POSTED BY Kaleigh Fitzpatrick
In 2013, over 600 major data breaches occurred. The Home Depot data security breach is officially the largest retail card breach to date. News of the breach first broke on September 2, 2014. The cyber criminals who hacked into the Home Depot system were armed with custom-built malware and stole an estimated 56 million debit and credit card numbers from customers between April and September 2014. Home Depot later reported that the hackers additionally stole 53 million customer email addresses.
Hackers were able to breach the Home Depot system by using credentials stolen from a third-party vendor. That vendor's user name and password were then used to enter the perimeter of Home Depot's network. From there, the hackers targeted a weakness in sales registers running Microsoft Windows. Those registers were infected with a strain of malware that captured data from cards swiped at the registers and siphoned it out of the network.
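The register malware described above belongs to the class of point-of-sale "RAM scrapers" that read magnetic-stripe track data out of a register's process memory after a swipe. That is the general mechanism for this class of malware; the post does not name the specific strain used against Home Depot, and none is assumed here. What follows is an added example, not code from the post or from Home Depot, showing the defender's side of the same technique: a scanner that searches a memory dump or capture from a register for Track 1 and Track 2 records and uses the Luhn check to discard digit runs that merely look like card numbers. The buffer, cardholder name and offsets are constructed for illustration, and the card numbers are industry test numbers, not real accounts.

```python
"""Scan a byte buffer (for example a register process memory dump) for
magnetic-stripe track data of the kind RAM-scraping POS malware harvests.

Added illustrative example, not code from the post. The sample buffer is
constructed here and the PANs are standard test numbers."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ISO/IEC 7813 track layouts: Track 1 is '%B<PAN>^<NAME>^<YYMM><SVC>...?',
# Track 2 is ';<PAN>=<YYMM><SVC>...?'. Both patterns run over raw bytes so
# they work on memory dumps without any decoding step.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})(\d*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass(frozen=True)
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the record in the buffer
    masked_pan: str     # first 6 + last 4 digits, remainder masked
    expiry: str         # YYMM
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters out random digit runs that
    happen to match the PAN length."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Never write full PANs to a report: keep BIN and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[TrackHit]:
    """Return every Luhn-valid track record found in buf, in offset order."""
    hits: list[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, m.start(), mask_pan(pan),
                                 m.group(3).decode(), m.group(4).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, m.start(), mask_pan(pan),
                                 m.group(2).decode(), m.group(3).decode()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: filler bytes around two valid swipes and one decoy whose
# PAN fails the Luhn check, laid out as a scraper (or this scanner) would see
# them in process memory. 4111111111111111 and 5555555555554444 are test PANs.
SAMPLE_BUFFER = (
    b"\x00" * 64
    + b"%B4111111111111111^DOE/JANE^25121011234567890?"   # valid Track 1
    + b"\x00" * 32
    + b";4111111111111112=2512101123456789?"              # Luhn fails: decoy
    + b"\x00" * 32
    + b";5555555555554444=2606201987654321?"              # valid Track 2
    + b"\xff" * 64
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_BUFFER):
        print(hit)
```

Run against a real dump, a scanner like this tells a responder whether a register was holding cleartext track data at all, which is the condition a RAM scraper depends on; the masked output is deliberate, so that the investigation itself does not become another copy of the cardholder data.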
Subsequently, multiple banks confirmed that tens of thousands of their customers' cards had just shown up for sale on the underground cybercrime shop rescator[dot]cc. This carding shop typically pushes the stolen cards onto the black market. The tactics used to attack Home Depot mirror the methods employed in the 2013 Target breach. A reasonable inference would be that both data breaches involve the same cyber criminals. In response to these recent large-scale breaches, numerous bills have been introduced in the House and the Senate that call for new legislation to address such data security issues.
These recently proposed bills include Senator Patrick Leahy's (D-Vermont) January 2014 Personal Data Privacy and Security Act. This bill would enact a federal security breach notification law that includes criminal sanctions for entities that conceal a security breach. In September 2014, Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) called on the Federal Trade Commission (FTC) to investigate and address the recent data breach at Home Depot. Additionally, in February 2014, these Senators introduced the Personal Data Protection and Breach Accountability Act, which would also criminalize the concealment of a security breach.
Senator Leahy's bill would impose criminal liability on those who have knowledge of a security breach and intentionally and willfully conceal it, when the breach results in economic harm of $1,000 or more to any individual. Similarly, the Personal Data Protection and Breach Accountability Act would target entities that intentionally or willfully conceal a security breach when that breach results in economic harm or substantial emotional distress to one or more persons.
An entity's concealment of a security breach would likely result in a multitude of serious and far-reaching consequences. However, it is unclear whether concealment of security breaches is presently a significant enough problem among companies to warrant a federal statute. If concealment of breaches is uncommon, it would be more productive for the Federal Trade Commission to provide extensive and consistent guidelines outlining how companies should handle a security breach and notify consumers about it.
However, if criminal liability is necessary, it will be important to define the type of activity that constitutes criminal concealment. Companies generally require some time to determine the scope of a security breach and to contain it before further damage is done. Companies should conduct a risk assessment and develop a plan to notify customers. Such notice should give consumers guidance on the steps they need to take to protect themselves. Consequently, any statute must allow entities a reasonable timeline to respond accurately and effectively to a security breach and to warn consumers, so that they can seek the necessary protection.
Kaleigh is a Staff Member of the Journal of High Technology Law. She is currently a 2L at Suffolk Law. She holds a Combined Masters in Child Development and Urban/Environmental Policy and Planning and Bachelor of Arts from Tufts University.