Originally published October 4, 2005
Executives of financial services firms, as well as consumers, are painfully aware of well-publicized security breaches over the past several months. Driven in large part by disclosures made to consumers in the wake of passage of a California law, the national and trade media have made these breaches front page news. The press, and now the regulators, remind us that the risks of identity theft abound. Advocating that Congress legislate greater consumer protections, including requiring companies to notify consumers of security breaches, the FTC told the Senate Commerce Committee this summer that its 2003 survey on identity theft estimated that 10 million consumers were victims that year, costing businesses $48 billion in losses, with an additional $5 billion in consumer losses and an average of 30 hours per victim to correct their records. Recent data put the figures significantly higher.
Promises of security made to customers will be enforced by regulators. Just last week, a mortgage company settled data security charges brought by the FTC by agreeing to an onerous consent judgment, including FTC oversight for 20 years and independent audits and monitoring of its security programs for ten years, among other conditions. Superior Mortgage Corporation, a lender with 40 branch offices in 10 states and with numerous web sites, announced on September 28, 2005, that it entered into a consent judgment regarding the FTC’s allegations that it violated the FTC’s Safeguards Rule under Gramm-Leach-Bliley by failing to provide reasonable security for sensitive customer data, failing to institute appropriate password policies, and falsely claiming that it encrypted data submitted online. The FTC alleged that Superior’s web site claimed that it encrypted customer information using secure socket layer ("SSL") technology, but the information was in fact only encrypted while in transmission from the customer to the server; once it reached the server, it was emailed in unencrypted form to Superior’s headquarters and branch offices in clear, readable text.
Clients ask how they can comply with regulations and how they can prevent security breaches. While best practices should protect customer data by including physical, technical and administrative safeguards, and data security policies should keep pace with technology changes and commonly-known threats, the real answer is that no one is immune. It is best to be prepared for a breach as a likely eventuality, by having an electronic intrusion action plan and response team in place. Your security breach response and customer notification procedures must comply with applicable federal and state laws and must make sense to enable your organization to respond to any breach in a timely manner.
It is a common misconception that security breaches are primarily caused by sophisticated hackers. While it is true that thieves are ever more adept at breaking into systems protected against commonly-known threats, many breaches result from more traditional "social engineering," which exploits the weakest link in security: humans. Your organization’s security professionals must keep up in the "arms race" of virus prevention and intrusion safeguards. However, an emphasis from the top down on information security as a good business practice and as important to compliance and risk mitigation is also critical. Education and training are the cornerstone of any information security program, and employees’ performance evaluations should include how well they train people within the enterprise to understand the importance of the information and to protect it.
Would employees recognize these examples of social engineering?
- In a global enterprise, a last-minute call from a far-flung office requesting data urgently, potentially under the guise of "our email is down in this office and my boss needs this information right away or I’ll get fired – please send it to his personal email account."
- A call from an irate "customer" needing access to his account information during an audit.
Regulators do not expect financial institutions to be impenetrable. However, a strong compliance program on data security and security breach response will go far in demonstrating an organization’s good faith efforts to protect customers’ sensitive information and to keep customers informed if the worst occurs.
The Current Patchwork of Legislation
On the federal level, the Gramm Leach Bliley Act’s Safeguards Rule requires financial institutions to maintain a comprehensive written information security program designed by the directors and senior management with specified objectives tailored to the size and complexity of the business, to conduct a reasonable risk assessment, to manage and control risk, to monitor service providers, to conduct testing, training and to use encryption and monitoring where appropriate.
In addition, in late March, federal banking regulators issued interagency guidance for banks on response programs for unauthorized access to customer information (the "Guidance"). See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Consumer Notice, 70 Fed. Reg. 15,736-54 (March 29, 2005). The Guidance, among other things, requires notice to be sent to customers whose sensitive information has been compromised if unauthorized use of that information is "reasonably possible." "Sensitive customer information" is defined as a retail customer’s (business customers are excluded) name, address or telephone number, in conjunction with a social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account. The regulators do not give guidance on what "reasonably possible" means, but if substantial harm or inconvenience is likely to result from misuse of sensitive information, notice should be sent. In deciding whether to notify customers, financial institutions need to consider all the facts, weighing the two sometimes competing goals regulators emphasize: addressing a genuine risk of identity theft versus flooding consumers with "false positive" notices so that all such notices are rendered meaningless.
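The definition above is the first test an incident response team applies during breach triage: did the exposed fields amount to "sensitive customer information" at all, and if so, is unauthorized use reasonably possible? The following helper, added here as an illustration and not part of the original alert or of any regulator's tooling, encodes that two-step decision. Field names, the list of access-granting combinations and the sample records are constructed for the example; the conservative handling of fields investigators could not rule out follows the alert's later point that the team must know how confident it is about what was and was not accessed.

```python
# Added example (not from the original alert): breach-triage check that applies the
# Guidance's definition of "sensitive customer information" to the fields an
# investigation found exposed. Field names below are constructed labels.

# Identifying elements: name, address or telephone number.
IDENTIFIERS = {"name", "address", "telephone"}

# Elements that make an identifier "sensitive" when exposed together with it.
SENSITIVE_ELEMENTS = {
    "ssn", "drivers_license", "account_number", "card_number", "pin", "password",
}

# Constructed examples of "any combination of components ... that would allow
# someone to log onto or access the customer's account". Extend per institution.
ACCESS_COMBINATIONS = [
    {"username", "password"},
    {"account_number", "pin"},
    {"card_number", "pin"},
]


def is_sensitive_customer_information(exposed_fields, customer_type="retail"):
    """Return True if the exposed field set meets the Guidance definition.

    exposed_fields: iterable of field labels found (or not ruled out) as accessed.
    customer_type:  "retail" or "business"; the definition covers retail only.
    """
    if customer_type != "retail":
        return False
    fields = set(exposed_fields)
    # Identifier in conjunction with a sensitive element.
    if fields & IDENTIFIERS and fields & SENSITIVE_ELEMENTS:
        return True
    # Or any combination that by itself grants account access.
    return any(combo <= fields for combo in ACCESS_COMBINATIONS)


def notice_decision(confirmed, unconfirmed, customer_type, misuse_reasonably_possible):
    """Decide whether customer notice is warranted for one exposed record set.

    confirmed:   fields investigators confirmed were accessed.
    unconfirmed: fields investigators could not rule out; treated as exposed,
                 because uncertainty about what was taken does not reduce risk.
    misuse_reasonably_possible: the team's assessment of the "reasonably possible"
                 standard, which the regulators leave to judgment.
    Returns one of: "notify", "no notice: not sensitive",
                    "no notice: misuse not reasonably possible".
    """
    exposed = set(confirmed) | set(unconfirmed)
    if not is_sensitive_customer_information(exposed, customer_type):
        return "no notice: not sensitive"
    if not misuse_reasonably_possible:
        return "no notice: misuse not reasonably possible"
    return "notify"


def triage(incident):
    """Run notice_decision over a constructed list of exposed record sets."""
    return {rec["label"]: notice_decision(rec["confirmed"], rec["unconfirmed"],
                                          rec["customer_type"], rec["misuse"])
            for rec in incident}


# Constructed sample incident: three record sets from one hypothetical compromise.
SAMPLE_INCIDENT = [
    # Names plus SSNs confirmed taken; misuse judged reasonably possible.
    {"label": "loan_applications", "confirmed": {"name", "ssn"}, "unconfirmed": set(),
     "customer_type": "retail", "misuse": True},
    # Only mailing list data: identifiers without any sensitive element.
    {"label": "newsletter", "confirmed": {"name", "address"}, "unconfirmed": set(),
     "customer_type": "retail", "misuse": True},
    # Account numbers confirmed, PINs could not be ruled out: access combination.
    {"label": "online_banking", "confirmed": {"account_number"}, "unconfirmed": {"pin"},
     "customer_type": "retail", "misuse": True},
]

if __name__ == "__main__":
    for label, decision in triage(SAMPLE_INCIDENT).items():
        print(f"{label}: {decision}")
```

The decision function deliberately keeps the "reasonably possible" judgment as an input rather than computing it, because the Guidance leaves that call to the institution's weighing of the facts; the code only makes the definitional part of the decision repeatable and auditable.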
While financial institutions are encouraged to adopt a risk-based approach to the Guidance, they need to ensure that service providers are required by contract to notify the institution of potential compromises of sensitive customer information. Banks and financial institutions subject to the Guidance must adopt a customer response program as soon as possible, but the regulators have said that they will take into account the good faith efforts of banks to adopt the changes recommended by the Guidance.
California started the wave of state legislation in the area of data security when it passed its breach notification law in 2002. Twenty states have now enacted legislation requiring persons and entities maintaining an electronic database containing certain personal information to notify those people when the database’s security has been breached. Most states have patterned their data breach notice laws on California’s statute. Most of the laws govern the improper release of similar types of information and permit notice to affected consumers to be completed in a number of similar ways. However, noteworthy differences exist in three areas: (1) whether notice is required for any breach involving covered information or only where there is a likelihood of identity theft or other harm to the consumer; (2) whether the law creates a private right of action or is enforceable only by the state attorney general or other governmental personnel; and (3) the penalties for violations of the new law. California’s Office of Privacy Protection also published guidance for best practices in data security breach policies and for notifying consumers of a security breach. Tellingly, California’s position is that notice "in the most expedient time possible and without unreasonable delay" means 10 business days.
As a result of the rapidly expanding patchwork of state data breach notice laws and highly publicized security breaches earlier this year, Congress is considering at least thirteen bills requiring consumer notice of security breaches. Some of these bills would preempt the new state laws while others would retain those state laws affording consumers greater protection than under the proposed federal standard. While interest in security breach legislation was high earlier this year, other priorities, including hurricane relief, may result in no bill passing Congress this year.
So, how to comply? In deciding whether and how to give notice of a breach, compliance with the current patchwork of laws requires a practical approach, applying the governing regulations to the scope of the problem.
Be Prepared for a Breach
All financial institutions should have an incident response team and a customer response program in place. The team should include representatives from Security, Information Technology, Legal, Senior Management, Operations, Customer Relations and Communications. The customer response program’s elements should include the items recommended in the Guidance, but first and foremost, should plan how to:
- Assess the nature and the scope of the incident;
- Take appropriate steps to contain and control the incident, while preserving records and evidence;
- Provide notice to the primary federal and state regulator as soon as possible;
- Provide customer notice, when warranted;
- Notify law enforcement or appropriate investigators; and
- File Suspicious Activity Reports when required.
The team should monitor the information security program for risks appropriate to the institution’s size and complexity, and should evaluate contracts with service providers, as well as policies for background checks on employees and temporary workers with access to sensitive data. In the event of a breach, contractual obligations with service providers should provide that the vendor must notify the financial institution, cooperate and provide access to hardware, software or data needed to assess and control the incident.
When A Breach Occurs
If a financial institution or a service provider suspects that sensitive information about customers may have been compromised:
Activate the response team. The team should be ready to meet and discuss immediate action, bringing in all necessary people to assess the scope of the problem. It is important to have internal or external legal counsel assist in handling the investigation and customer notification, if it is necessary, to protect to the greatest extent possible under the attorney-client privilege the investigation of the breach and discussions about response options.
Stop the bleeding! Secure all systems and information as soon as possible, if necessary, by shutting down access to servers. Protecting the systems and the customers’ personal data is task number one. Discussions with law enforcement may involve a need for the attack to continue for some period or in some manner to improve the chances of catching the thief or preserving evidence, and if law enforcement instructs that notice to customers would impede their investigation, those considerations must be weighed against possible exposure.
Notify law enforcement/regulators. Financial institutions must notify regulators as soon as possible after becoming aware of an incident of unauthorized use of or access to sensitive customer information. In addition, after consulting with legal counsel, the team should notify the appropriate law enforcement agency, usually the FBI or the U.S. Secret Service, which have the resources and experience to investigate these crimes for prosecutors. If card data is involved, the organization must also notify the card associations.
Investigate. It is important to conduct a reasonable investigation of the circumstances surrounding the compromise. The investigation will vary, depending on the circumstances and the financial institution’s involvement. The operating rules of the card associations may require hiring an independent company to conduct the investigation if the breach involves debit or credit card data under the entity’s control. The investigation, among other things, should identify any weaknesses in the relevant systems and what needs to be done to remedy them. (Remember that the investigation should be conducted under the auspices of counsel and maintained as privileged when possible.) It is important to determine what fields of data were accessed (and how confident investigators are about what was and was not accessed), and whether names of the customers, or other identifying information, were obtained along with account numbers. Answers derived from the investigation should help determine whether unauthorized use of that information is reasonably possible.
Notify affected customers. If unauthorized use is possible or has already occurred, a financial institution should notify the affected customers as soon as possible. We advise that you notify by "snail mail" letter rather than electronically, due to the risk of imposters or other "phishing" thieves communicating by email, but following up with telephone calls is also prudent. The content of the notice is specified in the Guidance, but it should be consistent with the entity’s security notification policy. The entity needs to look at the applicable state laws to decide if the notice should contain other items. In addition to describing the incident in general terms, as well as what the institution has done to protect the information, some banks have provided free identity theft protection or credit watch services to customers, but that varies by the volume of affected customers and the severity of the risk and is not required by the Guidance. Notices should encourage consumers to file a police report, to report promptly any identity theft incidents, to review all account statements carefully and to remain vigilant for 12-24 months. Telephone numbers and web site addresses for assistance must also be provided.
Finally, other response items particular to your entity should be considered. Financial institutions should review contracts with service providers or partners involved in the breach to evaluate potential liability issues and determine the parties’ respective obligations. Notify applicable insurers, audit committee members and outside auditors. Public companies may have securities law disclosures that need to be made, depending on the materiality of the breach. Suspicious Activity Reports may need to be filed on the incident.
To be better prepared, formulate the action plan in advance, including examining the current security notification policy. Evaluate whether agreements with vendors and partners are sufficient to enable prompt investigation and to access needed information to assist investigators. Finally, the response team should establish a method of regular communication to monitor the implementation of the response to an incident.
Be Prepared
The best designed compliance plans must have buy-in throughout the enterprise, to ensure that the business owners’ concerns are addressed. Current discussion of data security between financial institutions and their customers is centered around the level of security customers demand and are promised, but also around practical issues, such as ensuring customers’ ready access to their information. Certain institutions are offering greater security for their best customers. In response to the increase in "phishing" attacks using false emails to customers, Wachovia announced on September 5, 2005, that it will no longer use email to discuss account information with its customers, and will now only communicate through a secure online message center. Others have announced issuance of a secure ID token for large customers.
The bottom line from law enforcement is that hackers now focus their time on attacks that net money. The days of attacks for disruption purposes are waning, and protecting information from compromise is the imperative. Regulators are not the enemy, but will take enforcement action when institutions fail at good faith compliance efforts or breach promises to customers. Reasonable anticipation of risks, strong data security protection programs, education and training and a solid customer notification plan are all part of what financial institutions must do to mitigate risk and be in legal compliance. Using the security of customers’ information as a strength of the organization is a smart business practice.
Principal authors of this issue of the Alert are Lynne B. Barr and Deborah S. Birnbach.
Goodwin Procter LLP is one of the nation's leading law firms, with a team of 700 attorneys and offices in Boston, Los Angeles, New York, San Diego, San Francisco and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.
This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2005 Goodwin Procter LLP. All rights reserved.