
Monday, October 19, 2009

FTC Modifies ChoicePoint Consent Order and Imposes Stricter Compliance

By Mehmet Munur

The Federal Trade Commission announced today that it had entered into a modified consent agreement with ChoicePoint due to ChoicePoint’s inability to live up to the original consent agreement entered into in 2006.

The FTC’s original consent agreement with ChoicePoint followed the compromise of 163,000 financial records and at least 800 cases of identity theft. The breach was possibly a watershed moment in data breaches and brought attention to data aggregators. ChoicePoint paid $10 million in civil fines, $5 million in consumer redress, and countless millions of dollars in forgone business opportunities, attorneys’ fees, and settlement fees for lawsuits. ChoicePoint also agreed to “establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers,” which would be subject to an audit every two years.

The FTC press release for the most recent consent order notes that ChoicePoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off.” As a result, ChoicePoint, since acquired by Reed Elsevier, compromised the personal information of approximately 13,750 individuals. ChoicePoint must now pay a fine of $275,000 and report to the FTC every two months for two years. The FTC also extended the final date by which ChoicePoint would be subject to biennial audits by two years, to 2028. The new consent order may be found here.

The FTC enforcement action reiterates the FTC’s attitude toward privacy promises. Such scrutiny by the FTC will certainly be burdensome for ChoicePoint and will require it to step up its information security operation or face even more fines and enforcement from the FTC.


Wednesday, August 19, 2009

FTC Issues Final Breach Notification Rules as Required by the Stimulus Bill

By Mehmet Munur

On August 18, the Federal Trade Commission issued the final rules on breach notification as required by the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. The rules will take effect 30 days from publication in the Federal Register. The FTC will only begin enforcement 180 days after publication of the final rules.

The final rules addressed the public comments on the proposed rules and clarified several issues: the broad scope of the rules, whether the HHS or the FTC breach notification rules apply, notifying individuals by email, notifying the FTC of breaches involving more than 500 individuals, and privacy notices.

The FTC received 129 comments related to its notice of proposed rulemaking. Google (see our previous blog post on Google Health) was noticeably absent from the list, while Microsoft (see our previous blog post on HealthVault) commented on several issues, including email notices and the use of cloud computing storage. Microsoft’s concerns related to cloud computing prompted the FTC to require that vendors of PHR and PHR related entities notify their third party service providers of their status as vendors of PHR.

The FTC adopted the definition of personal health record without modification. Under the proposed rules, a breach of names and credit card numbers would have triggered a notification. The FTC backed away from that interpretation and now states that names and credit card numbers alone will not constitute a personal health record. On the other hand, the FTC renewed its statement that de-identified data would not be considered a personal health record “[g]iven the small risk that such data will be re-identified by unauthorized third parties.” Such references show the FTC’s renewed interest in the identification of individuals using non-personally identifiable information. The FTC had previously mentioned the issue in February in the Behavioral Advertising Staff Report.

The FTC confirmed the wide scope of the new breach notification rules. The proposed rule applies to vendors of PHR and PHR related entities “irrespective of any jurisdictional tests in the Federal Trade Commission Act.” Therefore, even if an entity is not covered by the FTC Act, it may fall under the scope of the breach notification. Additionally, the Commission reiterated that “foreign entities with U.S. customers must provide breach notification under U.S. laws.” Similar to the EU Data Protection Directive, the rules appear to apply to the individual’s data regardless of the data’s location.

The FTC agreed with some of the commentators to the proposed rules that some entities would be covered by both the FTC and the HHS rules. Therefore, the FTC “consulted with HHS to harmonize the two rules, within the constraints of the statutory language.” A related issue concerned the provision of a single breach notification for a single breach, though several entities may be involved. The FTC addresses this issue by providing examples of when entities may comply with both the FTC and the HHS requirements to provide notice.


The final rules also addressed privacy notices and, with them, the FTC’s recent incursion into privacy enforcement and behavioral advertising. The FTC addressed privacy notices because the “final rule provides that a breach of security means acquisition of information without the authorization of the individual.” The FTC stated that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” The FTC reiterated its suspicion of lengthy privacy notices, which it originally voiced in the Behavioral Advertising Staff Report, by stating that “the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” The FTC cited the recent Sears enforcement action to reinforce its seriousness in enforcing the meaningful choice doctrine. There, Sears had buried its data mining activities deep in its privacy policy instead of providing clear and conspicuous notice of the broad scope of its activities. This could be an indication that the FTC may consider data processing without adequate notice to be a data breach.

The final rules now make it easier to provide individual notice through email as well. Because the FTC is persuaded that the relationship between vendors of PHR, PHR related entities, and consumers takes place online, email notice can be used as a default option. The individual’s express affirmative consent to notification by email is no longer necessary. Nevertheless, consumers must still have a meaningful choice not to receive notice by email. Additionally, the FTC made it clear that no confirmation of receipt of the emails is required; only “reasonable efforts to contact all individuals” are required. EPIC advocated for social media breach notification. The FTC declined to adopt such a measure, but stated that the rule did not preclude other forms of notice in addition to the required forms. We are looking forward to public reactions to the first social media breach notification on Twitter, Facebook, or LinkedIn.

Web postings related to breaches on entities’ websites now need not be maintained for 6 months; the FTC shortened the required public posting period to 90 days. With respect to notifying the FTC of breaches involving more than 500 people, the FTC increased the time to provide notice to the FTC from 5 to 10 business days. In addition, entities may use the form created by the FTC to notify the FTC about breaches. Email notification of the FTC is not an option at this time due to security concerns.

While the effective date of the rules was set by the Stimulus Bill and cannot be changed, the FTC stated that it “will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered” in the 180 days after the publication of the final rules. The HHS should shortly follow with its final rules under the Stimulus Bill.


Monday, August 17, 2009

Federal Authorities Prosecuting Suspects of Heartland and Hannaford Breaches

By Mehmet Munur

The US Department of Justice reports that federal authorities are prosecuting three suspects for stealing 130 million credit card numbers from Heartland Payment Systems, 7-Eleven stores, and Hannaford stores. We previously reported on the Heartland Payment Systems Breach and the Hannaford Stores Breach.

The indictment details how Albert Gonzalez and his co-conspirators allegedly “used sophisticated hacker techniques [SQL injection attacks] to gain access to the networks to cover their tracks and to avoid detection by anti-virus software used by their victims.” The suspects allegedly scouted the stores of the corporate victims and their websites for vulnerabilities. Allegedly, in order to cover their tracks, the suspects “program[ed] malware to be placed on the Corporate Victims’ computer networks to evade detection by anti-virus software and then testing the malware against approximately 20 different antivirus programs.”

The breach cost Heartland not just millions of dollars but also the temporary loss of its PCI certification. Soon after the Heartland Payment Systems breach, Heartland lost its PCI certification, as reported by VISA CISP. Since then, Heartland has regained its PCI certification but has also disclosed in its 10-Q filing with the Securities and Exchange Commission that it faced $32 million in expenses due to the breach. $22 million of those charges related to fines imposed by card brands and settlement offers, while the remaining amounts were spent on “legal fees and costs the Company incurred for investigations, remedial actions, and crisis management services.”

Shortly after the Heartland breach, in July 2009, the PCI Security Standards Council issued the Wireless Guideline, which makes specific recommendations related to the deployment of wireless networks. The recommendations are sometimes as detailed as setting up firewalls, accounting for wireless access points, changing default passwords and settings on wireless devices, and using strong wireless authentication and encryption. On the other hand, despite outlining the weaknesses in WEP, PCI DSS v1.2 only requires discontinuing WEP as of June 30, 2010. Unfortunately, the use of WPA or WPA2 remains only a recommendation.

In our previous review of the breaches, we had suggested that “due to the fast evolution of malware, a vulnerability is likely to develop within any system at some point.” Considering that the suspects used custom written malware that was tested to avoid detection by anti-virus software, Heartland could only have protected itself from the attack by preventing the SQL injections in the first place. While complete security remains a difficult objective to attain, we still believe that a vigorous and comprehensive approach to data security is possibly the only defense against such breaches.
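The indictment quoted above names SQL injection as the entry point, and the preceding paragraph argues that preventing those injections was the only defense that would have held. As an added illustration (not code from this post, from Heartland, or from the indictment), the following Python shows the defect side by side with its fix on a constructed in-memory SQLite table: a lookup that splices user input into the SQL text, and the same lookup written with a parameterized query. The table, column names, and sample rows are assumptions invented for the example.

```python
import sqlite3

# Constructed sample data: a toy "accounts" table standing in for the kind of
# back-end database the post describes. Nothing here is a real schema or card.
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
    ("carol", "3400-0000-0000-0009"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Defective version: untrusted input becomes part of the SQL text.

    Because the input is concatenated into the statement, it can change the
    query's structure rather than merely supplying a value to compare.
    """
    sql = "SELECT username, card FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened version: the SQL text is fixed and the value travels separately.

    The driver binds the parameter, so whatever the caller supplies is only
    ever compared against the username column and can never alter the query.
    """
    sql = "SELECT username, card FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on a benign and a tampered input; return row counts."""
    conn = make_db()
    benign = "alice"
    # A tampered input that, when spliced into the SQL text, turns the WHERE
    # clause into a condition that is true for every row.
    tampered = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),
        "parameterized_benign": len(lookup_parameterized(conn, benign)),
        "parameterized_tampered": len(lookup_parameterized(conn, tampered)),
    }


if __name__ == "__main__":
    # Expected: the vulnerable lookup returns every row for the tampered input,
    # while the parameterized lookup returns none because no such username exists.
    print(demo())
```

The point of the side-by-side is that the fix is structural: the hardened version does not try to escape or filter the input, it removes the input's ability to reach the SQL parser at all. Review for this class of defect therefore means looking for any place where a query string is assembled with `%`, `+`, or f-strings from request data, and replacing each with a bound parameter.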


Wednesday, April 25, 2007

New England Banks to Sue TJX

The Boston Globe reports that a group of New England banks are planning to sue TJX Cos. over TJX's data breach.


Wednesday, April 11, 2007

Data Breaches and Buyer Behavior

Javelin Strategy & Research has a study for purchase entitled "Data Breaches and Buyer Behavior: Moving PCI Compliance from Costly Burden to Competitive Advantage" (link is to the free preview).

Hat tip to Payments News, which states:

The study concludes that "77% of consumers intend to stop shopping at merchants that suffer from data breaches. Retailers and merchants are viewed by 63% of consumers as the least secure when protecting consumer’s data, compared with processors (16%), card networks like Visa or MasterCard (5%) and issuers (5%). When little is known about a data breach, half of all consumers automatically consider the merchants where they shop to be at fault. However, 85% will reward merchants who are perceived as security leaders with increased purchases."


TJX Companies 10K on Computer Intrusions

This InternetNews story says that TJX Companies, Inc. revealed to the SEC that as many as 47.5 million customer records were stolen during TJX's highly publicized computer intrusion. For those interested, here's TJX's 10-K filing. Pages 7-10 are devoted to a discussion of the computer intrusion and pages 18-21 detail the 19 legal proceedings related to the computer intrusion. Page 21 also details the various government investigations in regards to the computer intrusion.

Obviously, the security breach will not be cheap for TJX.
