When Fast Is Too Slow: Notification Compliance Following Target’s Data Breach

Thursday, January 16, 2014 - 23:55

On December 19, 2013, Target publicly announced that computer hackers had stolen data from as many as 40 million credit and debit cards of shoppers who visited its stores from November 27 to December 15.  On that same date, Target also emailed shoppers explaining that it uncovered the problem on December 15, and that it had informed authorities and financial institutions once it became aware of the breach.[1] Notably, news of the breach was first published by a blogger (Brian Krebs of http://krebsonsecurity.com/) on or about December 18, 2013, and the breach was widely reported by multiple news services on December 19, 2013. This was before Target had made any attempt whatsoever to notify affected customers thus creating the appearance that Target was dragging its feet.

As the news broke on December 19, Target released a statement from its CEO concerning the data breach. Target posted the message from its CEO on its corporate website instead of the shopping site regularly accessed by customers, leaving an opening for the allegation that the message was not designed to notify affected customers directly. The statement confirmed “that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”[2] A later press release further explained that the company was withholding additional details at the request of law enforcement and that the Department of Justice was investigating the security breach.[3]

This article addresses the ramifications of delay in notifying consumers, including (i) the state-level notification requirements; (ii) best practices in how a company should respond; and (iii) the risks of delay, whether the product of intentional delay or compliance with law enforcement requests.

1. Notification Requirements

Forty-six states and the District of Columbia have enacted legislation requiring notification of security breaches involving personal information.[4] Though state notification laws differ as to the manner of disclosure and individuals or entities that must be notified, most states uniformly require companies to notify customers of a breach when their personal information has been compromised.

Most states’ data breach statutes are vague about the timeliness of when a company must notify consumers of a data breach. In 29 states, disclosure of a breach must be made “in the most expedient time possible” and “without unreasonable delay.”[5] Six states require notification of the breach to be made “as soon as possible,” “as quickly as possible” or “as soon as practicable.”[6] The 12 remaining states impose a simple reasonableness requirement and require notice to be made “without unreasonable delay.”[7] The ambiguity of these terms may cause confusion for companies attempting to comply with states’ laws in the aftermath of a breach. So far, only Connecticut, Florida, Ohio and Vermont have mandated that notification be made within a specific time period, i.e., within 45 days of discovery of the breach.[8]

All states permit a reasonable delay in notifying affected customers where notification will impede a criminal investigation, and delay is permitted in order to comply with the legitimate needs of law enforcement.[9] Laws differ on whether the burden is on the law enforcement agency to request that the company delay the notification.

2. Responsiveness In Times Of Breach

The common theme among the states is that, if an entity is breached and personal information is taken, the breached entity has a duty to notify those potentially affected. A delay may be reasonable where it is necessary to discover the scope of the breach or in response to a request from law enforcement where disclosure would impede an investigation.

Where a large-scale data breach occurs, as in the case of Target, however, a company may be required to do more than the law requires in order to manage the public perception of responsiveness and mitigate attendant risks. From the public’s perspective, timely notification is critical to allow consumers the fair opportunity to secure their data through fraud alerts, credit freezes and communication with credit card companies. Timely disclosure also supports consumer confidence. In the case of Target’s breach, the apparent leak allowed public and media outlets the opportunity to react to the breach before an official announcement from Target. This created an appearance of impropriety. In turn, this apparent failure spurred dozens of lawsuits only days after news of the breach.

To ensure timely and effective notice to affected individuals, companies should immediately contact law enforcement agencies, such as the Federal Bureau of Investigation, the United States Secret Service and local police. In the case of a large-scale breach such as Target’s, many states also require that the business entity report the breach to the state’s attorney general and credit reporting agencies.[10] Notification also should be given to the affected individuals as fast as possible and in the manner in which normal communication is given, i.e., first class mail or email, if permitted. Where the identity of individuals affected by a breach is known, the company should notify all those persons. In order to mitigate legal and reputational risk for the company, the process for notification and all public disclosures relating to the same should be managed by a multidisciplinary team of privacy professionals assisted by competent outside counsel.

While Target may have acted in a legally prudent manner, Target’s announcement came after an outside source leaked information about a possible breach. The placement of the CEO’s message on the non-consumer website further aggravated the problem. The barrage of consumer lawsuits resulting from these alleged missteps suggests that, in addition to complying with requests of law enforcement agencies, companies that are the victims of a data breach must do their best to proactively manage possible unauthorized leaks and public communications when a breach is suspected.

3. Risks Of Delay

At this point, it is not clear how much time elapsed between Target’s discovery of the security breach and when it officially notified consumers of the breach. In a statement posted to Target’s website on December 19, CEO Gregg Steinhafel claimed, “Target alerted authorities and financial institutions immediately after we discovered and confirmed the unauthorized access. . . .”[11] At least one court has held, however, that a retailer cannot “rely[] on self-serving statements from its website that it learned of the security breach the same week it notified consumers” in order to show that it timely notified customers.[12]

The question going forward will be whether Target was sufficiently responsive. In the days following news of the breach, more than a dozen Target customers filed lawsuits against Target. In a complaint filed in the District of Minnesota, the plaintiff claimed that Target “indicated that it began investigating the incident ‘as soon as (they) learned of it,’ but it did not contemporaneously disclose the breach to Plaintiff and putative class members,” and that Target had “not made efforts to directly notify individuals whose information was compromised.”[13] While most states do not provide for a private right of action for failure to comply with the notification requirements,[14] some permit an injured customer to “institute a civil action to recover damages.”[15] For example, in addition to allegations of individual states’ notification statutes, plaintiffs have brought claims for failing to timely disclose the breach on grounds of negligence,[16] consumer fraud,[17] breach of implied contract,[18] concealment,[19] negligent misrepresentation,[20] and invasion of privacy.[21]

In addition to the fact that Target exposed itself to consumer class actions, United States senators from several states have called for an investigation by the Federal Trade Commission and Senate Banking Committee.[22] Target also suffered a decrease in sales during the holiday shopping season.[23] Target was likely hoping to minimize the publicity damage in the middle of its busiest shopping season by offering a 10 percent discount and free credit-monitoring services; however, this may be too little, too late to overcome the loss in consumer confidence.

It appears that the Target data breach was the first in a potential tsunami of similar breaches directed at business-to-consumer companies, especially retailers. [24] JPMorgan Chase CEO Jamie Dimon predicts that these breaches will become more common unless banks, retail stores and similar consumer-facing companies begin working together to further protect consumer data.[25] Business-to-consumer entities are at greater risk because potential hackers know they gather and retain consumer personal information. By comparison, business-to-business companies typically store only employee and related party information.

While it is likely cost prohibitive for consumer-facing companies to guarantee 100 percent protection of personal information via increased physical and electronic security, it is reasonable for the consuming public to expect earlier detection and responsiveness. The pending lawsuits against retailers like Target, enhanced enforcement by state attorney general offices, and the push for new legislation[26] should serve to shift the cost-benefit analysis in favor of enhanced security for personal information, earlier detection of breaches, and more effective management of breach incidents. With better data protection and breach detection measures in place, consumer-facing companies will be able to better protect and notify consumers.

4. Conclusion

Companies have a legal responsibility to notify consumers about incidents that have caused their personal information to be acquired by unauthorized persons. Providing consumers with early notice that their personal information has been breached enables them to mitigate damages by canceling credit cards and alerting credit bureaus to prevent further fraud, and, in turn, will minimize any potential loss of consumer confidence. General counsel are well advised to consult outside counsel concerning data breach management, especially when balancing the interests of law enforcement with those of the consuming public. While Target appears to have complied with the law, the leak about the breach and apparent lag time in public notice to consumers appear to have created an otherwise avoidable risk.



[2] Gregg Steinhafel, a message from CEO Gregg Steinhafel about Target’s payment card issues, Target.com, (Dec. 20, 2013), available at https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca.

[3] Press Release, Target Data Security Media Update #2, Target (Dec. 23, 2013), available at http://pressroom.target.com/news/target-data-security-media-update-2.

[4] Alabama, Kentucky, New Mexico, and South Dakota have not yet enacted related legislation.

[5] See, e.g., Alaska Stat. § 45.48.010 (2013); Arizona Rev. Stat. § 44-7501(A) (2013); Ark. Code Ann. § 4-110-105(a)(2) (2013); Cal. Civ. Code § 1798.29(a) and § 1798.82(a); Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code. Ann. tit 6, § 12B-102(b) (2013); D.C. Code § 28-3852 (2013); Ga. Code Ann. § 10-1-912(a) (2013); Idaho Code Ann. § 28-51-105(1) (2013); 815 Ill. Comp. Stat. § 530/10(a) (2013); Iowa. Code § 715C.2(1) (2013); Kan. Stat. Ann. § 50-7a02(a) (2013); La. Stat. Ann. § 51:3074(C) (2013); Me. Rev. Stat. tit. 10, § 1348(1) (2013); Minn. Stat. § 325E.61 (2013); Nev. Rev. Stat. § 603A.220 (2013); N.J. Stat. Ann. § 56:8-163 (2013); N.Y. Gen. Bus. Law § 899-aa(2) (2013); N.D. Cent. Code § 51-30-02 (2013); Ohio Rev. Code. Ann § 1349.19 (2013) (“but not later than forty-five days following its discovery or notification of the breach”); Okla. Stat. tit. 74 § 3113.1 (2013); Or. Rev. Stat. § 646A.604(1) (2012); R.I. Gen. Laws § 11-49.2-3(a) (2013); S.C. Code Ann. § 39-1-90 (2013); Wash Rev. Code § 19.255.010(1) (2013); Tenn. Code Ann. § 47-18-2107 (2013); Utah Code Ann. § 13-44-202 (LexisNexis 2013); Vt. Stat. Ann. tit 9, § 2435 (2013) (but not later than forty-five days following the discovery); Wyo. Stat. Ann. § 40-12-502(a) (2013).

[6] See, e.g., Md. Code. Ann, Com. Law § 14-3504 (2103); Mass. Gen. Laws ch. 93H, § 2 (2013); Neb. Rev. Stat. § 87-803 (2013); N.H. Rev. Stat. § 359-C:20 (2013); Tex. Bus. & Com. Code § 521.053 (2013); Wis. Stat. § 134.98(2)(bm) (2013).

[7] See, e.g., Conn. Gen. Stat. § 36a-701b(b)(1) (2013); Fla. Stat. § 817.5681(1)(a) (2013) (but disclosure “must be made no later than 45 days following the determination of the breach”); Haw. Rev. Stat. § 487N-2(a) (2013); Ind. Code § 24-4.9-3-3(a) (2013); Mich. Comp. Laws § 445.72(4) (2013); Miss. Code Ann. § 75-24-29 (2013); Mo. Rev. Stat. § 407.1500 (2013); Mont. Code Ann. § 2-6-504 (2013); N.C. Gen. Stat. § 75-65 (2013); 73 Pa. Cons. Stat. §§ 2303-2305, § 2308 (2013); Va. Code Ann. § 18.2-186.6(B) (2013); W. Va. Code §46A-2A-102(a) (2013).

[8] Conn. Gen. Stat. § 36a-701b(b)(1) (2013); Fla. Stat. § 817.5681(1)(a) (2013); Fla. Stat. § 817.5681(1)(a) (2013); Ohio Rev. Code. Ann § 1349.19 (2013); Vt. Stat. Ann. tit 9, § 2435 (2013).

[9] See, e.g., Alaska Stat. § 45.48.020 (2013); Colo. Rev. Stat. § 6-1-716(4). Cal Civ Code § 1798.29(c) and § 1798.82(c); 815 Ill. Comp. Stat. § 530/10 (b-5) (2013).

[10] See, e.g., Ga. Code Ann. § 10-1-912(d) (2013) (requiring notification to consumer reporting agencies where breach affects more than ten thousand residents); Haw. Rev. Stat. § 487N-2(f) (2013) (if business provides notice to more than 1,000 residents due to single breach, it must “notify in writing, without reasonable delay,” the state’s “office of consumer protection and all consumer reporting agencies”); Idaho Code Ann. § 28-51-105(1) (2013) (requiring notification to Idaho attorney general within twenty-four hours of the breach); Me. Rev. Stat. tit. 10, § 1348(4) (2013) (entity must also “notify, without unreasonable delay, consumer reporting agencies” where there is “a breach of the security of the system that requires notification to more than 1,000 persons at a single time”); Va. Code Ann. § 18.2-186.6(B) (2013); Colo. Rev. Stat. § 6-1-716(2)(d) (requiring an entity to notify consumer reporting agencies if it “is required to notify more than one thousand Colorado residents of a breach of the security”).

[11] Gregg Steinhafel, a message from CEO Gregg Steinhafel about Target’s payment card issues, Target.com (Dec. 20, 2013), available at https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca.

[12] In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 527-28 (N.D. Ill. 2011).

[13] Complaint at 3-4, Horton v. Target Corp., No. 0:13-cv-03583-PAM-JJK, (D. Minn. Filed Dec. 12, 2013), ECF No. 1.

[14] See, e.g., Arizona Rev. Stat. § 44-7501(H) (giving state attorney general sole enforcement power); Ark. Code Ann. § 4-110-108 (2013); Fla. Stat. § 817.5681(1)(b)(2) (2013) (establishing a civil penalty for non-compliance up to $ 500,000); Idaho Code Ann. § 28-51-107 (2013) (Failure to provide notice will subject an entity to a fine of up to $25,000 per breach of the security system); Iowa. Code § 715C.2(8)(a) (2013); Mich. Comp. Laws § 445.72(4) (2013) (imposing a civil fine or imprisonment for violations); N.C. Gen. Stat. § 75-65 (2013) (prohibiting a private cause of action unless that individual is in fact injured because of the violation); 73 Pa. Cons. Stat. §§ 2303-2305, § 2308 (2013); Vt. Stat. Ann. tit 9, § 2435 (2013).

[15] Cal Civ. Code § 1798.29(b); see also D.C. Code § 28-3852 (2013) (permitting injured residents to collect actual damages, not including pain and suffering); La. Stat. Ann. § 51:3075 (2013) (permitting a civil action to “recover actual damages resulting from the failure to disclose in a timely manner”); S.C. Code Ann. § 39-1-90 (2013). In a lawsuit concerning the largest security breach to date, Amerifirst Bank v. TJX Cos. (In re TJX Cos. Retail Sec. Breach Litig.), the First Circuit suggested that failed to promptly notify consumers of the security breach may constitute an unfair practice because it causes substantial injury to consumers, thereby giving consumers an alternative claim. 564 F.3d 489, 496 (1st Cir. 2009).

[16] Complaint at 11, Lagarde v. Target Corp. of Minn., No. 3:13-cv-00821-BAJ-SCR, (M.D. La. Filed Dec. 24, 2013), ECF No. 1; Complaint at 9, Wredberg v. Target Corp., No. Case3:13-cv-05901-MMC, (N.D. Ca. Filed Dec. 19, 2013), ECF No. 1; Complaint at 13, Kirk v. Target Corp., No. 3:13-cv-05885-SC (N.D. Ca. Filed Dec. 19. 2013), ECF No. 1; Complaint at 13-14, Switzer v. Target Corp., No. 3:13-cv-01319-DRH-PMF (S.D. Ill. Filed Dec. 19, 2013), ECF No. 2; Complaint at 8-9, Tirado v. Target Corp., No. 1:13-cv-13212-FDS (D. Mass. Filed Dec. 19, 2013), ECF No. 1; Complaint at 8-9, Dickson v. Target Corp., No. 2:13-cv-00939-WC (M.D. Ala. Filed Dec. 20, 2013), ECF No. 1; Complaint at 14, Bohannon v. Target Corp., No. 3:13-cv-03139-JAH-BLM (S.D. Cal. Filed Dec. 20, 2013), ECF No. 1; Complaint at 7, Burkstrand v. Target Corp., No. 0:13-cv-03593-RHK-FLN (D. Minn. Filed Dec. 20, 2013), ECF No. 1; Complaint at 7, Gray v. Target Corp., No. 0:13-cv-62769-RNS (S.D. Fla. Filed Dec. 20, 2013), ECF No. 1; Complaint at 11, Purcell v. Target Corp., No. 3:13-cv-02274-JE (D. Or. Filed Dec. 20, 2013), ECF No. 1; Complaint at 9-10, Sylvester v. Target Corp., No. 2:13-cv-02286-RAJ (W.D. Wash. Filed. Dec. 20, 2013), ECF No. 1; Complaint at 9, Council v. Target Corp., No. 1:13-cv-03479-CMA (D. Co. Filed Dec. 23, 2013), ECF No. 1; Complaint at 9, Hawkins v. Target Corp., No. 2:13-cv-06770-LMA-KWR (E.D. La. Filed Dec. 23, 2013), ECF No. 1; Complaint at 9, Heller v. Target Corp., No. 1:13-cv-13257-FDS (D. Mass Filed Dec. 23, 2013), ECF No. 1.

[17] Complaint at 6-7, Novak v. Target Corp., No. 1:13-cv-09165 (E.D.Ill. Filed Dec. 23, 2013), ECF No. 4; Complaint at 8, Sylvester v. Target Corp., No. 2:13-cv-02286-RAJ (W.D. Wash. Filed. Dec. 20, 2013), ECF No. 1; Complaint at 14, Kwan v. Target Corp., No. 8:13-cv-03252-VMC-EAJ (M.D. Fla. Filed Dec. 27, 2013), ECF No. 1.

[18] Complaint at 8-9, Knowles v. Target Corp., No. 1:13-cv-00793-ML-PAS (D.R.I. Filed Dec. 20, 2013), ECF No. 1; Complaint at 11-12, Heller v. Target Corp., No. 1:13-cv-13257-FDS (D. Mass Filed Dec. 23, 2013), ECF No. 1.

[19] Complaint at 9-10, Guzman v. Target Corp., No. 3:13-cv-05953-JCS (N.D. Cal. Filed Dec. 24, 2013), ECF No. 1.

[20] Complaint at 7-8, Derba v. Target Corp., No. 1:13-cv-13267-RWZ (D. Mass. Filed Dec. 24, 2013), ECF No. 1.

[21] Complaint at 15, Kwan v. Target Corp., No. 8:13-cv-03252-VMC-EAJ (M.D. Fla. Filed Dec. 27, 2013), ECF No. 1.

[22] See Letter from Senator Robert Menedez, Senator Mark Warner, and Senator Charles Schumer to Hon. Tim Johnson. Chairman, Senate Committee on Banking, Housing, and Urban Affairs, and Hon. Mike Crapo, Ranking Member, Senate Committee on Banking, Housing, and Urban Affairs (Dec. 30, 2013), available at http://www.menendez.senate.gov/download/?id=CD49C91F-BDD7-4F53-A5CE-198835C074C8; Stacey Jones, "Menendez announces safeguards for consumers in wake of Target data breach," The Star Ledger (Dec. 26, 2013), available at http://www.nj.com/business/index.ssf/2013/12/menendez_to_announce_safeguards_for_consumers_in_wake_of_target_
data_breach.html
.

[23] Sara Germano, "Target Says Encrypted PIN Data Taken in Breach," Wall Street Journal (Dec. 27, 2013), available at http://online.wsj.com/news/articles/SB10001424052702303345104579284440022934198?mod=djemalertNEWS.

[24] For example, Neiman Marcus and at least three other retailers experienced data breaches during the 2013 holiday season. See Jim Finkle and Mark Hosenball, "Exclusive: More well-known U.S. retailers victims of cyber attacks - sources," Reuters (Jan. 12, 2014), available at http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112.

[25] Ken Sweet, "JPMorgan’s Dimon: Target breach is a wake-up call," Associated Press (Jan. 14, 2014), available at http://www.usnews.com/news/technology/articles/2014/01/14/jpmorgans-dimon-target-breach-is-a-wake-up-call.

[26] Press release, Sen. Judiciary Committee Chairman Patrick Leahy (D-Vt.), "Leahy Reintroduces Data Privacy Legislation: Personal Data Privacy and Security Act Would Protect Americans In Digital Age" (Jan. 8, 2014), available at https://www.leahy.senate.gov/press/leahy-reintroduces-data-privacy-legislation.

 

Luis J. Diaz is a Director in the Intellectual Property Department at Gibbons P.C., and Caroline E. Oks is an Associate in the firm's Business & Commercial Litigation Department. Both attorneys are members of the Gibbons Privacy & Data Security Task Force. 

Please email the authors at ldiaz@gibbonslaw.com or coks@gibbonslaw.com with questions about this article.