BreachExchange mailing list archives

Who Are Breach Disclosure Laws Meant to Protect? One Merchant Held up Notifications for More Than a Year at the Request of Federal Authorities


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Apr 2014 18:41:54 -0600

http://www.securitybistro.com/?p=8450

I live in Texas, and there's a regional retailer that has just announced a
data breach that is believed to have affected more than half a million
customers. The announcement is controversial because the company, Spec's,
supposedly knew about the theft of payment card data almost a year ago and
is just now telling customers. As you might imagine, people affected by
this breach are rather upset.

Let me lay out the details, as reported by the Houston Chronicle newspaper.
(I have no first-hand knowledge of this breach, although I am a Spec's
customer and could possibly be a victim of the breach. I have not received
any such notice, though.)

On March 29, the Houston Chronicle reported that "a sophisticated computer
scam" was perpetrated against the Spec's retail payment system for a year
and a half. The breach is believed to have started October 31, 2012, and
continued as late as March of 2014. The article suggests that people
within Spec's knew early last year (2013) that the computer system had been
compromised. In fact, customers had begun approaching Spec's to let the
retailer know that their payment cards showed fraudulent transactions that
they traced back to Spec's. (More on this in a moment.)

If it's true that Spec's knew of the breach more than a year ago, why is it
only now announcing that so many customers may have had critical financial
information stolen at some point in that year and a half? According to
Spec's spokesperson Jenifer Sarver, federal investigators had asked the
retailer not to divulge any details during the ongoing investigation.
Sarver said, "It took professional forensics investigators considerable
time to find and understand the problem, then make recommendations for
Spec's to fully address and fix them."

With most of Spec's stores being in Texas, it's reasonable to assume that a
majority of the customers who might be impacted by this breach are Texas
residents. The following is an excerpt of the Texas breach notification
law. In the original post, specific points are set in bold for emphasis;
that formatting is not preserved in this plain-text copy.

NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA.
(a)  In this section, "breach of system security" means unauthorized
acquisition of computerized data that compromises the security,
confidentiality, or integrity of sensitive personal information maintained
by a person, including data that is encrypted if the person accessing the
data has the key required to decrypt the data. Good faith acquisition of
sensitive personal information by an employee or agent of the person for
the purposes of the person is not a breach of system security unless the
person uses or discloses the sensitive personal information in an
unauthorized manner.

(b)  A person who conducts business in this state and owns or licenses
computerized data that includes sensitive personal information shall
disclose any breach of system security, after discovering or receiving
notification of the breach, to any individual whose sensitive personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made as quickly as possible,
except as provided by Subsection (d) or as necessary to determine the scope
of the breach and restore the reasonable integrity of the data system.

(b-1)  If the individual whose sensitive personal information was or is
reasonably believed to have been acquired by an unauthorized person is a
resident of a state that requires a person described by Subsection (b) to
provide notice of a breach of system security, the notice of the breach of
system security required under Subsection (b) may be provided under that
state's law or under Subsection (b).

(c)  Any person who maintains computerized data that includes sensitive
personal information not owned by the person shall notify the owner or
license holder of the information of any breach of system security
immediately after discovering the breach, if the sensitive personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person.

(d)  A person may delay providing notice as required by Subsection (b) or
(c) at the request of a law enforcement agency that determines that the
notification will impede a criminal investigation.  The notification shall
be made as soon as the law enforcement agency determines that the
notification will not compromise the investigation.

In other words, it's OK to delay disclosing a breach of personal financial
data to the owners of that data for as long as law enforcement says that
disclosing any details would compromise the investigation; the notice is
only required once law enforcement decides it no longer would.

Needless to say, there are plenty of Spec's customers that are pretty upset
that they weren't told a year ago that their financial data was known to
have been stolen. According to Spec's, debit card, credit card and personal
check information was stolen. The Houston Chronicle reports "the exposure
may include customers' bank routing numbers, card security codes and other
payment card and check information." At least one customer alleges his
debit card PIN was compromised. (Spec's gives a discount for the use of
cash or debit, so it's likely the company has a greater percentage than
other retailers of customers who use debit.)

Dwight Silverman is a technology writer employed by the Houston Chronicle.
He shared his personal experience with the Spec's breach here. In his
first-hand account, Silverman writes that last year, his bank contacted him
about fraudulent use of his debit card and PIN. He couldn't figure out how
a thief got his PIN, unless it was through a skimming device. Once the
Spec's breach was announced, Silverman put two and two together and he now
suspects that a shopping trip to a Spec's store was the source of his
compromise. He writes:

One thing that really bothers me - and I suspect it irks other Spec's
customers, too - is that the feds asked the company not to divulge the
breach, even though it was discovered some time ago. Law enforcement
officials wanted time to figure out how the breach worked and possibly gain
clues to apprehend the bad guys, but by doing so it left Spec's customers
vulnerable for an extended period of time.

According to the Houston Chronicle, another customer learned in 2012 that
$1,500 had been fraudulently charged to three bank cards at the Spec's
store where he shops. The charges had been made electronically at a time
when the store was closed. He contacted his Spec's store to ask what was
going on and he was told by a store employee that they'd been getting
similar calls from other customers.

The U.S. Secret Service is involved in this investigation. Cynthia Marble,
special agent in charge at the Houston field office, declined to comment on
the investigation, other than to say the federal agency's law-enforcement
duties extend to the nation's financial infrastructure. Spec's spokespeople
acknowledge that they could not go public about the breach sooner than this
week because of the request from law enforcement. And we see that the Texas
breach notification law specifically says that people whose data has been
compromised don't need to be told until law enforcement determines that an
announcement will no longer compromise the investigation.

All I can say is, the feds better catch the people responsible and bring
them to justice in order to justify having kept half a million people in
the dark about their financial data being stolen more than a year ago.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
