Business Forum for Consumer Privacy Introduces New Data Protection Model

On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document” at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.”  The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use.  The paper is the product of a three-year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment.  The paper may be found at www.informationpolicycentre.com.

The Forum’s paper presents the details of a model for data protection in which the use of data, rather than its collection, sets in motion an organization’s obligations to apply fair information practices.  The model employs the full complement of fair information practices: notice, choice, access and correction, collection limitation, use minimization, data retention, data quality and integrity, data security and accountability.  The paper describes in granular detail how each of these practices applies to various uses of data (e.g., fulfillment; internal business processes; marketing; fraud prevention and authentication; and national security and legal).  The approach proposes a means to implement fair information practices in a way that reflects the data environment of the 21st century.

Barbara Lawler of Intuit represented the Forum at the FTC’s “Exploring Privacy” event.  In introducing the concepts presented in the paper, she built upon the observation of panelists at the FTC event that the “choice” model is of increasingly limited utility in the new data environment.  Ms. Lawler noted that consumers would have to read and act on privacy notices almost constantly throughout the day to exercise any kind of control over their data, and that consumers cannot be expected to police a marketplace full of complex business models, vendor relationships and technologies.

Next year likely will be an important one, as privacy regulators, experts, advocates and business representatives continue to consider ways to provide optimal protection for data while best enabling its productive and creative use.  The use-and-obligations model will likely serve as an important contribution to that discussion.

Liability for Data Security Auditors

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit.  The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers.  The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”).  Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.”  VISA certified CardSystems shortly after receiving Savvis’ audit report.  In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

Claiming $16 million in fraud losses, legal fees and penalties related to the breach, Merrick sued Savvis under theories of negligence and negligent misrepresentation.  After originally being filed in federal court in Missouri (where Savvis is headquartered), the case was transferred to Arizona (where CardSystems operated and eventually filed for bankruptcy due to fallout from the data breach).  If the Arizona court rules in favor of Merrick, data security auditors could for the first time be held professionally liable for their audits of a company’s information security in the same way accountants can incur liability for negligent audits of a company’s financial statements.  Data security auditors would likely increase the price of audits to account for the increased risk.

The filing of Merrick Bank v. Savvis coincides with increased scrutiny of security auditors and of self-regulation of the payment card industry.  Critics have noted that other payment card processors that suffered significant data breaches, such as Heartland Payment Systems, were also listed by VISA as service providers that were compliant with PCI DSS, which is the consolidated industry standard developed by the major payment card companies.  As a result of those breaches, the PCI Security Council announced late last year that it would strengthen oversight of auditors to “make sure no one is rubber-stamping something.”  Some experts believe regulation is possible, pointing to the recent proposed guidance on data encryption standards for personal health information as an example of how the federal government has imposed requirements on information security in a manner previously thought unlikely.