BreachExchange mailing list archives

Laws let companies wait weeks, months to disclose data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Jan 2014 18:05:40 -0700

http://www.chicagotribune.com/sns-rt-target-datanotification-analysis-20140116,0,2669896.story

A decade of lawmaking by U.S. states to ensure consumers are told when
their data has been hacked still lets companies such as Target Corp. wait
weeks or even months to disclose security breaches.

Forty-six of 50 U.S. states have passed laws requiring disclosure, starting
with California in 2002, but the laws vary in terms of when and how notice
must be given, and most states allow for delays to investigate the
intrusion.

Calls for federal action, including by the U.S. Federal Trade Commission,
have gone unheeded by Congress. And guidelines to safeguard investors in
public companies also do not give clear guidance on timing and do not
require disclosures that would compromise a company's cyber security.

Consumer advocates have criticized Target, where data from 40 million
credit and debit cards and 70 million other records containing customer
information was stolen.

State attorneys general are probing the breach. Target says it acted
quickly after taking defensive action.

"It's a judgment call," said Joseph DeMarco, a former head of the cyber
crime unit at the U.S. Attorney's office in Manhattan, citing the time it
takes for companies to find out what happened.

"A breach investigation could take weeks or months before you know enough
to have a legal obligation to disclose."

Target, the third-largest U.S. retailer, said on Dec. 19 that hackers had
stolen data from up to 40 million credit and debit cards of shoppers who
visited its stores between Nov. 27 and Dec. 15.

Chief Executive Gregg Steinhafel said that Target made its announcement
four days after it "confirmed that we had an issue." The retailer has not
said when it first learned of the break-in.

Then, on Jan. 10, the company said the breach was bigger than initially
thought: that hackers also stole personal information of 70 million
customers.

Another retailer, Neiman Marcus, said last Friday that it was warned about
a possible breach in mid-December and that an outside forensics firm
confirmed the intrusion on Jan. 1.

Both the Target and Neiman Marcus breaches were first revealed publicly by
an independent blogger.

In addition, three other retailers suffered breaches during the holiday
shopping season that have yet to be publicly disclosed, according to
sources familiar with the attacks.


PATCHWORK OF LAWS

California was the first state to pass a law requiring disclosure of a
hack, and its rules remain among the toughest.

The state requires notification when unencrypted personal information is
reasonably believed to have been taken by an unauthorized person. The
notices must describe the information at risk, give the date of the
intrusion, say whether the notice was delayed, and provide the name and
contact information for the company.

Still, California's statute gives some leeway. It demands disclosure in
"the most expedient time possible and without unreasonable delay," taking
into consideration law enforcement needs and time for the company to
restore the integrity of its system.

"The first order of business regardless of any state law is to plug the
hole, protect the user and then worry about reporting," said Albert Gidari,
a lawyer who has helped companies deal with dozens of security breach
investigations and issue notices to consumers.

Only a handful of states require notice by a specific deadline. Florida,
Vermont and Wisconsin, for example, give entities 45 days from the date of
discovery. But even those states allow exceptions, such as when disclosure
could hinder a police investigation.

Some states require that consumers be notified once certain types of
information are accessed without authorization, while a greater number let
companies evaluate the risk of identity theft and other harm to consumers
in deciding whether to notify.

Susan Lyon-Hintze, another lawyer who works with victimized companies, said
it was risky to disclose too early, which would tip off hackers to
investigations. "That can actually lead to more harm for consumers in the
long run," she said. "They'll shut down their operations and move on to the
next company."


PROTECTING SALES?

Jamie Court, president of Los Angeles-based public interest group Consumer
Watchdog, said the timing of the Target and Neiman Marcus announcements
raises questions about whether the retailers wrongly delayed telling
consumers. He called on state attorneys general to look into whether
companies failed to disclose their breaches to maintain sales over the
holidays.

Target spokeswoman Molly Snyder said the company acted as quickly as it
could. "As soon as we confirmed the point of access to our system, closed
it and eliminated it, we moved swiftly through the notification process,"
Snyder said in an email. Ginger Reeder, a spokeswoman for Neiman Marcus,
denied its disclosure timing was influenced by sales considerations.

Connecticut Attorney General George Jepsen, who is helping to lead a
coalition of more than 30 states probing the Target attack and possibly
others, may look into whether Target unreasonably delayed its announcement.

"One of the issues we look at in data breach investigations is the
timeliness and adequacy of notification to appropriate government
authorities and to consumers," the attorney general's spokeswoman, Jaclyn
Falkowski, said.

Penalties for failing to disclose breaches vary by state. Some have a
maximum penalty for each attack and depend on how many people are affected.
In Michigan, for example, fines can range up to $250 per failure and
$750,000 per breach.

In 2011, health insurer WellPoint Inc agreed to pay Indiana $100,000 to
settle a lawsuit the state attorney general filed under its data-breach
notification law. WellPoint took months to notify consumers of a breach and
failed to tell the attorney general, despite operating under a law that
requires both "without unreasonable delay."

According to Patrick Fowler, another lawyer who advises companies on
security breaches, some states allow consumers to file lawsuits for
unreasonable delays, while others leave it to the attorney general.

The U.S. Securities and Exchange Commission issued guidelines in 2011 that
public companies such as Target must follow in connection with cyber
attacks. The SEC said the companies may need to tell investors if an attack
occurred and its potential costs and other consequences.

Typically, the disclosures come in the company's next filing, whether it is
a quarterly or annual report.

But since the SEC guidance came out, "companies have tended to include
generic risk factors rather than disclose specific incidents," said Todd
Hinnen, a former acting assistant attorney general at the U.S. Justice
Department.