Target-ing Data Security Breaches

On December 19, 2013, Target reported that there had been unauthorized access to Target customers’ payment card data, which may have resulted in 40 million credit card numbers and personal information of up to 70 million individuals being exposed.  The Target data breach was so significant and shocking that there are reports that a “cyber-thriller” movie based on the breach is in the works.  Only months later, Neiman Marcus reported that 350,000 of its customers’ credit and debit cards had been compromised.  At least 9,200 of those cards had been fraudulently used by February 21, 2014 – not an insignificant number.  Data breaches are ongoing – just last month, the University of Maryland reported 287,580 records had been affected by a security breach, and earlier this month the California Department of Motor Vehicles reported a potential credit card security breach.

These security breaches are concerning for consumers, businesses and governments.  Consumers risk being subject to credit card fraud and identity theft, as well as serious inconvenience.  Businesses risk significant reputational damage which may result in loss of business, reduced profits and falls in share price (Target suffered a significant decline in profit and its stocks have fallen 9% since the data breach was reported).  Businesses may also lose valuable confidential information such as trade secrets as a result of the breach.  National and domestic security could also be compromised if government-related data security breaches occur.

So, what’s being done to address data breaches?  Congress has responded to these high profile breaches by introducing a number of bills establishing a uniform, nationwide data security scheme, but so far no agreement has been reached on how to deal with these challenging issues.

There is general consensus that the existing data security laws are unsatisfactory.  They differ significantly from state to state, creating “a complicated patchwork of requirements”, and also by industry (for example, specific data security regimes apply to entities covered by the Health Insurance Portability and Accountability Act and financial institutions covered by the Gramm-Leach-Bliley Act).

To investigate the best way to deal with data security concerns, there have been three congressional committee hearings in the past two months that have focused on these issues: the Senate Judiciary Committee’s hearing on “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime”; the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade’s hearing “Protecting Consumer Information: Can Data Breaches Be Prevented?”; and the Commerce Committee’s hearing “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches”.  In each of these hearings witnesses called for the introduction of uniform federal legislation to address data security concerns.

Reflecting these calls for uniform nation-wide laws, four data security bills to establish a uniform national scheme have been introduced or reintroduced into the Senate in 2014: the Data Security Act (“DSA”); the Data Security and Breach Notification Act (“DSBNA”); the Personal Data Privacy and Security Act (“PDPSA”); and the Personal Data Protection and Breach Accountability Act (“PDPBAA”).  Some of the key areas they differ on and are likely to be hotly debated by stakeholders include:

  • how prescriptive the data security obligations are.  The DSA imposes a general obligation on entities to “implement, maintain, and enforce reasonable policies and procedures to protect the confidentiality and security of” protected information (§3(a)), whereas the other legislation requires the FTC to promulgate regulations setting out security policies and procedures entities must comply with, which will likely be more detailed;
  • the types of entities the data security and notification requirements apply to.  For example, the security requirements in the PDPSA only apply to entities who handle personal information of “10,000 or more United States persons” (§201(b)) whereas the DSBNA applies more broadly to any entity that handles personal information;
  • when the notification requirements arise.  The DSA only requires disclosure where the relevant entity determines that the compromised information “is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers” (§3(c)), whereas the DSBNA requires notification irrespective of the harm or inconvenience caused;
  • whether there is a private right of action.  There is a private right of action under PDPBAA (§205), but no similar right is contained in the other legislation; and
  • the amount of civil penalty that should apply to breaches – this ranges from no specific civil penalty in the DSA up to a capped $20 million per violation in the PDPBAA (§203(a)(1)).

Data security poses significant challenges for lawmakers, businesses and consumers, as illustrated by the recent Target and Neiman Marcus breaches and the variety of legislative solutions that have been proposed in response.  Due to the rapidly evolving nature of technology, the legislative solutions will need to be flexible and able to adapt to changing threats.  However, there appears to be general consensus that to reduce the burden on businesses and ensure that consumer information is adequately protected, nationwide rather than state-based laws must be adopted.

 

About the Author

Alison Gurr

Alison Gurr is a Staffer for the Columbia Science and Technology Law Review. She is an LLM student at Columbia Law School.