Data, Data Everywhere, But Hackers Drop into Secure Websites

Criminals stole customer information from the Hannaford Bros. and Sweetbay grocery chains’ computer networks. As shoppers swiped cards at checkout and their information was routed to transaction processors using state-of-the-art, fiber-optic, hard-wired cable for transmissions, malicious software intercepted the information and transmitted it to an ISP off-shore. Experts are still trying to figure out how the code got into the systems in the first place.

Connecticut, after yet further large-scale data security breaches, has approved legislation, effective Oct. 1, 2008, which will require all businesses to have and display a privacy policy that explains how the business protects Social Security numbers. Businesses must safeguard data and documents with personal information from misuse by third parties, and violations trigger a $500 penalty—penalties per incident can total up to $500,000. While unintentional violations do not give rise to penalties, “unintentional” is likely to refer to lapses in the execution of a policy, not to companies without policy or a failure to implement a policy. Do you need help developing a privacy policy, information retention and disposal procedures? Need to comply with the new law in Connecticut and those of well over 30 states that have enacted data breach and data security and protection laws in the past few years? Call 212.702.1303 or email Joe Rosenbaum.

Did you read the article above about word-of-mouth advertising regulations in the UK? Then read the report entitled “Guidance on Data Security Breach Management,” sponsored by the UK Ministry of Justice and issued by the UK Information Commissioner’s Office (“ICO”). The report suggests a big difference between UK and U.S. data protection laws regarding best practices concerning data security breach notification.

In the United States, government operates on the presumption that a consumer is always better off when notified of a data security breach. The UK report explores the potential danger of “over-notifying” and asks if notification actually helps or simply creates anxiety, without the ability to allay the fears created, and postulates, “Not every incident will warrant notification, and notifying the whole 2 million strong customer database of an issue affecting only 2,000 customers may well cause disproportionate enquiries and work.” If consumers are barraged by data breach notices, with multiple notices to consumer reporting agencies and law enforcement officials, isn’t it more likely that people will start to ignore them?

Rimon has a global footprint, with lawyers who keep up to date in and across jurisdictions. Assumptions about the propriety, legal adequacy or efficacy of a response to a data breach may prove as disastrous as a breach itself. For companies that do business across state, provincial, regional and/or national boundaries, citizens of multiple jurisdictions may be involved. You need to know the correct responses. Need help? Contact Joe Rosenbaum to find out how Rimon’s privacy and data security team can meet your needs.