Publix hasn’t had a data breach but is already seeking PR help in case it does — good or bad?

Chaos? Plan Ahead!This is interesting. Publix grocery store chain has made the news because of data breach — not because they have had a data breach (though they probably have and just don’t know it) — but because it has been learned that it is sending out proposals for PR help in the event it does have a data breach. The reaction to this is mixed. Some people think it is good but many are taking a cynical view of this move.

What do I think?

Well, thank you for asking!

I like it. First, one of the most important messages I try to preach these days is the need for companies to take the threat of data breach seriously, to prepare ahead of time, and have a plan in place so that all they have to do is execute that plan in the event a breach occurs. Look, I blogged about this just this past week and a whole bunch of times before.

Does the fact that the attention to Publix’s preparation is being focused on the fact that it is seeking PR help in any way diminish this?

That depends.

One of the key components to any breach response and breach response plan is to involve PR to help the company properly “message” their response to its customers to help minimize the overall disruption to the business. If the business crumbles, nothing else matters — the PR side is a key component to this is crucial.

So, if Publix is screening and assembling its PR team in an overall effort to prepare for a breach, that tells me that it is taking data breach seriously [give it a check] and that it is putting resources behind that concern [give it another check], and putting a plan in place to be prepared to respond to the inevitable data breach [give it another check]. This is good — this is what we are encouraging.

What this also tells me, and that I hope is the case, is that if Publix is devoting energy and resources to this kind of preparation, there is at least a decent chance that it is putting energy and resources into actually hardening its data security systems and improving its overall cyber security as a company. If this is true, then this is great — this is exactly what we are trying to encourage!

Now, if my assumptions are wrong and all that Publix cares about is the PR message and nothing else, well, then that is a much different story. If it is, then I really have to question the wisdom of its leadership because what this shows is that Publix is aware of the threat, recognizes the harm it can cause, is devoting energy and resources to it but in a self-centered and careless way, and is making a conscious decision to not correct it — and when that happens, if it has a breach, it just may be the one to get it!

Check out the article for yourself, here’s a brief quote:

Publix operates 1,082 locations in six states across the South and Southeast, and ranks as one of the 10 largest supermarkets by volume. The company’s request for proposals says it “would like to understand how a PR company could provide assistance preparing for, and during a data breach, e.g. advice and assistance with messages.”That could include a “proactive review” of Publix customer relations and “rapid response scheduling in the event of a confirmed breach. Publix prides ourselves in the relationships we build with our customers and associates and as such will require a company with outstanding communications skills and experience.”

via ‘Proactive’ Publix seeks PR help in event of data breach | TBO.com, The Tampa Tribune and The Tampa Times.

Gov’t Contractors Must Notify of Data Breach Within 3 days

Is your company prepared to respond to aIf your business is a contractor for the federal government, you had better have your data breach response ducks in a row. The moment you detect a breach, the clock starts ticking and you have only 3 days to notify of the breach. Yes, I said 3 days!

You better already know who your legal counsel a/k/a “breach coach” will be.

You better already know who is on your company’s breach response team.

You better already know who your cyber security forensics and remediation firm will be.

You better already have your PR professional in place.

You better already have your notification vendor in place.

You better already know what information must be in your notifications, depending on the jurisdiction.

You better already know what information cannot be in your notifications, depending on the jurisdiction.

You better already have your cyber insurance in place.

In other words, you had better have your breach response plan in place and be ready to execute that plan within 3 days’ time.

Tick. Tock.

 If you are not prepared, now is time to get prepared. Take the first step by contacting Shawn Tuma and learning more about his unique CyberGard–Cyber Risk Protection Program.

 

Source: Feds to Toughen Up Data-Breach Reporting Rules | Corporate Counsel.

 

Two Step Data Breach Risk Test for Texas Businesses

What is a data breach under Texas law?

What is a data breach under Texas law? Hint: it doesn’t take much!

Does your business have this digital information about other people?

1. last name + first name or first initial +

social security number, driver’s license number, or other government issued identification, or

account or card numbers + access codes,

or

2. information that identifies an individual + concerns a health condition or healthcare 

If you answered “yes” to either of those two questions, your business is at risk of a data breach.

That information is called “Sensitive Personal Information” (SPI) under Texas law. If that SPI is taken, accessed, or its confidentiality or integrity is compromised, your business must give proper notification to all of the individual data subjects whose SPI was compromised. Because that SPI is entrusted to your business for safe keeping, a compromise can be something as simple as one of your employees taking copies of the SPI with her when she leaves to go work for a competitor, since that SPI is no longer secure within your business, but is now disclosed to another business.

The penalty for failing to notify the data subjects of the breach is up to $100.00 per individual per day for the time the notification is delayed but cannot exceed $250,000 for a single breach.

If the SPI is encrypted, however, there is no data breach unless the one who obtains the SPI has access to the decryption key.

You can read more about Texas’ Data Breach Notification Law in this post and the text of the actual statute titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code.

521.053 of


 

About the author

 

Shawn Tuma is a lawyer who is experienced in advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the boarder of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

e Texas Business and Com

Breach Notifications Should Focus On Preserving The Customer Relationship First, Then On Legal Requirements

Hit or Miss?

When responding to a data breach, the company has two primary objectives that must be balanced: (1) complying with the legal notification and remediation requirements; and (2) preserving its relationship with its customers. In my opinion, the second is always the most important because if the business fails, we too have failed.

In order to focus on preserving its relationship with its customers, the business must put itself in the customer’s shoes and ask how the customer would feel upon receiving its communications. The article below looks at Target’s breach notification email and explains how something as simple as the choice of domain for the email address can impact customer confidence and perception.

James Lyne, global head of security for Sophos, received an email from Target—although he claims that he is not even a Target customer. There are apparently many people receiving breach notification emails from Target who did not shop at Target and are not affected by the breach.

Lyne dissected the email in a post on Forbes, breaking down point by point all the ways Target failed.

Target breach notifications are a perfect example of what not to do | PCWorld.

So, your business has never had a data breach? Have you ever had an employee leave?

i quitTAKEAWAY: Businesses must protect their data from being taken by anyone who is not authorized to have it — insiders and outsiders alike. If their data is taken in a way that is unauthorized, it is a data breach. When a former employee leaves with a thumb drive, Gmail inbox, or Dropbox of your businesses’ data, that person is then an unauthorized person in possession of your businesses’ data and that is a [YOU FILL IN THE BLANK].

The Problem

Businesses lose employees everyday for various reasons. When an employee is leaving it is not uncommon for them to think something like this:

  • “I did a really great job on that project, that’s really my work, not Tyrannaco’s.”
  • “I brought those customers to Tyrannaco, they are really my customers.”
  • “I did such a great job on that proposal that I am going to keep a copy for a form in case I ever need to do one again.”
  • “The stupid management at Tyrannaco never recognized the value of what I brought to the table — I need to let these people know that I was really the one doing all of the work.”
  • “I always keep a copy of everything I do, that way if it gets lost, I always have a backup copy.”

… and with those rationalizations, and infinitely more, we all know what happens next. The employee decides to keep their own copy of your businesses’ data, including all of the sensitive private information that your businesses’ customers have entrusted to you for your safekeeping. And then the employee decides to open their own business or go to work for one of your competitors and guess what they’ll bring with them …

Let’s summarize: Your customers entrusted your business with their sensitive information, which was taken from your business and is now in the hands of someone else. You, my friend, have been breached!

Now the next section tells you why you should care. I’ll leave it at that, you get the point.

Overview of Texas’ Data Breach Notification Law

Texas’ data breach notification law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that at that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure notify?

Section 151.151 of the law provides for a penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time but is not to exceed $250,000 for a single breach.

Any more questions?

Texas’ Amended Data Breach Notification Law

Texas amended its existing data breach notification law which became effective on September 1, 2012. The relevant section of the law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that at that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure notify?

Section 151.151 of the law provides for a penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time but is not to exceed $250,000 for a single breach.

Data Breach – Who’s Gonna Get It?

Ford Pinto

Ford Pinto (Photo credit: Wikipedia)

The message–that’s what I’m talking about–who’s gonna get the message sent to them first?

UPDATE: Global Payments Inc. April 2012 Data Breach Costs $94 MILLION!

Data breaches, hacking, and privacy are one of the biggest news stories for 2011 and we are just just barely through the first half of the year. By now even the most zoned-out among us should have heard of the hacking that led to data breaches by businesses like Sony, Citigroup, and Lockheed Martin. The list of companies that have been hacked seems like the Who’s Who of the business world. Some reports even estimate that 90% of businesses have been hit by security breaches.

This is a big issue. Very big.

And you would think that business leaders would understand that their businesses could also be at risk for such a data breach and, if it were to happen, expose the business to significant liability under various data breach notification and privacy laws in many states. The hacking and data breaches are still happening, however. People’s personal information is still getting exposed and nothing seems to be slowing the hackers down.

Why? Can they not stop this?

Is it impossible for businesses to prevent these data breaches? Is it perceived as being too expensive? Too troublesome to bother with? Is it really? How about I tell you a story that may demonstrate why it is definitely worth the trouble?

Have you ever heard of the Ford Pinto? The car itself isn’t nearly as important as what it stands for in legal history: big punitive damages awarded by an angry jury.

The Pinto was an economy car that Ford built back in the 1970s that had one major problem:It exploded on impact. The structural design of the Pinto allowed the fuel tank filler neck to break off and the fuel tank to be punctured in rear end collisions which would occasionally cause deadly explosions. The even bigger problem according to the “Ford Pinto Memo” was that Ford knew it. Because it would cost $11 per vehicle to redesign Ford used a cost benefit analysis to determine that it would cost less to defend against wrongful death lawsuits stemming from such explosions of the car and consciously chose not to fix it.

In the case Grimshaw v. Ford Motor Co., Ford was sued over such a death and the jury, learning of Ford’s callous disregard for human life through this cost-benefit analysis, sent one heck of a message to Ford. It awarded the plaintiff $2.5 million in actual damages and $125 million in punitive damages. That’s a lot of money (especially in 1970s dollars)! Even though the punitive damages award was substantially reduced by the courts, it serves as a very good example of what juries can do when they get the feeling that big companies knowingly sacrifice the rights of individuals to save a couple of bucks.

What really impacted the jury was the fact that Ford knew the risks but consciously chose to do nothing about it because of what it would cost. Obviously the magnitude of loss of life is far greater than the loss of privacy so the situations are different in that regard. I can’t help but think, however, that since the risks to breach of people’s privacy rights are so well known now, companies that do not take adequate steps to protect those privacy rights are running a risk of being sent the same message that Ford got — especially if it is discovered that they could have prevented it but didn’t to save a couple of bucks.

So the question is, “who’s gonna get sent that message first?” Surely not your company, right?