backTarget Settles For $18.5M Over 2013 Customer Data Breach – On May 23, 2017, Target Corp. reached a settlement with 47 states and the District of Columbia, agreeing to pay $18.5 million to resolve the states’ investigation into Target’s 2013 customer data breach. The resolution represents the largest multistate data breach settlement to date.
In December 2013, Target announced that it had suffered a data breach affecting more than 41 million customer payment card accounts and personal information for over 60 million customers. Cyber-attackers accessed Target’s customer service database and installed malware that captured shoppers’ data over a period of 19 days in November and December 2013. According to the announcements from various states’ authorities, the breach exposed customers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification data, and encrypted debit PINs. Illinois Attorney General Lisa Madigan stated that the hackers gained access by using credentials stolen from a third-party HVAC vendor and exploiting weaknesses in Target’s security system.
Madigan and Connecticut Attorney General George Jepsen led the investigation into the breach, in conjunction with 45 attorneys general from other states as well as Washington, D.C. While their findings are confidential, they apparently found that the data was inadequately secured: In addition to the multi-million dollar financial penalty, the settlement requires Target to encrypt and segment its customer payment card data from the rest of its computer network and to implement strengthened security features to control access to its network, such as password rotation policies and two-factor authentication for individual, administrator, and vendor accounts. Target will also be required to hire an independent third party to conduct a comprehensive security assessment within a year of the settlement date and hire an executive or other officer to implement and maintain a comprehensive information security plan at the company.
The settlement with Target “establishes industry standards for companies that process payment cards and maintain secure information about their customers,” Madigan said in a statement. “People must remain vigilant about activity on their credit and debit cards as it’s not a matter of if but when you are going to be a victim of identity theft or a security breach.”
The states’ settlement of $18.5 million follows over $100 million in agreed payments by Target to settle with payment card companies and financial institutions that alleged financial losses and other damages as a result of the retailer’s breach. A consumer class action settlement of $10 million is also in the process of being considered for final approval in multi-district civil litigation.
Reporter, Nicole M. Pereira, New York, NY, + 1 212 556 2132, npereira@kslaw.com
Senate Subcommittee Holds Hearing On Cross-Border Data Warrants – On May 24, 2017, the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism held a hearing on issues related to warrants for data stored abroad by U.S. entities and possible reforms of the Electronic Communications Privacy Act (“ECPA”). The hearing, titled “Law Enforcement Access to Data Stored Across Borders,” involved testimony from federal, state, and United Kingdom law enforcement representatives, as well as those from academia and industry.
The hearing stems in part from a 2016 decision by the U.S. Court of Appeals for the Second Circuit—Microsoft v. United States, 829 F.3d 197—which held that Microsoft was not required to produce email data stored on servers in Ireland in response to an U.S.-issued search warrant. Other courts, including the U.S. District Court for the Northern District of California, have reached the opposite conclusion and have ordered the production of such foreign information.
All of the witnesses (including the Chief Legal Officer of Microsoft) agreed that the ECPA, which was enacted in 1986 and governs the treatment of warrants for electronic data, is outdated, and that the overall legal framework regarding data stored internationally is chaotic and uncertain. Moreover, companies that must produce such information are subject to conflicting laws in differing jurisdictions and may be faced with warrants demanding data whose production violates the privacy laws and regulation of the nations in which the data is stored.
The witnesses also agreed that a complete ban on cross-border data warrants, as in Microsoft, places too high a burden on legitimate law enforcement and national security needs. Alternatives to the cross-border warrant process, such as direct requests to foreign authorities, are much slower and ineffective in time-sensitive investigations.
While the witnesses agreed that a comprehensive solution must involve legislative action, they disagreed on the best course of action. For example, the Department of Justice took the position that Congress should amend the ECPA to overrule Microsoft altogether, while other witnesses cautioned against any solution that failed to take conflicting international laws and regulations into account. The witnesses all seemed to agree that one possible solution was a legislative framework that allowed the U.S. government to negotiate reciprocal treaties with foreign governments that would explicitly codify the treatment of warrants under that nation’s privacy laws. The witnesses pointed to a proposed U.S.-U.K. Bilateral Agreement of Data Access, but congressional action is needed before the U.S. can enter into such an agreement.
Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com
Rep. Blackburn Files Bill To Return ISP Regulation To Federal Trade Commission – On May 18, 2017, Representative Marsha Blackburn (R. TN) introduced H.R. 2520 (the “Bill”) to the House of Representatives, which purports to shift online privacy regulation authority from the Federal Communications Commission (“FCC”) to the Federal Trade Commission (“FTC”). The introduction of the Bill by Rep. Blackburn comes on the heels of the issuance of a Notice of Proposed Rulemaking (“NPRM”) by FCC Chairman Ajit Pai, which was approved by the FCC in a 2-1 vote, and proposes to reverse the FCC’s 2015 Open Internet Order (“Title II Order”) classifying Internet service providers (“ISPs”) as Title II common carriers. Because the 2015 classification of ISPs as common carriers largely exempted them from FTC authority, the Bill, in conjunction with the NPRM, would shift the weight of regulatory authority over ISPs from the FCC to the FTC.
The Bill would “require providers of broadband internet access service and edge services . . . to give users opt-in or opt-out approval rights with respect to the use of, disclosure of, and access to user information collected by such providers based on the level of sensitivity of such information, and for other purposes,” according to its title. Although the full text of the Bill has not yet been released, the Title II Order mandated that ISPs require users to opt-in to any collection of personal information and data of such users by their ISP rather than providing an opt-out mechanism. Because requiring users to opt-out allows ISPs to engage in such collection practices until they are told not to by individual users, opt-out regimes arguably afford users fewer privacy protections than an opt-in scheme. An opt-in scheme allows ISPs to engage in such collection practices only when authorized by individual users, thus adding an additional hurdle ISPs must clear before engaging in such data collection practices. Whether the Bill provides additional, alternative privacy protections to counteract any perceived flaws with an opt-out scheme will be known once the full text of the Bill has been released to the public.
No votes or hearings are scheduled for the Bill at this time, likely because the relevancy of the Bill is tied to the FCC’s ultimate decision on the NPRM, for which the 90-day comment period is open until July 26, 2017.
Reporter, Brett Schlossberg, Silicon Valley, +1 650 422 6708, bschlossberg@kslaw.com