The impact of Data breaches, breaches of privacy and the need for mandatory data breach notification laws

March 2, 2015

Data breaches are bad enough, and often disastrous for an organisation and its customers.  They are sometimes caused by hackers breaching sophisticated cyber defences.  Usually, though, they are the product of inadequate protections, out-of-date programs, poor maintenance, a poor understanding of what data security means, woeful practice manuals and a lack of training.  To the extent that data breaches are brought to the attention of the Privacy Commissioner they may be a breach of Australian Privacy Principle 11.  The problem is that without mandatory data breach notification it is a matter of good or bad fortune whether the Privacy Commissioner finds out about such lapses or intrusions.  That is a flaw in the legislative structure.  In the United States, even though there is no Federal mandatory data breach notification law, there are such laws in most of the States and Territories.  If anything the States are increasing their data protection laws, most recently with an amendment to the Wyoming Data Breach Notification legislation (see the bill here).  To show how data breaches have an impact on businesses and consumers, read Cyber angst: Orange County companies zero in on data breaches.

It provides:

The accusations read like a whodunit.

Last year, according to the Mount Olympus Mortgage Co. in Irvine, several of its officers secretly downloaded confidential information on hundreds of loan customers and transferred five gigabytes of data to a competitor.

The loan officers then deleted files and emails on their computers and went to work for that rival, Chicago-based lender Guaranteed Rate, which has offices in Irvine, Newport Beach and Santa Ana.

But Mount Olympus, a 38-employee operation also known as MOMco, recovered the information, including more than 1,000 emails between its former mortgage bankers and their soon-to-be new employer, according to a lawsuit it filed last year in Orange County Superior Court.

“It’s nerve-wracking and obscene,” said MOMco President Michael Arnall. “The damage to our business is very, very high.” His company’s lawsuit calls the breach “corporate espionage.”

Guaranteed Rate officials deny the charges, and the bankers accused of the breach say they only took information on longtime personal contacts.

But the California Attorney General’s office lists the MOMco case as one of 508 major data-breach incidents that affected Californians over the past three years.

Since 2012, California has required businesses and institutions to post any cybersecurity incident involving more than 500 consumers on the attorney general’s website, along with letters describing the event and the kind of data stolen.

Some cases involve big national companies: The Home Depot, Target, JPMorgan Chase Bank, Sony Pictures Entertainment. Anthem, the state’s largest for-profit health insurer, disclosed last week that data on 13.5 million current and former California customers were hacked, among more than 78 million people compromised nationwide.


But any business or institution, large or small, is vulnerable to breaches that expose customers and employees to identity theft.

The incidents may be the result of disgruntled employees compromising data, of negligence in the case of lost flash drives or stolen laptops, or of hacking by cybercriminals, many of whom operate from overseas.

Several Orange County companies have reported major breaches. Besides MOMco, they include, in Irvine, Mesa Energy Systems, a heating and air conditioning company; Silversage Advisors, a financial firm; and La Jolla Group, which sells its clothing brands at retail outlets and over the Internet.

Among nonprofits, Kaiser Permanente’s Anaheim Medical Center, UC Irvine’s Student Health Center and Chapman University have reported cybersecurity lapses in the past two years.

“There are two kinds of companies,” California Sen. Dianne Feinstein told an audience at the Orange County Business Council’s annual dinner earlier this month. “Those who have been hacked and those who don’t know they have been hacked.”

That oft-repeated maxim was on the minds of many of the 650 businessmen and women who attended the dinner. The theme, projected onto a large screen, was “Secure the Future 2015.”


Feinstein and other lawmakers are pushing legislation in Congress that would offer companies protection against potential lawsuits so they’ll be more willing to share information about cybersecurity threats.

“Who knows what the next thing will be and how serious it will be,” she said. “We need companies to talk to each other. If they need help, then government should provide that help.”

In the evening’s keynote speech, Western Digital CEO Steve Milligan noted, “The global economy is in the midst of a data explosion with nearly 5 billion connected devices expected to come online this year and 30 billion by 2020.”

The Irvine-based company, a major manufacturer of hard drives and solid-state drives, is now offering data storage on the cloud. And the cloud, Milligan said, “is fundamentally about safe storage.”

He warned, “With the rapid progress of technology, and evolutions in cyberthreats, there is a need for heightened awareness in order to stay one step ahead. Companies of all sizes should subject themselves to regular security audits.”

Businesses that make their money in cybersecurity are seeing explosive growth – from insurance firms to ID-protection services to fraud-detection software companies. The world’s largest company in the data-breach business is Experian, with North American headquarters in Costa Mesa and global revenue of $4.8 billion.

In the case of security lapses, companies typically offer consumers a year or more of free credit monitoring and identity-theft protection. Experian’s “ProtectMyID” package was used in three of the seven biggest data thefts: Adobe, with 152 million affected customers; eBay, with 145 million; and Target, with 110 million.

Other companies, such as Austin-based All Clear ID, which has teamed up with Anthem, offer similar services.


However, Consumer Reports warned after the Target breach that Experian’s ProtectMyID package offered “a false sense of security” because it monitored only Experian’s credit report, not those of the two other major credit-reporting bureaus, Equifax and TransUnion.

“By not monitoring two of three bureaus, the service could miss fraudulent activity,” the magazine contended. “Industry best practices recommend three-bureau monitoring when Social Security numbers have been stolen, because those are the golden key to new credit.”

Michael Bruemmer, Experian’s vice president of data breach resolution, said the company offers both one-bureau and three-bureau packages. Target chose the one-bureau version, he said.

The one-bureau package is available to retail customers for $15.95 a month. The three-bureau package costs $31.95.

In 2003, California was the first state to pass a consumer protection statute for data-theft cases. Although 46 other states have enacted laws since then, California’s statute, refined several times, remains the strongest of any state, Bruemmer said.

“Outside of California, no other state requires a business to provide identity-theft protection after a breach,” he added. “California does, if the breach involves medical records, driver’s licenses or Social Security numbers. We’d love to see that carried over to other states.”


Notification is another key issue. California requires companies to advise consumers of any health-data breach within five days of its discovery. Many states give companies 30 or 60 days, enabling thieves to take advantage of the time lag.

The only federal notification rule is in cases of medical-data theft, and it gives companies 60 days to notify consumers, Bruemmer said.

Nearly half of the 3,100 company breaches Experian serviced last year involved medical data. Some 40 million Americans are still uninsured, and “you can go on the black market and for 50 bucks you can buy stolen health care information to get medical services,” he said.

The circumstances of data breaches in Orange County vary widely.

In the case of Silversage, the Irvine money managers wrote clients in March 2013 that “back-up computer drives were stolen from a secure offsite location used as part of our disaster-recovery plan.”

The drives, swiped by professional thieves who cracked open a safe at a private home, contained names, addresses, Social Security numbers, driver’s license numbers and account information of hundreds of the firm’s clients.

In its notification letter, the company wrote, “we have already modified our security.” It advised “immediately placing a fraud alert on your credit line.”

Mesa Energy, the heating and air conditioning firm, reported the theft of a company laptop that may have contained employee information such as Social Security numbers, dates of birth, dates of hire, addresses, salaries, gender and ethnicity.

In the case of La Jolla Group, which licenses such brands as O’Neill Clothing USA, Metal Mulisha Clothing and FMF Clothing, three e-commerce websites were hacked in November and December. Names, addresses, phone numbers, emails, credit card numbers, CVV2 data and card expiration dates of 3,100 customers were “compromised,” according to CFO Cristy Abella.

“While we experienced a cyberattack, it is worth noting that as a result of a successful diagnostic and deployment of solutions we are more secure than ever,” she wrote in an email last week.


In the case of Kaiser’s Anaheim hospital, the nonprofit notified 49,000 patients in November 2013 that a USB flash drive with names, medical record numbers and dates of birth was missing.

The drive, from the hospital’s Nuclear Medicine Department, was not encrypted or password protected, a spokesman said last week, but, he added, “There has been no indication that this information was ever used for fraudulent purposes.”

At UC Irvine, Information Security Officer Isaac Straley said three computers at the Student Health Center were infected in February and March 2014 with a malicious virus – a keystroke logger that captured data as it was entered. The computers contained unencrypted data on 1,846 patients.

“We were definitely horrified,” Straley said. “We reacted quickly and strongly.”

Straley said the virus may have come from employees browsing outside websites such as that of a sandwich shop, but no culprit was definitively identified.

“People don’t understand how easy it is to hack websites,” he said. “But so much business happens on the Web. When no place is safe, how do you deal with it?”

Western Digital’s Milligan, in an interview, expressed similar frustration. Cybertheft, he said, “is a pervasive threat. You have nation states involved, and criminal syndicates. And some guy in the basement down the hall.

“You get a strange email and you click on it,” he added. “There’s only so much you can do with training. It’s like telling your teenager not to text and drive.”

For CEOs, the issue has grown in intensity, with boards of directors involved, Milligan said. “It is no longer something you delegate to the IT department,” he noted. “You make sure you are sufficiently paranoid but not over-the-top paranoid.”
