Last Thursday two masked men, driving a stolen Jeep, pulled up next to a courier's white van that was parked outside a Massachusetts RMV location, jumped out of the Jeep and stole five bags from the courier's van. This is according to witnesses' accounts reported to police.

According to the MA Department of Transportation Press Secretary, the private courier worked for the Registry of Motor Vehicles and the five bags contained documents, not money. In her words:

"Personal customer information is contained in the types of paperwork stolen. The records included names, dates of birth, addresses and license numbers. The types of paperwork stolen do not include the social security numbers of Massachusetts residents," she said.

As reported by the Gloucester Times

Apparently between 500 and 600 customers were affected.

The police are saying it was a targeted theft, but that maybe the men thought the bags contained money. These guys used a car that had recently been stolen and had a second getaway car parked nearby.

This seems like a lot of work to go through to steal 500 to 600 people's registry transaction paperwork. The "they thought the bags had money" theory seems more likely.

But... if the bad guys had this thing so planned out, why didn't they know that the bags didn't contain money? Does the courier usually have the Registry's money, but only had the paperwork on this particular morning? That is an important question.

The other important question is: exactly what information was taken? Was there something about the information that would be valuable? The registry took care to say that no "social security numbers" or "credit card information" was taken. But if the stolen information was in the right (wrong) hands, what could they do with it?


Usually a theft like this involves access to inside information. It's not like these guys would sit outside the Wilmington branch of the RMV every day to learn the courier's schedule. That might happen in the movies, but in my experience, criminals are just too lazy to do that legwork. They will either know someone on the inside who can tell them the schedule, or one of them IS on the inside and works for either the RMV or the courier service. Either way, the information should have included the fact that no money would have been in those bags, or we have yet another example of "world's stupidest criminals."


From a data security standpoint, this crime should serve as notice to those companies still using data in paper form that they are not immune from being "hacked." This incident is technically a data breach, right? And since it involves a State agency, different rules apply.

Executive Order 504 requires Massachusetts State agencies to protect "Personal Information." Because M.G.L. c. 93H and 201 CMR 17 do not apply to public entities, this order seeks to close that loophole, with one big gap: penalties for non-compliance... or rather the lack of them.

Since it appears that the courier was a private company and the RMV is a State agency, they would have had to execute a contract with specific language regarding the protection of the Personal Information of Massachusetts residents. Executive Order 504 commands it.

So, what at first blush appears to be a couple of bungling idiots taking the wrong bags (or the right bags on the wrong day) may turn into an "investigation" into the lack of protection afforded 500 to 600 Massachusetts residents' personal information.

Did the contract between the RMV and the courier have the appropriate language?

Did the courier have the appropriate protections in place?

How much will this incident cost the courier? The State? There are procedures under Exec Order 504 that must be followed.


Until I hear that this courier usually carried money I will presume that the theft of information was the goal of the bad guys' actions. I mean, these guys stole a car just hours before this crime, had a second car ready to go, wore masks, and pulled this off at 9:00am? If you go to all that trouble and don't know exactly what's in those bags you deserve to serve time for stealing paper...



Today is the Deadline for MA Data Privacy Law

On March 1, 2010, two years ago today, the regulations associated with the Massachusetts Data Privacy Law went into effect. The regulations, found at 201 CMR 17, require businesses that possess “Personal Information” (PI) of Massachusetts residents to protect that data in fairly specific ways. Arguably, the most important aspect of the regulations was the requirement that all such businesses have a “Written Information Security Program,” or WISP. But there are certainly other important provisions, one of which comes into effect today, March 1, 2012.

March 1, 2012 is the deadline for those businesses that possess PI to address any third-party contracts where the third party possesses or otherwise maintains PI on behalf of the business.


Let’s say you’re a large law firm that, by the nature of its business, is in possession of a large amount of PI. Your firm processes hundreds or even thousands of cases each year. As each case comes to an end, the file gets boxed up and shipped out for storage for, say, ten years. Contained in that box is the personal information of Massachusetts residents who were involved in the case. Your firm has used the same storage company for twenty years and so far things have seemingly been fine (at least as far as you know). **NOTE: the “file” and the “box” could be, and probably are, electronic files as opposed to physical (paper) ones.

Under the regulations that come online today, your firm must now have, as part of its contract with the storage company, certain clauses or elements in order to comply with MA law. Specifically, the regulations require that the “owner” of the PI (here, the large law firm) have a clause in its contract with the vendor (here, the storage company) that seeks to obtain assurance that the vendor can protect the PI it possesses on behalf of the business.

The regulations require that owners/licensors of Personal Information of MA residents “oversee service providers” by selecting providers that are capable of maintaining appropriate security measures to protect PI, and by requiring by contract that the vendor implement and maintain such appropriate security measures. In addition, the contract should include a clause requiring the vendor, in the event of a loss or “breach” of that data, to give notice to the owner as soon as practicable and without unreasonable delay. Cooperation between the owner of the PI and the vendor, or possessor of the PI, is required as well. Cooperation is defined as the vendor informing the owner of the breach, the date of the breach, and any steps taken by the vendor related to the breach. (M.G.L. c. 93H s. 3(a))


[ **NOTE: the above is not legal advice, and this blog post should not be considered legal advice – if you have questions or concerns about this law, please consult competent legal counsel. ]


I suspect the large law firm who has been doing business with the storage company for twenty years will have no problem fixing up their contract. After all, the storage company wants their business.

But what about the smaller businesses that use an outside IT company to run their computer systems? Let’s say the IT company stores the client’s data on servers located in the IT company’s offices; a sort of “private cloud” arrangement, since it also stores other clients’ data on those servers. Or what if the small business uses a behemoth like Amazon Web Services for its cloud storage of data? Will the small business be in a position to “oversee” Amazon’s internal security apparatus? These small businesses are the entities that need to be made aware of this regulation, but I fear that their education in this area is lacking.

I suppose the answers to the above questions will lie in the regulator’s definition of “oversee.” The regulation seems to define “oversee” as selecting entities that are capable of providing the appropriate security measures. Will having boilerplate language in your contract be enough? I guess we will have to wait and see for that answer. (Again, please consult a lawyer if you find yourself in this situation)



March 1, 2012 is also a special date because it’s the first anniversary of the Massachusetts Data Privacy Law Blog. Its official launch, live on the Internet, was March 1, 2011… We’ve had over 11,000 visitors and several thousand are returning readers. I thank you for your interest in this blog. I try to keep it light, but at the same time convey interesting material.

Thanks for reading.

Your author,




A Survey of Pending Federal Legislation

Good Afternoon,

Tomorrow, November 3, 2011 I will be making a presentation at the Boston Bar Association on the topic of pending Federal legislation in the area of data breach and data security. It is sure to be a historic event as I will predict the future.

OK, maybe not historic, but certainly relevant. In 2007, Massachusetts passed the "Mass Data Privacy Law", followed shortly (ha ha) thereafter by the infamous regulations found at 201 CMR 17 (2010). The pending bills clearly intend to preempt all state laws. What will happen to Massachusetts law? I mean, it just got here... does it have to leave already?

I have chosen six bills that seem to have the best chance of passage this year. Of those six, probably three have a solid chance.

Come see which six are the "chosen ones" and which three have the best chance, and why!!

The United States lacks a comprehensive data privacy / data breach notification law. Even Russia purports to have one. Will it finally happen? Will the United States join the majority of the developed world and enact a nationwide law? Or will Congress bicker and debate for another year?

I have all the answers (maybe), you just have to be in Boston tomorrow at noon to get them...

Boston Bar Association

16 Tremont Street

Boston, MA

12pm - 1pm



The tech world loses a visionary

As we've all heard by now, Steve Jobs has passed away. In the past 25 years or so I have been torn between the Mac world and the PC world... My first computer was an Apple IIe. I can still see it in my mind's eye, although physically I have no idea where it is (or what's on it!). After that it was PC after PC after PC. I can't even recall how many there were.

What is really amazing to me is the massive advances that Apple continuously makes that leave the PC in the dust. Even I, a diehard PC person, have to admit that Apple's technology is wicked cool. I do have a G5 at home that is pretty cool, I'm just not sure I'm a "Mac guy"...

In the '80s and '90s I watched Apple get relegated to the "educational institutions of the world" only to reinvent itself as THE consumer computer company over the last 15 or so years. I know that Steve Jobs made that happen. It's also been fascinating to see how for a while there were "Mac" people and "PC" people; just check out the ads about it. The way I see it now, with the iPad and the iPhone, it's gonna be a "Mac" world soon enough. Everything else will simply be a copy of theirs. (anyone remember the story about the first graphical interface? Karma's a bitch, Bill)

Rest in peace Steve.


PS - I am disgusted but not surprised that within hours of his passing, idiot advertising/affiliate/marketing/scammers started doing their thing. They set up "stevejobsfuneral[dot]com" which has no legitimate purpose. Check out the story over at Threatpost...


What happens twice a day, every day for 20 months? Give up? Some company somewhere loses your personal information.

On Tuesday, September 20, 2011, the Massachusetts Attorney General announced that the personal information of two million Massachusetts residents had been subject to a data breach in one form or another. That's one out of every three residents here...

Almost every media outlet in Massachusetts has put something out about the announcement. Here's a few:

Boston Globe

Boston Herald

Although I haven't seen any press release from the AG, the Boston Herald did report a breakdown of the numbers, some of which I will recap here:

1,166 data breaches were apparently reported during a 20-month span starting in January of 2010. Mathematically, that works out to about 58 a month, or 2 a day.

25% were the result of intentional hacking (287), so YES, it's happening in Massachusetts.

16 of the breaches involved over 10,000 people's information, but the majority, 961, involved fewer than 100 people's information, and 351 of those involved only one person's information.


This was a very public announcement and the Attorney General herself says that "they're going to stay on top of it." I am glad to hear that for a couple of reasons.

One is because the whole culture of computer storage of information needs a wake-up call. Does anyone remember the 3.5-inch floppy disks? Do you remember how many you used to have? Do you know where any, and I mean any, of them are today? Do you remember what was on them?

I used to have boxes of them, have no idea what was on them, and have no idea where they are today... Of course, I probably didn't have spreadsheets of people's social security numbers, but someone did.

Everyone who collects personal information needs to remember that it's just that: PERSONAL. It's personal to someone, a real person. Those who have it need to be responsible with it.


Another reason is simply because I am in the business of helping companies protect personal information. I help them conduct risk assessments, draft company policies and conduct training to reinforce the concept of security. My informal research has shown that many of you out there are still not taking this seriously.

If you are reading this and are wondering if your company has a "data security program" (officially called a WISP, or Written Information Security Program, in Massachusetts), you should consider this announcement by the Attorney General a wake-up call. Think that your company will not be subject to a data breach because they are so rare...? It's happening twice a day, every day. How long do you think it will take to get to you?

Do yourself and your company a favor...give me a call (617.951.2929). It's not often you get to call an attorney for free... I can assure you, if the Attorney General calls you, it won't be free.


We were informed about the 2 MILLION that were reported... How many do you think went either unreported or unnoticed by companies?




Federal Data Breach Notification statute moves along

Today, I’d like to have a look at a Federal Data Breach notification statute that’s been getting some attention. There are, by my count, five bills pending in Washington, D.C. Want a list?

Representative Bono Mack’s bill is the one we’re discussing today. Why? Because it’s likely to make it to at least a full House vote. Whether the Senate takes it up and the President signs it are too far off to predict. As an aside, Representative Rush’s bill, which competes with Bono Mack’s, was recently referred to the subcommittee that just approved Bono Mack’s bill. She chairs that subcommittee, so Mr. Rush, try again next session. I can’t see Bono Mack calling for a vote on a bill that covers the same issues as hers.


The bill is known as the SAFE Data Act. It basically requires certain businesses to employ certain safeguards designed to protect data. Those requirements are eerily similar to the Mass regulations found at 201 CMR 17. The bill also requires certain businesses to inform the Federal Trade Commission and citizens of a data breach, in certain circumstances. Finally, the bill preempts certain state laws.

OK, I used the word “certain” five times in that paragraph. I did so because the bill only applies to those companies engaged in interstate commerce. The security requirements only apply to those companies engaged in interstate commerce that are not already regulated by HIPAA or GLBA (Federal regulations for the healthcare and banking industries, respectively). And finally, the preemption of the various state laws will affect its application to businesses… let’s briefly touch on that…


The preemption clause, in relevant part:

 …This act supersedes any provision of a statute, regulation or rule of a State…, with respect to any entity subject to this Act, that contains:

(1) requirements for information security practices or treatment of data similar to those under section 2; or

(2) requirements for notification of a breach of security similar to the notification required under section 3.

 ** Please note the “any entity subject to this act” statement. We will talk about this again.


Let me sum up the Massachusetts Data Law for you:

  • Massachusetts put in place strict regulations regarding the handling of Personal Information (PI), as well as notification triggers and requirements. The law and regulations apply to ALL Massachusetts businesses. In short, if you own PI and it’s on a mobile device, it has to be encrypted. If you realize that some data went missing, and there is a SUBSTANTIAL risk of identity theft, you must report it to the Attorney General and to the various citizens whose data went missing.


Now let me sum up the SAFE Data Act (presuming you as a company possess PI):

  • If you are engaged in interstate commerce and you are not already regulated by HIPAA or GLBA, you have to have the required security safeguards in place.
  • If you are regulated by HIPAA or GLBA, this law doesn’t apply to you.
  • If you are not engaged in interstate commerce, then this law doesn’t apply to you.


  • If you are engaged in interstate commerce, not regulated by HIPAA/GLBA, and you lose data, and you make the determination that “there is no reasonable risk of identity theft, fraud or other unlawful conduct,” no notification is necessary. But if you do find a “REASONABLE risk” of identity theft, then you must notify the Federal Trade Commission within 48 hours and the affected citizens within 45 days.
  • If you are regulated by HIPAA or GLBA, this law doesn’t apply to you.
  • If you are not engaged in interstate commerce, then this law doesn’t apply to you.


Who does the law apply to then? Companies engaged in interstate commerce who are not in healthcare or banking, I guess.

So, if you are not engaged in interstate commerce, but are a Massachusetts company, where are you? Did the new Federal law preempt the Massachusetts law outright, or did it just preempt the law as it applies to those entities engaged in interstate commerce? Recall the “any entity subject to this act” language from above. It appears that if you are engaged in interstate commerce you are an “entity subject to this act” and exempt from the Massachusetts law, right?


Say I am a small accounting firm in Central Massachusetts and I do not engage in interstate commerce. I am subject to the Massachusetts Data Law and the regulations. The neighboring business happens to be involved in interstate commerce, but offers a very similar service. Do we have different regulatory schemes? Yes, it appears you do.


The goal was to make data breach notification simpler. This does it, for the very largest companies in our country. Unfortunately, the small ones in Massachusetts will end up with a more onerous law than the one that applies to, say, Walmart...


PS - Bono Mack appears to have lost the support of Rep. Henry Waxman on this bill. That might be costly. His concerns are legitimate, but big business is happy with the bill.


Beth Israel Hospital suffers data breach - 2,021 people affected

The Boston Globe is reporting today that a major Boston hospital, Beth Israel, has suffered a data breach. This one appears to be "real" in the sense that no records were mistakenly left on a train; the information was purposely stolen via malware.

Hiawatha Bray, a technology writer at the Boston Globe, quotes the hospital as saying that "an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it." Apparently that machine was later found to be infected with a virus which transmitted data files, in encrypted format, to an unknown location. Ask me, it's a trojan, placed via a phishing e-mail... but that's just a guess.

The information taken appears to be medical record numbers, names, genders, birthdates and procedure details. The hospital says that no social security numbers were taken.

I would suggest that, based on the information stolen and the hospital's status as a "covered entity" under HIPAA, formal notification is required. Health and Human Services lists reported data breaches (those affecting 500 or more individuals) here. I looked, but could not find this one... Maybe they haven't told them yet.

Interesting how the media finds out fairly early on in these situations, maybe even before the authorities.


Under Massachusetts Law, notification may also be required... I say "may" because according to the Globe's report, "medical record number" and "names" were stolen. On the MA Office of Consumer Affairs website, under the "Frequently Asked Questions" section, the question is asked whether an "insurance policy number" qualifies as a "financial account number" requiring notification. The answer:

An insurance policy number qualifies as a financial account number if it grants access to a person's finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other asset.

I am comparing the "medical record number" with the "insurance policy number" for two reasons: one, it's likely that in the hospital's database the medical record number is associated with an insurance policy number (mine is). And two, it's certainly a way to get services under someone else's name.

If I had someone's name and their medical record number, could I show up at a hospital and obtain services via the emergency room? Of course, the bill would go to the victim, right? Why might someone do this you ask? Prescription drug access is one possibility. The FTC has a page dedicated to "Medical Identity Theft" and describes what it means.

The major problem with using the medical record number is that the bad guys would have to know some details about the victim's past before using the number. You can't walk in as a twenty-something female using the medical record number of a fifty-something female... ah, but they took the birth dates as well.

I think it's an open question as to whether notification would be required under Massachusetts law.


Do you know what's also an open question? Why doesn't the Massachusetts Attorney General post the reported data breaches? The Federal Government does, and the Attorney General in New Hampshire does... New Hampshire posts the actual letters sent to them reporting the breach.

Did you know that I requested all filed notification letters under a Freedom of Information type request... Four months after my initial request I was told that I could have all 2,400 of them, for $2,907.00.



Friday tidbits for our Nation's Birthday

As we approach our nation's 235th birthday we should reflect on our amazing accomplishments. Well, how about just one: the Internet. A marvelous creation that allows for the instantaneous delivery of information anywhere in the world. It started out as a Defense Department research network linking our universities, and then the commercial use came along.

I remember pre-Internet days, although it gets harder each year to remember life "before" the Internet. I don't recall if I was a news junkie in those "pre-Internet" days, and although I was a curious lad, it was probably a little more difficult to get the information that today is available in my pocket (see: smartphone).


Since I am a news junkie, let's see what I found recently:


Let's start with LulzSec. Even though in my last post I hoped never to speak their name again, they have seemingly imploded. Ryan Cleary was arrested in England. A search warrant was executed on a house in Ohio that was purportedly the home of a teenage member of the "pinheads" (LulzSec). And I'd like to thank Paul Roberts over at Threatpost for the regular intel on the issues in cyberspace. I recently met Paul, very knowledgeable.

OK, just when you thought that law enforcement was taking them to task, I read a story out of Arizona where the wife of a police officer received a threatening phone call, a bomb threat. In that same story, another police officer had a bogus Facebook page set up by someone. There were also personal emails of police officers released. Think these events have something to do with the "pinheads"? Ya, me too. These stories came out as we discovered that a second round of private data belonging to Arizona law enforcement was released. A group named "AntiSec" took responsibility for the second release. How creative... wasn't that the name of the "operation" undertaken by the "pinheads" and the group Anonymous? Their new logo is a combination of LulzSec and Anonymous, so we may or may not be dealing with the same folks.

Of course, we're not dealing with Mr. Cleary anymore now are we? Eventually these folks will all "face the man". I sincerely hope that each one will face severe punishment. This is a clear opportunity to exhibit deterrence.



Along those lines, my last post was picked up by "". That's a site that does a great job compiling all the data breaches that are occurring around the globe. The author thought that I was angry in my tone (I was), seemed to agree with the reasons for that, but seemed to think that I believed other victims (non law enforcement) of data breaches are less important. You can read it here.

My opinion is as follows: if someone's information is stolen and then released to the world and as a result some harm comes to them it's wrong. There are a lot of things wrong in our world, but they have to be scaled. A punch in the eye hurts, but murder is permanent. Loss of your credit card data is annoying, getting a replacement card solves it. Loss of your personally identifiable information is scary and creates worry, but there are ways to mitigate the potential damage. Being identified as a political dissident and then subjected to murder, torture or other physical harm is absolutely wrong on the highest scale.

You see, I draw a distinction between those harms that are able to be repaired or mitigated and those harms which are permanent. This is an important difference.




Moving on, Citibank says that of the 360,000-plus card numbers stolen, 3,400 of them were used to the tune of $2.7 million, an average of about $800 each. What happened to the other 350,000-plus card numbers? Hopefully they turned them off, because at that rate, if it had continued, the losses would have exceeded $200 million (think the APR might go up next year?)


And in case you were wondering about your chances of suffering a data breach... we have the Ponemon study that says being a victim of a data breach is "a statistical certainty". Dr. Larry Ponemon is THE standard for these things. I trust his numbers; they are based on significant research (his numbers showed that 90% of 583 respondents reported that they have had a breach in the last 12 months - this is a loss of data and in many cases was attributed to a rogue insider).


And helping along Dr. Ponemon's findings, (and probably why there are so many breaches), researchers have discovered a potentially "indestructible botnet". These are the tools needed to be an effective bad guy in the cyber world. Great, they created the TERMINATOR of cyber space.... and I am sure that "they'll be baaack".


And to bring it back home to Boston, Massachusetts... where our country started... Yes, it started here. Have you heard about the Suffolk Resolves? Sure, Philly played a role, but really it started here... And so did a class action lawsuit against AOL for violating numerous federal privacy-based statutes*. Why I think it's "newsworthy" is because the lawsuit also alleges violation of the Massachusetts Privacy Act and a violation of the Massachusetts Consumer Protection Act. This is a first, but we'll have to wait and see if it's even a real case. The plaintiff lives in Mississippi; her lawyers work in Boston (classic!).

If allowed to proceed it would mean that a private citizen is seeking to "enforce" the Mass Data Privacy law before the State Agency obligated to do so, has done so. I say "enforce" because a citizen cannot "enforce" the data privacy law, rather they can claim that a company in violation of the data privacy law is also in violation of our consumer protection laws which is "enforceable" by private citizens.


Happy Birthday America !!!





*The suit charges that the companies violated the Electronic Communications Privacy Act (Wiretapping Act); the Computer Fraud and Abuse Act; the federal Video Privacy Protection Act; the Massachusetts Privacy Act; the Massachusetts Consumer Protection Act; and based on tort claims of Trespass to Chattel; and equitable claims of Unjust Enrichment.



Banks to sue Michaels for data breach?

Quincy, MA – The Patriot Ledger is reporting that between 15 and 20 Massachusetts banks are replacing their customers’ debit cards and refunding fraudulent withdrawals and expenditures because of the recent data breach at Michaels Stores. The affected stores, relevant here, were located in Hanover and Braintree.


Apparently, banks all over the country are doing the same thing as a result of the Michaels breach.


The banks are not happy about having to replace the cards, and with good reason. They’re not the ones who lost the information; the retailer – Michaels - lost the information. Not so much “lost” but “allowed it to be stolen” in a sense. At least that’s the banks’ position.


The Ledger quotes Tom Chew, Vice President of Hingham Institution for Savings, as saying:


“We end up eating the fraud. We think the retailer should have some responsibility. It was their lack of due diligence that allowed the whole thing to happen.”


The banks in fact do “eat” the fraud. If you shopped at Michaels with a debit card between February 8th and May 6th and your card was “skimmed” or copied, it may have ended up being used in Las Vegas or somewhere in California. If you, as the customer, notice that fraudulent expenditure, and you report it to your bank, the bank will put the money back into your account and issue you a new card. All on their dime.


Ok, why doesn’t the bank just sue the retailer? Because they lose. Remember TJX? There were 45 million cards involved there. Many banks did sue TJX. The lawsuits in the TJX mess involved numerous allegations, numerous parties and numerous legal issues. Some parties settled, some appealed, but in the end the banks didn't prevail. Why was it all so legally complex?


You see, in order to take credit cards at your place of business, and become a "merchant", you must have a contractual relationship with an “acquirer.” The merchant does not contract with VISA (for this example). The acquirer has a contractual relationship with VISA. VISA has a contractual relationship with the bank, known as the “issuer.” The bank and the retailer/merchant do not have a contractual relationship. The bank and the acquirer do not have a contractual relationship. VISA runs the whole shebang. VISA makes the associated electronic communications between the merchant/acquirer/issuer. [ Visa Visual Transaction.pdf. ]


A little Contracts 101: If I hire you to paint my house and give you money and you don’t paint my house, I can sue you for the money. If I hire you to paint my house and give you money and you give that money to another guy because you owed him money, and the house doesn’t get painted… I can’t sue that second guy. We don’t have a contract. I have to sue the first guy. Maybe the first guy sues the second, but I can’t (at least not “on the contract”).


A little Contracts 201: There is a concept called “3rd party beneficiary” in contract law. If two people make a contract for the benefit of a third, that third party has certain rights under that contract even though he is not a “party” to the actual contract. This 3rd party has to be the “intended beneficiary”, meaning one of the purposes of the contract is to benefit the 3rd party. If it is an “unintentional benefit”, then the 3rd party has no rights. Back to my house: if I hire the first guy to paint my house, give him the money, and he gives the money to the second guy… and the second guy signs a contract with the first guy to paint my house, then I am an intended 3rd party beneficiary and if he doesn’t paint my house I can sue him, even though we don’t have a contract.



The banks and the merchants do not have a contract. The banks and the acquirers do not have a contract. The banks contract with VISA. The acquirer contracts with VISA. The merchant contracts with the acquirer. In the wake of the TJX disaster, the banks tried to sue the merchants and their acquirer. You see, the acquirer has an obligation to make sure their merchants are following VISA’s operating regulations. Part of those regulations involves strict security measures. If the merchant wasn’t following the security measures, then the acquirer arguably breached their contract with VISA. The banks insisted that they were a 3rd party beneficiary of the contract between VISA and the acquirer because the security measures being enforced were for the benefit of the bank. (And p.s., if you’re confused here, multiply this by 1,000 to get the feeling of studying contracts for the Bar exam).


The banks lost that argument in the TJX litigation, but the devil is in the details.


Before the TJX mess, there was a case in Pennsylvania: Sovereign Bank v. B.J.’s Wholesale. Very similar fact pattern: credit card data stolen from B.J.’s, banks repay losses and replace cards. Banks sue merchant and acquirer. I say “before” because the B.J.’s incident happened before TJX, but the cases were argued and decided in reverse order.


The TJX decision said no 3rd party beneficiaries because the VISA contract expressly said (paraphrased) "there are no 3rd party beneficiaries to this contract.” (decision of Judge Young at the district court level, PDF)


The Pennsylvania decision (pdf) said there may be 3rd party beneficiary rights for the banks because the VISA contract was silent on that issue (you see, VISA is believed to have changed the contract after the B.J.’s case to make sure there were no 3rd party rights).


If you ask me, having Hingham Institution for Savings have to pay back the customer for the money withdrawn in Las Vegas and issue a new card as a result of a breach at Michaels seems unfair. What did the bank do wrong? On the other hand, the small business merchant may be driven out of business because of the huge bill, leaving the consumer empty handed. Many different banks may be involved with one merchant’s breach which arguably puts the banks in a better position to absorb the costs. Who can/should absorb the fraud costs better and keep us spending?


Minnesota passed a law that clearly says that a breached merchant must pay for the costs associated with replacing the cards, and other “associated costs.” Several other states tried to pass similar laws; all were defeated. Notably, former Governor Ahhnold Schwarzenegger vetoed California’s version. The small business lobby must have some sway, fight for the little guy and all that (doesn't gel with the rest of The Terminator's decisions).


As of July of 2011, the “Durbin Amendment” goes into effect. That section of the Dodd-Frank Act will allow the “debit card interchange fees” charged by banks to be “regulated” by the Federal Reserve Bank. In effect, it will lower the rates. The banks argued that those fees helped to offset the costs associated with fraud occurring at the merchant level. The merchants argued that many of their transactions lost money due to the fees and tight profit margins on small purchases. In the wake of the negative press surrounding financial institutions in America and the Government’s “bailout” of banks, the “small businesses” of America won that battle. (The Dodd-Frank Act is 2,319 pages long, I would insult you to link to that, but for those eager beavers: click here)



Is it “fair” for the banks to have to pay for the merchants’ mistakes?

Is it “fair” for the banks to charge $0.44 for a $15.00 transaction? If the retailer is netting 4% profit, that sale is worth $0.60 to them.

Is it "fair" that VISA, MasterCard, AMEX, and the rest of the credit card world don't have to pay for these fraudulent situations? They're making arguably about 3% of EACH transaction - how many in a year? In 2006, someone says 21.6 billion.


The answer probably lies in the theory of “equity”: he who benefits should share the risk of loss.


Now, let’s see: the merchants make a sale, the banks have a happy customer, they both benefit, right?  And what about VISA, MasterCard, American Express and all the other credit card brands? Aren’t they benefitting from these transactions? You can bet your bottom dollar they are… (in fairness to the credit card industry, their security requirements, PCI-DSS, are robust and effective, but not uniformly employed).



Two year old children have a hard time sharing, apparently so does big business.


National Data Breach Law Proposed

Another day of rain in Boston. That’s three in a row and at least four more coming. April showers bring May flowers, but what do May showers bring? Not pilgrims. How about data laws. Congress is awash with bills that deal with data in one way or another. They're just lining up down there in D.C.


I was reading through what has been called the “President’s Cybersecurity Legislative Proposal.” It has multiple parts, so today we will only dive into the “Data Breach Notification” [pdf] section, and examine two problems that jump right out at me.

There is plenty of analysis to be completed here, but we have to start somewhere, this is where I am starting:




The proposal follows a similar path as most of the bills that seek to protect our data. It defines what it intends to protect: Sensitive Personally Identifiable Information, or SPII.  Can’t we all just agree to call it the same thing?  Is it “PI” for personal information, or “PII” for personally identifiable information or is it now “SPII” for sensitive personally identifiable information?  As much as I like the acronym, SPII (pronounced “SPY” of course), it’s better if we all just called it “PII”. (the mathematicians took over PI a long time ago, remember: 3.14…?)


What difference does it make, you might ask. It makes a big difference, a real big difference. The President’s proposal defines the targeted information as:


(1) An individual’s first and last name, or first initial and last name in combination with any two of the following data elements:

            (A) home address or telephone number;

            (B) mother’s maiden name;

            (C) Month, day and year of birth;


(2) A non-truncated social security number, driver’s license number, passport number, or alien registration number or other government issued unique identification number;


It further defines “SPII” in sections 3 and 4 to include “biometric data” and financial account or credit or debit card numbers (apparently standing alone), or:


(5) Any combination of the following data elements:

            (A) an individual’s first and last name or first initial and last name;

            (B) a unique account identifier, including a financial account number or credit or debit card number…

            (C) any security code, access code or password or source code that could be used to generate such codes or passwords.


Note the missing information: e-mail addresses. I guess the Epsilon breach wasn’t that big a deal then, now was it? That party hasn’t even started yet – the bad guys are still designing the PHISH!!!


Recall that our good Senator Kerry and his far-flung fishing buddy, Senator McCain, in their “Commercial Privacy Bill of Rights”, defined “PII” as (paraphrased) name, address, E-MAIL ADDRESS (emphasis added), phone number, Social Security or other Govt number, credit card number, a “unique identifier that alone could be used to identify an individual”, and biometric data.


And for completeness, let’s get Massachusetts’ definition of PI out here too:


a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:


(a) Social Security number;


(b) driver’s license number or state-issued identification card number; or


(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account…


So we have PI, PII, and now SPII and they’re all different or “legally distinct” as one may say. Wow, what a fabulous example of you say tomAYto and I say tomAHto…but  what’s the third guy supposed to say?


OK, I can accept the differences at some level because in practice it will just make more work for lawyers like me. (see generally $$$) I point them out to emphasize the chaotic storm that is raging in Congress. We can’t seem to agree on what we want to protect. Imagine if all the different definitions, PI, PII, SPII, are put into law. What data did you lose, Mr. Company? Oh, you lost this, then got to tell so and so. But if you lost that, you got to tell them over there. But if you lost a combination of this and that, you need to tell them. It's like an Abbott and Costello routine.
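To make the "this, that, and a combination of this and that" problem concrete, here is an added example (my own code, not from the original post or any of the bills) that writes the three definitions quoted above as checks over the data elements in a lost record. The element names and sample records are constructed; reading section (5)'s "any combination" as two or more of its three elements, and the Kerry/McCain paraphrase as "any one listed element", are my assumptions.

```python
"""Which breach-notification definition does a lost record trip?

Added example, not part of the original post. It encodes the three
definitions quoted above (the proposal's SPII, the Kerry/McCain bill's PII
as paraphrased, and MGL 93H's PI) as predicates over the data elements a
record contains. Element names and sample records are constructed.
"""

from typing import Dict, FrozenSet

# Constructed vocabulary of data elements a breached record may hold.
NAME = "name"                       # first+last, or first initial+last
ADDRESS = "home_address"
PHONE = "telephone"
MAIDEN_NAME = "mothers_maiden_name"
DOB = "date_of_birth"               # month, day and year
SSN = "ssn"                         # non-truncated
DRIVERS_LICENSE = "drivers_license"  # or state-issued ID card number
PASSPORT = "passport"
GOVT_ID = "other_government_id"     # alien registration or other unique id
BIOMETRIC = "biometric"
ACCOUNT = "account_number"          # financial account, credit or debit card
SECURITY_CODE = "security_code"     # access code, password, PIN
EMAIL = "email"

Record = FrozenSet[str]


def is_spii(rec: Record) -> bool:
    """Proposal's SPII, sections (1)-(5) as quoted in the post."""
    # (1) name plus any two of: (A) address or phone, (B) maiden name, (C) DOB.
    # (A) is a single element, so address and phone together count once.
    sec1_hits = sum([
        ADDRESS in rec or PHONE in rec,
        MAIDEN_NAME in rec,
        DOB in rec,
    ])
    if NAME in rec and sec1_hits >= 2:
        return True
    # (2) a non-truncated government identifier, standing alone.
    if rec & {SSN, DRIVERS_LICENSE, PASSPORT, GOVT_ID}:
        return True
    # (3)/(4) biometric data or an account/card number, standing alone.
    if rec & {BIOMETRIC, ACCOUNT}:
        return True
    # (5) "any combination" of name, account identifier, security code.
    # Read here (an assumption) as two or more of the three.
    return len(rec & {NAME, ACCOUNT, SECURITY_CODE}) >= 2


def is_pii(rec: Record) -> bool:
    """Kerry/McCain 'PII' as paraphrased in the post. Assumption: the
    paraphrase lists elements, not combinations, so any one suffices."""
    listed = {NAME, ADDRESS, EMAIL, PHONE, SSN, GOVT_ID, DRIVERS_LICENSE,
              PASSPORT, ACCOUNT, BIOMETRIC}
    return bool(rec & listed)


def is_ma_pi(rec: Record) -> bool:
    """MGL 93H 'personal information': name AND any one of (a) SSN,
    (b) driver's license / state ID number, (c) account or card number
    (with or without the security code)."""
    return NAME in rec and bool(rec & {SSN, DRIVERS_LICENSE, ACCOUNT})


def triggers(rec: Record) -> Dict[str, bool]:
    """Which definitions a record meets: the Abbott and Costello table."""
    return {"PI": is_ma_pi(rec), "PII": is_pii(rec), "SPII": is_spii(rec)}


# Constructed sample records modelled on incidents discussed in this blog.
SAMPLES = {
    "mailing list (name + e-mail)": frozenset({NAME, EMAIL}),
    "registry paperwork (name, address, DOB, license)":
        frozenset({NAME, ADDRESS, DOB, DRIVERS_LICENSE}),
    "skimmed PIN pad (card number + PIN, no name)":
        frozenset({ACCOUNT, SECURITY_CODE}),
    "name + address + phone only": frozenset({NAME, ADDRESS, PHONE}),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:50s} {triggers(rec)}")
```

Note that the same e-mail list trips PII but neither PI nor SPII, and a skimmed card number with no name trips SPII but not the Massachusetts definition, which is exactly the "who do I have to tell" confusion described above.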





 Let’s get to what’s likely to become the scuttlebutt here in Massachusetts: STATE LAW PREEMPTION.


The Federal Government is allowed to pass laws that “pre-empt” or trump the various state laws because of the “supremacy clause”, Article VI, clause 2, of the U.S. Constitution. (U.S. Const. art. VI, cl. 2. – hope that’s proper citing, old law school profs, been a while) The Federal Government also has significant leeway in passing “supreme” laws in the area of “interstate commerce”. Those two words are dropped more often than “my uncle’s a cop” after being pulled over by the “staties” here in Mass. It’s where Congress gets a lot of their juice.  You can be sure that if they can get a law passed in furtherance of protecting interstate commerce, they will.



In what has been called “Section 109”, the President puts forward the following language in his proposal:


Sec. 109 Effect on Federal and State Law


The provisions of this title shall supersede any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data, except as provided in section 104(c).*


*for completeness: section 104(c) says essentially the States can require that the notice sent out after a breach include any “victim assistance program” offered by that particular State.


You noted the use of “interstate commerce”, right? It appears throughout the proposal.


So my question to ponder as I sail adrift in this storm is whether the Massachusetts requirement that businesses have a Written Information Security Program will be eliminated by the passage of this bill in its current state. You see, the proposed Federal law specifically says “supersede any provision of the law…relating to notification…” It doesn’t say any more or any less.


My initial read on this is that the Federal Government is trying to standardize the notification process by trumping all existing notification rules. The proposal lays out what the notification has to say, who it goes to and when. I can see the value in having a standardized approach to that, but there are problems, “matey!” (as in a ship’s mate – have you noticed the theme here?)


This law only applies to those companies who handle, (own, license, etc.) SPII of at least 10,000 people in a 12 month period. So, if I am a smaller company (i.e. less than 10K people’s PI, PII or SPII) in Massachusetts, am I off the hook?



But recall our “interstate commerce” connection. In order to have significant Federal involvement, and “supremacy”, the Feds really have to rely on “Interstate Commerce” as their basis to get involved. So this law only applies to those businesses that have at least 10,000 people’s information AND are involved in interstate commerce.


So, I am a small accounting firm or architecture firm, I do keep PI around, both of my employees and clients/customers. I employ lots of mobile devices and transmit the PI across the Internet on a regular basis. But all my business is in Massachusetts.  I paid big money for encryption software and other upgrades in order to be in compliance with the Mass regs… are you telling me that after only one year it’s going away?


There is an analogy… sort of… Back a bunch of years ago, Boston passed a rule/law that required restaurants to have a separate room for those customers who choose to smoke. That room had to have its own ventilation system. Many restaurants actually built out those rooms at a significant cost to the business. What happened next? Government passed a law that outlawed smoking in every restaurant, period.


Yes, that’s right, even government can change its mind.


It’s not clear that the proposal will actually sink the WISP, in fact there are several arguments to be made that the regulations under 201 CMR 17 will still stay in effect with the force of law. It’s just that there are arguments to be made that the passage of this proposal will put that issue “in play.”

This proposal now has to take the route made so famous in Schoolhouse Rock's "I'm just a bill... yes, I'm only a bill and I'm sitting here on Capitol Hill..." Do you remember how that ended?


 Assigned to committee..... amended, negotiated, amended some more.

And it died in committee...




 You can be sure that your author will watch this situation closely.


Massachusetts State Agency suffers data breach

It appears that one of the State of Massachusetts Agencies has suffered a data breach.  The Executive Office of Labor and Workforce Development (EOLWD) released a statement today announcing the possible breach.

Hiawatha Bray of the Boston Globe is covering it, as well as the Boston Herald.

It appears from the statement that a virus was discovered on or about April 20, 2011 and steps were taken to eliminate the virus. Computer security firm, Symantec, was involved.

Those steps appeared not to have worked. Yesterday, May 16, 2011, the EOLWD learned that  the virus had not been eliminated, but rather "persisted" and caused a "data breach."


The data involved appears to include Personal Information of unemployed individuals and employers who filed their required paperwork manually. The virus seems to have captured the information as it was being manually typed in at the infected work stations.

The statement says as many as 1,500 computers were affected and possibly up to 1,200 companies who filed their paperwork manually. The State is not saying how many individuals' information was involved because:

"There is no mechanism available to EOLWD to assess the actual number of individuals affected but any claimant who had their UI file [sic] manually (about 1,200 out of 180,000) may have had identifying information transmitted through the virus. For a claimant to have been impacted, a staff person would have had to key in sensitive information at an infected work station."

The period of time that "filers" should be concerned is April 19, 2011 to May 13, 2011.

MGL 93H obligated state agencies to develop certain protocols for data protection. Executive Order 504 does this and has some significant requirements. I can't help but wonder if a thorough review of those requirements would be enlightening.

They're calling it a virus, but I did a little research into the named "malware", "QAKBOT". It has been around since 2007 and has many variations, which makes it difficult to pin down and get rid of. Here's the interesting part: it's considered "Low Risk" by Symantec, the company that was providing security to EOLWD. Symantec also called it "easy to contain". Guess they're going to have to revisit that opinion.


UPDATE: 5/18/11

We now know that 210,000 people's information is alleged to be compromised as well as possibly 1,200 companies' information. Guess they found a "mechanism" to assess the actual number of individuals affected.


Sony data breach discussion on Lawyer 2 Lawyer

Yesterday, May 12, Legal Talk Network aired their talk show, Lawyer 2 Lawyer. The topic: The Sony Data Breach... The host: Bob Ambrogi... The guest: ME. That's right, little 'ol me!

It was an honor to be asked to discuss the issue. There were two guests, myself and Justin Brookman, Director, Consumer Privacy, at the Center for Democracy and Technology. Mr. Brookman had testified in Congress about data breaches only last week.

OK, the talk show is legit. They discuss real issues and have really good guests. How in the world did I end up on the show?

Maybe it's because I took a shot at the plaintiff's bar and their Sony lawsuits. (and by the way, I got voice mails and emails from people who want in on the suit, how ironic)  Or maybe it's because I try to shoot as straight as I can on these issues.

For whatever reason, I did get the opportunity and enjoyed the experience. If you have some time, have a listen.

What's really strange is that even after all these years of listening to myself try cases and elicit Grand Jury testimony, I still don't like the sound of my voice... I guess some people are just like that.


Michaels' Data Breach Hits Massachusetts

If you have shopped at this store recently, you should read this blog post and all the available press releases issued by Michaels.

May 4th press release

May 10th press release


According to the company's May 10th press release, Michaels stores located in Burlington, Braintree, Everett and Danvers have had their machines compromised. They are saying that their "PIN pads" have been "tampered with".


Bank of America has reached out to some customers and informed them that they are replacing their cards. According to the Chicago Tribune, 2 "staffers" at the LA Times were contacted by Bank of America and asked to call them at an "800" number. When they called, they were allegedly told by the B of A representative that their "card was part of a mass compromise". A Bank of America spokesperson is now saying that the rep on the phone is "mistaken" about the "mass compromise" and no further comment.


The news of problems with Michaels credit/debit card PIN pad machines was first disclosed by them on May 4, but appeared at that time to have been limited to the Chicago area. It is now being reported that at least 90 individual PIN pad machines have been "tampered with" in 20 states.

Michaels last listed 80 different stores in 20 states where they have confirmed that the machines have been tampered with.

Brian Krebs over at his blog, reported yesterday that a named police officer told him that withdrawals from the compromised accounts are taking place in Las Vegas and other West Coast locations, and exceed a million dollars. The withdrawals are in the $500 range and are made at ATMs. That means that the bad guys are making new cards with the stolen information, and are probably frustrated by the $500 per day limit on the accounts.

Please allow me to put this in context... The machines involved here may look like the ones pictured here:

[images: three retail PIN pad models]

I don't know the exact type that Michaels uses (happy about that right now), but what I do know is that if the device was physically tampered with then the bad guys either have a very very fast car or there are a whole lot of them. 20 states? 80 different locations?


What may come out is that the bad guys actually swapped out the real machine with a fake one. The fake one has been redesigned to copy all the credit card/debit card and PIN information being transmitted on the machine. In the old days the bad guys had to come back for the machines. I am aware of certain technology that now allows the information to be transmitted from the compromised device to the bad guys location "wirelessly." Usually they have to be somewhat nearby, say 1000 feet or so. For this one, I have no idea how the scam works.


The scope of this thing is scary. How long would it take to visit the 80 stores in 20 states? Just for fun, I used Google Maps... I put in 2 locations that I know are connected by one highway: Kirkland, WA and Braintree, MA - the highway is Interstate 90 and the distance is 3,086 miles. They say you can drive it in about 2 days and 2 hours, guess Google doesn't sleep.


Seriously, either there are a lot of bad guys in on this operation or the data has been available to the bad guys for a long time at some locations. Unraveling this will take a significant amount of time; thankfully the United States Secret Service has been alerted and is likely running the show now. This is in their wheelhouse. Hopefully when it's all over the USSS will tell us the whole story. Ya right.


This is the nightmare scenario for Michaels. I hope they had a "data breach scenario binder ready." They have to:

1) stop the bleeding, end the breach

2) figure out which numbers were swiped

3) notify VISA, MasterCard, American Express, Discover, Bank of America, Bank of -------, Fred's Credit Union, you get the picture (remember, 20 states, 80 locations)

4) read the applicable statute in the 20 states and make the associated notifications

5) contact their insurers, who are circling their wagons

6) hire a public relations firm

7) call Sony, Epsilon, RSA, TJX, Heartland for advice

8) contact their lawyers - fellas, over here in Boston I know a guy who knows this stuff


As this whole thing gets unraveled, I will see what Michaels' obligations may be under Massachusetts Data Privacy Law, and let you know my results. I will then have to figure out a way to put up a "pay wall" for members of Michaels' legal team who will certainly try to read it...



Lawsuits filed against Sony - the game is on


 Mirror mirror, on the wall... which Complaint will tell it all?

Almost immediately after the announcement of the Sony breach, a lawsuit was filed in the State of California, the "California Complaint".  On May 5, 2011, yesterday, a lawsuit was filed here in Massachusetts, the "Massachusetts Complaint". (thanks to Universal Hub for the complaint)


I have read both complaints and have concluded that plagiarism is alive and well. Of course, this is not to accuse any fellow lawyer of any impropriety, but if you take the time to read both complaints it is amazing how often both lawyers use the exact same sentence, same paragraph structure, same everything.

I was curious how these plaintiffs found these lawyers... you see, in the California case, the plaintiff, Mr. Kristopher Johns lives in Birmingham, Alabama. His lawyers? Novato, California. In the Massachusetts case, the plaintiff, Dawn Thompson lives in "Essex County", the lawyers? Wareham, MA. (about 70 miles south of Essex County)

Did the plaintiffs find the lawyers or did the lawyers find the plaintiffs?

And here I was thinking that a PlayStation user may walk into my office looking for legal representation, I am so naive...


After reading both complaints, side by side, I was amazed to find out that both plaintiffs purchased their Sony PlayStation "in or around 2009." Certainly could have happened, 2009 was a long year. The California Complaint claims that 77 million people's information was lost, while the Massachusetts Complaint claims "over 100 million" people's information lost. I guess California should have waited a week, they would have been informed of "part Deux", the second Sony breach.


In the California Complaint, in the section marked "Substantive Allegations", paragraph 33 it says:

"On information and belief, members of the Class have begun to experience losses from fraudulent use of credit car information believed compromised by the security breach alleged herein." 

You want to guess what the Massachusetts Complaint says in paragraph 32?

"On information and belief, members of the Class and Subclass have begun to experience losses from fraudulent use of credit card information believed compromised by the security breach alleged herein."

The California Complaint in paragraphs 40 and 43 claims that Sony left credit card information "unencrypted."

The Massachusetts Complaint in paragraphs 38 and 41 claims that Sony left credit card information "unencrypted."

So, even given the benefit of additional information, the Massachusetts Complaint is still taking the position that the credit card data was "unencrypted" and is being fraudulently used.


There has been no evidence that the credit card information has been used fraudulently, at least no credible publicly disclosed information, and Sony has always maintained that the credit card data was encrypted. Maybe these lawyers know more about the details than I do.

I am seriously thinking about doing a copy/paste job and put my brother's name on it... I know he uses PlayStation and don't care if he had a credit card on their system.


This is turning into a game. Both Complaints essentially ask for the same thing: Money. (How about that BILLION dollar lawsuit coming out of Toronto) Who wins the game?  Is it the first lawsuit in?  The second?  The biggest law firm's complaint?  The firms involved here are very experienced in these matters and can probably do a great job.  Does a guy from Birmingham, Alabama and a woman from "Essex County" really represent the injury sustained by the public from the massive Sony data breach?

The injury from this data breach is not so simple to gauge. What if it turns out that it was a couple of "Script Kiddies" who pulled this off and the data never left their basement? Much ado about nothing in that case.  What if it turns out to have been committed by true cybercrooks? Potential problems for years in that case.

The real injury here is to the confidence the public has in the digital world. Does anyone feel safe putting their information online? At the same time, do we have a choice?


Eventually, Sony will pay out millions of dollars because of this breach. Most of that money is in lost revenue, declining share price, internal costs associated with the investigation and rebuilding the system. Various State Attorneys General have gotten in the act, subpoenas need to be responded to, fines may have to be paid. There will be a significant legal bill to pay to defend suits like the ones discussed here. Even if the lawsuit can be won from Sony's end, it's not free to defend and in many situations, it's cheaper to settle it early.

I believe that "Justice" really doesn't play much of a role in cases like these. The counter argument to that is that by making companies pay significant sums, they will change their behavior so that future harm is prevented. And other companies similarly situated will take steps to avoid getting in the same situation, thus "protecting the consumer".



In reality, everything is about money, well, except Star Trek. Bonus points for the person who can tell me which episode the screen shot below comes from? One hint... Kirk and Spock encounter a transporter issue and end up in an "alternative universe" and their counterparts end up on the real Enterprise, except that the counterparts are really bad guys they just look exactly like Kirk and Spock, who has a goatee. (oh, and it's in the first line of this post)



Are these the good ones or the bad ones?


Sony Data Breach, part deux: tu as cassé ma confiance (you lost my trust)

Sony has a new problem: a recently disclosed second data breach. A Part Deux, if you will.

It's not actually part two because it happened at either the same time or just before the "other" one. Of course, we're just hearing about it now... That seems to be their method.


24.6 MILLION, (with an M) people's information stolen... That brings the total from the Sony breach to over 100 million people's information. That's a third of the country. I sincerely hope that there is some overlap between PSN (PlayStation Network) and SOE (Sony Online Entertainment). OK, I know, of the 77 million in the original breach or "OB" only 36 million were US citizens. Of the next 24.6 million in the new breach or "NB" we don't know yet how many were US citizens. We do know that 12,700 credit card numbers, debit card numbers, and financial account numbers from the NB belonged to non-US citizens in places like Germany, Spain, Austria and Netherlands. (Good luck in Germany, Sony, their data breach laws are b-brutal)

I have a new question for Sony: Do you have any other online gaming systems?


Just curious. 


100 million... that's a big number... and I got to thinking about my Kindle. How many Kindles are out there? This gentleman suggests over 5 million heading into 2011. Remember way back when it was cold and snowy I told you about my Kindle? I got it from Amazon and during the "setup" I had to give them a credit card number. I wonder how that number is doing today? Is it warm and fuzzy all wrapped up in unbreakable encryption? Or is it getting chilly sitting on a server in plaintext just waiting for a visit. I really don't know. Am I entitled to know? Can I call  up Amazon and ask them about their security apparatus?

I spent a lot of time reading their "Privacy, Security and Accessibility" webpage.

In relevant part, at least as relevant a part that I could find:

How Secure Is Information About Me?

  • We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.
  • We reveal only the last four digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing.
  • It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off when finished using a shared computer. Click here for more information on how to sign off.

I can read those words, but what do they actually say? Oh, wait, this is for those people using Amazon's website... but what about me? A Kindle user...

Found it: "Managing your Kindle on"

Doesn't help me, lots of information, but nothing about credit cards... except this: they say that they use something trademarked as "1-Click" to make the credit card purchases.

Is it ok to access free unsecured wifi on the MBTA commuter rail and make a wireless purchase via my Kindle and my credit card? Can someone on the train intercept my data? Is it "encrypted" during that process? Maybe the Kindle doesn't transmit any data via wifi, just my "request" for a new purchase. The rest of the transaction happens at  OK, that's just a guess, but a logical one. What about their servers? Can someone get my credit card number from them? Are they encrypted in a "separate table" like Sony's... Can someone "hack" my Kindle and then "get on their servers" and then "get my data"?


I don't know the answers to those questions, nor does Amazon's website help me answer those questions, and you know what? I'm ok with that. I don't need Amazon's security protocol out in the public domain for every Tom, Dick and script kiddie to read.


I just need to TRUST them, and you'd like to think that we can TRUST them. Incidents like these at Sony where 100 million people's information is taken are shaking that TRUST, now aren't they?




Did Sony lose credit card data or not?

Why can't we get a straight answer to a simple question?




Every day you don't answer that question creates a real probability of fraud being perpetrated on the banks.


First it was, "no evidence to suggest" that the credit card data had been stolen.

Then it was, "the credit card table was encrypted, but we still don't think it was taken"

Now there are stories all over the Internet that are saying that Hackers have 2.2 million credit card numbers WITH their associated CVV (that little 3 digit number on the back that you need sometimes)

Your author got an email from a person who said they were a Sony PS3 user and they told me that their credit card was fraudulently used shortly after the date of the breach.



    Ordinarily I provide links to the stories that either support my facts, or are the source of information. There are far too many today, and I can't tell which ones are accurate or which ones are merely repeating the information from a different source. If you want to read about the alleged "Hackers" just go to "google news" and you'll see that some 5,000 stories are floating around. Let me sum them up for you:

    Someone supposedly was on a "chat forum" where hackers tend to "chat". Apparently one of the hackers was claiming they had the credit card data, 2.2 million card numbers, and were offering it for $100,000.00 - they even allegedly offered "the list" back to Sony for the same price, but were turned down. (Sony denies this happened)

    Now there are also stories about fraudulent charges showing up on credit cards that are owned by PlayStation users. The source of these stories seems to be "gaming forum" websites where video game players "chat". I guess a few people have been "chatting" and "Tweeting" that their credit card had been used to buy various things fraudulently. One of the strange stories is that the fraudulent charges have been in Japan, Germany and the United States. And I must note that the charges seem to involve a physical presentment of a card.


    Here's my take:

    I can't see why the alleged hackers would discuss the matter publicly. From a law enforcement standpoint, if you "chat" online, I will likely find you in a matter of hours.

    There are generally two kinds of thieves in a situation like this... ones who use the credit card info and ones who sell it. So far the rumors out there have both events happening.

    Sure, credit card data is easily moved around. The data could certainly fly from California to Romania to Japan to Germany, etc. But to have fraudulent transactions conducted in various countries around the world with a very short time frame is highly unlikely. This is especially true because the "victims" are claiming that cash withdrawals happened, groceries in Germany were purchased, and "something" was bought at a "store" in Japan. Simply unlikely.


    I don't know if the credit card data was stolen or not. I will take Sony at their word that it was stored in an encrypted table. I don't know if the "key" for that encryption was stolen along with everything else. And finally, I don't know for sure if any or none of the stories about hacking and credit card fraud are true.


    What I do know is that Sony had credit card data and with that data you can identify the banks involved. (remember, it's not actually stolen in the physical sense, it's copied - meaning Sony still has the credit card numbers) If Sony would reach out to the banks involved, which they should have already done, the banks could flag those accounts. The banks may then issue new cards to the affected card holders. New cards ain't free ladies and gents, so don't count on that happening, not just yet.

    But, I have a solution:


    Cross reference the banks involved with the PS3 users. At some point the coincidence theory fails and the truth emerges.


    Fraudulent charges happen every day. With 77 million people's info involved, and an unknown number of credit card numbers involved, the truth cannot be discerned from the "victim" reports. They could be coincidence or lies. I take $600 out of my account and then claim I was a victim... not too difficult, is it?


    I return to my original question: Were the credit card numbers taken or not? Every day of delay in answering that is potentially costing the banks real dollars in fake fraudulent claims.



    It's official: Sony suffers massive data breach

    Sony has put out a statement about what happened. I would like to put this in context... Epsilon lost what, 40 million email addresses? The whole nation heard about that, either on TV, radio, Internet or via an email from the myriad of companies who sent out "notifications".

    Sony may have lost 75 million people's information. There are a little over 300 million documented people in the United States. That means that 25% of the population of the United States had information on Sony's network? And now who has it?


    Sony has been calling this an "outage", as if it were an electric company after a big storm. Excuse me, the fact that your video game operations are offline is not the problem here, it's the fact that 25% of the United States citizens now are worried about identity theft, or should be.

    Let's get to the specifics: Sony has said the following:

    "...we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained... WHILE THERE IS NO EVIDENCE AT THIS TIME THAT CREDIT CARD DATA WAS TAKEN, WE CANNOT RULE OUT THE POSSIBILITY. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

    From the statement posted by Patrick Seybold, Sr. Director, Corporate Communications & Social Media.

    I have been reading words written by lawyers for fifteen years and pride myself on being able to tell when they are riding the razor's edge. I don't know if Mr. Seybold wrote it, I doubt it, nor do I know if a lawyer wrote it, but I am sure that Sony's legal counsel had a look at this statement before it went out.

    Note that they are fairly certain that a bunch of your information was "stolen", but they're not quite sure that the credit card info was taken. A very convenient conclusion. Losing the credit card number would certainly make matters worse, but those could be changed... your name, address, etc cannot be changed.

    Everyone stays focused on the credit card number... oh dear, they have my credit card number.. oh dear... LOOKIT, (as my grandmother used to say) with one simple phone call that "credit card" is a piece of plastic, nothing more. Of course, in order to make that happen, you'd have to know that it was missing... and Sony seemed to have waited at least a week to finally tell us that "hey, maybe, well, possibly, ahhh, out of an abundance of caution, let's assume it's missing."

    I find it hard to believe that they can't figure this out. This isn't some small restaurant group in Boston who was tech-ignorant... this is freakin' SONY.  I know, they want to be sure before they go public. Not just "sure" but what I would call "no-other-choice sure." (as in, we have no other choice fellas, we have to tell mom we broke the lamp playing ball in the house)


    I took a hard look at the Massachusetts Law, MGL 93H, and its definition of "personal information". Name and driver's license number; name and social security number; name and:

     " account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account" MGL c.93H s.1(a)(iii)(c)

    If Sony lost the credit card number, and the person is from Massachusetts, bingo - our law applies. If not, well, it's not clear. Could the rest of the information that Sony lost allow access to someone's financial account? Can't tell.

    But let's revisit Sony's statement: recall they said that they can't say for sure if the credit card number was lost. (no evidence, but can't rule out the possibility - remember?)

    MGL c.93H s.3(b)(1)(2) says: "...(1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired..."

    There we have it ladies and gents, the razor's edge. They're willing to say to the public that "out of an abundance of caution, presume your card's been compromised." But they don't affirmatively say that they "know" the card info has been compromised. Can you see why?


    There are 46 different state laws regarding data breaches. I hereby offer my hourly services to Sony Corporation in assisting them comply with them, in the event they have to...


    And, as I like to do in situations like this, I'll take a guess at who did it: I think that the perps here are cybercriminals. This one's in their wheelhouse and now 25% of American citizens' personal information is in Eastern Europe being analyzed for future use.

    Does Sony have a WISP? They seem to have had a breach!!

    Late last week a small story broke that said Sony's Playstation Network was offline and would be out for a day or two.  Today the reports are getting more ominous. Various media outlets are now reporting that credit card data may be involved.

    This small story is about to go big time based on the 75 MILLION networked users (according to Fox), who lost the ability to play their games online;  it meant days of playing video games by, egad, yourself!! And the little fact that the reason they're offline is due to a hacking incident, oh yeah, and Sony may have some credit card information on their users.

    (ABC, CBS, WSJ and others are currently covering the news as well)


    Sony's Playstation allows you to play a video game against other users via the Internet.  It also allows you to shop in their "store" online and buy new games.  It also, apparently, allows you to keep a credit card on file to make those, likely to be impulsive, purchases.

    If you're not a "playa" I want you to know that this is big business.  Online video gamesmanship is a big deal.  A real big deal. As of March 31, 2011, they sold 50 million Playstation machines (read release here- pdf) That's just the console, how about the games? Plus the bragging rights you get to wield in school the next day are very powerful.


    Out of the 75 million users of Sony's Playstation Network, how many are from Massachusetts?  And how many of those Massachusetts residents have their credit card numbers on file?  And what other information does the user have to provide in order to get "hooked up online"?


    If even ONE of Sony's Playstation Network users is from Massachusetts, and Sony has their credit card info, they are required to have a WISP.  A Written Information Security Program that lays out all the little details of how Sony keeps your information private and protected.


    If it turns out that even ONE of Sony's Playstation Network users is from Massachusetts and their information was obtained by hackers, or otherwise "Breached" - - - - - - There shall be notifications made to the affected resident and the Attorney General. In fact, the Massachusetts Attorney General is entitled to be informed:

    1. How the breach happened
    2. What remedial steps the company has taken to prevent future incidents
    3. How many Massachusetts residents were affected


    I know what the words of the law say. I know what Sony's obligations under the law may be, both pre and post breach.

    If this turns out to be an actual data breach, will Sony get the same treatment as the Briar Group did?


    Do stay tuned.... this may get real interesting...



    Does the Massachusetts Data Privacy Law apply to Banks, Hospitals and other federally regulated entities?


    The regulations (201 CMR 17) say a definite YES.

    The law (MGL 93H) seems to say otherwise…


    Read on, my friends:


     Section 5 of the Massachusetts Data Privacy Law states:

    MGL 93H Section 5.

    “This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information; provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach. The notice to be provided to the attorney general and the director of the office of consumer affairs and business regulation shall consist of, but not be limited to, any steps the person or agency has taken or plans to take relating to the breach pursuant to the applicable federal law, rule, regulation, guidance or guidelines; provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.



    Let’s break this down: “this chapter does not relieve a person…from the duty to comply with…[other] law[s]…” That makes sense, lawmakers didn’t want to make a law that allows someone to be immune from other laws. Okay, so the MA Data Privacy law requirements do not forgive other obligations – got it.


    Then we see the infamous intro: “provided however.” In law school the “provided however” essentially meant that whatever you were reading was about to take a sharp left …oh dear… watch out, we’re turning….


    … “provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter IF…”


    OK, the legislature has now identified a group (those subject to federal laws) and is granting them “compliance”… IF – if what?


    … “IF, the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further…”


    So, if I am an entity that is subject to a federal law and comply with that law I am deemed in compliance with the Massachusetts law if I notify the affected Massachusetts residents when a breach occurs. Check, can do. But we see that pesky “provided further” and our sharp left continues…


    … “provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach.”


    Seems simple enough, I have rules and regulations promulgated by the Feds that I have to follow if I suffer a loss of data, a breach; in order to satisfy the Massachusetts law I simply have to be in compliance with the Federal law and then make sure to notify the Massachusetts residents and also the MA Attorney General and the Office of Consumer Affairs.



    And just to add one more twist to our journey, the good legislature uses “provided further” one more time:


    … “provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.”


    So, if I ignore the federal laws, I must follow this law – sound right?


    Is the inverse true? If I follow my federal laws, do I have to follow this one? The language of the statute seems to suggest that if you follow your federal laws, and make sure that you notify the correct people, you’re all set, or “deemed to be in compliance.”


    Let’s see what the legislators said during their debate of the bill: (from the legislative history)


    May 9, 2007 ----- RODRIGUES AMENDMENT: Rep. Rodrigues offered another amendment.

    Rep. Rodrigues said, this amendment specifically addresses those industries governed by federal statute and regulation. There are a couple that we know are custodians of much personal information and abide by very strong federal regulations in order to protect that information. This amendment would not exempt them from the requirements of notification, but if they are in compliance with federal law relative to notification, and all of the entities are notified that are required to be notified, they will be in compliance with this bill.

    The House adopted the amendment on voice vote.


    Seems very clear, doesn’t it?



    I am a hospital that is subject to HIPAA regulations. Those regulations have strict rules regarding “personal health information” and those rules specifically address what to do if you suffer a data breach. This seems to be exactly what the legislators were talking about when they voted for the “Rodrigues Amendment” and wrote section five, right?


    Allow me to refer you to the Massachusetts Office of Consumer Affairs and Business Regulations (“OCABR”) website, specifically the “FAQ’s” or “frequently asked questions” section:(pdf)


    I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well? Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.



    I want to be absolutely clear: the regulations in the code (201 CMR 17) are comprehensive and require significant effort to follow. The law, MGL 93H, says there must be regs, the OCABR created the regs. The regs require companies to have written policies, encryption technology, locking file cabinets, etc. It's not a short list.


    The law also has this “exception” built into it, doesn’t it?


    Why does the OCABR believe that a HIPAA compliant business must comply with their regs?




     I have researched the possible legal outcomes of this, so stay tuned for the conclusion.





    Does an ATM skimming breach require notification under law?

    In my hypothetical, a bad guy puts a "skimming device" on an ATM at a suburban bank, a couple hours later he comes back and retrieves it. He knew when to put it on - he conducted surveillance to figure out the busiest times and busiest days. During his "hit" 155 people used the machine resulting in 155 people's ATM card and PIN number captured by the bad guy.


    SKIMMING - an overview

    As I briefly touched on a few months back, skimming occurs in the criminal sense when a device made to look exactly like part of an ATM machine is placed over the actual part. I am talking about the card reader. That little slot where you put your ATM card. You put your card into that slot in order to access the machine, and your funds. The "skimmer" is also reading your card info. Generally the bad guy will need another piece of equipment to complete the act, a tiny camera that focuses on the key pad to record you entering the PIN code.


    To recap, the bad guy puts a device on the ATM that "reads" your card. He also places a tiny camera somewhere in the area of the ATM to retrieve your PIN. Later on, he retrieves both items. The device he retrieves has a memory chip that recorded all the card numbers that were used. The camera recorded all the PINs that were entered. A time/date stamp on both devices enable the bad guy to match up the ATM card number with the PIN.


     ENCODING - an overview

    OK, now what... the bad guy goes into a retail store that sells "gift cards". You've seen them... you can get iTunes cards in varying amounts, or Walmart gift cards, Target giftcards, just about any type of card you want. These cards sit on the shelf waiting to be "activated". There is no money on the cards until you take them to a register and have them "activated". BUT they have a magnetic strip that is ready to RECEIVE information...any information... including the newly obtained information from our friend, the bad guy.


    With some readily available equipment, he can "encode" the stolen ATM/PIN information onto ANY card with a magnetic strip, yup even a calling card for Africa. It doesn't matter what kind of card it's encoded on, once he's done encoding, he's not going to a department store to "present it" - - - he's going to another ATM to use it... the ATM doesn't know it's a Walmart card... it only knows that it's a card with a magnetic strip.

    He goes, he withdraws and, like Charlie Sheen, he wins.


    SOLVING THE CRIME - an overview

    So, the bank... it figures it out**(see below)... recalls the surveillance tapes, and sure enough, there's our bad guy putting it on the machine and taking it off. The bank people will have the start and end of the "skim", a picture of the bad guy and likely a list of all cards used during that period.

    But is that a data breach that requires notification?


    Hold onto your hats ladies and gents.... probably not.


    You mean to tell me that the bank down the street is KNOWN to have been compromised and you don't have to tell the public or even the 155 poor souls who used the machine?


    THE LAW: MGL 93H - Data Breach Notifications

    The Massachusetts Data Breach law says that the data involved has to be (for this example) a combination of "NAME" and a financial account number. If the ATM only reads the card number... and that's all the bad guy was able to obtain... then, well, no name - no notification.

    In fact, the bad guy doesn't even care what your name is... he just wants a working ATM card with the right PIN.


    Sure, your name is encoded on the card's magnetic stripe - but here's the funny part: there are at least 2 "tracks" on your card's magnetic stripe. Usually there are 2: Track 1 and Track 2. Based on some technological limitations, only one track can contain alpha-numeric characters, letters, and numbers. This track will have the cardholder's name and card number. The other track, without letters, contains your card number. (both have other info as well)


    So long as the bank can say that only the track without the name was the one read, then no notification is legally required.
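To make the Track 1 / Track 2 distinction concrete, here is an added example (mine, not from the original post) that takes the raw track strings a hypothetical skimmer capture is believed to contain and applies the post's reading of the statute: notification is triggered only when a record pairs a cardholder name with an account number. Track layouts follow the public ISO/IEC 7813 conventions; every card number and name below is a constructed test value, and the parser keeps only a masked account number.

```python
"""Added example, not code from the original post: scope a hypothetical
skimmer capture the way the post's notification test requires.

Track 1 carries the cardholder name, Track 2 does not, so which track the
device read decides the question. Layouts (public ISO/IEC 7813 conventions):
  Track 1:  %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
  Track 2:  ;<PAN>=<YYMM><service code><discretionary>?
All card numbers and names below are constructed test values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?$"
)


@dataclass
class TrackRecord:
    track: int            # 1 or 2
    pan_masked: str       # issuer prefix + last four only; the full PAN is never kept
    expiry: str           # YYMM as encoded on the stripe
    name: Optional[str]   # only Track 1 carries a name


def luhn_ok(pan: str) -> bool:
    """Reject strings that cannot be card numbers (noise, damaged reads)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual incident-report form."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> Optional[TrackRecord]:
    """Parse one raw track string; None for anything that is not a well-formed
    track carrying a Luhn-valid account number."""
    raw = raw.strip()
    m = TRACK1_RE.match(raw)
    if m and luhn_ok(m["pan"]):
        return TrackRecord(1, mask_pan(m["pan"]), m["exp"], m["name"].strip())
    m = TRACK2_RE.match(raw)
    if m and luhn_ok(m["pan"]):
        return TrackRecord(2, mask_pan(m["pan"]), m["exp"], None)
    return None


def assess_capture(raw_tracks: List[str]) -> Tuple[bool, str]:
    """Apply the post's reading of MGL c.93H: notification is triggered only if
    some captured record pairs a cardholder NAME with an ACCOUNT NUMBER."""
    records = [r for r in (parse_track(t) for t in raw_tracks) if r is not None]
    if not records:
        return False, "no parsable track data recovered"
    named = [r for r in records if r.name]
    if named:
        return True, (f"{len(named)} of {len(records)} records pair a name with an "
                      f"account number (Track 1 data present)")
    return False, (f"{len(records)} records hold account numbers only "
                   f"(Track 2 data); no cardholder name captured")


# Constructed sample capture: two cards read as Track 2 only, one line with a
# bad check digit (a damaged read), one line that is not track data at all.
TRACK2_ONLY_CAPTURE = [
    ";4111111111111111=25121011000000000?",
    ";5555555555554444=26031011000000000?",
    ";4111111111111112=25121011000000000?",   # fails Luhn, dropped
    "garbage that is not a track",
]

# The same capture, but this time a Track 1 read came along with it.
WITH_TRACK1_CAPTURE = TRACK2_ONLY_CAPTURE + [
    "%B4111111111111111^DOE/JANE^25121011000000000?",
]

if __name__ == "__main__":
    for label, capture in (("track 2 only", TRACK2_ONLY_CAPTURE),
                           ("with track 1", WITH_TRACK1_CAPTURE)):
        triggered, why = assess_capture(capture)
        print(f"{label}: notification triggered={triggered}; {why}")
```

The function only judges the data actually recovered from the device; if nobody has examined what the device could read, the "Track 2 only" answer is exactly the convenient conclusion the post is questioning.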

    This leaves a compelling question: do the banks HAVE TO notify the Attorney General and the 155 hypothetically affected card holders?

    Based on sources that I cannot disclose, some banks take the position that the only information read from an ATM "skimmer" is from the track without the name. Their position is that the compromised information came from that track and therefore no notification is required.

    But how do they know? Do they actually KNOW that the skimmer only captures the number and not the name? Or is it a convenient conclusion to reach?


    No company wants to go public with a data breach story. It is bad for business, just ask Epsilon.

    I guess that reaching the convenient conclusion is good for business, but is it the right thing to do?


    I spent a little time researching skimmers. You have to be careful, you are dealing with a very nasty group of people when looking for ATM skimmers. Most of them lie, some are undercover law enforcement, and some will really sell you a "skimming kit"...  I found one person claiming to sell a skimmer that reads both "Tracks" - it says it's a "hand skimmer" which wouldn't work on an ATM... but it appears the technology is available...


    I cannot say with any certainty that a bad guy's skimmer will read both tracks and therefore have your name AND account number. What I can say is that if the bank in my neighborhood was found to have had a skimmer on it, I would want to know because ATM skimmers are like termites, where there's one, there are likely more.


    FULL DISCLOSURE: This is a hypothetical situation created to discuss a potential serious data breach that goes undisclosed and unreported. I cannot say what any bank would do in any given situation like this - I would hope that at the very least the cards compromised would be replaced by the bank. I can say with relative certainty that a criminal investigation would follow any ATM skimmer being discovered and under Massachusetts law that investigation takes precedence and will delay any notification... but not indefinitely.


    ** "skimming" incidents are discovered in various ways: Sometimes a technician working on the ATM will discover it, sometimes a customer will notice it, and sometimes, after a group of affected card holders have their accounts drained, the bank will cross reference those cards' recent usage and discover that they all used the same ATM on the same day/time, etc.

    P.S. Skimming is a very popular crime. Brian Krebs of "" has a series of articles on the topic. 


    Massachusetts Attorney General v. Briar Group, LLC - Data Breach Settlement - the details

    Yesterday news broke (thanks to Jenn Abelson of the Boston Globe) that the Massachusetts Attorney General had come to an agreement with Briar Group, LLC regarding a data breach that dates back to 2009. I wrote on the topic and continued to investigate....


    A little research by your author turned up some interesting facts:

    One, the complaint was filed by the Attorney General in Suffolk Superior Court the same day as the announced settlement.

    Two, the facts alleged in the complaint are a lot more scary than what was relayed in the press release.


    Apparently the Attorney General was contacted by the Briar Group on November 25, 2009 and was informed by Briar that they had suffered a data breach. In fact, on November 25, 2009 the breach was STILL ONGOING. It wasn't until December 10, 2009 that the "malcode" was removed, thus ending the known breach.

    Some significant highlights of the complaint filed in court:

    • The breach involved "over 53,000 MasterCard accounts and over 72,000 VISA accounts."
    • Six of Briar's twelve locations were affected (Ned Devine's, The Lenox, The Harp, MJ O'Connor's Back Bay, MJ O'Connor's Waterfront, and The Green Briar).
    • The breach was discovered by a payment card processor in EUROPE on October 15, 2009.
    • The initial breach occurred at Ned Devine's in Faneuil Hall.
    • Briar was informed of the breach on or about October 29, 2009.
    • The president of Briar wrote an e-mail on November 5, 2009 stating that he wanted "to do the right thing" but did not want to "pay for an investigation that they could somehow avoid."
    • Briar hired Verizon Business Network Services only after being required by VISA to do so.
    • Verizon Business Network Services started work on Nov 15, 2009 - and established that the "malcode" was installed on April 24, 2009 and the "malcode" was gathering the "account number, cardholder name, expiration date and secure code"
    • Briar continued to accept credit cards the whole time.
    • The "malcode" was removed on December 10, 2009.
    • Briar had not changed passwords in over 5 years.
    • Briar had outsourced its IT work to Bromley Engineering.
      • "Peter Bromley... of Bromley Engineering noted in a December 2, 2009 e-mail to Briar that Briar's security "problems came up years ago when I first returned to Briar and saw the blatant lack of [] even basic security on the Micros servers." A second e-mail on March 25, 2010: "Probably the most egregious practice had been that all the Micros servers with which I have had contact used the same administrator and password - even at different restaurants."
    • The compromised accounts were used in Arizona, California, Nevada, Texas, the United Kingdom, Italy, India and Saudi Arabia.
    • More than 125,000 consumers were harmed by Briar's conduct.


    I have a copy of the Complaint AG v Briar.pdf and Final Judgment.pdf for your review.


    Did you visit one of these restaurants between April 24, 2009 and December 10, 2009? Did you pay by credit or debit card? Are you in the "know" or in the "dark"? Have you heard from The Briar Group, LLC? From the Attorney General? If so, I'd like to hear about it, unless you have been sworn to secrecy.


    So, we find out yesterday, March 28, 2011, some 25 months after the incident really happened and some 16 months after the known breach had been contained.

    [** A release by the New York Consumer Protection Board called the "Data Breach Report for the period of March 2010" lists that on 3/11/2010 The Green Briar, City Bar Solas, Ned Devine's Paris, The Harp, and MJ O'Connor's reported having suffered a "Hacking" affecting a total of 25 New York residents. So either there's a twin in NYC, or this is Briar]


    What breaches are currently ongoing that we won't find out about for 2 more years???


    It appears to me that the Attorney General did a thorough and complete job investigating the breach and it's likely that the delay in filing a complaint or going public was due to an ongoing criminal investigation which I hope was successful.


    The errors that Briar Group made are easily remedied IF a company takes security seriously. Their computer network setup had nothing in the way of real security, heck, they even had an unprotected WIFI network with access to their main system. Seriously? Unprotected WIFI?


    The Attorney General did NOT bring this action under MGL 93H, the "data breach law" now in force. The date of the breach pre-dated the effective date of the law. This is NOT the FIRST enforcement action under 93H / 201CMR17. This IS a serious breach. The details of the complaint show a complete disregard for the security of consumer information. This action was brought under MGL 93A, the consumer protection statute.



    If you are a restaurant group or a single proprietor, or a retail business or any business owner or decision maker who hasn't really thought about securing your information, please reconsider.

    Although $110,000.00 sounds like a lot of money, the fine could have, and based on what I read, should have been, much higher. The damage to the Briar Group's reputation is an intangible... will I go to their locations, probably... I don't know. How about 5 years from now when no one's watching them anymore? If I do, I'll definitely use cash.

    Taking credit cards when you know you have a problem is really disturbing, and I hope that $110,000.00 sends enough of a message, because it equates to roughly 88 cents per affected person. Not exactly a stinging fine, now is it?




    Major Boston Restaurant Group, The Briar Group, LLC - Data Breach Settlement

    Today, the Massachusetts Attorney General issued a press release stating that they had reached a settlement with The Briar Group, LLC which owns and operates several restaurants and bars in Boston including: The Harp, The Green Briar, Ned Devine's, MJ O'Connor's, Solas and more.


    I would be surprised if a Bostonian hasn't been to at least one of their locations.


    Apparently, the Briar Group's computer system was somehow compromised by the installation of what the Attorney General called "malcode". This "malcode" was apparently installed on their computer system in April of 2009 and remained on their system until December of 2009.

    During this nine month gestation period, the "malcode" allowed hackers access to customer's credit and debit card information including names and account numbers.


    According to the AG, the Briar Group has agreed to pay $110,000.00 in a civil penalty and agreed to:

    • be in compliance with the Massachusetts Data security regulations;
    • be in compliance with the Payment Card Industry Data Security Standards;
    • "establishment and maintenance of an enhanced computer network security system;"
    • develop a security password management system; and
    • implementation, maintenance and adherence to a Written Information Security Program. (WISP)

    The Attorney General points out that the "data breach occurred prior to the effective date..." of 93H / 201CMR17 (the Massachusetts Data Law with the stinging penalties) but the data security standards laid out in the law and the regulations were used in the settlement.


    This is all "hot off the presses", but I have some concerns... This company has, according to their website, 12 venues. That is 12 locations taking credit cards. From my old days (10 years) bartending for competing restaurant "groups" in Boston, I can tell you that the number of credit card transactions processed across 12 locations during a nine-month period is PROFOUND!

    To drive home the point: let's just say 100 per day per location, which is likely way too low. The total is then over 300,000 transactions. (12 locations times 100 times approximately 250 days)

    Now, I don't know if this breach affected all 12 locations, nor do I know if each and every transaction was susceptible to the "malcode", but I do know that the retail industry, and in particular, the hospitality industry, is, and has been, ripe for this type of breach.


    Do we know the extent of this breach? Do the people whose cards were exposed already know? How many banks were forced to reissue cards because of this? Will anyone be held criminally responsible, or does this just end up a dead end in Romania...


    I commend the Attorney General, and AAG Scott Schafer, for making this news public and for also taking the time and effort to hold this company accountable. Perhaps other restaurant groups out there will have a hard look at their systems so that another nine-month-long data breach doesn't expose half a million people's credit cards to the hackers.


    I think I will use cash tonight.


    Federal Data Privacy Law looms

    Back in early February, I wrote about the possibility of a Federal Data Privacy Law in 2011.  I know, a genius prediction… There are, by my count, three different data privacy bills being proposed in Congress.


    Recently Senator Kerry released his proposed bill and thanks to the good folks over at Hogan Lovells, I was able to read the Senator’s draft. Based on the following facts, I believe that the Senator’s Bill, with some alterations, will likely be the Bill that Congress gets behind.

    • First, the content is clearly the result of negotiation and communication with the private sector. There are significant opportunities for industry self-regulation, and there is no “private right of action” included.
    • Second, this Bill is co-sponsored by Senator John McCain, an influential Republican who based on his 70 years in Congress is likely owed votes by half of Congress.
    • Third, the Obama Administration has indicated its support for this type of law.
    • Fourth, the good Senator used the term “Bill of Rights” in the name, how do you vote against that?


    If you would like to read the proposed Bill, I suggest that you read Attorney Christopher Wolf’s blog post and the bill is linked to his site. Attorney Wolf is extremely knowledgeable on these issues and does a great job explaining the Bill.


    Just as Attorney Wolf’s blog post does, most of the posts (here, here, here) that I have seen commenting on the bill have talked about what the Bill proposes to do. I am going to focus on what the Bill DOESN’T DO. Why simply copy when you can create? Besides, they already did a great job.


    Senator Kerry’s Bill is called “Commercial Privacy Bill of Rights Act of 2011” and deals directly with regulating those businesses and industries that collect and/or collect and share data about individuals with or without the person’s knowledge. Most of this activity is done online. So, it seems to me that the Bill is trying to control the snooping being done online in the name of collecting awesome intel for advertisers.


    In my old post, I used the term: Federal Data Privacy Law and suggested that a proposed Federal Law may mirror the existing Massachusetts law. The two have absolutely nothing in common. I should probably consider changing the name of this blog to “Massachusetts Data Breach Blog”.


    Data Privacy in the Federal sense, according to Senator Kerry's Bill, involves that information about you that is available when you are online and engage in “interstate commerce.” (See finding #6 below.)


    Data Privacy in the Massachusetts sense involves that information about you that anyone has, anywhere. You see, our law transcends the simple “data breach laws” because it makes clear that if you have a person’s information, you must take steps to protect it before you lose it.



    In the United States today, there are 46 different State Laws that deal with data breaches. Some are similar and some are very, very different. Either way, if you’re a company that does business nationwide, and you have a breach, you’re going to have to deal with all or some of those very different laws. Why are the citizens of the various states treated differently? Some will get detailed information about the breach, some will get generic information and some will get none….


    Senator Kerry’s Bill includes “Findings.” These are important pieces of information that tell the world “why” Congress is passing this law (or at least that’s what they're supposed to do). Findings numbered (5) and (6) are the most interesting for my purposes.


    (5) To the extent that States regulate the treatment of personally identifiable information, their efforts to address Internet privacy could lead to a patchwork of inconsistent standards and protections.

    (6) Existing State, local and Federal laws provide inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.


    The Senator and his crack team have correctly identified that states passing their own laws on the same topic creates a "patchwork". I give him and his team credit for putting this bill forward before that "patchwork" is created.


    What this bill doesn’t do is solve the patchwork problem of data breach laws. I believe that Senator Kerry had an opportunity to do just that. Sure, it would have been more complicated, but better for both business and citizens in the long run.


    The bill also doesn’t deal with the possibility that one of the soon-to-be regulated companies loses a person’s information. I have to play this out. Company A is an online retailer; they are subject to the new “Privacy Bill of Rights” law, they give the “opt in” and “opt out” buttons, and they don’t violate the rest of the federal law’s regs… but one day their entire database of “opted in” people is stolen. Oh dear, what now…. What now is Company A's lawyers better start reading those 46 different state laws, cuz there’s no guidance in the new Federal one.



    So, in the end, I was dead wrong. Sure, there will be a bill passed at the Federal level with the word “privacy” in it, just not the one I had envisioned. Apparently Congress is going to take the divide and conquer strategy. Divide up data privacy into as many small laws as possible and then leave it to us lawyers to find, memorize and explain them all.

    Massachusetts General Hospital fined $1 million

    According to a U.S. Department of Health and Human Services (HHS) press release, and a story in today's Boston Globe, Massachusetts General Hospital agreed to pay a $1 million fine for lost data containing what is known as PHI or Personal Health Information. The records were apparently left on an MBTA Red Line train and contained 192 patients' records. By my count that means a cost of $5,208.33 per patient record. My, what an expensive train ride that was!!

    This comes on the heels of another health organization, Cignet, being fined $4.3 million by HHS. The allegations there strike me as really strange behavior by Cignet. Forty-one patients apparently told HHS that they had requested copies of their medical records from Cignet but had not received them. Patients are entitled to their own medical records. Cignet apparently ignored their requests, and when HHS finally got involved, Cignet made the interesting decision to ignore HHS' subpoena too. Those two strange decisions were very expensive.

    At first I thought that Cignet must have lost the records and that's why they didn't give them to the patients... and I still thought that as I read on and found that Cignet ignored the Federal Govt's request for the records. Then the records miraculously appeared after the Feds got a court order. So, you mean to tell me, "Mr. Cignet", that you had the records all along? Are you kidding me? Since I don't have all the facts, I will leave this one filed under: "Really?"

    MGH actually lost their records, so they're in a different category altogether. Those things happen. Paper records, laptops, BlackBerries, Androids, etc., are, by the nature of the items, "lose-able". (To be clear, the settlement did not involve MGH admitting to any negligence or anything else ["losing", for example] other than the corrective action plan and the fine.)

    That's the funny thing about these data protection/privacy laws. They make you a victim twice. Let's say, for argument's sake, that the records were on a laptop, and the laptop was actually stolen. Someone grabbed it as the doors on the train were closing and poof, it's gone. That's larceny or robbery and it's a crime. Now, you as the owner of the laptop are subject to fines by the Government because of what was on that laptop. Victim of a robbery and "victim" of the Govt's authority.

    As a result of the settlement with HHS (PDF):

    Mass General also agreed to enter into a Corrective Action Plan (CAP), which requires the hospital to:

    • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
    • Train workforce members on these policies and procedures; and
    • Designate the Director of Internal Audit Services of Partners HealthCare System Inc. to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.

    Now they have HHS on their backs for 3 years. Hey, sometimes it's 20 years! It also sounds like they have to develop a "comprehensive set of policies..."

    The actions that MGH is required to take are very similar in scope to what's required under MGL 93H / 201 CMR 17.

    Hospitals and other medical industry organizations have significant compliance regulations under HIPAA. The Federal Government has just shown us that they are serious about enforcing those regulations.

    The Massachusetts Government, through the Attorney General's Office, has the authority to impose fines just like the Feds did if a company fails to comply with the MA Data Privacy Laws.

    Moral of this lost records story: don't ignore or underestimate these compliance laws and "see what happens"; that's almost as bad a decision as Cignet's. (** This is not to suggest that MGH did either.)


    P.S. - After HHS's investigation, Cignet received a letter which gave them an opportunity to appeal the fine, request a hearing on the fine or otherwise engage in some communication with the Government entity levying such a fine... what do you think they did (PDF)?

    Your zip code is private. Really? It is in California

    The Supreme Court for the State of California has ruled that a retailer cannot ask you for your zip code when you make a purchase using your credit card. Read the case here (PDF). A shopper at Williams-Sonoma bought something with her credit card and was asked by the cashier for her zip code. Thinking that it was necessary to complete the transaction, she gave it to the cashier, who promptly entered it into the store's computer system.

    Providing your zip code during a credit card transaction makes sense from a security standpoint. If a bad guy found, stole, or otherwise had your credit card, he may try to use it. (surprise!) When he presents the card, he may not know where the actual owner lives, so by asking him for the zip code the retailer may foil his attempt to fraudulently use the card. Of course, if he stole your whole wallet or purse, he'll probably have that info, but if he has to look through a purse to get the zip code in front of the cashier, one hopes that the cashier may find that strange.

    It is fascinating: with such a legitimate, pro-consumer, anti-fraud purpose for requesting the zip code, why did the court find it illegal?

    Why was Williams-Sonoma asking for the zip code? As it turns out, it was not to confirm the identity of the card holder but to gather information for a database. The company was able to take the zip code and the purchaser's name (obtained from the credit card info) and conduct a "reverse search" through some fancy computer program to get the purchaser's home address. Once they had the home address they would send catalogs. The company would also sell the person's information to other "partners" or "affiliates" who wanted to send this person catalogs.

    Now I get it... security is ok - marketing is not ok... is that it?

    Not exactly. The real problem here is that the company "recorded" the information: they kept it, manipulated it, and even sold it. The law in California certainly gives businesses the ability to request identifying information when conducting credit card transactions; it just doesn't let the businesses keep the information.

    We have become a society of "data pack-rats". We keep everything, forever because "you never know..." The privacy area of the law is developing in such a way that frowns upon such behavior. Only take what you need, when you need it, and get rid of it when you're done. Of course, that information may be worth something, and in fact it can be worth a whole lot. These competing issues will play out in courtrooms all over America and I, for one, am very happy to hear that.
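To make the distinction concrete, here is an added example (mine, not the court's, the retailer's or any payment processor's code) of the two checkout patterns discussed above: one that uses the zip code for the fraud check and then keeps it in a customer database, and one that uses it for the check and throws it away. The issuer lookup table, the test card numbers and the merchant "database" are all constructed stand-ins; a real merchant only sees a match/no-match answer from its processor.

```python
"""Constructed illustration of zip-code verification with and without
data retention. Everything here (issuer records, card numbers, the
merchant's storage) is made up for the example and is not any real
processor's API."""

from dataclasses import dataclass, field
import hmac

# Constructed stand-in for the card issuer's billing-zip lookup. In reality
# the merchant never holds this table; the processor answers match/no-match.
# The card numbers are well-known fake test values, not real accounts.
_ISSUER_BILLING_ZIP = {
    "4111111111111111": "02108",   # constructed: Boston billing zip
    "5500000000000004": "94103",   # constructed: San Francisco billing zip
}


def issuer_zip_matches(card_number: str, presented_zip: str) -> bool:
    """Compare the presented zip to the issuer's record in constant time.
    Unknown cards simply fail rather than revealing which field was wrong."""
    expected = _ISSUER_BILLING_ZIP.get(card_number)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), presented_zip.strip().encode())


@dataclass
class MerchantRecords:
    """The merchant's own storage. `customers` is the marketing-style
    database the California case objected to; `audit` holds only what a
    fraud check needs to be reviewed later."""
    customers: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def checkout_retaining(records: MerchantRecords, card_number: str, name: str,
                       presented_zip: str, amount: float) -> bool:
    """The pattern the post describes: verify, then keep name + zip for
    'reverse search' and mailing lists. Returns the verification result."""
    ok = issuer_zip_matches(card_number, presented_zip)
    records.customers.append({"name": name, "zip": presented_zip})
    records.audit.append({"card_last4": card_number[-4:],
                          "zip_check": ok, "amount": amount})
    return ok


def checkout_minimal(records: MerchantRecords, card_number: str, name: str,
                     presented_zip: str, amount: float) -> bool:
    """Data-minimising version: the zip is used for the check and dropped.
    `name` is accepted so the two functions are interchangeable, but neither
    it nor the zip is persisted; only the outcome and a truncated card
    reference are written anywhere."""
    ok = issuer_zip_matches(card_number, presented_zip)
    del presented_zip  # no further use; nothing below can store it
    records.audit.append({"card_last4": card_number[-4:],
                          "zip_check": ok, "amount": amount})
    return ok


def stored_fields(records: MerchantRecords) -> set:
    """Every field name the merchant persisted, for a retention review."""
    names = set()
    for row in records.customers + records.audit:
        names.update(row.keys())
    return names


if __name__ == "__main__":
    r = MerchantRecords()
    checkout_minimal(r, "4111111111111111", "A. Shopper", "02108", 49.99)
    print("minimal checkout persisted:", sorted(stored_fields(r)))
    r2 = MerchantRecords()
    checkout_retaining(r2, "4111111111111111", "A. Shopper", "02108", 49.99)
    print("retaining checkout persisted:", sorted(stored_fields(r2)))
```

`stored_fields` is the kind of question a retention review actually asks: not "did you verify the zip" but "what is still on disk afterwards". For the minimal version the answer never includes the zip or the name.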

    And since this is a Massachusetts Data Privacy Law Blog, here's how we do it here: M.G.L. ch 93 s. 105: retailers cannot require you to provide "personal information" unless the credit card issuer requires it to process the transaction. "Personal Information" includes (but is not limited to): the card holder's address (see Zip Code) and telephone number. Some credit card issuers do require the zip code, but guess what, they don't ask the merchant to keep it.... at least they're not supposed to, according to the agreement (PDF) signed with Visa.