Category Archives: PCI Compliance

BigLaw Warning: Law Firms Face Increasing Risks When Handling Personal Information

In a pair of articles sent out by CNA to its law firm insureds, two large law firms showcase (by way of their privacy and risk management departments) the rising data loss exposures faced by all law firms. An article written by seasoned privacy attorneys from Hunton & Williams provides “an overview of key privacy and information security issues impacting the practice of law.” And, in an article written by Ann Ostrander, the Senior Director of Loss Prevention at Kirkland & Ellis, we learn how Kirkland addresses part of its data confidentiality problem by deploying a sophisticated web-based solution.

Ms. Ostrander provides some good common sense advice when she writes:

With new rules, new precedents and new information technologies continuing to complicate and inflate the ways in which information is created and communicated, the risk of unexpected incidents, breaches or gaps is increasing. Thankfully, educational resources, technology and services exist which can enable organizations to enhance their capabilities and reduce risk. As more firms adopt more rigorous approaches to managing confidentiality and compliance, they’re creating stricter de-facto standards and expectations for the legal industry as a whole.  In this context, every firm should carefully consider the state of confidentiality management in their environment, as this is an issue whose profile will only continue to grow.

Because the Hunton attorneys are very process driven in their approach, they advocate that law firms build out new security processes, such as those found in a vendor management program. Like Ms. Ostrander, however, Hunton’s privacy group ends by providing a baseline of what every law firm should be doing:

For law firms, it is difficult to overemphasize the importance of (i) understanding how the firm collects, uses and otherwise processes personal information, (ii) thoroughly analyzing the firm’s relevant legal obligations, and (iii) implementing a comprehensive privacy and information management strategy to address these obligations. 

Although diminishing billable hours may cut into a firm’s ability to implement the firm-wide technology initiatives found at BigLaw firms such as Kirkland, the rewards of adequately addressing data loss exposures will pay long-term dividends for a law firm of any size. As chronicled in the Hunton article, there are many regulatory landmines on the horizon. It may be hard for a client to justify staying with its law firm after the firm is hit with a public rebuke regarding its data security – especially when there are so many other competitors in the water.

Moreover, all law firms can, and should, be known as stalwarts of “future” data privacy best practices – and not just what is considered a current best practice. In fact, it can be argued that the smaller the law firm, the easier it is to run such an office. Although attorney-client privileged material is already sacrosanct within all law firms, as counsel to banks, retailers, healthcare providers, and other users of sensitive data, law firms should live and breathe data protection on behalf of their clients. There is a financial silver lining to any upgrade expense, given that new implementations immediately become marketing fodder for rainmakers. In other words, just as some clients point to their use of sophisticated data management procedures when marketing their services, so should law firms when marketing their own.

Most Important Lesson Learned from Supermarket Data Breach

It has been over two years since the grocery chain Hannaford Brothers announced a breach of its network security that exposed over 4 million credit card numbers and led to 1,800 cases of fraud.   In fact, a quick review of the Privacy Clearinghouse’s Chronology of Data Breaches shows that Hannaford is not the only supermarket chain to have sustained a data breach. 

Several years ago, Ahold USA (parent company of Stop & Shop and Giant stores) sustained a breach via its subcontractor Electronic Data Systems.   Numerous Stop & Shop Supermarkets in Rhode Island and Massachusetts had credit and debit card account information stolen, including PIN numbers, by thieves who apparently tampered with checkout-line card readers and PIN pads.  Albertsons (Save Mart Supermarkets) in Alameda, California also had credit and debit card numbers stolen using bogus checkout-line card readers.   And, Lunardi’s Supermarket in Los Gatos, California had a similar experience with  ATM and credit card readers that quickly led to the theft of  $300,000.  

What makes the Hannaford incident noteworthy is the fact that the chain was supposedly PCI compliant at the time. According to the indictment filed against the Hannaford mastermind, the theft resulted from a hack into corporate computer networks that allowed the placement of malware which, in turn, provided backdoor access to the networks — and to credit card information. The means of attack was the commonly used SQL injection attack.

In other words, being PCI compliant should never be the ultimate goal of your security strategy. Whether you are a supermarket chain or a large law firm, a risk management approach to network security and privacy should always take precedence. Most companies — large and small — still apply a uniform approach to security that treats all data the same. The ultimate lesson learned from the Hannaford breach: always make sure your most valuable data is the most protected. It really does not matter whether your company sells fruits and vegetables or builds nuclear missiles.

Are you ready for Data Privacy Day?

On January 28, 2010, the United States, Canada, and 27 EU countries will celebrate the second annual Data Privacy Day.  If you go to the Data Privacy Day website, you will see links to some helpful privacy resources.

It is with no small bit of irony that Data Privacy Day will also approximately mark the one-year anniversary of the Heartland Payment Systems data breach, the largest privacy data loss in history – potentially impacting over 100 million credit card transactions.   Heartland recently negotiated a $60 million Visa settlement fund that will be used to reimburse Visa’s issuing banks.