Slashdot Mirror


Data Breach Could Test Massachusetts Law

Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."

17 of 73 comments

  1. Internal Turmoil. by tc3driver · · Score: 2

    This one has me torn... On one hand I would like to see companies held accountable for the damage that a breach can cause to an end consumer... the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

    --
    42 69 6C 6C 20 47 61 74 65 73 20 69 73 20 61 20 77 68 6F 72 65 21
    1. Re:Internal Turmoil. by psithurism · · Score: 2

      They are not necessarily in trouble for being breached. It appears the breach highlighted the fact that they were not compliant with the law. The customer records should have been encrypted and the extent of data retained seems excessive.

      Though, we don't know whether they are in violation of the law.

    2. Re:Internal Turmoil. by cappp · · Score: 2

      TFA claims all files need to be encrypted but the law doesn't. I pasted the text a couple of replies down... there's nothing in there about encrypting records if they're not on portable media, being broadcast wirelessly, or travelling across public networks.

    3. Re:Internal Turmoil. by Ritchie70 · · Score: 2

      Yes, this has been a major point at work - we're a retailer with locations in Mass, and many of our in-store systems date from the 1980s, so there's no encryption. The law says encryption is required when the data is in transit, including being on portable devices, not when it's sitting in a database.

      --
      The preferred solution is to not have a problem.
  2. Violation of Payment Card Industry regulations? by PatPending · · Score: 3, Interesting

    Related story: Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen (emphasis added)

    The database contained a variety of customer financial data, including the customer's name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

    Twin America said it has filed a complaint with the FBI's Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patched discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
    1. Re:Violation of Payment Card Industry regulations? by PatPending · · Score: 4, Informative

      Not law but:

      Penalties for Non-compliance

      25. Are there fines associated with non-compliance of the PCI Data Security Standards?

      Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.

      26. Are there fines if cardholder data is compromised?

      Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:

      • Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
      • All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
      • Cost of re-issuing cards associated with the compromise.
      • Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

      Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    2. Re:Violation of Payment Card Industry regulations? by PatPending · · Score: 4, Informative

      The credit card merchant services provider provides a hash value that is subsequently used. You may store the expiration date and last four digits.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    3. Re:Violation of Payment Card Industry regulations? by terraformer · · Score: 2

      "if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?"

      They store data that is useless to others. They don't need to store the card's data, only data about their first transaction with you.

      --
      Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
    4. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · · Score: 2, Informative

      You can store card data, but not the CVV2 info. There are requirements about how that data is stored, but CVV2 cannot be stored. Ever. Even encrypted. That's the point. And you don't have to have the CVV2 to process transactions, it just helps prove it isn't a fraudulent transaction. This is to help make the physical card (or whoever holds it) the only source of this information. That's the theory anyway. It rarely works that way in practice, of course.

    5. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit317 · · Score: 2, Insightful

      so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.
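
The exchange above (the "hash value" in comment 2, the "data that is useless to others" in comment 3, the "CVV2 cannot be stored, ever" rule in comment 4, and the "then the hash IS the card number" objection in comment 5) can be made concrete. The following is an added example, not code from the thread, from CitySights/Twin America or from any real processor: the vault is simulated in-process, and the PAN, BIN and last-four values are constructed test data. It shows what a merchant is left holding when it keeps a processor token plus last4/expiry instead of the PAN and CVV2, and it separately shows why a bare SHA-256 of the PAN is not a safe stand-in for such a token: with the 6-digit BIN and the last four known, only six digits are unknown, so the hash falls to a brute-force search in well under a second.

```python
"""
Added example (not the thread's code or any processor's API): what a merchant
keeps after a card payment when it stores a processor token plus last4/expiry
instead of the PAN and CVV2, and why an unsalted SHA-256 of the PAN is not a
safe substitute for such a token. The processor vault is simulated in-process;
the PAN, BIN and last-four values are constructed test data.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check; used here to skip impossible PANs while brute-forcing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


class ProcessorVault:
    """Stand-in for the processor side: keeps the PAN, hands back an opaque token."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)   # random; carries no information about the PAN
        self._pan_by_token[token] = pan
        return token

    def authorize(self, token: str, amount_cents: int, cvv2: Optional[str] = None) -> bool:
        # cvv2 is used for this one authorization and is never written anywhere.
        return token in self._pan_by_token and amount_cents > 0


@dataclass
class StoredCard:
    """Everything the merchant database keeps per card on file."""
    token: str
    last4: str
    exp: str


def checkout(vault: ProcessorVault, pan: str, exp: str, cvv2: str, amount_cents: int) -> StoredCard:
    """Run a first purchase, then retain only token, last four and expiry."""
    token = vault.tokenize(pan)
    if not vault.authorize(token, amount_cents, cvv2=cvv2):
        raise RuntimeError("authorization declined")
    return StoredCard(token=token, last4=pan[-4:], exp=exp)


def pan_hash(pan: str) -> str:
    """The naive 'store a hash instead of the PAN' scheme."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(target_hash: str, bin6: str, last4: str) -> Optional[str]:
    """Brute-force an unsalted PAN hash when the 6-digit BIN and last four are known.
    Only the middle six digits are unknown: at most 10**6 candidates, fewer after Luhn."""
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if luhn_ok(candidate) and pan_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    vault = ProcessorVault()
    card = checkout(vault, "4111111111111111", "12/27", "123", 1999)   # constructed test PAN
    print("merchant keeps:", card)
    print("repeat charge with token:", vault.authorize(card.token, 500))
    print("PAN recovered from hash:", recover_pan_from_hash(pan_hash("4111111111111111"), "411111", "1111"))
```

The answer to comment 5's objection is in the two halves of the block: the token is random, so stealing the merchant's table yields nothing that reverses to a PAN, and a stolen token is only useful to someone who can also present the merchant's own processor credentials (the "data about their first transaction with you" of comment 3). A plain hash of the PAN, by contrast, does behave like the card number once the BIN and last four sit next to it in the same row.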

  3. Test the Law by cappp · · Score: 2

    I'm not so sure it's a test of the law at all. At least there's no way to know without more details about how the breach occurred. The law can be found here (pdf). TFA states the breach occurred because of an SQL injection - but nothing beyond that.

    In the interests of stimulating a little chatter, the law calls for

    (1) Secure user authentication protocols including:
    (a) control of user IDs and other identifiers;
    (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    (d) restricting access to active users and active user accounts only; and
    (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
    (2) Secure access control measures that:

    (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
    (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

    (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

    (4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

    (5) Encryption of all personal information stored on laptops or other portable devices;

    (6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

    (7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

    (8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

    1. Re:Test the Law by Anonymous Coward · · Score: 2, Interesting

      I work for a MA company that deals with personal data for several Fortune 100 companies. (posting AC for obvious reasons)
      The Law is a joke. The rules are so vague that no matter what precautions are taken you could be found in violation. Who defines "reasonable?" What is adequate "encryption?"

      This law is just another example of rushed "Think of the children" (for children read anyone) laws that get passed these days.

    2. Re:Test the Law by cappp · · Score: 2

      Note the use of the qualifier "reasonable"... the get-out clause in every law ever written.

  4. I'm not. by Anonymous Coward · · Score: 3, Insightful

    "...the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another..."

    Tough shit. If a company is going to store that information, then they need to protect it. There's absolutely no reason whatsoever for a sightseeing company to store credit card information. None. Customer comes back next year, well, get the card number again - the card could be expired anyway.

    And companies who keep it on file for things like automatic renewals at magazines - fucking Scientific American does this whether you like it or not when you subscribe online - then they must protect that data. Someone breaks in? Too fucking bad. It's their fault - no excuses.

  5. Encryption not much use against SQL injection by JSG · · Score: 2

    The linked article mentions only that the law requires that data be held encrypted. That is not much use in this case where a SQL attack was used.

    Does anyone know whether the law requires a certain standard for the front ends to the data? I'm pretty sure that PCI DSS - as another applicable standard - defines no such thing either.
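
JSG's point that at-rest encryption does little against SQL injection is worth showing rather than asserting. What follows is an added example, not code from the thread or from CitySights: an admin-panel customer search (the article above mentions a Web-based administrative panel) that builds SQL from user input, the parameterized version of the same query, and a constructed in-memory SQLite database in which the card column is encrypted. The XOR "cipher" and the KEY constant are stand-ins for whatever real at-rest encryption would be used; the table names, rows and PANs are constructed test data. The decrypt routine is registered as a SQL function the way applications commonly decrypt inside the query (MySQL's AES_DECRYPT with the key from application config is the usual real-world shape), which is exactly what makes the injected query return plaintext.

```python
"""
Added example (not code from the thread or from CitySights): a SQL-injectable
customer search beside its parameterized fix, run against in-memory SQLite
with constructed rows, showing that an encrypted card column does not help
when the application exposes the decrypt path to the database session.
The XOR "cipher" is a stand-in for a real at-rest cipher.
"""
import sqlite3
from base64 import b64decode, b64encode

KEY = b"demo-key-not-for-real-use"   # constructed; stands in for the app's data-at-rest key


def _xor(data: bytes) -> bytes:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def encrypt_pan(pan: str) -> str:
    return b64encode(_xor(pan.encode())).decode()


def decrypt_pan(pan_enc: str) -> str:
    return _xor(b64decode(pan_enc)).decode()


def make_db() -> sqlite3.Connection:
    """Constructed schema and data: two customers, one encrypted card each."""
    con = sqlite3.connect(":memory:")
    # Registering the decrypt routine as a SQL function mirrors decrypting in
    # the query path (e.g. AES_DECRYPT with the key from app config). Any SQL
    # that reaches this session, injected or not, can now call it.
    con.create_function("decrypt_pan", 1, decrypt_pan)
    con.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.execute("CREATE TABLE cards(id INTEGER PRIMARY KEY, customer_id INTEGER, pan_enc TEXT, exp TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Alice Example", "alice@example.org"),
        (2, "Bob Example", "bob@example.org"),
    ])
    con.executemany("INSERT INTO cards VALUES (?, ?, ?, ?)", [
        (1, 1, encrypt_pan("4111111111111111"), "12/27"),   # test PANs, not real cards
        (2, 2, encrypt_pan("5555555555554444"), "06/26"),
    ])
    con.commit()
    return con


def search_customers_vulnerable(con: sqlite3.Connection, name: str):
    """String-built query: the admin panel's search box feeds straight into SQL."""
    sql = "SELECT id, name, email FROM customers WHERE name LIKE '%" + name + "%'"
    return con.execute(sql).fetchall()


def search_customers_safe(con: sqlite3.Connection, name: str):
    """Same query with a bound parameter; the input can only ever be a LIKE pattern."""
    sql = "SELECT id, name, email FROM customers WHERE name LIKE ?"
    return con.execute(sql, ("%" + name + "%",)).fetchall()


# Attacker input: closes the string literal, appends a UNION that reads the
# cards table and asks the database to decrypt it on the way out, then
# comments out the rest of the original query.
PAYLOAD = "' UNION SELECT id, decrypt_pan(pan_enc), exp FROM cards --"


def leaked_pans(rows) -> list:
    """Pull anything that looks like a 16-digit PAN out of a result set."""
    return sorted(r[1] for r in rows
                  if isinstance(r[1], str) and r[1].isdigit() and len(r[1]) == 16)


if __name__ == "__main__":
    con = make_db()
    print("vulnerable search leaks:", leaked_pans(search_customers_vulnerable(con, PAYLOAD)))
    print("parameterized search leaks:", leaked_pans(search_customers_safe(con, PAYLOAD)))
```

Even when decryption happens only in application code rather than in SQL, the injected UNION still walks off with the ciphertext, and the key lives on the same server the attacker is already talking to, so the encryption buys a second step, not safety. An application-layer firewall of the kind the company says it deployed can block this particular payload; binding parameters removes the class of bug.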

  6. So... by Evets · · Score: 2

    What is the penalty for violating the law?

    1. Re:So... by Monkeedude1212 · · Score: 2

      What happens if you are hit by a bus and don't serve your penalty?