California is ready to adopt new legislation regulating the management of credit card data by retail merchants. The legislature has passed Assembly Bill (AB) 779, the so-called Consumer Data Protection Act, and submitted it to the governor for signature. Proponents believe Governor Schwarzenegger will sign the legislation. [Update: He vetoed the bill. But this discussion is still relevant to those thinking about how data security law should and should not be written.]
Similar to Minnesota's HF 1758, AB 779 contemplates that a merchant will reimburse credit card issuers for costs they incur replacing cards after the merchant suffers a data security breach.
Under Minnesota's HF 1758, the reimbursement requirement only applies if the merchant commits the "transgression" of storing card security data or full magnetic stripe data longer than 48 hours after transactions are authorized.
Compare California’s AB 779. Under 779, the merchant can be excused from the reimbursement requirement if the merchant avoids certain "transgressions" such as storing full track data, storing payment verification codes, transmitting unencrypted payment data over the Internet and storing payment information without a proper data retention policy.
Hence, HF 1758 and AB 779 are similar in the way they impose liability. Both laws effectively say a merchant that suffers a data breach must reimburse card issuer costs if the merchant has committed any of the identified transgressions. Further, both laws require reimbursement even if the breach is unrelated to the transgressions.
In other words, this is what the literal words of the Minnesota and California legislatures seem to mean: If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur.
Analysis: This scheme for imposing liability does not seem fair or rational. It requires perfection. Few organizations can be perfect in avoiding the data security transgressions identified by the legislatures. But many organizations might do a reasonably good job of avoiding those transagressions. Yet the legislatures offer no reward for being reasonably good. They only reward perfection.
Computer Crime Evidence
Data Security at Risk
Sophisticated hackers use so-called anti-forensics tools to make break-ins harder to detect and harder to trace once they are detected. The tools wipe out data, change timestamps, misdirect audit trails and scramble network logs so no one can prove what happened or when. Observers have
speculated that anti-forensic tools helped the crooks who stole credit card data from TJX Companies.
In principle, a hacker's goal in using an anti-forensics tool is to avoid prosecution. Yet the outcome of a criminal case against the hacker may ironically be different from what he had in mind. If a hacker is caught using anti-forensics tools, it will be easier to prosecute him and impose stiff punishment. The use of such tools can, in itself, be evidence of his sinister intent.
Similarly, if a government official were to use anti-forensics tools to hide a misallocation of funds, his misdeed may appear more to be a crime and less a mere clerical mistake.
Historically prosecution of hackers has sometimes been hard if they did not clearly steal anything. The hackers garnered some sympathy by saying they were just snooping around and not trying to harm anyone. But if a hacker uses anti-forensics tools, any sympathy will evaporate. Use of the tools can show he was trying to cover his tracks.
The CSI Working Group on Web Security Research Law, Inaugural Report, June 11, 2007, suggests a key factor in a computer crime prosecution is whether the defendant tried to hide. It cites the computer crime prosecution of Eric McCarthy, who arguably was just an innocent researcher who found a vulnerability in a USC server. But instead of reporting his finding in a responsible way, he disclosed the vulnerability in a pseudonymous e-mail to the press. His effort to hide his identity contributed to the conclusion that he was guilty.
Electronic Data Forensics Meets Traffic Tickets
Subpoena for Cell Phone Text & Call History Records
Engadget reports that a motorist successfully stymied a drunk driving prosecution by demanding to see the source code for the breathalyzer used to determine he was drunk. This story is a specific example of a big phenomenon in our legal system, caused by technology.
Information technology begets ever-growing oceans of records (e-mail, text, SMS, cell phone, instant message, video/audio, meta data and more). Records are irresistible to a legal or automobile-insurance investigation. Any investigation naturally wants to delve into all the relevant records. The relevant records in a drunk driving case include even the source code of the breathalyzer used to determine the driver was drunk.
Investigations More Difficult
Net result: legal investigations and prosecutions grow ever more expensive and difficult to close. In any controversy, there are always more records to uncover, inspect and argue about. If you want to gum-up an investigation -- or legitimately shift its focus -- just subpoena or demand access to more relevant records. (But of course, any subpoena or other document demand should be rational and relevant to the investigation. A subpoena is a legal demand that someone turn over information or evidence. Commonly the laws of litigation enable a party to subpoena others for records. If a party abuses the power to subpoena, by demanding irrelevant records or by issuing a demand with no regard for the cost of compliance, a court may sanction the issuer of the subpoena.) Or employ computer forensics to search for all the deleted records or to find hidden connections among records.
Or, to further impede prosecutors, a defendant can allege that any incriminating electronic records are false because they were created by hacker or a virus. Such an allegation calls for deep forensic investigation. An Alabama CPA successfully employed the "virus defense" when tried for criminal tax evasion. Eugene Pitts persuaded a jury that the reason his tax returns were inaccurate this that a virus had infected his computer and the virus caused his tax preparation software to malfunction!
In corporate lawsuits, e-mail records are so voluminous, and the e-discovery of them so expensive, that e-discovery becomes a litigation weapon in and of itself, where one party bullies another into settling just so it can avoid the costs of digging through mountains of e-mail. See, Chris Mondics, "Ediscovery profoundly changing lawyering: But some say rules for e-mail and other digital data don't serve justice," Philadelphia Inquirer, June 8, 2008.
To quote CSO Magazine: "Fraud investigators are struggling to cope with vast quantities of data sent to them by financial institutions, meaning some crimes may go uninvestigated or even unnoticed."
Update: When parents of girls with eating disorders sued a health insurer, the insurer demanded e-discovery access to the girls' massive blog, e-mail, social-networking and text message records (OMG!). The insurer said it was entitled to examine these records to ascertain whether the disorders were biological or psychological.
Please turn to my other post on e-discovery, in which I argue firms can employ technology creatively to transform e-records from a liability to an asset.
--Benjamin Wright, instructor at SANS Institute, teaching eDiscovery and eInvestigations Law.
When Has Privacy of Credit Card or Social Security Numbers been Compromised?
Security Incident Response and Information Protection Law
Many states now have data breach notification laws modeled on or inspired by California's SB 1386. Usually, under 1386, an enterprise holding private information (name plus social security number, driver’s license number or financial account number + password) in electronic form about a California resident must promptly notify the resident if the enterprise suspects a breach in security.
In all these data notification laws, a key issue is the definition of what constitutes a breach of data security. Just because a hacker accesses data related to a credit card account does not mean that the account has in fact been compromised (or, in the alternative, that the data has been compromised in any meaningful way). The credit card system features many layers of security beyond simply the purported confidentiality of a person's name + credit card number + card security code.
Thus a corporation holding data might detect that a hacker accessed card data, but still conclude (based on other controls in the industry) that none of the card data in question had in fact been "compromised". The other controls I speak of can include monitoring of card activity, telephoning cardholders to confirm transactions and much more.
Confusing and Unnecessary Notices
|To send unnecessary breach |
notice is unethical.
When the public hears too many announcements that data has been "BREACHED," it becomes like the villagers who grew insensitive to the boy's cries of "WOLF". For that reason, I argue enterprises are legally and ethically justified to expect that a reasonably high threshold be crossed before they send out notices of a "data security breach."
I published most of the foregoing in 2007 and 2008. Fortunately, in 2013 a leading authority has reviewed this issue carefully and instituted reform. The U.S. Department of Health and Human Services now says that a breach notice is required only after a sophisticated risk assessment has determined a notice is justified. See my analysis of HHS's new regulation on data security breach notice.
Attorney Wright teaches the law of data security and investigations at the SANS Institute.
Update July 2008: Anton Chuvakin makes an interesting observation. If dataholders maintain good system logs, then in the event of a security breach they can examine the logs carefull to determine with precision which particular data files (if any) were compromised. That would allow them to notify only the people affected, rather then everyone on whom they hold data.
For more on this topic, see my other article on data security breach.
Update Summer 2008: See my analysis of a breach notification where data on stolen laptop are encrypted, and my examination of the definition of "private" data.
(Reminder: Nothing I publish is legal advice to anyone and not a substitute for advice from a lawyer.)