A recent consumer protection action by Massachusetts Attorney General Martha Coakley against a Boston area pub and restaurant chain victimized by credit card hackers provides a road map for what the liability landscape could look like in future data breach litigation.
In late March, the AG’s Office announced that it had reached a consent judgment with Briar Group, LLC to pay $110,000 in civil fines over a data breach that occurred in 2009.
Coakley accused Briar Group of unfair and deceptive trade practices under G.L.c. 93A, §2 for failing to take reasonable steps to secure the company’s computer system from data thieves, thus exposing credit card and other personal information accumulated from patrons for nearly eight months, according to a complaint filed in Superior Court.
The AG cited in part the company’s purported failure to comply with Payment Card Industry Data Security Standards (PCI DSS), a set of rules promulgated by the credit card industry, as contributing to the breach.
Attorneys in the data privacy arena say that although the suit didn’t result in any new case law and the breach took place prior to the enactment of Massachusetts’ robust new data security laws, the action is important because of how unusual it is for a government authority to hold a company liable under Chapter 93A for not meeting a private contractual standard.
“This is a warning shot and the message is: get your privacy and security house in order,” said Cynthia J. Larose, of Mintz, Levin, Cohn, Ferris, Glovsky & Popeo in Boston.
Briar Group’s agreement with the AG to comply with PCI DSS from now on “absolutely sets a baseline” for companies who may one day face similar litigation, she said.
Mark E. Schreiber, chairman of the privacy and data protection group at Edwards, Angell, Palmer & Dodge in Boston, said the AG’s requirement that Briar Group adhere to tough industry rules has “broad and significant implications of all sorts.”
Most importantly, he said, it suggests the posture the AG is likely to take in future enforcement actions, which may very well result in PCI DSS compliance becoming the new de facto legal standard in breach liability suits.
Indeed, earlier this month Coakley put Sony Network Entertainment on notice that it must provide appropriate legal notification to thousands of Massachusetts consumers who may have been affected by a data breach in April that exposed the credit card information, birth dates, passwords, addresses and phone numbers of an estimated 100 million Sony PlayStation Network users. At a recent Boston Bar Association talk, Coakley told lawyers that data privacy enforcement is a top priority of the AG’s Office.
Schreiber said that what is particularly troublesome for lawyers is the tension that appears to be developing between state regulations and PCI DSS rules.
“Compliance with one is not compliance with the other,” he said. “Are there two sets of standards?”
‘Extraordinarily demanding’
Because of the extensive and technical nature of the PCI DSS, Schreiber said meeting the rigorous 12-part standard is a serious and costly undertaking.
“PCI DSS is a very complex and difficult set of rules for merchants to fully comply with,” he said. “It’s extraordinarily demanding even on the largest merchants in the country.”
To comply, merchants must protect all stored credit card data with secure network systems and applications, firewalls, data encryption and unique passwords, and must regularly test and update these measures. Companies must also establish written policies that limit and track who has access to such data internally.
Even if companies can afford to devote the time, money and expertise needed to ensure compliance, Schreiber said the rules are frequently refined to keep up with innovative data thieves, making it tough to set procedures to follow.
“The bar is getting constantly raised,” he said.
Although the standards provide some flexibility to account for differing business sizes, smaller merchants are still likely to have trouble because true PCI DSS compliance requires an interdisciplinary team of information technology specialists, financial executives and management, as well as in-house and even outside counsel, Schreiber said.
Different standards
Not everyone expects the standards to become mandatory.
Peter M. Lefkowitz, legal and chief privacy officer at Oracle Corporation, does not foresee PCI DSS becoming the legal standard because it covers different ground than the state regulations.
While the regulations are broadly written to safeguard personal data generally, the PCI DSS rules focus solely on credit card information for member merchants.
“I think both the state AG and PCI are going to hold companies to the standards they set themselves out to hold,” said Lefkowitz, a founding co-chairman of the Boston Bar Association’s Privacy Law Committee. “I don’t think we could take that to mean that this is going to morph into state AGs giving this the imprimatur of law.”
But others say PCI DSS compliance is simply the cost of doing business if you’re going to offer customers the option of using credit cards.
“I don’t think it’s unfair at all — they signed a contract,” said Larose, who chairs Mintz Levin’s information management and security practice. “These standards are pretty explicit.”
She said that having a two-pronged approach to enforcement makes sense because state data privacy laws typically lag anywhere from five to 10 years behind the hackers’ technology.
Further, said David J. Goldstone of Goodwin Procter, given the stiff penalties credit card companies, issuing banks and merchant banks can impose on businesses that don’t abide by the PCI DSS, they face “significant exposure” regardless of whether the AG treats it as part of the law.
Benchmark for insurers
In the last five years, the PCI DSS has become an important benchmark for insurers who offer cyber-risk or media policies to cover the cost of breach notifications and other expenses, including lawyers’ fees for inquiries and defense.
Underwriting questionnaires are now very carefully tied to a business’s practices and compliance level with both industry rules and state regulations.
Companies who fall short in these areas could get “a rude awakening” when they see the cost of coverage or learn they cannot get covered at all, Larose said.
Further complicating the terrain are a host of pending measures in D.C. on consumer privacy issues, including a draft bill sponsored by Sens. John F. Kerry and John S. McCain and preliminary staff reports put out last December by both the Federal Trade Commission and the U.S. Commerce Department.
The Kerry-McCain Commercial Privacy Bill of Rights Act of 2011 would give the FTC authority to establish rules governing how companies may use, handle, store and disclose the personal information, including credit card data, they seek to obtain in transactions with consumers. The broadly written bill would require companies to collect only the minimal amount of data necessary, to implement data security measures and to give consumers the choice to “opt out” of having their information used or stored in a particular way.
The bill puts privacy enforcement in the hands of the FTC and state attorneys general, and would sharply limit the ability of consumers to bring a private right of action.
Acknowledging that businesses have not done enough to protect consumer privacy through self-regulation, the FTC’s “Privacy Framework” report recommends many of the practices in the Kerry-McCain bill, as well as a “do not track” provision that would curtail businesses from monitoring and selling consumer Internet activities to advertisers or other third parties.
The U.S. Commerce Department’s report proposes a privacy bill of rights, a federal data breach notification standard and an update of the Electronic Communications Privacy Act, 18 U.S.C. §2510, to ensure it remains relevant as technology changes.