Any business handling credit card transactions, or confidential health or financial information, needs to be aware of important new amendments to the State of Connecticut’s security breach notification law.
Effective Oct. 1, 2012, new subsection (b)(2) of the existing Connecticut General Statutes Sec. 36a-701b — the Data Breach Notification Statute — requires the Connecticut Attorney General’s Office to be notified of a data breach. Prior to this enactment, Connecticut and other New England states had established themselves at the forefront of consumer protection law by requiring anyone doing business in the state to give notice of a breach of computerized data, without unreasonable delay, to the residents who may have been affected.
The new provision now mandates that notice also be given to the Attorney General’s Office. A number of other New England states, including Massachusetts and Vermont, have developed some of the strongest data encryption and notification requirements in the country in an effort to limit the identity theft and fraud occurring inside their borders. As part of the Connecticut Attorney General’s Privacy Task Force, a dedicated Web page detailing these new reporting requirements is available at www.ct.gov/ag.
Given the volume of malware and organized crime activity on the Internet, law firms cannot be too cautious about regularly updating their security tools and assessing their risks. Many of the data breaches occurring today are just as likely to be caused by inadvertence or negligent handling of customers’ personal information on the devices that store or transmit it, often in an environment where nobody understands which security standards apply.
Any business accepting credit cards or operating in other regulated areas would be well advised to pay much closer attention to its internal practices and policies for using, handling and storing customers’ names, addresses, Social Security numbers, account numbers and other sensitive health or financial information. Regularly updating computer security, training employees, restricting user access and understanding the legal requirements of the particular environment will help a business stay ahead of the costly aftermath of a data breach.
If a business outsources these functions to third-party vendors, it is critical to verify that the vendors meet or exceed current security standards on all networks and devices. Inasmuch as the criminals are often a step ahead, cloud computing and other next-generation technology should be adopted only after weighing the benefits against the risks.
Adding to this potentially daunting situation is the fact that most states have developed their own data breach laws, so any business with customers outside Connecticut must also comply with the notification laws of those other states. There has been a move in Washington toward a national standard, but until one is enacted, the laws of each state, the applicable federal standards and any other regulations must be consulted to avoid the costly consequences of failing to meet notification requirements.
Failing to notify affected individuals without unreasonable delay can also result in substantial penalties imposed by regulators. Because there is no defined standard for what “notice without unreasonable delay” means in a given case, the affected business and the attorney general of the state where the breach occurred (or was suspected of occurring) may have very different views of when notice should have been provided.
Also important to note is the additional provision in this section that a failure to comply with the notification requirements can be deemed an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), potentially exposing a business whose systems were compromised to further liability.
Data breaches in today’s tech-driven world are a much more common occurrence than many businesses realize. Anyone accepting credit card payments should become acquainted with the Payment Card Industry Data Security Standard (PCI DSS). These requirements governing credit card transactions are often neither fully understood nor fully complied with by the merchants handling the transactions. The PCI Security Standards should be carefully reviewed to ensure compliance with the current version. (See http://pcisecuritystandards.org)
Founded in 2006 by the major payment card brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. — the PCI Security Standards Council has over 600 participating organizations representing merchants, banks, processors and vendors worldwide. Businesses that do not comply with these standards are at much greater risk of a data breach and of the significant legal and financial consequences that follow.
All too often the third-party vendors selling point-of-sale (POS) card processing systems do not make merchants aware of the technical requirements the merchants are required to meet, leaving unsuspecting merchants with the door wide open to attack. At this time, the security standards, and the assessment of penalties against merchants, are privately regulated by the major card brands and are subject to widely varying state notification standards and resulting fines.
This new notification requirement to the Attorney General’s Office presumably will assist enforcement efforts and provide further protection to state residents against fraud and identity theft. The new provision will also affect health care and financial vendors, which for many years have been regulated under the Health Insurance Portability and Accountability Act (enacted in 1996), the Health Information Technology for Economic and Clinical Health Act (enacted in 2009) and the Sarbanes-Oxley Act (enacted in 2002), by enabling the attorney general to assess additional fines for lack of compliance.
With this new law, any business that uses, stores or transmits personally identifying information, such as names, addresses, Social Security numbers, account numbers or other protected information, is well advised to familiarize itself with the legal and technical requirements of its industry in order to protect itself from the high cost of an inadvertent or malicious data breach and the consequences certain to follow.
In the PCI DSS arena, it is estimated that 50 percent or more of merchants processing credit cards do not meet the defined industry standards. Adequate encryption on every device that uses, stores or transmits cardholder data is critical to breach prevention. The small cost of regularly conducting audits, upgrading security tools and training staff is well worth the investment compared to the high cost of responding to a data breach.
Only after forensics has been completed, with the clock running, will the breached entity know just how many individuals, attorneys general, banking institutions, local law enforcement and FBI officials or other regulators will need to be notified. The aftermath for an affected entity will amount to much more than the sum of the legal expenses, forensics, notification costs, fines and penalties.
For attorneys, the potential ethical issues that arise and the loss of confidence by the consuming public would be an even bigger price to pay. Ensuring that your firm meets or exceeds all applicable security standards and carefully training staff is one of the best ways to avoid a breach and the serious consequences that follow.