card information loss incidents are not reported to card associations. Examples might include:

  • A lost or stolen PDA containing less than, say, 100 card numbers.
  • A break-in at a merchant or sales office where laptops containing a relatively small number of card numbers and expiration dates (only) were stolen.
  • Missing paper files including a relatively small number of card numbers.
  • Missing merchant copy receipts.

CSRSI believes that MasterCard/Visa and the member banks informally adhere to a common sense process more or less as detailed in the Office of Management and Budget recommendations discussed above.

Conclusion

In today’s environment, where identity theft and data security are very “hot” topics, companies will want to follow all federal, state and MasterCard/Visa laws and guidelines to the best of their ability. Corporate reputations are very much at stake.

That said, there are still decisions to be made about whether, and under what conditions, your customers must be notified of loss of Personally Identifiable Information. Start by creating your data security policy and address issues like data breach notifications as part of that policy.

CSRSI provides consulting services, including the complete documentation of the flow of Personally Identifiable Information within an organization. From this diagram, weaknesses can be revealed and addressed.

CSRSI can assist with all data security and Personally Identifiable Information issues.

Related blog posts:

Personally Identifiable Information – Protect or Destroy

Personally Identifiable Information – Advanced Threats
