Data Security Breaches: A New Form of Shoplifting
By Theodore J. Kobus III, Esq., [email protected]
Data security and privacy issues are in the headlines nearly every day. Unfortunately, the retail sector has become a priority target for data thieves because of the amount of personal data collected by retailers and the lack of control many retail chains have at the franchise level. Retailers have also suffered significantly due to the recession – resulting in reductions in staff and computer upgrades – reductions that can be costly! As consumer spending bounces back, don’t forget that you need to renew efforts to safeguard the data you maintain and understand how privacy laws may impact your relationship with your customers.
Over 46 laws now require notification when a data breach occurs.
During 2010, several retail chains fell victim to hackers and other data thieves. In retail, the personal data at risk includes customer names, credit card numbers, credit card expiration dates, dates of birth, driver’s license numbers, passport numbers, and bank account information.
The U.S. currently has 46-plus notification laws in place that require notification when a data breach occurs. The laws are triggered not by the location of the business, but rather by the location of the person whose data was affected. State regulators may need to be notified, as well as your merchant bank if credit cards are involved. When a breach occurs, an organization’s reputation is at risk. There are significant decisions to be made involving crisis management, communication with customers, and involvement of law enforcement. These decisions are not easy, and the organization should seek contribution and consideration from the C-Suite.
There is no shortage of proposed data security legislation.
At last count, there are at least 15 pending bills in Congress that contain the phrase “data security.” The list of disparities between states’ notification statutes is lengthy, and while that provides justification for a single federal law, a federal law will not necessarily be helpful to organizations faced with breaches or to their customers.
It is difficult to say whether organizations would be better off navigating the maze of state laws or facing a federal statute that leaves the organization vulnerable in litigation or a regulatory investigation.
After being introduced four times by Senator Patrick Leahy (D-Vt.), the Personal Data Privacy and Security Act of 2011 has gained traction and was approved by the Senate Judiciary Committee. The legislation is intended to replace the 46-plus data breach notification laws currently in effect in the U.S. The very large (and well publicized) breaches that occurred in 2011 have been a motivating factor for the continued push toward a national strategy to protect personal information. If passed, the law would apply to both private organizations and government agencies.
Some key provisions include:
- Preemption of most state data breach laws;
- Federal Trade Commission (FTC) and attorney general enforcement and penalties;
- Notification by mail, telephone or e-mail;
- Media notification when 5,000 or more individuals are involved;
- Notification to the Secret Service within 14 days in certain circumstances; and
- Third-party contractor requirements.
While it is clear that pending legislation is aimed at making organizations more cognizant of their obligations to protect the personal information of customers and employees, there are provisions in these bills that are not practical or helpful – including to those affected by breaches. So many notification letters are being sent (both voluntarily and because of a statutory requirement) that consumers are becoming immune to the message in the letter, often discarding the notification immediately. As such, the focus should not be on how fast or when an organization needs to notify an individual, but rather on how companies can better protect themselves from a breach happening in the first place.
The regulators are watching.
Over the past 10 years, major retailers have seen investigations led by the FTC regarding privacy issues and the level of technology used to protect customer data. The FTC oftentimes targets representations in a company’s privacy policies. One of the settlements entered into last year also related to violations of the United States-European Union (U.S.-EU) Safe Harbor Framework, which allows U.S. companies to collect data about EU residents in a manner that provides an adequate level of privacy protection. Settlements with the FTC can result in 20 years of privacy audits.
The FTC is not the only active regulator. Enforcement actions by state Attorneys General are also on the rise. In Massachusetts, probably the strictest state when it comes to data security requirements, a settlement required a restaurant chain to pay $110,000 in penalties, as well as to prove compliance with the Massachusetts data security regulations and the Payment Card Industry Data Security Standard (PCI DSS).
Moreover, it is not uncommon for retailers to collect data about their customers and provide such data to third parties for targeted marketing and other reasons. Too often, however, the privacy policies in place are inadequate at the corporate level, the franchise level, or both. Often, customers are not given an opportunity to opt out of having their information collected, and they do not know the extent to which information is being collected and distributed. As the FTC and state Attorneys General increase their efforts to target companies with inadequate privacy policies and practices, and consumer spending begins its recovery from the recession, now is the time to revisit whether your policies need to be updated. Additionally, the credit card brands are serious about PCI compliance – accordingly, education of employees is critical so that incidents involving credit card data can be investigated in a timely manner and reported, when appropriate, to your merchant bank. Not only will these steps help to protect your customers, they will protect your brand.
Ted Kobus is national co-leader of the privacy, security and social media team at Baker & Hostetler LLP. He frequently discusses privacy topics on the firm’s blog at Dataprivacymonitor.com; also, follow him on Twitter @tedkobus. He can be reached at (212) 271-1504 or [email protected].
Weis rolls out mobile app, refreshes blog
SUNBURY, Pa. — Weis Markets is expanding its presence in the digital space.
The company earlier this month launched a free mobile application, which allows customers to view its weekly circulars and compile detailed shopping lists on their iPhone and Android smartphones. Settings for the app can be customized so customers can view weekly circular specials at their local store and lists can be synchronized between the list on their device and their list on WeisMarkets.com. Additional features include:
- Automatic pricing updates every Sunday;
- Allows customers to view products to build a list quickly and browse circular specials;
- Pre-loads product photos to make it easy to find items on the shelf;
- Automatically puts customer items in categories for easy in-store use;
- Allows customers to add any item with the text option; and
- Allows customers to email their list and task someone else to do their shopping.
In addition to the app, the company also has debuted a new blog on its website. The blog provides "[information] on healthy living, sustainability, new products and company news," according to one of the retailer’s Twitter posts. It also touts the slogan, "it’s in the bag … an unmistakably Weis blog on food and life."
The rollouts follow last year’s launch of the retailer’s new social media aggregator, which compiles all of Weis’ official social media outlets into a single, easy-to-read page.
Kohl’s gets piece of American Idol action
MENOMONEE FALLS, Wis. — Kohl’s Department Stores is looking to cash in on the popularity of the music competition show, "American Idol," by launching an exclusive American Idol apparel collection. The line will be called Authentic Icon and will be available exclusively at Kohl’s and Kohls.com beginning in April.
“This launch brings together a national retailer and award-winning television show to create a new collection for customers,” said Kevin Mansell, Kohl’s chairman, president and CEO. “We are excited to collaborate with American Idol, a leading entertainment platform in pop culture, and are confident this partnership makes Kohl’s an immediate consumer destination this spring.”
Prominently positioned in the junior’s and young men’s departments, the AI spring collection will be available in Kohl’s stores through June to coincide with American Idol’s 11th season.
LF USA’s MESH division will design and produce the AI collection. Kohl’s will be the exclusive retailer and will support the brand with marketing such as national advertising, in-store graphics, online and digital media, direct mail and public relations.
"American Idol" is produced by 19 Entertainment, a division of CKX, Inc. and FremantleMedia North American Inc.