
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


HOW FAST IS FAST ENOUGH TO TELL CUSTOMERS ABOUT DATA BREACHES?

Source: Corporate Counsel

Posted on July 27, 2011

In financial data breaches, timing is almost everything. On June 13 a federal court held Comerica Bank liable for data breach losses even though it notified the customer and stopped all account activity within six hours. Two days later Citigroup Inc. was explaining why it took nearly a month to start notifying 360,000 customers of a breach. While Comerica didn't act fast enough for the court, experts say Citi's delay may have been justified.

Confusing? Such disparities can baffle not only companies and consumers, but also lawmakers trying to create a uniform standard for handling breaches.

As cybercrimes run rampant, notifying customers has become a hot-button issue. And it's only grown hotter with new studies suggesting that all companies are vulnerable. A survey released in April by the Michigan-based Ponemon Institute, which specializes in research on privacy and security issues, showed that data theft is growing "more frequent, more severe, and harder to detect and stop."

Privacy gurus like Marc Rotenberg are worried. Rotenberg, executive director of the Electronic Privacy Information Center, has joined a cyberchorus calling for the federal government to act.

Politicians are listening. In June alone, there were three House and Senate hearings on cybercrimes and identity theft. Citing a dramatic increase in attacks that "threaten the future of electronic commerce," Representative Mary Bono Mack (R-California), chairwoman of the House subcommittee on commerce, manufacturing, and trade, introduced a draft bill in June that would establish national standards for data security and breach notification.

Though Mack is open to some changes, she said at one hearing that she wants any new law to require fast notification to consumers. There are 46 state laws on data breaches, with differing requirements. Some demand prompt notice, while others simply say "in a reasonable time" or "without undue delay." Mack prefers the fast track, arguing, "Consumers should be promptly informed when their personal information has been jeopardized."

Even the U.S. Chamber of Commerce agrees that Congress needs to do something. Jason Goldman, Chamber counsel for telecommunications and e-commerce, says his group supports a national uniform standard on data breaches, "but we need to work out the details."

What Goldman means is that not everyone agrees on what a new law should require. While there are several points of contention - preemption of state laws is one - a key sticking point continues to be timely notification of customers.

Finding a solution won't be easy. While not the largest cyberattack on a bank this year - that dubious honor belongs to Citigroup - the Comerica case shows how easily banks can be duped into handing over huge sums to sophisticated crooks. And even relatively quick action didn't protect the bank from liability.

It started with a simple e-mail that landed in the inbox of Experi-Metal Inc.'s controller, Keith Maslowski, in January 2009. The message appeared to come from the company's bank, and Maslowski followed the directions to click on a link and enter confidential log-in data and other codes as part of routine maintenance. The details are laid out in a lawsuit that the small metal shop in Sterling Heights, Michigan, filed against Comerica. Scam artists used Maslowski's codes to initiate more than 85 wire transfers, moving $1.9 million out of the company's account to China, Estonia, Finland, Russia, and Scotland.

It took the bank only six hours to spot the unusual activity, notify the customer, and stop the transfers. But it wasn't good enough for the federal judge. Court documents show that the company had only two prior transfers in two years. On June 13 U.S. district court judge Patrick Duggan in Detroit ruled that Comerica was responsible for the $560,000 that remained unrecovered because the bank didn't act "in good faith." The judge ruled that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."

Timing is also an issue as various government agencies probe Citigroup's breach. That case began on May 10, when routine monitoring detected compromised credit card information affecting some 360,000 customers. To determine cardholder impact, Citigroup analyzed "millions of pieces of data," according to a later press release. The bank said it began notifying affected customers on June 3.

Connecticut attorney general George Jepsen, joined by several other state regulators, is investigating. In a June 13 letter to Citigroup CEO Vikram Pandit and general counsel Michael Helfer, Jepsen wrote: "The absence of detailed information in public reports of this incident heightens my concerns." Among other things, Jepsen requested copies of all notifications sent to customers as well as a final date when Citigroup expects all affected customers to be notified.

Jepsen's office says that Citigroup, which has pledged to repay the $2.7 million its customers lost, has said that it will respond to his questions. Helfer declined to comment for this article, and spokesman Sean Kevelighan would say only, "Considering this is still an ongoing investigation and for security reasons, we will not be commenting further."

Not all companies are so secretive about breaches. On March 30 Epsilon Data Management, LLC, the world's largest e-mail marketing service, discovered that it had a problem. Epsilon's general counsel, Jeanette Fitzgerald, outlined the facts in June testimony before Mack's House subcommittee, and added details in an interview.

The company first detected a breach when an employee noticed suspicious activity on his account. Epsilon began investigating immediately and found that the employee's log-in credentials had been compromised. At this point Fitzgerald was brought in. "I focused on the breach nearly 24/7, along with others on the internal response team, and outside legal and forensics experts," she says.

Epsilon contacted the Federal Bureau of Investigation and the Secret Service, which is the official guardian of the nation's financial system. The feds began investigating just two days after the attack, and Epsilon simultaneously began notifying affected customers and posted a notice on its Web site. It appears that millions of names and e-mail addresses were taken.

Company executives have granted interviews and testified before Congress about what happened. Epsilon responded rapidly, Fitzgerald told Congress, because customer trust is essential to its relationships with some of the largest consumer and financial services companies in the world. "We had to be open to ideas to properly evaluate the situation and to take the appropriate steps," she says.

Bottom line: Comerica took only hours to notify its customers; Epsilon took two days; Citigroup took nearly a month. The "winner" (in terms of quickest notification) is the only one that has chalked up a courtroom loss.

Yet, such disparities have led some to call for a fixed notification period. But not Eric Goldman (no relation to the Chamber's Jason). A professor at Santa Clara University School of Law who also heads its High Tech Law Institute, Goldman says it doesn't make sense for a company to communicate when it doesn't know what happened or who was affected. It can take a forensic team weeks, or even months, to find answers, he says: "Don't underestimate how hard it is.

"Consumers don't really want information unless they can act on it," he continues. "The real question is: When is the right time to notify consumers?"

Lisa Sotto agrees. The managing partner of Hunton & Williams's New York office, Sotto focuses her practice on privacy and data security. And she doesn't like notification deadlines. "Data breach is a culture unto itself," Sotto says, and "it goes beyond interpreting the law."

She's worked on breach cases that required 50 consultants four months to figure out. Getting facts takes time. And notifying customers before a company has all the facts, she says, can be irresponsible and cause unnecessary anxiety.
