It’s 10:00 pm… Your client informs you about an unauthorized access to their private customer data.
Can you advise them? Have you prepared them?
Has a competent team developed a WISP plan for your client?
Do you even know what a WISP plan is?
By NAT WASSERSTEIN & ALAN HEYMAN
The evening news broadcasts are replete with stories about threats to consumer data privacy and identity theft. It’s only a matter of time before a client calls about a data breach and asks you what they should do.
Even a moderate exposure of private customer data can cost a company millions of dollars in litigation, settlement fees, compliance costs, and fines imposed by state regulatory agencies. Lawsuits may be filed by customers, company shareholders, vendors, and other business partners. Even more costly (and more difficult to quantify) is the loss of public goodwill arising from a breach of data security.
Think about all those costs.
And that’s even before adding the actual financial losses from the cyber hackers themselves.
This is where a deep, specific expertise in data privacy issues comes in – before the problem manifests itself into a full blown financial crisis for your client. Action plans implemented by a skilled crisis manager must involve the synchronization of a team of qualified security experts, attorneys and insurers with expertise in matters of data privacy.
WISP – a new, essential discipline
A critical component is the team’s development of an appropriate “Written Information Security Plan (WISP) for a company that complies with the Federal and State requirements and regulations. In today’s world of cyber data breaches, prudent risk management demands an in-place WISP to mitigate the damage caused by a data breach. The evolving standard of care is simply “you should have known”; and the consequences of not knowing what to do before a breach happens or after a breach has occurred can be severe.
And therein lies the not-so-obvious danger – actions taken by regulators. Regulators (and their respective Attorney Generals) from almost every cash-starved state in the country have taken steps that raise the stakes considerably. At this very moment they are preparing to levy steep fines on any organization “breaching” its responsibility for the care of personal information.[i]
The privacy and security of private information first became an area of concern in the 1960s and 1970s with military-based security data. However, the emergence of the Internet has resulted in widespread abuse and theft of personal information. Until the 1990s legislative regulation was largely limited to sector-specific regulation. However, with the significant rise in security breaches over the past ten years, the United States has implemented many federally-based security protection laws, with most state-mandated regulations proliferating since 2008. It is starting to appear as if a company should be more concerned with the possible violation of the Federal and State Regulatory issues than the potential direct financial losses that stem from the Cyber Data breach itself.
The only thing that can make a major security breach even worse is a regulatory investigation or civil action alleging that you failed to meet your obligations under applicable law, and that such a failure resulted in the breach.
– Proskauer Rose LLP (Washington Legal Foundation) June 2010[ii]
Recent history has led to broad regulatory change. Consider these high-profile cases:
TJX Data Breach. Framingham, Mass.-based TJX owns and operates over 2,500 retail outlets, including T.J. Maxx, Marshalls, and Bob’s Stores. In a 2007 filing with the Security and exchange Commission, TJX disclosed that in 2005 an unknown intruder(s) illegally accessed one of the company’s payment systems and stole the credit and debit card information of 94 million customers across the U.S., Canada, Puerto Rico, as well as the U.K. and Ireland over an 18 month period. This made the TJX breach the worst up until that time in terms of compromising consumer personal information. At the time of the filing, the company was attempting to contact all customers to notify them of the breach.
In June of 2009, TJX announced that it agreed to pay $9.75 million to settle investigations by 41 states attorneys general who were examining the company’s data security policies and practices. Under the agreement, TJC will pay $45.5 million in settlement fees, plus $41.75 million to cover the fees associated with the investigations. Additionally, the company agreed to contribute $2.5 million toward the creation of a Data Security Fund that States will use to create a number of security-related initiatives such as developing best practice models, new legislations, and establishing consumer information and outreach programs. This does not include the cost of preventing this type of break in the future.
Health Net. In June 2010, the Connecticut Attorney General, the first by a State Attorney General under new Federal laws, launched an investigation when Health Net, an insurance provider, lost a computer drive that contained unencrypted health information, such as claim forms affecting nearly 1.5. million plan members (about of one-third of whom, resided in Connecticut). The company reached a settlement agreement for violation of HIPAA regulations under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). In the settlement, Health Net agreed to pay $250,000 to the state, offer two years of credit monitoring to affected plan members, purchase $1 million indentify theft insurance, and reimburse plan members for security freezes. An additional $500,000 will need to be paid in the event the information is used for fraudulent purposes. Healthnet has not provided the costs of preventing this type of breach in the future, which could be substantial.
Epsilon Interactive. In what industry experts say may be the largest breach of personal security every recorded, Epsilon Interactive, a Texas-based database services company for such firms as Capital One, Citigroup, Chase, Marriott, Target, Best Buy, and Walgreen announced that on March 30, 2011 customer information was retrieved by unauthorized access into the company’s email system, thereby exposing customers to spam and possible phishing attacks.
Epsilon has claimed that the information stolen was limited to email address and customer names only. A rigorous review determined that no other customer data was exposed. A full investigation is currently underway. How were affected customers notified of this breach? By email, naturally.
According to privacyrights.org, there have been more than 500 million records breached from 2005-2010 (last reported in August 2010) in the United States involving records containing sensitive consumer information.[iii] Unfortunately, consumers are unable to take the necessary steps to protect their information from a data breach. It is up to organizations to ensure that necessary precautions are in place to protect the privacy and security of personal data.
[The number of high-profile breaches seems to be escalating on an almost daily basis since Epsilon. Current breaches are listed at the end of this article with links.]
Regulators have responded at multiple levels of government, creating a complex of new requirements.
Federal Legislation. The United States does not have a comprehensive data security law. Rather, there are several laws that address specific situations, such as with regard to healthcare information (HIPAA), Gramm-Leach-Bililey (GLB) for financial data, the Fair Credit reporting Act for credit information, and the information obtained from children (the Children’s Online Privacy Protection Act). Another federal law that involves data protection and security is the Electronic Communications Privacy Act that has to do primarily with government surveillance, but also includes many provisions regarding access to privately stored information by unauthorized third parties. There is also the Computer Fraud and Abuse Act which prohibits access to computer-based information without prior authorization for the purpose of obtaining private information. The Computer Fraud and Abuse Act also prohibit someone from knowingly accessing private information with the intent to defraud.
New legislation is emerging seemingly on a daily basis. The recently enacted, “Red Flag Rule”, part of the Fair and Accurate Credit Transactions (FACT) Act of 2003 requires creditors and financial organizations to “provide for the identification detection and response to patterns, practices or specific activities – known as ‘red flags’—that could indicate identify theft.” Every knowing violation will result in a $2500 fine. Exempted from the Red Flag rule are such professionals as doctors, dentists, lawyers, and accountants, althouth these groups are still subject to various State Privacy laws and further interpretation of the Red Flag Act.
Lastly, to illustrate the breadth of data security legislation, even the American Recovery & Reinvestment Act (ARRA) of 2009 (aka the Stimulus Act) required additional data breach notification policies for certain types of organizations that store highly sensitive customer information (e.g. financial and banking institutions).
On April 12, 2011 U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011[iv] “to establish a regulatory framework for the comprehensive protection for individuals under the aegis of the Federal trade Commission.” The bill will be applied to all commercial businesses that “collect, use, transfer or store the covered information” of greater than 5000 people over a consecutive 12 month period. Certain provisions of the bill would direct the FTC to guide regulatory proceedings within certain timeframes, but the bill also imposes mandates directly on companies themselves.
Massachusetts legislation. State-based data privacy legislation has become quiet onerous over the past several years arising primarily from the breaches at TJX and Epsilon. California was the first state to pass legislation in 2005 However, the model for future legislation came from the state of Massachusetts where TJX is based. The Massachusetts Law titled, “Standards for Protection of Personal Information of Residents of the Commonwealth” (Chapter 93H) created a comprehensive set of data security requirements for business, including the development and continual oversight of a “comprehensive“ written information security program” (WISP). The scope of the Massachusetts regulation is broader than any other existing federal or state law and requires public disclosure of a data security breach and provides for the implementation of security freezes to prevent further intrusion. It also requires that WISP include a process for how it will oversee all its vendors and partners who have access to the company’s private data, including customer non-public information in providing services to the firm. Finally, all companies subject to the regulations are required to maintain various computer security protocols for storage and transmittal of personal data, along with installation of anti-virus software; employer-led training in how to properly use the computer security system.
Regulations in other States. As of February 2011, 46 states[v] as well as the District of Columbia have also passed breach notification legislation and a large number of states also have laws that require the protection of their residents’ private information.
Nevada. On January 1, 2010, Nevada’s new identify theft law, S.B. 227, went into effect. Among other requirements (such as mandating compliance with the PCI Data Security Standards for all credit card transactions), S.B. 227 specifically requires the ‘encryption” of all personal data leaving the “logical or physical control of the data collector,” including electronic data on a “data storage device.” As with the Massachusetts legislation, the Nevada law applies to business entities doing business with any resident of the state, whether or not the business is incorporated there.
Nevada and Maryland require that contracts between entities and third party providers that disclose the personal information of state residents must include a stipulation requiring the party to whom the information is disclosed to implement safety measures to protect the privacy of the person.
California. The California regulations stipulate that any business or license that owns or licenses personal data regarding a resident of California must:
… implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Under this statute, “Personal information” includes (when the information is not encrypted or redacted):
- Individual’s first and last name or first initial and last name
- Social security number
- Driver’s license number
- Credit or debit card account numbers in combination with security access code or password.
- Medical information
Arkansas. Protections for medical information are also in place in Arkansas, but that information is not covered to the same extent as are the regulations in Massachusetts.
Illinois requires safety measures for biometric data, a requirement also not covered by the regulations in Massachusetts.
Oregon. Oregon’s Consumer Identify theft Protection Act incorporates safety measure that are similar to those of the Massachusetts legislation, with some forbearance for small businesses (manufacturing firms with less than 200 employees) and other types of businesses with less than 50 employees. An important requirement is that firms implement an “information security program” (i.e. WISP) that contains administrative, technical and physical safety measures (the same stipulation as in the Massachusetts regulations).
Connecticut. Without stipulating specific safety measures, Connecticut requires that any person or business that is in possession of private information of another person to:
Safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.
“Personal information” includes social security number, driver’s license or state ID numbers, a credit or debit card number, a passport number, alien registration number, or health insurance plan number.
Connecticut regulations also require that businesses and licensees notify appropriate government authorities and affected parties of the security breach as “soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.”
Similar regulations were passed in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah.
The Cost of Data Security
Data security breaches can result in significant costs[vi] for a company and not only in terms of monetary loss. These costs include:
- The costs associated with disclosing the breach to government officials and the public at large. This can average $30 to $150 per notice (times perhaps 40 million notices and you begin to get a sense of the financial damage).
- Credit monitoring services for affected parties—usually a Public relations gesture to restore company good will.
- ID theft insurance coverage
- Litigation expenses including the cost of retaining an attorney and settlement fees.
- Costs associated with assessment of damage and reparation of compromised security systems.
- Cost to maintain compliance with state regulations
- Fines for security violations (e.g. HIPAA, GLBA, FRCA)
- Loss of company reputation and trust can have a significant impact on future earnings.
Data Security for Small and Mid-Size Firms
In light of the recent spate of regulation, it is no longer sufficient for company executives to pass on the task of data security to ensure that the privacy of sensitive is maintained. The recent wave of state-based regulations necessitates that organizations of all sizes implement a company-wide effort to ensure that the privacy of sensitive data is maintained.
Specific samples of regulation directed an enhancing the confidentiality of personal information include[vii]:
- Social Security numbers. Written policy requirement regarding the privacy of Social Security numbers is in effect in New York, Connecticut, New Jersey and Michigan;
- Comprehensive Data Security Program Requirements. Regulations requiring the creation of either comprehensive plans or WISPs that contain information regarding the administrative, physical, technical and safety measures implemented by a company with regard to data security and integrity in each of the 46 states. WISPs in Massachusetts, Maryland, Nevada, New Jersey, and Oregon;
- Encryption Mandates. Data encryption requirements in Massachusetts and Nevada.
- Breach Notification requirements. Data breach notification requirements in all 46 states;
- Job Applicant Information. Specific protections are in effect in Utah with regard to personal information on job applications.
- Red Flag Regulations. Federal “Red Flag” regulations for businesses that are financial institutions or creditors. As of this writing, lawyers, doctors, dentists and accountants are exempted from this regulation.
- HIPAA Regulations. Privacy protection under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for company-based health plans and covered health care providers, including on-site medical services. As of February 2010, many of the requirements were also applied to insurance brokers, third party plan administrators, and electronic storage firms, etc.
- Federal Contractor Requirements. For the most part, federal contractors are subject to the same federal laws, regulations, and standards as the agencies which they serve.
- PCI Standards. Some companies that process credit card payments or receive payment for products and services by credit or debit card may need to comply with the Payment Card Industry (PCI) Data Security Standards.[viii]
- International Standards. Those companies with branches or associates in the European Union (EU) may have some difficulty in exchanging personal information with their counterparts due to the stringent regulations in these countries. As one example, in July 2009, the UK’s Financial Services Authority (FSA) fined three HSBC Holding companies a total of £3 million ($4.9 million) for not adequately protecting customers’ confidential information. This was the highest fine ever imposed by the FSA for a data security breach.[ix]
Overall, these protections seek to protect the “personal information of various stakeholders: employees, customers, business partners. Personal information typically includes: 1) first and last name, 2) social security number; 3) driver’s license number or state issued ID; 4) credit and/or debit card number, and 5) medical information. As noted, some states (e.g. Connecticut) have expanded this definition to include passport numbers and alien registration numbers.
Handling the regulatory challenge and keeping it from becoming a full blown crisis: Taking proactive steps is the only strategy. Develop a WISP plan for your client companies.
In light of the wave of regulations and their specificity with regard to each state, small and medium size firms must assess their risks with regard to established safety measures in storing and transmitting personal information.[xi] In particular, they must examine how personal information is stored, retrieved, disclosed, and destroyed. The process, known as “risk assessment,” is critical to understanding the types of personal information a company compiles and what protections need to be implemented. When performed correctly, the risk assessment process enables a business to develop a WISP plan that will sufficiently address all the risks identified.
If there is a common thread through all the laws it is the development of the “WISP” plan. A satisfactory plan requires the collaboration from various professions including, legal, IT Data Security, as well as insurance professionals — all managed by a knowledgeable security oriented crisis manager skilled in risk management.
This is the moment in time best described as the calm before the storm. And the storm is coming. In fact, it’s already here. If you have had a breach, you are in the storm. From my experience as a crisis manager for over 15 years, it’s very rare to be able to plan before an actual crisis unfolds. It’s time to put your team together. To this end, my company will remain prepared to help businesses survive this new threat.
With the assistance of data security industry experts, a thorough risk assessment can be developed that will ensure your business is in full compliance with required mandates and is able to ride the regulatory storm successfully in terms of both continued financial viability and reputational integrity. This is all accomplished by creating and developing your WISP plan. If your clients don’t have one, have them call us to walk thru the necessary steps to cyber security.
# # #
Nat Wasserstein is Managing Director at Lindenwood Associates LLC, a restructuring advisory and crisis management firm in New York City. He has specific, deep expertise in matters of enterprise risk management. He has successfully served as Chief Restructuring Officer for various companies operating in Chapter 11 under extreme crisis conditions in the Southern and Eastern District Courts of NY over the past 15 years. For more information, email: email@example.com
Alan Heyman is Managing Director of Cyber Security Auditors & Administrators, LLC (CSA2) and is certified by the IBM Internet Security Solution’s (ISS) Group in all phases of Cyber Security, while the firm, CSA2,, is an IBM ISS Business Partner. Email firstname.lastname@example.org
Download the entire article here Consequences of Data Exposure and the Rise of the Regulator
***This Just In: Hacker Raids Sony Videogame Network – WSJ.com
***This Just In: The national association of secretaries of state comment on the threat to data breaches to small-mid sized businesses. Small and Mid Sized Companies Wake Up!
[ii] Washington Legal Foundation -Contemporary Legal Note Series Number 66 June 2010 Jeffrey D. Neuburger and Natalie Newman (Proskauer Rose LLP)
[vii] http://www.zurichna.com/internet/zna/SiteCollectionDocuments/en/media/whitepapers/ DOCold2DataSecurity082609.pdf
[x] http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/ PRIVACY/FEDERALSTATEANDOTHERPROFESSIONALREGULATIONS/Pages/default.aspx