43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide. The data breach, discovered in 2014, resulted in access to over 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were used fraudulently.

In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), highlighting the interest and monitoring by State Attorneys General on companies’ data security programs and steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to take steps to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer time period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Experian data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!

As data breaches have continued to grow over the past few years, interest in cyber insurance coverage has grown along with it. This week, the Fourth Circuit upheld a lower court’s ruling in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, finding that a commercial general liability (CGL) insurance policy covered the cost to defend claims regarding a data breach.

In an unpublished opinion, a panel of the Fourth Circuit affirmed the Virginia District Court’s August 2014 decision that Travelers Indemnity Co. was obligated to defend Portal Healthcare Solutions in a class action lawsuit pending in New York state court.  The underlying class action alleged that Portal failed to secure a server containing confidential records of patients at a New York hospital, leaving the records available to view online for more than four months without a password.  Two patients discovered their records online following an internet search, but there was no evidence that any third parties viewed the information.

In looking at the four corners of the complaint and the underlying CGL insurance policy, the Fourth Circuit agreed that the mere availability of the private medical information online constituted “publication” under the CGL policy’s provision providing coverage for “electronic publication” of material regarding a person’s private life, thereby triggering the duty to defend.

Although the decision is favorable to policyholders, there are a number of important caveats.  For instance, insurance policy language can vary substantially between carriers, and the unpublished decision is not binding on other courts.  Notably, the decision contrasts a 2015 holding by the Connecticut Supreme Court finding that a CGL policy did not cover a loss of computer tapes containing employee personal information when there was no evidence of personal loss, no evidence that any third party ever accessed the information, and thus no “publication” of the information as required by the CGL policy.

In recent years, it has become increasingly difficult for policyholders to secure coverage for data breaches under CGL policies given the continuing trend of “electronic data” exclusions.  Moreover, CGL policies often contain express language clarifying that electronic data does not qualify as “tangible property,” a prerequisite for a finding of “property damage” under such policies.

Given that these policy limitations are becoming more prevalent, companies hoping to have coverage in the event of a data breach should evaluate whether their current policy appropriately covers cyber and data breach risks, or whether they may need to obtain a separate cyber liability policy specifically tailored to cover such risks.

Last week, the Washington Governor signed into law amendments to the state’s data breach notification statute. Importantly, the amendments, which take effect July 24, 2015, (1) expand the statute to cover breaches of non-computerized data; (2) mandate that businesses notify the Washington Attorney General of a breach affecting more than 500 Washington residents; and (3) require that notification to consumers and to the Attorney General occur no later than 45 days after the date of discovery of the breach. The amendments were requested by Washington Attorney General Bob Ferguson.

Washington now joins only a handful of states whose breach notification statutes require notice of a breach of non-computerized data containing consumer personal information. The amendments clarify, however, that notice is only required – both for computerized and non-computerized data – if the breach is reasonably likely to subject consumers to a risk of harm. Risk of harm is assumed, though, if the data is not secured, or if the means to decipher the secured information (e.g., the encryption key) is also compromised. “Secured” is defined as “encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable.”

In addition to mandating that notification occur within 45 days of discovery of a breach, the amendments prescribe the content of the notice to both consumers and the Attorney General (if more than 500 Washington residents are affected). Specifically, the consumer notice must be written in plain language and include (1) the business’s name and contact information, (2) a list of the types of personal information reasonably believed to have been the subject of the breach, and (3) the toll-free telephone numbers and addresses of the major credit reporting agencies. The notice to the Attorney General must include the number of Washington residents affected and a sample copy of the consumer notice, provided electronically.

Despite pending federal legislation, which contains broad federal preemption provisions, state legislatures, often at the request of the Attorney General, are strengthening existing notification requirements, likely in response to the several high-profile breaches that have occurred over the last few years, to attempt to safeguard consumer personal information and prevent identity theft. We continue to track such legislation in several states, including Indiana and New Jersey, as well as the goals of state attorneys general, such as those in New York and Oregon requesting such legislation.

Last Friday, Florida enacted a new Information Security Act that repeals the state’s existing data breach notification law and increases companies’ reporting obligations and liability in the event of a data security breach. The new law takes effect July 1, 2014. Likely in response to the recent high-profile breaches, several states have introduced legislation to strengthen existing data security laws, and it is important for companies to monitor these developments and assess and revise information security policies, as necessary.

The new law will require regulator notice (written notice to the Department of Legal Affairs) if more than 500 Florida residents are affected by a breach, as well as if a company reasonably determines that notice is not required because the breach has not resulted, and will not likely result, in identity theft or other financial harm. Additionally, the new law specifies the content that must be included in both the consumer and regulator notice; imposes a 30-day timeframe for covered entities to provide such notice; and revises the definition of personal information to include medical and health insurance information and an individual’s user name or email address in combination with the required password or security question and answer. Furthermore, the law requires that third-party agents notify a company of a breach of security within 10 days, and, although the third-party agent may provide the required notice, the company is ultimately responsible for any failure by the agent to provide proper notice.

Importantly, the new law codified the Act within Florida’s Deceptive and Unfair Trade Practices Act, and specifies that a violation of the Information Security Act constitutes an unfair or deceptive trade practice. Under the DUTPA, the Attorney General may bring actions for a declaratory judgment, injunction, or actual damages. These remedies are in addition to the civil penalties the Department may assess, up to $500,000, for failure to comply with the consumer and regulator notice requirements.

On June 2, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing examining threats posed to data security and the much publicized data breaches at Sony and Epsilon. The hearing, “Sony and Epsilon: Lessons for Data Security Legislation” focused on the recent Epsilon and Sony data breaches and the need for comprehensive federal data security and data breach notification legislation. The representatives and witnesses discussed the delays in Sony’s notification, the extent of the breaches, and the prospects for federal legislation.

The hearing is part of a comprehensive review of data security and electronic privacy initiated by the House Energy and Commerce Committee that was announced on June 1, 2011. According to the Committee press release, the first phase of the Committee’s review will focus on online data security and data theft prevention, followed later in the year by a focus on broader electronic privacy concerns.

At the hearing, Rep. Bono Mack called for a “uniform national standard” for data security and data breach notification, announcing her intent to introduce legislation. The hearing built on the growing record in Congress supporting data security and data breach notification legislation that could ultimately supersede the current patchwork of state laws. Click here to read more about the hearing.