April 2009: Data Security in the Call Center.
by Joseph Sanscrainte, an attorney specializing in telemarketing law.
"While no organization can 100% prevent illegal activities of third parties, it can certainly decrease the likelihood . . . . The evidence showed that the defendant had absolutely no procedures or safeguards in place to ensure that confidential information was not accessed by unauthorized persons. . . . Even as recent as a decade ago, it could be said that the likelihood of identity theft occurring as the result of personal information being allowed to leave defendant's premises was remote. However, today, the possibility of identity theft is all too commonplace." - Bell v. Mich. Council 25 (Michigan Court of Appeals, 2005)
In the case quoted above, the Michigan Court of Appeals awarded $275,000 to a class of plaintiffs who had fallen victim to identity theft. The identity theft occurred because, as the Court determined, the defendant had failed to implement proper procedures or safeguards to protect the personally identifiable information (PII) within its control. As more litigation related to identity theft occurs, both in the United States and around the world, the question of what constitutes "proper" procedures or safeguards will undoubtedly be contested and further defined. The onus is on companies that collect PII, however, to try to stay one step ahead of the breach liability curve.
Data security breaches are already a costly matter, thanks to international laws granting a range of protections to consumers. These costs fall into two broad categories: the direct costs associated with handling the breach itself; and the downstream costs resulting from the repercussions of the breach. In most U.S. states, Canada, and New Zealand, data breach notifications are required where consumers' PII has been breached under circumstances where it is reasonably believed to have been acquired by an unauthorized third person. Where such laws are in place (and they are under consideration in the EU and in the Asia-Pacific region), companies experiencing a data breach face costs associated with the notice to consumers, and very often costs for credit monitoring and replacement of credit cards. At first blush, such costs may not appear to be that great - but the numbers associated with data breaches (e.g., millions of records lost) make such costs quite significant. For example, following a well-publicized data breach, TJX Companies, Inc. paid out $65 million in settlements to Visa and MasterCard just for the costs of credit card replacement.
The direct costs of the breach are all too often just the beginning of a company's exposure. Significant data breaches may garner the attention of government regulators, the credit card associations, class action lawyers, and individual consumers. Government fines associated with lax security practices have made headlines recently, and rightly so - the fines tend to be in the "seven figure" range. (Examples abound, but a few notable ones include: ChoicePoint entered into a $15 million settlement with the Federal Trade Commission over the breach of 163,000 records; CVS Pharmacies paid a $2.25 million settlement to the U.S. Department of Health and Human Services over improper disposal of patient information; and Vodafone was fined $103 million by Greece's Data Protection Authority for failing to protect its network from hackers who monitored a mere 100 mobile phone accounts - one of which belonged to the Greek Prime Minister.)
One downstream cost that is often overlooked (but not for long) is the fines levied by credit card associations (Visa, MasterCard, American Express, Discover, etc.) for infractions of the associations' Payment Card Industry Data Security Standard (PCI-DSS). All card processors, and the merchants for which they process card payments, are contractually obligated to comply with the PCI-DSS, with potentially significant consequences. The card associations constantly monitor fraud activity around the world via such programs as Common Point of Purchase reviews (which can identify the common point of compromise across multiple fraudulent transactions). Where such locations are identified, the merchants operating them are contacted and required to facilitate on-site investigations - and more often than not, violations of the PCI-DSS are discovered. In such circumstances, the card associations will fine the responsible processor, who in turn passes these costs along to the merchant (since the processor is collecting monies directly from that merchant, it is normally not a difficult matter to make such collections). The trend with regard to such "enforcements" is to pass as much of the cost of the fraud down to the merchant as possible, under the theory that it is the merchant that is at the front lines of data security. The unfortunate reality is that every breach of credit card data can result in millions of dollars of subsequent fraud and, in turn, fines by the credit card associations - as Fifth Third Bancorp found out when Visa levied a $1.4 million fine against it following a data breach involving BJ's Wholesale.
Lawsuits are another source of downstream liability, and it is anticipated that litigation related to data privacy breaches is going to increase. Such litigation could take the form of individual claimants seeking recompense for damages related to just the existence of the breach itself, or (as in the Bell case, above) claims related to actual fraud committed as a result of the breach. Although such cases present their own unique frustrations, most companies are more concerned with the potential for class action lawsuits - and this concern is justified. Again, examples abound - TJX Companies, Inc. settled its class action lawsuit for an estimated $100+ million (the exact costs were never disclosed); and the U.S. Department of Veterans Affairs paid $20 million to veterans affected by a data breach. Finally, all companies recognize that the true costs of a data breach must also include consideration of loss to brand - one-time costs, fines and settlements can be quantified, while loss of reputation is far more difficult to repair. For example, Heartland Payment Systems suffered a 40% decline in its stock price in the aftermath of announcing a major data breach - and declines in sales and market share are also common setbacks for companies reporting breaches.
A silver lining . . . "The Court concludes that Guin has not presented sufficient evidence from which a fact finder could determine that Brazos failed to comply with [Gramm-Leach-Bliley]. In September 2004, when Wright's home was burglarized and the laptop was stolen, Brazos had . . . policies in place to protect the personal information, trained Wright concerning those policies, and transmitted and used data in accordance with those policies." - Guin v. Brazos Higher Educ. Serv. (US Dist. Court, Minn., 2006)
For those companies searching for the silver lining in the data breach cloud, it is this: courts (and presumably, regulators as well) are beginning to recognize that a data security breach should not be treated as a strict liability issue. That is, companies that have reasonable policies and procedures in place, that disseminate such policies and train their employees on them, and that conduct monitoring related to such policies, will be well-positioned to plead "safe harbor" in the event of a breach. As the Bell Court recognized, there is no 100% iron-clad system that can prevent data breaches - however, the response by companies to this should not be (as so often appears to be the case today) to simply declare defeat. Rather, companies should aim for the successful outcome in the Guin case, quoted above. In Guin, the defendant was able to establish that it had policies, training, and safeguards in place, and the Minnesota District Court concluded that Brazos was not liable for the data breach that occurred.