When does the public need to know about a data breach?
To political junkies, Massachusetts Attorney General Martha Coakley is best known as the Democrat with an uncanny knack for snatching defeat from the jaws of victory. First she lost to Republican Scott Brown in the election to fill the Senate seat left open by the death of liberal icon Ted Kennedy, and this past November she lost her race to become Governor of a state that has been run by two-term Democrat Deval L. Patrick. So much for AG standing for Aspiring Governor. But Coakley has aggressively pursued data breaches, and what Massachusetts does in this area is worth paying attention to.
This brings me to the subject of today's blog: yesterday she announced an $825,000 settlement with TD Bank for failing to notify her office of a March 2012 data security incident until October 2012. The settlement stemmed from a courier's loss of account backup information. According to the press release, when TD found out that data backups it believed it had entrusted to couriers had not arrived at its storage facility, it conducted an internal investigation and found no evidence of fraud or of unauthorized access to or use of the personal information involved in the incident.
The National Conference of State Legislatures tells us New York is one of forty-seven states that have a data breach notification law. But these laws ostensibly leave much room for determining when the notification requirement kicks in. For instance, New York's provides:
"Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization…." N.Y. Gen. Bus. Law § 899-aa (McKinney)
The private information covered by the statute includes Social Security numbers, driver's license numbers, and account numbers or credit or debit card numbers in combination with any required security code.
What the Massachusetts settlement underscores for me is that you don't have as much flexibility in deciding when the statute is triggered as you might think you do. For instance, New York's law applies when a data breach results in a "reasonable belief" that the breached data fell into the hands of an unauthorized person, which is usually going to mean a third party. I'm reading between the lines of the Massachusetts settlement, but it appears that the bank was slow in reporting the breach in part because it concluded that the data loss did not compromise anyone's privacy. It did an investigation, saw no indication that the misplaced data was misused, surmised it was misplaced by its vendor, and moved on.
This is a good legal argument, since the bank had no evidence that anyone other than an authorized vendor or a bank employee accessed the information.
But don't put yourself in the position of having to make this argument. When in doubt, follow the statute's requirements. Consumers are sensitive to data breaches, and AGs are getting more and more sensitive to the issue.