Disclosures, Decency and Data Security

For the record, privacy, data protection, information security and international law have officially converged with management, compliance and marketing. More than 30 U.S. states have now passed legislation in one form or another that requires businesses to notify consumers if an actual or potential breach of data security may lead to the compromise of personally identifiable information. This comes on the heels of several years of the government tightening its own policies regarding data security breaches and instances of compromised security.

Recently, the Office of Management & Budget, which oversees U.S. federal agencies, announced a tougher policy for government, requiring agencies to follow the security procedures checklist prepared by the National Institute of Standards and Technology (“NIST”) to protect data. An internal OMB memo recommends that data on mobile computers and devices carrying agency data be encrypted, and suggests two-factor authentication (with one factor being separate from the actual computer obtaining access to the data).

As noted in prior issues of Legal Bytes, requirements and compliance obligations for commercial enterprises doing business across state lines and national boundaries vary, although many have common themes. If you are concerned—and you should be—contact us. We can help you sort out your current compliance obligations and help you keep track of the changing privacy and data protection landscape, both domestically and internationally. Even if you choose not to inject your views into the regulatory process, you must keep abreast of developments or risk action by consumers and regulators.

This whole area is churning with activity and, like the migration of computers from technology organizations to mainstream business management decades ago, privacy and data protection are evolving from a technology problem to an issue throughout the world of management, marketing and business process. On a global scale, disharmony in legal systems is a major roadblock to everything from the war on terrorism and money laundering, to the simple acceptance of credit cards by merchants and air transportation. Recently, Europe’s highest court ruled that an agreement made in 2004, which allowed airlines to share 34 items of information about every passenger flying from Europe to the United States—in an effort to fight terrorism—is illegal. The United States threatened to strip air carriers of landing rights if an agreement was not reached, and now the European Court of Justice has allowed the arrangement to continue only until September 30 so the parties can forge a new arrangement.

A New York Senator has proposed legislation that might concern marketing professionals (Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, S. 3713). In addition to requiring notice to consumers, the act allows them to place a permanent security hold on credit information; requires opt-in consent by consumers to financial institutions before sharing information with third parties; and contemplates a private right of action for damages, and—if identity theft occurs—damages up to $5,000 per person.

Several years ago, the Payment Card Industry, comprised of the major credit card and payment instrument issuers and processors, announced Data Security Standards and Audit Guidelines. Because the standards require encryption and secure storage of personally identifiable payment transactional and related data, merchants are faced with certifying, documenting and ensuring compliance or being deprived of the ability to accept payment instruments issued by the card industry issuers and processors. This is hardly an esoteric issue.

Visa fined BJ’s credit card processor upon discovering the processor’s system improperly kept magnetic-stripe data after sales were consummated, in violation of Visa’s operating regulations. Reissuing new account numbers and cards—in addition to covering unauthorized charges—created damages for Sovereign Bank (among others), and Sovereign sued BJ’s and its processor. A U.S. District Court in Pennsylvania has ruled Sovereign may not recover losses from its payment processor and is not a third party beneficiary of Visa’s agreements with the processor. In dismissing the breach of contract claim against the processor, the court concluded that simply because Visa U.S.A. had contracts with processors to protect its payment processing system does not mean the bank, or any other entity that touches the system, is an intended beneficiary of that agreement. This is not the only, not the first and likely not the last case involving allocation of risk and the protection of information and data flowing through virtually every merchant, financial institution and government system in the world today.