Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches.  Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities:  businesses, processors and vendors.  Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

The new law, an addition to the state’s breach notification statute, provides that if a processor or business fails to take reasonable care to guard against unauthorized access to payment card account information in its possession or control, and that failure is the cause of the breach, the processor or business is liable to the relevant financial institution for reasonable actual costs related to the reissuance of payment cards to Washington residents to mitigate “potential current or future damages” to them.  Similarly, a vendor will be liable to the financial institution for these costs to the extent the damages were caused by the vendor’s negligence.

The law contains a number of safe harbors.  For example, there is no liability if the account information was encrypted at the time of the breach.  Also, an entity is not liable if its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) was validated by an annual security assessment that took place no more than one year prior to the breach, even if that security assessment is subsequently revoked.

Nevada and New Hampshire Data Security and Privacy Laws Take Effect

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire.  The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

Nevada’s law requires “data collectors,” including government agencies and businesses, that accept payment cards and are “doing business” in Nevada to comply with the Payment Card Industry Data Security Standard (“PCI DSS”).  Although Minnesota has codified the PCI DSS requirement that prohibits businesses from retaining certain credit or debit card data after a transaction, Nevada now becomes the only state to require compliance with PCI DSS in its entirety. 

For businesses that do not accept payment cards, the new Nevada law prohibits electronically transmitting a customer’s personal information “outside of the secure system of the business” or moving any data storage device containing a customer’s personal information “beyond the logical or physical controls” of the business unless the transmission or data storage device is encrypted.  The statute defines “encryption” to include both (1) encryption technologies to render data indecipherable which have been adopted by an established standard-setting body such as the National Institute of Standards and Technology (“NIST”) and (2) appropriate management and safeguarding of cryptographic keys using guidelines promulgated by an established standard-setting body such as NIST.

Although several states previously have rejected codifying PCI DSS into law, it remains to be seen whether Nevada’s new law will create a nationwide domino effect similar to that which occurred after California enacted the first information security breach notification statute.  Since California’s breach notification statute became effective in 2003, all but five states have enacted similar statutes.

The new law in New Hampshire requires health care providers and business associates to (1) obtain an authorization from individuals before using or disclosing their protected health information (“PHI”) for marketing, and (2) provide an opportunity for individuals to choose not to receive any fundraising communications that involve their PHI.  New Hampshire’s law also requires health care providers and business associates to notify individuals in writing of any use or disclosure of their PHI that is not permitted by New Hampshire law, even if such use or disclosure is allowed under federal law.  For example, New Hampshire prohibits all marketing communications (including those authorized by individuals) by voicemail, facsimile, or “other methods of communication that are not secure,” while federal law contains no such prohibitions. 

New Hampshire’s new law adds to the list of state and federal laws regulating breaches of health information:  in August 2009, Missouri’s information security breach notification statute, which applies to breaches of “medical information” and “health insurance information,” took effect, and in February 2010, the federal regulations addressing breaches of unsecured PHI will become effective.

Class Action Lawsuit Against Heartland Dismissed

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

According to the complaint, in December 2007, a group of hackers now under criminal indictment launched an attack on Heartland’s network, injecting malicious code into Heartland’s computers.  Heartland allegedly discovered this injection of malicious code and took remedial steps that failed to fully eradicate the threat.  Later, in 2008, the hackers used the injected code to steal millions of payment card numbers.  Heartland did not discover the theft until January 2009. 

The plaintiffs argued that Heartland had made various representations to investors that it maintained sufficient security to prevent such hacking.  For example, Heartland’s 2007 Annual Report discussed the company’s network security situation stating that Heartland “place[d] significant emphasis on maintaining a high level of security” and maintained a network configuration that “provides multiple layers of security to isolate our databases from unauthorized access.”

The court disagreed with the plaintiffs’ claim that these statements were untruthful, holding that “there is nothing inconsistent between Defendants’ statements and the fact that Heartland had suffered an … attack.”  The court explained that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security,’” because “[i]t is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome.” 

With respect to a former Heartland IT employee’s statement that Heartland should have taken various additional steps to secure its network following the 2007 attack, the court found that “one former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement ‘We place significant emphasis on maintaining a high level of security’ false.” 

In the end, the court dismissed the complaint against Heartland with prejudice, finding that, because the company “did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred, …the statements in the 10-K were not false or misleading.”

Nevada Updates Encryption Law and Mandates PCI DSS Compliance

As of January 1, 2010, Nevada law will require businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. The new law repeals the existing Nevada encryption law, which will remain in effect until January 1, 2010. (For more information on the existing Nevada encryption law, please see our previous Client Alert.) The new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards. The law applies to organizations doing business in Nevada and provides that compliance will shield such businesses from liability for damages from a security breach.

Liability for Data Security Auditors

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit.  The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers.  The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”).  Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.”  VISA certified CardSystems shortly after receiving Savvis’ audit report.  In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

Claiming $16 million in fraud losses, legal fees and penalties related to the breach, Merrick sued Savvis under theories of negligence and negligent misrepresentation.  After originally being filed in federal court in Missouri (where Savvis is headquartered), the case was transferred to Arizona (where CardSystems operated and eventually filed for bankruptcy due to fallout from the data breach).  If the Arizona court rules in favor of Merrick, data security auditors could for the first time be held professionally liable for their audits of a company’s information security in the same way accountants can incur liability for negligent audits of a company’s financial statements.  Data security auditors would likely increase the price of audits to account for the increased risk.

The filing of Merrick Bank v. Savvis coincides with increased scrutiny of security auditors and of self-regulation of the payment card industry.  Critics have noted that other payment card processors that suffered significant data breaches, such as Heartland Payment Systems, were also listed by VISA as service providers that were compliant with PCI DSS, which is the consolidated industry standard developed by the major payment card companies.  As a result of those breaches, the PCI Security Council announced late last year that it would strengthen oversight of auditors to “make sure no one is rubber-stamping something.”  Some experts believe regulation is possible, pointing to the recent proposed guidance on data encryption standards for personal health information as an example of how the federal government has imposed requirements on information security in a manner previously thought unlikely.