When shoppers swiped their credit and debit cards to pay for purchases at Barnes & Noble stores last year, they didn’t expect to have their card and personal identification numbers (PINs) stolen. But hackers had breached point-of-sale keypad card terminals at 63 Barnes & Noble stores in nine states. When the company discovered the attack in September 2012, it decided as a precautionary measure to discontinue use of all PIN pads in its nearly 700 stores.
At the Justice Department’s request, the company did not inform consumers of the data breach for more than a month so the FBI could investigate the crimes first. Although it did notify customers in late October, the retailer’s website at press time said the company was still seeking to identify compromised accounts. Barnes & Noble thus became the latest in a long string of companies to face the public relations nightmare, financial drain and potential legal risks of coping with a significant data breach.
An October Ponemon Institute study found the average annual cost of cybercrime was $8.9 million per year per company, with a range of $1.4 million to $46 million. The companies in the study experienced on average 1.8 successful cyber-attacks per week.
The frequency of such incidents has made data security the top legal concern of 55 percent of in-house counsel, according to the 2012 Law and the Boardroom Study by Corporate Board Member and FTI Consulting. A plethora of federal and state laws designed to protect consumers also has helped push data protection to the top of the compliance priority list.
“Regulators understand that there are sophisticated criminals out there, but they also expect you to take the necessary reasonable steps to protect information,” says Linda Clark, senior counsel for data security and compliance at Reed Elsevier. “You may not get credit for doing the right thing, but if you don’t ... you will almost certainly not be looked upon favorably.”
Doing the right thing starts with encryption, the process of encoding information so it is unreadable to hackers. At least 46 states have enacted security breach laws requiring notices to consumers, but if personal information is encrypted, notice generally is not required.
“Following industry best practices encryption standards remains very helpful in minimizing both reporting requirements and litigation exposure in the event of a data breach,” says Michael Pennington, a partner at Bradley Arant Boult Cummings.
The safe harbor only applies if the decryption keys that allow the data to be viewed are not compromised. Therefore, strong key management is essential.
“The company should confirm that the decryption key was not stored with the encrypted data,” says Philip Gordon, head of Littler Mendelson’s privacy practice group. “As long as that is the case, the data owner would have no notification obligation.”
Experts strongly recommend encryption for mobile devices, which are easily stolen. For example, someone stole a laptop computer from a NASA employee’s locked vehicle on Oct. 31, 2012, the latest in a series of data breaches at the space agency. The laptop contained personally identifiable information for a large number of NASA employees, contractors and others. According to NASA, although the laptop was password-protected, it did not have whole disk encryption software, which means the thief could easily access the information it held. NASA pledged to have all laptops fully encrypted by Dec. 21, and in the meantime banned all unencrypted laptops from leaving NASA premises.
But encryption isn’t always effective in an ever-evolving technology environment. Pennington says data thieves apparently stole the Barnes & Noble data at the point of purchase, before it could be encrypted. According to some experts, even encrypted data no longer deters skilled hackers. “Business and criminals are constantly working against each other to come up with the latest technology to thwart the other in this area,” Pennington says.
The basis of any compliance program is understanding what information you have, says Clark.
“For example, do you have personal information? Protected health information (PHI)? Company confidential information? [Then you know,] you can plan and design your program to meet your regulatory and legal obligations,” she says.
If the breach involves PHI subject to the Health Insurance Portability and Accountability Act (HIPAA), then the Health Information Technology for Economic and Critical Health Act requires notification within 60 days of the breach discovery. In addition, if the breach affects more than 500 people, the company must notify the Department of Health and Human Services, and if the 500 individuals reside in the same jurisdiction, the company also is required to notify major media outlets.
“By contrast, if the health information is not PHI subject to HIPAA—for example, if it is health information in a database of workers comp claims—state law might not even require notice because only a relatively small number of state notice laws include health information,” Gordon says.
Although the details of compliance will vary, the overall culture of the company is the key to a successful data protection program, according to Clark.
“The most important requirements are that you develop a framework that makes sense for your organization and foster a culture where privacy and security are serious matters,” Clark says.
The framework should foster a self-critical environment, an understanding that privacy and security are business imperatives, and recognition that feedback and engagement in the process are important, she adds.
“Of course, the details are what will be used to measure your compliance, so they are no small matter,” Clark says. “But without the right framework and culture, you won’t know what details apply, and people may disregard them even if they do.”