07.15.2009 Companies Held Accountable for Consumer Data Security
In today’s digital age, most companies gather and rely on significant amounts of sensitive personal information from their customers and employees. The risks to the consumer if the data is compromised are apparent, but what are the risks to the company holding that data? What if the breach is caused by hackers and not negligence? The TJX Companies’ recent settlement — for $9.75 million — with 41 state attorneys general and the Obama administration’s recent cyber security review demonstrate that companies are being held accountable (in terms of the size and frequency of penalties) for the integrity of the sensitive personal information they collect and hold.

The TJX Companies Inc. learned the high cost of security breaches the hard way. Massachusetts Attorney General Martha Coakley and 40 other attorneys general contended that the company failed to properly protect its customers’ financial information. These state investigations followed litigation brought by TJX customers against the company and its bank, Fifth Third Bancorp, over data breaches caused by computer hackers that compromised the security of at least 45.7 million consumer credit and debit cards. TJX settled the customer litigation case in September 2008 for more than $10 million. Related to that breach, TJX entered into a $40.9 million agreement with Visa in November 2007, and a $24 million agreement with MasterCard in April 2008, to cover breach-related expenses incurred by the issuing banks, such as replacement of credit cards. And in March 2008, TJX agreed to a settlement with the Federal Trade Commission (FTC), under which TJX agreed to submit to an independent security audit every other year for 20 years.

Information security requirements are a mix of state and federal statutes and regulations and, in some cases, industry standards. Most broadly, using the authority in §5 of the Federal Trade Commission Act, the FTC (1) enforces the privacy and information security commitments made by businesses in their statements and policies; and (2) monitors information security practices that cause injury to consumers. Most FTC action occurs after a breach or other event causing injury to consumers. It is important to note that the FTC has taken the position that any person or entity that collects sensitive personal information must take reasonable measures to ensure the safety and integrity of such information; failure to do so may be a deceptive trade practice. In addition, specifically focused federal statutes and regulations thereunder, such as the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996, impose specific information security obligations on the entities covered by such statutes.

States also regulate information security, usually through consumer protection statutes, such as the Maryland Consumer Protection Act, the Virginia Consumer Protection Act, and the District of Columbia Consumer Protection Procedures Act. Certain states may also have specifically-focused information security statutes and regulations. Investigations led by state attorneys general can be a considerable challenge because (1) each state may open an investigation at the same time (TJX was the subject of 41 concurrent but somewhat coordinated investigations); and (2) a state investigation does not necessarily preclude a federal investigation, an industry-led investigation or private litigation. State statutes can also differ in defining the information subject to their protections.

To the extent a company uses payment card (debit or credit card) information, it must comply with the Payment Card Industry data security standards. Other industry groups have developed self-regulatory standards. Companies also face the possibility of litigation from consumers (individually or as a class), as well as public relations damage from unfavorable media coverage of an information security issue.

Despite these challenges, businesses that collect and use sensitive personal information can minimize their risk by:

  1. Developing a strong information security policy and procedure that, among other things, appoints a single person as the company’s information security “czar”;
  2. Auditing, on a regular basis, all computer systems and other information collection channels to determine and remedy any weak points;
  3. Determining what information it collects, and why, and limiting collection and use to only that information necessary to achieve a specific purpose (such as executing a transaction);
  4. Limiting the number of people who may access sensitive information, informing such people of the company’s security policy, and requiring that such people affirm their understanding of, and agreement with, the company’s information security policy;
  5. Physically securing sensitive information and, when the time comes, disposing of such information properly and completely (such as through erasing and/or burning storage media);
  6. Requiring the use of strong passwords by persons with access to sensitive information, prohibiting the sharing of such passwords, locking out access points after a period of non-use, installing firewalls, using regularly-updated anti-spyware (and related) software, encrypting data transmitted over public lines, and developing a policy and safeguards on the remote access (such as through mobile devices or home computers) of sensitive data; and
  7. Monitoring and updating internal information security standards as required.

If a breach (any unauthorized access to sensitive information) does occur, certain jurisdictions (including Virginia, Maryland and the District of Columbia) have statutes covering what must be disclosed to affected consumers, and when such disclosures should be made. In addition, a company may consider notifying law enforcement if the breach may involve criminal activity, as well as credit bureaus and other businesses that may be affected by the breach.

Businesses are well advised to be proactive in this area, and to stay ahead of potential problems. While the risks and potential damages are significant, simple risk mitigation strategies can provide confidence to consumers and businesses alike.

For more information on this topic, please contact Michael E. Burke, 202.293.8137.
