Tag Archives: Attorney General

Indiana Argues Companies are Deceptive if They Suffer a Data Breach

The Indiana Attorney General recently lodged a claim under the Indiana Deceptive Consumer Sales Act (Indiana Deception Act) that might allow data breach victims to file class action lawsuits against companies and recover $500 or more per person in damages and attorney’s fees.

If successful, this could open the floodgates of litigation against companies who suffer data breaches exposing personally identifying information.

The Indiana Deception Act

The Indiana Deception Act protects consumers from companies who commit deceptive and unconscionable sales acts. Under the Indiana Deception Act, a company “may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction.” For the first time, the Indiana Attorney General recently argued that this Act should apply to data breaches. Continue reading Indiana Argues Companies are Deceptive if They Suffer a Data Breach

New York Report: Record Year for Data Breaches

In the press release, Schneiderman reported a record 1,300 data breaches were reported to the state’s attorney general’s office in 2016. That represents a 60% increase over the prior year.

Common Breach Trends

Each year in the various annual breach reports we see human error leading the way as the top cause for security incidents. This report shows similar trends.

Hacking – i.e. phishing and malware – caused 40% of the breaches. It’s preached time and again, make sure employees are trained and aware of the latest social engineering threats. But the rising numbers don’t lie. We still click on funny emails, or compelling messages.

Right on its heels, employee negligence takes second place causing 37% of reported breaches. This encompasses the lost laptops, accidental disclosure of records, and insider threats. Again, this highlights the importance of training employees on privacy and data security best practices.

ePlace Solutions makes cyber training courses available to policyholders. The courses touch on several relevant topics: Social Engineering, Threats of a Data Breach, Safeguarding Information, and Data Security Basics.

Reach out to cyberteam@eplaceinc.com to find out if your organization has access to these training courses.

Attorney General Recommendations

Scheiderman included a list of recommendations for organizations to consider. They’re geared toward helping organizations protect sensitive data.

Reviewing the recommendations is a good idea. The Attorney General’s office could use them as a benchmark in the future when evaluating if a company has reasonable security practices in place.

Recommendations from the AG’s office:

  • Understand Where Your Business Stands:  The first step toward an effective data security policy is to understand what information your business requires for its operation, what data has already been collected and stored, how long the data is needed and what steps have been taken to ensure security. Organizations should review how sensitive data is acquired, how sensitive information is being shared with third parties, and what access controls are in place.
  • Identify and Minimize Data Collection Practices:  Put simply, data that does not exist cannot be stolen or lost. Collect only information that you need, store it only for the minimum time that you need it, and deploy data minimization tactics wherever possible. For example, if your company uses a point-of-sale system, ensure that expiration dates are not stored with credit card numbers. Reduce the use of highly sensitive data points, such as Social Security numbers, unless absolutely necessary, and minimize the length of retention for such data.  Delete any information you no longer need.
  • Create an Information Security Plan That Includes Encryption:  Creating a comprehensive Information Security Plan is a complex but necessary endeavor. Studies show that entities with an effective plan will articulate not only technical standards, but will incorporate training, awareness, and detailed procedural steps in the event of data breaches. Read more about what a comprehensive security plan should include in the report.
  • Implement an Information Security Plan:  Successful implementation of a thoughtfully designed plan can be one of the most effective ways to minimize the risk of a data breach. Elements to consider when implementing a plan include ensuring employees are aware of the plan and conducting regular reviews to ensure the plan continues to conform with evolving best practices.
  • Take Immediate Action in the Event of a Breach:  Remember to investigate all security incidents immediately and thoroughly. In the event of a breach, the law may require you to notify consumers, law enforcement, state Attorney Generals’ offices, credit bureaus and other businesses.
  • Offer Mitigation Products in the Event of a Breach:  While not required by law, New Yorkers affected by a data breach should be provided with mitigation services for free. These include credit monitoring, which provides alerts, usually by email, whenever an application for new credit is submitted to a consumer credit reporting agency, and a security freeze, which blocks new credit accounts. The cost of clearing up the consequences of identity theft can easily reach into the thousands of dollars and require hundreds of hours attending to administrative burdens.

How Failure to Notify Cost Wells Fargo $8.5 Million

A month after releasing the California Data Breach Report 2012-2015, CA Attorney General Kamala Harris settled with Wells Fargo for $8.5 million over privacy violations under California law. The chief violation was the recording of consumers’ phone calls without timely telling consumers they were being recorded.

“Protecting the privacy of California consumers is increasingly crucial as technology rapidly develops and becomes a bigger part of our lives,” said Attorney General Harris. “This settlement holds Wells Fargo accountable for violating the privacy of its customers by recording calls without providing adequate notification, and ensures that the bank makes the changes necessary to protect the privacy of its customers.”

California has been notorious for having some of the most stringent privacy laws in the nation. With that said, before engaging in a confidential conversation, individuals must be notified at the beginning of the call if it’s being recorded, so they have the option to either object or end the call.

Corrective Action

The settlement includes obligations for Wells Fargo to comply with the California law going forward. This means making clear, conspicuous, and accurate disclosures of any recording between the bank and its customers in the future. Wells Fargo is implementing a compliance program tasked with making the necessary policy changes.

The Ultimate Guide to California Data Breaches

Attorney General Kamala Harris released a report – California Data Breach Report 2012-2015 – detailing four years’ worth of data breaches her office has seen. From 2012 to 2015, 657 data breaches were reported to the Attorney General’s Office, totaling more than 49 million records of compromised personal information.

Attorney General Harris states in the report, “California is leading the nation with measures to prevent data breaches, but we can do better. This report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.”

The report provides details about the common types of data compromised, the industry sectors most susceptible to a breach, and recommendations to reduce the risk of a data breach.

Types of Data

The top three types of data compromised over the past four years:

  • Social Security numbers
  • Payment card data
  • Medical information

Industry Sectors

The following industry sectors accounted for the most breaches over the past four years:

  • Retail sector – 24% of breaches & 42% of records breached
  • Financial sector – 18% of breaches & 26% of records breached
  • Healthcare sector – 16% of breaches
  • Small businesses – 15% of breaches

Recommendations

The Attorney General’s report made the following recommendations to organizations to comply with the state laws and help reduce the likelihood of a data breach occurring:

  • Controls: Adopt the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program.
  • Multi-Factor Authentication: Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.
  • Encryption: Consistently use strong encryption to protect personal information on laptops and other portable devices, and consider using it for desktop computers as well.
  • Fraud Alert: Encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and highlight this in breach notices.

State AGs Ask For Chip-and-PIN

Nine state attorneys general sent a letter to the leading card brands asking for quicker implementation of chip-and-PIN technology in the United States. The letter asserts that PIN technology is the gold standard for payment card technology in other countries – and fraud related to payment cards has decreased as a result.

“This letter calls upon you as good corporate citizens to voluntarily expedite the implementation of existing technology that offers the most substantial security benefits, and to continue to adapt and improve security as quickly as possible as technology advances.”

Many point out that chip-and-PIN technology would be a hassle for consumers. But there are plenty of consumers that use PIN technology with debit cards. Especially with the high frequency of impactful breaches this past year, the consumer transition might not be as difficult as previously believed.

Rhode Island Amends Data Breach Notification Statute

Rhode Island Governor Gina Raimondo signed into law SB 1034, updating the 2005 Identity Theft Protection Act. The amendment includes a notification deadline as well as additional requirements to notify the state Attorney General.

With the enactment of this amendment, entities that experience a data breach that poses a risk of identity theft to a Rhode Island resident must notify the affected individuals within 45 days after discovery of the breach.

Additionally, the act now requires written or electronic notice to the Attorney General if the number of consumers affected by the breach exceeds 500 individuals.

The bill will take effect on June 26, 2016.

 

Oregon Amends State Breach Notification Statute

Oregon Governor Kate Brown signed into law SB 601, updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment broadens the definition of personal information (PI) and includes additional requirements to notify the state Attorney General.

PI has been expanded to include the following elements in combination with first and last name:

  • Biometric information (fingerprint, retina, or iris);
  • Health insurance; and
  • Medical information

Additionally, the act now requires written or electronic notice to the Attorney General if the number of consumers affected by the breach exceeds 250 individuals.

The bill will take effect on January 1, 2016, and apply to data breaches occurring on or after that date.

Connecticut AG Forms Department for Privacy and Data Security

Connecticut Attorney General George Jepsen announced the formation of a Privacy and Data Security Department within the Connecticut Office of the Attorney General. Assistant Attorney General Matthew Fitzsimmons was named to head the new department, which will work exclusively on investigations and litigation related to privacy and data security. The department will also be tasked with educating the public and business community about responsibilities regarding personally identifiable and sensitive information and notification requirements.

“When I took office in January 2011, it became immediately clear that data privacy and security were growing concerns in our state and across the country,” Jepsen said. “During that time, my office has taken a lead role in investigating massive consumer data breaches involving Anthem, Target, Home Depot and others as well as significant issues impacting consumer privacy, including the Google Street View Wi-Fi data collection case.”

Montana Amends State Data Breach Notification Statute

Montana’s governor signed into law HB 74, amending the state’s data breach notification statute to broaden the definition of personal information (PI) and include additional requirements.

PI has been expanded to include the following elements in combination with first and last name:

  • Medical record information;
  • Taxpayer identification number; or
  • An identity protection personal identification number issued by the U.S. internal revenue service.

Additional requirements include submitting an electronic copy of the notification, along with a statement providing the date and method of distribution of the notification and the number of residents impacted by the breach, to the state Attorney General’s Consumer Protection Office.

The bill was enacted on February 27, 2015 and will take effect on October 1, 2015.