Category Archives: Data Security & Breaches

California Attorney General Forms New Privacy Unit With A-Team Prosecutors

California’s top attorney, Kamala Harris, announced the launch of the Department of Justice’s Privacy Enforcement and Protection Unit, being formed to guard the privacy of Californians by prosecuting violators of state and federal laws.  The press release says “The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”  The new department, with six veteran prosecutors, will wield broad enforcement powers over cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches. It will operate within the eCrime Unit that Harris created in 2011.

Victims of Data Breach Would Take Action!

A recent Unisys Security Index survey asked 1,000 individuals in the U.S. what they would do if they learned that their personal information, stored by an organization that they were doing business with, had been accessed through a security breach.  Nearly all said they would take some form of action including:

   87% would change their passwords

   76% would stop dealing with the company by closing their account

   65% would publicly expose the data breach

   53% would take legal action

   31% would maintain their account with the company, but not engage in online transactions

   Only 3% of the respondents said they would do nothing at all!

Data Breach Costs Decline for First Time in Seven Years

In March, Ponemon Institute released the results of its seventh annual study concerning the cost of data breach incidents for U.S. companies.  The 2011 study examined costs incurred by 49 companies in 14 different industries after the companies experienced the loss or theft of personal information.  As required by state data breach laws, the companies had to notify breach victims.  Ponemon’s study findings do not apply to “catastrophic breaches” which would include data breaches of more than 100,000 compromised records.

Some highlights from the report are:

  • The cost of a data breach declined.  The cost to a U.S. company declined from $7.2 million in 2010 to $5.5 million in 2011, and the cost per record declined from $214 to $194.  This was the first time both costs have declined in the same year since the study began.
  • More customers remain loyal after a data breach than in previous years.
  • “Lost business costs” declined significantly from $4.54 million in 2010 to $3.01 million in 2011. In previous studies, the highest cost for lost business was $4.59 million in 2008 and the lowest was $2.34 million in 2005.  Lost business costs include customer churn and reputation losses.
  • The cost to notify breach victims increased in 2011’s study from approximately $510,000 to $560,000.
  • The study found that the overall cost of a data breach can be reduced based on organizational decisions like if, for example, the company has a Chief Information Security Officer (CISO), the cost drops as much as $80 per record.  Engaging external consultants during a breach response can reduce cost by as much as $41 per record.
  • Certain factors of the data breach can increase overall cost like the fact that data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.  Companies that notified customers too quickly without completing a comprehensive investigation paid on average $33 more per record.  Companies that experienced their first ever data breach in 2011 spent on average $37 more per record.
  • Negligent insiders and malicious attacks are the main causes of a data breach. Surprisingly, 39% of companies participating in the study said that negligence was the main cause of the data breaches.  Malicious or criminal attacks account for more than one-third of the total breaches reported in the study.


RockYou to Settle with FTC Over Massive Data Breach

The social networking and gaming site was hacked in December 2009 and suffered a severe data breach, which exposed personal information including email addresses, passwords and photos of 32 million users.  Of that 32 million, 179,000 were children.  The situation went from bad to worse for RockYou when the hacker posted on the Internet a snippet of the data he obtained, showing that RockYou’s user account data were stored in plain text in its database and not encrypted.  Unencrypted personal information is basically like catnip to a hacker and from a risk perspective, the company was in deep trouble. Compounding its problems, RockYou handled the communication to its users and the public horribly and this incident was a public relations disaster for the company.

The magnitude of the data breach drew the attention of the Federal Trade Commission (FTC).  The FTC is the federal agency responsible for enforcing laws that protect online consumers.  The FTC is especially proactive when the personal information of children is compromised.  RockYou is one company on a growing list of companies that the FTC has aggressively pursued for violating the Children’s Online Privacy Protection Act, known as COPPA, which the FTC enforces.  In short, COPPA requires that before a website collects, uses or shares personal information it receives from a child under 13, the website operator must get verified parental consent (commonly referred to as “email plus” verification method).  The rule also requires websites to post a clear, understandable and complete privacy policy on their site.

Here, the FTC investigated and found that RockYou’s information security practices were deceptive, posing a significant risk to consumers and that the company had violated COPPA by gathering personal information from kids under 13 over a two-year period without obtaining the mandatory parental consent.  In addition, the company failed to spell out in its posted privacy policy how the information it collected would be used or shared.  Finally, RockYou was faulted for not maintaining reasonable security procedures to prevent breaches like the one that occurred.  The FTC came down hard on RockYou for its mistakes.  According to a proposed settlement order with the FTC announced on March 27, 2012, RockYou must pay a $250,000 penalty for COPPA violations, implement a data security program, and submit to security audits every other year for 20 years.  In addition, the company it is barred from any further violation of COPPA and prohibited from making deceptive claims regarding privacy and data security. 

The takeaways?  This is a story about the consequences of a company’s deceptive business practices, failed data security program and clearly a lack of preparedness when faced with a large scale data breach.  Aside from the $250,000 fine and attorneys’ fees the company must pay, the other economic costs here are lost business costs and the widespread damage to RockYou’s reputation and brand caused by this catastrophic breach.

Nolo’s Privacy Matters Blog Premieres!

Welcome to Privacy Matters, a Nolo blog devoted to information privacy and data security issues as they relate to small businesses and consumers.  Information privacy covers the rules that apply to the gathering and handling of “personal information” — in other words information that can be traced to a particular individual, like geolocation information, credit information, or health records. 

Privacy law varies by industry, state, country, transaction and customer and is complicated.  Through blog posts and an ongoing series of Nolo primer articles, I hope to provide general, useful information about fundamental privacy principles and best practices that Internet, technology and bricks and mortar businesses need to be aware of, as this area of law can be a field of landmines for the unknowing.

Class action lawsuits and Federal Trade Commission enforcement actions against tech titans like Facebook and Google, and high-profile data breaches jeopardizing that private data of millions of individuals and tarnishing the reputations of scores of companies like Sony, Heartland Payments Systems and RSA Security — have thrust privacy onto the front pages.  It’s important for small business owners to recognize that the same rules that have gotten large companies into trouble apply to small businesses as well.  When it comes to privacy, an once of prevention is, in fact, worth a pound of cure.