Category Archives: Regulatory

Court Says Posting PII Online is Cool — First Amendment Cool

I’m going to have to apologize in advance for the extreme use of ellipses here. I’m frankly confused as can be over this blog post, and the result is aggressive punctuation.

In what seems to be one of the most ridiculous situations we’ve read about recently, the Richmond Times reports that a U.S. District Court judge has ruled that a woman posting Social Security numbers of government workers online was, well… *cough*… *pains me to type this*…protected by the First Amendment. Yes… posting PII online is protected by the First Amendment. The judge ordered the state of Virginia to halt prosecution against her for doing so. The state has appealed, and a three-judge panel is reviewing the appeal.

This is only part of the ridiculousness. This Virginia woman is essentially doing this in protest of how accessible Virginia residents’ personal information is via public records stored by various clerks around the state (mortgages, divorce decrees, etc.). Most (if not all) of the records she’s referring to are obtainable by anyone in unredacted form, online in some cases and in person in most cases. In a way, we’re rooting for her…

… but…

Isn’t a ruling like this a bit counterproductive? Having a court rule that posting PII online is protected as freedom of speech is… well… very bad for data loss! We’re not questioning the ruling, really; it may make sense. It does, however, seem (on some level)… well… really *expletive*’ing messed up.

On the one hand, you have laws being made and enforced to protect that sort of data, and on the other hand you have judges throwing around the First Amendment. Maybe, just maybe, if governments didn’t exempt themselves from these breach notification laws, we’d be in better shape! Virginia’s data breach law exempts government PII in this paragraph:

“The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.”

It seems hypocritical of the State of Virginia to go after anyone about posting PII online when the government freely does the same thing. Virginia isn’t the only state exempting themselves, either — many are. Maybe we should tabulate a list of ’em?

Share your thoughts with us on our discussion mailing list.

Written by d2d

Federal Data Breach Bill (H.R. 2221) Passes House

Yesterday, for the first time ever, a data breach notification bill actually came to a vote in the United States Congress. The House of Representatives passed H.R. 2221, the Data Accountability and Trust Act, by voice vote. This bill and others like it have been introduced many times over the past several sessions of Congress, but unlike those similar bills and this bill’s own predecessors, H.R. 2221 not only came out of committee, but was voted on and passed.

This bill is similar in nature to multiple state breach notification laws that have already been passed. Here are some highlights:

H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

  • (i) Social Security number
  • (ii) Driver’s license number or other State identification number
  • (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

Some more details include:

  • The Federal Trade Commission would be the responsible agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”, which will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

The jurisdiction point is significant. The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, or non-profits, which include colleges and universities. Those are exactly the sectors that account for a large share of reported breaches, so the carve-out is a serious limitation.

The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach. It also requires two years of quarterly credit reports provided to victims at no charge. Third parties are required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an encryption exemption (in addition to whatever exemptions the FTC will define) should the bill become law. The FTC would also be tasked with posting breaches on their website if the commission deems it in the public interest on a case-by-case basis.

There are several other interesting subtleties in this bill, and we encourage anyone interested to read the bill themselves. The law has some gaping holes, such as FTC jurisdiction, and may preempt stronger state laws. On the flip side, it would certainly add some degree of consistency for organizations experiencing breaches, and would simplify compliance as a result. It would also provide notification for consumers in states without breach notification laws. For these reasons and many more, it behooves everyone to familiarize themselves with this particular proposed legislation.

Updated (12-10-2009): See “Incidents that may have been exempt from this bill were it law at the time of the incidents.”

Finally, below is a clip of the bill being explained in the House, and subsequently passing by voice vote:

Data Breach Notification Letters

Many of our “regular” readers are keenly familiar with data breach notification letters. They’ve seen the Primary Sources Archive, or have been unfortunate enough to have the honor of receiving one, or potentially worse, have had the unfortunate honor of drafting one. Many, however, have not. Nearly every state in the United States has adopted data breach legislation, and new states continue to trickle in each year. Several federal legislative efforts are under way to blanket the nation, and one has even passed pertaining to medical data breaches. Internationally, the issue is also progressing.

Some states, like Massachusetts and Nevada, have passed laws, or are in the process of considering legislation, governing the implementation of practices to protect personally identifiable information. These requirements are bringing the issue to the people, forcing businesses small and large alike to consider their security practices, from document disposal and retention periods to data encryption and fraud prevention. While the effectiveness of these new laws is debatable, there is no question that the laws are forcing the issue to be considered, and that isn’t necessarily a bad thing.

This is where the Primary Sources Archive can really help businesses of all sizes. We have samples of thousands of data breach notification letters, issued from companies big and small to various states in compliance with law. Wondering how a breach letter should look when sent to Massachusetts? We have hundreds of samples for you — real world examples. Wondering how you should fill out the New York or North Carolina data breach notification forms? We have almost a thousand of those combined. Wondering what type of incidents people are notifying on in Maine? Peruse our collection! You can even find law firms that specialize in data breach notifications, just by browsing through and seeing which firms are doing work for which companies.

The Primary Sources Archive really is an under-tapped resource for businesses of all sizes, be it the compliance department, the legal counsel, or the small business owner. We’d like to encourage any readers to forward links to the Archive off to their privacy officers, or counsel. You’d be amazed at how useful they may find it.

Legal Sub-Project – Elvey v. TD Ameritrade

The TD Ameritrade incident of 2007 hasn’t quite been resolved — yet. While the breach may have been contained, the litigation is still ongoing. A class action suit filed in California in May of 2007 has reached a preliminary settlement, but the settlement is contested by the individual who filed the class in the first place, and the case has been through some extremely interesting twists and turns.

The case was filed in May of 2007, with a complaint that claimed that TD Ameritrade was essentially selling email addresses of clients to spammers, in violation of TD Ameritrade’s privacy policies and various laws.

A motion for a preliminary injunction kicked things into gear in July 2007, which alleged that the spam was still ongoing, and demanded that TD Ameritrade take steps to protect members of the class (TD Ameritrade customers). The fact that the incident was still ongoing at the time of the injunction was later confirmed in testimony, and it would seem from interpreting the various testimonies in the case that the breach was mitigated “on or about August 14th, 2007”.

Sometime thereafter, TD Ameritrade acknowledged that it had in fact been “hacked”, and that the hacker had access to names and email addresses. During the disclosure (via a letter to customers), TD Ameritrade also acknowledged that the database that had been breached also contained Social Security numbers, but that TD Ameritrade had no evidence that Social Security numbers had been taken. This spawned another lawsuit: Brad Zigler v. TD Ameritrade. The complaint in this new lawsuit went beyond the spam aspect, and brought into view the potential compromise of Social Security numbers as well. In December of 2007, the two cases became officially related.

In early 2008, a new judge was assigned to the case. Several months later, the two cases merged, and a request to have a settlement approved was filed by the plaintiffs (on May 30, 2008). Both sides seemed in agreement at the time. Days later, at a proceeding, that agreement appeared to have dissolved. One of the class representatives, Matthew Elvey, the individual who had originally filed the case in May 2007, opposed the settlement — even though he had signed it days prior. Mr. Elvey stated that he had been threatened, which is why he agreed to sign the settlement. His opposition claimed that the settlement was not fair, that he had been an identity theft victim as a result of the TD Ameritrade breach, and that some of the reasoning behind the decision to settle was flawed. During the same court hearing, one of the most significantly discussed “reasons” for settling was the results of an “organized misuse” analysis, which was done by a third party organization, ID Analytics. This reason was particularly opposed by Mr. Elvey.

Now, before we dig into “organized misuse”, we should first look at how one might assume a traditional investigation into a data breach would proceed. One would suppose that both during and after a breach, an organization experiencing the breach would first try to stop and contain it, try to assess what exactly occurred, and then understand what was accessible, accessed, potentially lost, and confirmed as lost. In containing the breach, one might assume an organization would act swiftly, yet carefully. In assessing the scope, one might think an organization would look to internal security systems to make determinations — network logs, system logs, audit logs, and transaction logs. An organization might also contract with a firm with forensic expertise to assist in making determinations and provide further analysis. Supposedly, this sort of analysis did occur. The “security officer” responsible at TD Ameritrade, William Edwards, gave a deposition regarding the details of the breach, which became sealed for “attorney’s eyes only”. We can’t conclude much at all from this, however. But back to the hypothetical: what if the aforementioned “expected” protocol didn’t provide sufficient information, or perhaps didn’t provide “ideal” conclusions? Or, alternatively, what if those conclusions did not give the organization the answer it wanted to hear?

Fortunately, there’s another option: a now nearly court-proven way to gain intelligence into the matter… in comes an “organized misuse” analysis. Companies, with what appears to be access to and/or partnerships with credit bureaus, can run some form of pattern analysis to determine whether or not identity theft is linked with a given organization, population, or sample. Presumably, they analyze occurrences of ID thefts in a sample, and determine whether or not the samples show a higher occurrence of ID theft than a baseline sample/population (no doubt via some fancy math and other complicated stuff.)

Where this all gets interesting is that when the TD Ameritrade incident was originally disclosed, there was no mention of Social Security numbers being affected. OSF did not include it as a data type, nor did we find any indication in any reports regarding the incident that they had been included. In the process of fighting this class action suit, however, TD Ameritrade used an outside firm to run this “organized misuse” analysis, which came back as “negative”. TD Ameritrade could have simply said that Social Security numbers were not accessible, but they didn’t, which would imply that they were indeed accessible to the intruders. Nowhere in any of the documents we reviewed did we find any denial of this, and in fact, in many instances they confirmed that “Social Security numbers were in the database”.

That statement is very different from TD Ameritrade *outright* saying that Social Security numbers were accessible. It could have been that the nature of the compromise exposed a database view, and that Social Security numbers were not accessible through that view. Had that been the case, saying that they were not accessible seems like a stronger defense than going through an expensive “organized misuse” analysis process. It would seem evident that proving there were logical or physical gates in place that separated the data, and thus made it inaccessible, would have been a less expensive and more convincing argument to make, but no actual attempt was made to refute accessibility. From that, it does not seem a far stretch to assume that the numbers were accessible.

Still, relying on “organized misuse” analytics as some sort of “proof” that a breach of Social Security numbers did not occur is a bit curious, and possibly a logical fallacy. For one, it would only be reliable at the point in time when it was concluded, and actually might only be representative of a point in time months prior, given the delay with which credit data is populated. It could never definitively conclude that a breach of identities did not occur, since it could simply be the case that the stolen identities hadn’t been sold or otherwise abused at the time of the analysis. Given the permanent nature of identities and specifically of Social Security numbers, it also does not seem implausible that an identity thief might “hold on” to their find for some duration prior to capitalizing on it, as a way of “laundering” the identities. Granted, this is speculative, but so is the presumption that since no evidence of “organized misuse” exists, Social Security numbers had not been compromised.
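To put a number on that objection, here is an added example (ours, not ID Analytics’ method, which is not described anywhere in the court documents) of the simplest form such a baseline comparison could take: a one-sided test of whether the identity-theft rate among breached customers exceeds a background rate, plus the power of that test when only part of the resulting fraud has surfaced in credit data at the time of analysis. All rates and counts below are constructed for illustration and are not figures from the TD Ameritrade case.

```python
"""Evidential weight of a "negative" organized-misuse result (added example).

Model: n breached identities are compared against a background identity-theft
rate p0.  A "negative" finding means the observed rate in the sample is not
significantly above p0.  The question is how often that test misses a real
elevation (p1 > p0) when much of the fraud has not yet been recorded.
"""
import math

Z_ALPHA_05 = 1.6448536269514722  # one-sided 95% critical value of N(0,1)


def norm_cdf(x: float) -> float:
    """Standard normal CDF via erfc (no SciPy dependency)."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def z_test_excess(k: int, n: int, p0: float):
    """One-sided z-test: H1 = rate among the n breached identities exceeds p0.

    k is the number of identity-theft reports observed in the sample.
    Returns (z, p_value); a large p_value is the "negative" result.
    """
    p_hat = k / n
    se = math.sqrt(p0 * (1.0 - p0) / n)
    z = (p_hat - p0) / se
    return z, 1.0 - norm_cdf(z)


def power(n: int, p0: float, p1: float, z_alpha: float = Z_ALPHA_05) -> float:
    """Probability the test rejects H0 when the true sample rate is p1."""
    se0 = math.sqrt(p0 * (1.0 - p0) / n)
    se1 = math.sqrt(p1 * (1.0 - p1) / n)
    critical_rate = p0 + z_alpha * se0
    return 1.0 - norm_cdf((critical_rate - p1) / se1)


def observed_rate_after_delay(p0: float, p1: float, fraction_surfaced: float) -> float:
    """Rate visible to the analyst if only a fraction of breach-driven fraud
    has been committed and reported into credit data so far (the thief may be
    sitting on the records, or bureau data may lag months behind)."""
    return p0 + fraction_surfaced * (p1 - p0)


# Constructed scenario (assumptions, not case data): 2,000 breached identities,
# a 1% background rate, and a breach that truly doubles that rate to 2%.
N, P0, P1 = 2000, 0.01, 0.02

if __name__ == "__main__":
    z, p = z_test_excess(22, N, P0)   # 22 reports seen: 1.1%, not significant
    print(f"observed 22/{N}: z={z:.2f} p={p:.3f} -> 'negative'")
    print(f"power if all fraud has surfaced: {power(N, P0, P1):.2f}")
    for frac in (0.5, 0.2, 0.1):
        p_seen = observed_rate_after_delay(P0, P1, frac)
        print(f"power if only {frac:.0%} has surfaced: {power(N, P0, p_seen):.2f}")
```

With these constructed inputs the test is almost certain to flag a doubled fraud rate once all of that fraud has been reported, but if only a fifth of it has surfaced by the time of the analysis, the same test returns “negative” roughly three times out of four. A negative result is therefore a statement about what had been observed by that date, not a demonstration that the records were never taken, which is exactly the gap the settlement argument papers over.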

Regardless, the settlement would have essentially consisted of the following:

    • TD Ameritrade would post notices 4 times in the year, for 1 week each, regarding the incident.
    • Members of the class would get a free 1 year subscription for Trend Micro Internet Security Pro (retail value $69.96). The software was to address the spam that came as a result of the disclosure of TD Ameritrade customers’ email addresses.
    • TD Ameritrade would commit to twice yearly external penetration testing.
    • TD Ameritrade would perform account seeding to detect compromise of email accounts.
    • Class members would give up their right to form another class action lawsuit, but could pursue TD Ameritrade as individuals if identity theft did occur as a result of the breach.
    • TD Ameritrade would donate $20,000 to the Honeynet Project, and $35,000 to the National Cyber Forensics and Training Alliance.
    • TD Ameritrade would cover all legal expenses of the case incurred by the class.
    • A settlement notice would be posted in USA Today.
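The “account seeding” term in that list is worth unpacking, because it is the one settlement item that is a real detection technique rather than a notice or a coupon. The idea is to plant unique mailbox addresses, used by nobody, in each copy of the customer data; any unsolicited mail that later arrives at one of them tells you that particular copy leaked. The following is an added example of ours, not code from TD Ameritrade or the settlement, and the store names, domain, secret and log lines are all constructed for illustration.

```python
"""Seeded ("canary") addresses for attributing a leaked customer list (added example).

Plant one unguessable address per data store or export.  Nobody legitimately
mails a seed except the company itself, so third-party mail to a seed is
evidence that the store it was planted in has been copied or compromised.
"""
import hashlib
import hmac
import re

SEED_DOMAIN = "example.com"            # assumption: a domain the defender controls
SEED_KEY = b"rotate-this-out-of-band"  # assumption: secret, so seeds cannot be guessed
OWN_SENDER_DOMAINS = {"example.com"}   # assumption: the company's own mailings are expected

# Matches the constructed envelope-log format used below: from=<...> to=<...>
ENVELOPE_RE = re.compile(r"from=<([^>]*)>\s+to=<([^>]*)>")


def seed_address(store: str, key: bytes = SEED_KEY) -> str:
    """Deterministic address bound to one store; HMAC keeps it unforgeable."""
    tag = hmac.new(key, store.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    return f"cust-{tag}@{SEED_DOMAIN}"


def plant_seeds(stores):
    """Return {seed_address: store} so an address maps back to its origin."""
    return {seed_address(s): s for s in stores}


def attribute_leak(seeds: dict, mail_log: str) -> dict:
    """Count third-party messages delivered to each seed, keyed by store.

    Mail from the company's own domains is ignored: the seed is a customer
    record, so statements and newsletters to it are expected, not a leak.
    """
    hits = {}
    for sender, rcpt in ENVELOPE_RE.findall(mail_log):
        rcpt = rcpt.strip().lower()
        if rcpt not in seeds:
            continue
        if sender.rsplit("@", 1)[-1].lower() in OWN_SENDER_DOMAINS:
            continue
        store = seeds[rcpt]
        hits[store] = hits.get(store, 0) + 1
    return hits


STORES = ["crm-prod", "marketing-export-2007q2", "partner-newsletter"]
SEEDS = plant_seeds(STORES)

# Constructed inbound-mail envelope lines (not real traffic). Two stock-spam
# senders hit the seed planted in the marketing export; the CRM seed only
# receives the company's own statement; the last line is not a seed at all.
SAMPLE_LOG = "\n".join([
    f"from=<winner@stockpump.invalid> to=<{seed_address('marketing-export-2007q2')}>",
    f"from=<statements@example.com> to=<{seed_address('crm-prod')}>",
    f"from=<noreply@pennystox.invalid> to=<{seed_address('marketing-export-2007q2')}>",
    "from=<alerts@stockpump.invalid> to=<real.customer@example.net>",
])

if __name__ == "__main__":
    for store, count in attribute_leak(SEEDS, SAMPLE_LOG).items():
        print(f"leak attributed to {store}: {count} unsolicited message(s)")
```

Running it attributes the spam to the marketing export alone, which is the whole value of seeding: one address per copy of the data turns “our customers are getting spam” into “the Q2 export is what leaked”. In practice the seeds should be rotated with the key, watched in a mailbox nobody reads for any other purpose, and planted in partner and vendor exports as well as internal databases.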

Elvey retained additional counsel to oppose the settlement that he and his original counsel had signed. Over the course of several months, and several court appearances, the plaintiff and the defendant seemed to “buddy up” to some degree, while Elvey continued to oppose with his new representation. Elvey had all but been discredited when, in late 2008, the Texas Attorney General jumped in on behalf of a stated nearly half a million Texans represented in the class. The Texas AG had the following to say (as summarized by the judge):

      • the proposed settlement agreement offered “no meaningful relief to the class members”;
      • the award of proposed fees to class counsel was excessive;
      • the proposed settlement failed to address the harm of identity theft adequately;
      • the proposed release was too broad;
      • The Texas Attorney General contended that the settlement was essentially worthless because the “warning” to be placed on the TD Ameritrade website would largely go unseen by consumers most vulnerable to stock spam;
      • the security measures TD Ameritrade agreed to conduct should have been conducted by “any reputable company” anyway;
      • the coupon for security software was of little value because similar software was largely available to most Internet users for free or at low cost;
      • the Texas Attorney General noted that the class members were to receive no monetary recovery while the proposed attorney fee award for class counsel was substantial: $1.87 million;
      • the proposed settlement agreement did not address adequately the potential harm to class members from identity theft;
      • the Texas Attorney General further argued that the settlement agreement should make clear that the individuals who engaged in the unauthorized access are not “Released Parties”, and that “Releasing Parties” should be amended to make clear that government entities such as the Texas Attorney General have not released any claims to relief related to this security breach;

These oppositions were strong, and spun off months of additional negotiations between the plaintiff, the defendant, and the Texas AG’s office. The revamped settlement, which won the approval of the Texas AG, was a slightly improved version. It emphasized somewhat more the risk of ID theft from the breach, and also removed or revamped some of the limits that class members would have had imposed on them for additional suits, but substantively didn’t really alter much.

What it did change was that it created a new argument for the defendant and the plaintiff: “The Texas AG signed off…”, which sealed the deal and seemed to outweigh any opposition to the settlement by Mr. Elvey. The revised settlement was “preliminarily approved”, on May 1st, 2009, bringing the class action suit a big leap forward towards conclusion.

In all, this is a fascinating case, which raises several questions: why is this “organized misuse” so convincing? What is so confidential about the deposition given by Mr. Edwards? It was sealed for several reasons, some of which seem a little far fetched. One was that it might expose the class to the risk of identity theft, and that was vaguely related to the fear that such information, if made public, would somehow entice or encourage hackers to go after TD Ameritrade. This doesn’t seem all that realistic. The firm has a million reasons to be concerned about security, but other aspects of the case suggest that this “concern” is a recent phenomenon at TD Ameritrade. For instance: how exactly is a commitment to perform “twice yearly independent vulnerability scans” a benefit to the class? Is TD Ameritrade not already required by industry standards like PCI, or better yet by its own internal security policies, to do so? Was this not point 6 of the Texas AG’s argument? And why did the Texas AG back down on several points?

And those are just the questions on one side of the coin. Why did Elvey approve the settlement in the first place? The “threats” claimed could use some additional scrutiny. Had he not signed the settlement, would things have gone much differently? Did Elvey’s “late game” claims of identity theft help or hurt his case?

We don’t yet have all the final numbers on this, as the case is still ongoing, but when we do we’ll update the incident with the final costs associated with this class action suit. The costs will be of some substance, but from the looks of it, a very small amount per record breached. We are updating the data types to include Social Security numbers, partially because of a recent article in the media on the topic, and partially due to the information gathered from the court documents. All the documents we’ve collected regarding this case are available for your perusal here.

We believe the legal outcomes and costs associated with data loss incidents are key indicators for understanding their true impact. We are in the process of starting a new legal sub-project that will be tightly integrated into DataLossDB. The project will focus on collecting information on lawsuits associated with data loss incidents. The goal is to provide more depth to the data, give us some editorial fodder, and most importantly, to get some empirical data on the legal costs of a data loss incident. If you are interested in helping to lead, shape, and ultimately maintain this project please contact

Breach Notification to 700 New Hampshire Restaurants

Per WMUR9 New Hampshire, Heartland is encouraging the New Hampshire Lodging & Restaurant Association to notify 700 restaurants regarding the breach.

The New Hampshire Lodging and Restaurant Association is one of 12 Affiliate organizations listed on the heartland payment systems website. The others are:

These are not the only states affected, but it seems likely that the states of these affiliate organizations will be.

Posted by d2d