From pli’s Course Handbook Communications Law in the Digital Age 2009

Real world dangers still persist. Many businesses use SSNs as passwords or for other forms of authentication, a practice that places consumers at risk. This includes being asked to provide only the final four digits, or serial number, since these digits are the most unique to an individual. Both the SSA and the researchers advocate against using SSNs as forms of identification beyond tracking a Social Security account. “Everybody who works in this area knows the numbers are bad passwords,” Acquisti said. “But they still are used that way.”⁸⁵

M.G.L. c. 93H, were intended to take effect Jan. 1, 2009, but enforcement for most of the law has been extended until Jan. 1, 2010.⁸⁷ A similar law in Nevada went into effect on Oct. 1, 2008,⁸⁸ and was later amended to closely align with the Massachusetts standard by requiring encryption of information in data storage devices. These data protection standards are scheduled to go into effect in Nevada on Jan. 1, 2010.⁸⁹ Michigan and Washington have also considered similar legislation and the list of states mulling a similar law will continue to grow.

Under both laws, “Personal information” is essentially a combination of a person’s name and one or more of the following: social security number, driver’s license number, credit or debit card account number or another financial account number. “Personal information” does not include what is lawfully obtained through publicly available data.
1. Massachusetts Law
a. To Whom Does it Apply?
The regulations apply to all persons, businesses and legal entities that “own, license, store or maintain personal information about a resident of the Commonwealth.”

b. Encryption Standard
The regulations define encryption generally without referring to a particular strength or technology, other than a form “in which meaning cannot be assigned without the use of a confidential process or key.” The regulations also require businesses that allow access to or share personal information with third parties to take “reasonable steps” to make sure those entities comply with the law.

The state plans to judge compliance on a case-by-case basis according to the size of a business, its available resources, the amount of data stored, and the need for confidentiality. State officials warned that unless a business has its own in-house IT staff, it will probably need to consult an outsider to determine if its computer system meets the encryption requirements. ⁹⁰

Data collectors that comply with the law but suffer a security breach would have their liability for damages capped at $1,000 per customer for each occurrence. Companies that do not comply would face unlimited civil penalties, according to James Earl, executive director of the state’s task force for technological crimes.⁹²

Many businesses already have encryption requirements that would meet or come close to meeting the new state laws. However, many attorneys are advising clients to err on the side of caution and address the encryption issue now rather than later. Doing so, they urge, will not only expedite compliance with any future laws, but also help ease fears of events such as stolen laptops that often lead to security breaches.

U.S. District Court Judge James Robertson preliminarily approved the settlement on Feb. 11, 2009.⁹⁵ According to its terms, all veterans, their spouses and military personnel who suffered actual damages as a result of the theft will receive a minimum of $75 and a maximum of $1,500 on all valid claims. These claims include the costs to protect or monitor personal financial information, expenses incurred as a result of physical manifestations of severe emotional distress and other reasonable expenses. Any remainder of the $20 million settlement after the payout of valid claims and attorney fees will be paid to veterans charities.

The lawsuit filed by Laura Krottner on behalf of all Starbucks employees whose personal information was contained in the stolen laptop accuses the company of fraud and breach of contract for its pledge to protect employees’ personal information. The suit asks that Starbucks be ordered to pay for credit monitoring services for at least five years and that Starbucks receive periodic compliance audits from an outside company about the security of its computer systems. According to the complaint, Starbucks in 2006 lost four laptops that contained the personal information of 50,000 former and 10,000 then-current employees.

On April 6, 2009, U.S. District Judge Samuel Conti found that Ruiz had standing to bring his suit because the theft of the laptop exposed him to an increased risk of identity theft. However, Conti granted summary judgment to the defendants. On the negligence claim, Conti noted that Gap had already agreed to pay for one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable harm necessary to assert a negligence claim under California law.”⁹⁹ On the breach of contract claim, Conti found that “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft of the two laptop computers.”¹⁰⁰

In Har

However, in Bateman v. American Multi-Cinema, 252 F.R.D. 647, 651 (C.D. Cal. 2008), the court declined to certify a class action against a movie theater chain that printed eight digits on a credit card receipt. The action sought potential damages between $29 million and $290 million and the court was “not persuaded by Plaintiff’s argument that an increased risk of identity theft, however slight, is sufficient to constitute actual harm.” Similarly, in Leysoto v. Mama Mia I., Inc., 255 F.R.D. 693 (S.D. Fla. 2009), the court declined to certify a class action that sought between $4.6 million and $46 million in damages against a restaurant with $40,000 in net assets. The court reasoned that to certify the class would give the plaintiffs the ability to “dangle the Sword of Damocles over Defendant, without any showing of actual economic harm.”¹⁰¹

The Indiana BMV, like similar agencies in at least 45 other states, has an agreement to verify its records with those of the SSA. In matching Social Security numbers between the two systems, the BMV found that the names of some license and card holders did not match those on file with the SSA. The BMV sent notices to those with name discrepancies placing the burden on them to correct the information or risk invalidation of their driver’s license or ID card. The court noted that discrepancies between the two systems often occurred because of legal name changes, using a nickname with one agency and not the other, or a name change due to marriage.

In denying a motion from a certified class seeking an injunction to prohibit enforcement of the policy, the court wrote that while it agreed a person is legally entitled to change his or her name, “it does not follow that all others, including government agencies like the BMV, are required to simply accept the word of the applicant that he is who he claims to be.”¹⁰²

The court did find that the policy violated the due process rights of card and license holders because of uncertainties in whether a person should correct their information with the BMV, SSA, or both agencies. However, the court refused to grant the injunction because “the policy effectively blocks a well-known avenue for identity theft by making it much more difficult to appropriate another’s social security number in order to obtain state identification.”¹⁰³

Hornby wrote that a reasonable jury could not find “an unqualified guaranty of confidentiality by the merchant is ‘absolutely essential’ to the contract for a sale of groceries” because there were no reason to believe customers would stop using their cards in lieu of a 100 percent guaranty of data safety.¹⁰⁴ However, Hornby allowed the one plaintiff whose bank did not reimburse her for the fraudulent charges to proceed against the grocer on claims of breach of implied contract, negligence, and a deceptive act under Maine’s Unfair Trade Practices Act, 5 M.R.S.A. §§ 205-214.

In early October 2007, Oleksandr Dorozhko, a Ukranian national and resident, opened an online trading account and spent almost all of his $42,500 investment on “put” options in IMS Health, Inc., which the SEC says amounted to a risky bet that the stock price of IMS would sharply decline. IMS had hired Thomson Financial Inc. for its Web-hosting services. The SEC alleges that on Oct. 17, 2007, hours before the scheduled public release of IMS’s quarterly earnings, Dorozhko hacked into Thomson’s computer system and that within six minutes of Thomson receiving the report, Dorozhko sold all of his IMS options for an overnight profit of $286,456.¹⁰⁶

The decision reversed a district court decision that relied on three Supreme Court cases¹⁰⁷ in refusing to grant the SEC an injunction which would have frozen Dorozhko’s assets from the sale. In his opinion, Circuit Court Judge Jose A. Cabranes wrote that although breaching a fiduciary duty satisfies the requirement of a “deceptive device” under § 10(b) of the Act, “what is sufficient is not always what is necessary, and none of the Supreme Court opinions considered by the district court require a fiduciary relationship as an element of an actionable securities claim under § 10(b).”¹⁰⁸ The case was remanded to determine “whether the computer hacking in this case involved a fraudulent misrepresentation that was ‘deceptive’ within the ordinary meaning of Section 10(b).”¹⁰⁹
2. Former Secret Service Informant Indicted in ‘Largest’ ID Theft Case Ever
On Aug. 17, 2009, a man who authorities say formerly helped the Secret Service hunt computer attackers, but also fed information to criminals, was indicted in what the Department of Justice called the largest reported data breach in U.S. history.¹¹⁰ According to the U.S. Attorney’s Office in Newark, N.J., the indictment describes a scheme between October 2006 and May 2008 in which more than 130 million credit and debit card numbers along with account information were stolen from Heartland Payment Systems, based in Princeton, N.J., 7-Eleven Inc., and Hannaford Bros. Co.¹¹¹

Prosecutors say Albert Gonzalez, of Miami, Fla., acted with two unnamed Russian conspirators to hack into the computer systems of the corporate victims after conducting reconnaissance at various retail locations. The scheme eventually reached a point where the trio conducted “real-time interception” of credit and debit card data being processed by the corporations.

The trio had a goal of selling the data to others who would use it to make fraudulent purchases, but the success of this plan was not known, according to prosecutors.¹¹² Gonzalez was previously indicted in New York and Massachusetts in 2008 for his involvement in conspiracies relating to data breaches of multiple companies. He was also arrested in 2003 in New Jersey for his role in ATM and debit card fraud. Gonzalez was being held in the Metropolitan Detention Center in Brooklyn, New York.¹¹³
3. TechCrunch Stirs Ethical Debate By Publishing Hacked Documents
In July 2009, the technology Web site TechCrunch published some of the “more than 300 confidential Twitter documents and screenshots” that TechCrunch says it received via e-mail from a hacker who swiped the information from Twitter.¹¹⁴ After combing through the vast amount of information, TechCrunch published documents that revealed, among other things, Twitter’s goal of becoming the first social networking site to reach one billion users, a pitch for a Twitter-based TV show, and plans for future revenue-producing models.¹¹⁵

Media ethicists and commentators debated whether TechCrunch crossed an ethical line by publishing the stolen documents. Al Tompkins of Poynter Online framed his concern in the context of a changed media landscape that he feared could lead to an erosion of journalistic ethics. “I worry that because we now have new competitive pressures from nontraditional sources such as bloggers, Twitterers, etc., we will be tempted to lower our standards and publish under the notion that confidential documents ‘will get out there anyway,’” Tompkins wrote.¹¹⁶

TechCrunch founder Michael Arrington was forthright in explaining the Web site’s decision. “We publish confidential information almost every day on TechCrunch,” Arrington wrote. “This is stuff that is also ‘stolen,’ usually leaked by an employee or someone else close to the company, and the company is very much opposed to its publication. In the past we’ve received comments that this is unethical. And it certainly was unethical, or at least illegal or tortious, for the person who gave us the information and violated confidentiality and/or nondisclosure agreements. But on our end, it’s simply news.”¹¹⁷

Twitter said in its blog that the stolen documents did not reveal “some big, secret plan for taking over the world,” but that the publication “could jeopardize relationships with Twitter’s ongoing and potential partners.” Twitter specified that the hacker retrieved the company documents by accessing an employee’s e-mail account and not by hacking into the Twitter server.¹¹⁸

A federal grand jury in Virginia indicted McKinnon in 2002 of seven counts of computer-related crimes in 14 crimes after he was accused of breaking into 97 computers belonging to NASA, the Department of Defense and several branches of the military soon after the Sept. 11, 2001, terrorist attacks.¹²³ The indictment alleged McKinnon deleted critical system files and obtained classified information and encrypted passwords from the computers. McKinnon claimed he was searching for evidence of UFO’s and his lawyers portray McKinnon as an eccentric, but harmless man who did not have any malicious intent.¹²⁴

News Group Newspapers is a subsidiary of News International, which is owned by Murdoch’s News Corporation.