Conclusion There is an ongoing debate as to whether current data breach notification laws are effective in providing consumer protection and whether they should specifically provide for liability in all circumstances. Indiana University Health Foundation, Inc. Breslow Starling Frost Warner Boger Hiatt, PLLC, Inland Technologies Holdings Inc. ("Inland"), Clifty Creek Employees Federal Credit Union ("Clifty Creek"), MailMyPrescriptions.com Pharmacy Corporation, Central Illinois Carpenters Retirement Savings Fund, Citarella Operating, LLC and Lockwood & Winant Seafood, LLC, Armstrong Transfer & Storage Co., Inc. dba The Armstrong Company, Vermont State Colleges (which consists of Castleton University, Northern Vermont University, and Vermont Technical College), Rick L. Hug CPA, P.C. Indirect costs are any costs that are not considered direct costs, such as lost productivity.

TABLE 8 DISTRIBUTION BY ASSET SIZE (assets are in millions of dollars)
Total Assets | TJX # FI | TJX % Cards | TJX % Exp | TJX % Fraud | Hannaford # FI | Hannaford % Cards | Hannaford % Exp | Hannaford % Fraud
0-99 | 22 | 22.1 | 15.8 | 2.3 | 38 | 34.9 | 31.5 | 35.4
100-249 | 14 | 33.1 | 37.0 | 1.8 | 15 | 32.3 | 30.2 | 13.8
250-499 | 5 | 7.0 | 4.8 | 0.0 | 6 | 7.6 | 5.9 | 3.1
500-749 | 4 | 5.3 | 7.2 | 39.4 | 4 | 5.7 | 9.7 | 23.3
750-999 | 5 | 16.9 | 23.8 | 56.5 | 6 | 13.5 | 18.8 | 16.9
1,000+ | 2 | 15.5 | 11.5 | 0.0 | 2 | 5.9 | 3.9 | 7.4
TOTAL | 52 | 100.0 | 100.0 | 100.0 | 71 | 100.0 | 100.0 | 100.0

For the TJX breach, 32 of the 52 affected institutions reported an Investigation Expense (Table 3), ranging from a low of $62 to a high of $21,000. The amendment requires notification of a data breach to affected individuals and the Indiana Attorney General without unreasonable delay, but no later than forty-five (45) days after discovery of the breach. According to state law, businesses in Maine that experience a data breach must notify affected residents "as expediently as possible and without unreasonable delay." Notices can be written or electronic, and must be submitted within 30 days after the discovery of the breach.
Under Minnesota's law, these costs may include, but are not limited to: (1) the cancellation or reissuance of any access device affected by the breach; (2) the closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts; (3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach; (4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and (5) the notification to cardholders affected by the breach. 696 (signed into law June 28, 2019, Chapter 512). Notice may be provided by one of the following methods: Substitute Notice Available. Pursuant to the updated Authentication Guidance, the Federal agencies state that single-factor authentication is inadequate for high-risk transactions involving access to customer information over the Internet or the movement of funds to other parties. Scope Please provide information relating to data security breaches that have: (a) occurred since January 1, 2007; and (b) affected 25 or more customers at your financial institution who are Maine residents. Further, any person who maintains computerized personal information for another entity must notify that entity if the person learns or reasonably believes that an unauthorized person acquired personal information.
Learn how to protect yourself from identity theft, http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business, Electronic Maine Security Breach Reporting Form, Maine Data Breach Notices (09/14/2020 - Present), Maine Data Breach Notices (12/6/2018 - 09/14/2020) (MS Excel), Maine Data Breach Notices (8/1/2010 - 12/5/2018) (MS Excel), Know what information you have and where you have it. For each breach that occurred at your financial institution, describe how and when the breach was first detected within your financial institution. The Court held that the economic loss rule barred the financial institutions' negligence claim because they claimed damages only for economic losses, not for damages to persons or property. Forefront Management, LLC and Forefront Dermatology, S.C. Gary Motykie, M.D., a Medical Corporation, Florida Conference of Seventh-day Adventists, focusIT, Inc. on behalf of 7 business customers, Creative Capital Management Investments, LLC, CopperPoint Insurance Company, Pacific Compensation Insurance Company, and Alaska National Insurance, American Council for International Studies, Certified Automotive Lease Corp. dba CAL Automotive, Greater Boston Legal Services, Inc. ("GBLS"). An unauthorized acquisition, release, or use of an individual's computerized data that includes PI that compromises the security, confidentiality, or integrity of PI of the individual maintained by an Entity. computers, storage discs or tapes, flash drives, Blackberries, computerized phone systems.
Mass., Inc., Personal-Touch Home Care of N.Y., Inc., Personal Touch Home Care of Baltimore, Inc., Personal Touch Home Care of VA, Inc. and Personal Touch Home Aides, Inc. (MA), MTC Holsters LLC d/b/a Crossbreed Holsters, The American Armed Forces Mutual Aid Association, Layman, Diener, and Borntrager Insurance Agency, Resource Anesthesiology Associates Of CT PC, Robin Van Vliet dba Van Vliet Wellness & Insurance Solutions, Hudson Envelope of New Jersey Corp. (Hudson). 3) Recovery from data breach a) State and federal laws protecting consumers from fraud loss When a person's personal information is lost pursuant to a data breach, there are a number of laws that help to protect against identity theft and also permit them to recover any losses they may have suffered. Timing of Notification. c) Responsibilities of other non-financial institution entities Although far less comprehensive, non-financial institutions are subject to some control over their use and storage of customer data. For each breach, the Bureaus asked each financial institution to describe if, when and how it notified its customers of the breach. against BJ's Wholesale Club Inc. were dismissed by a Pennsylvania Federal District Court. Although there were occasional instances of other isolated data breaches, the survey results showed that they affected a small number of financial institutions and their effect on those financial institutions and customers was limited. The purpose of the Data Act is to warn those at risk of identity theft or other loss resulting from release of personal information so that they in turn can take steps to protect themselves. Similarly, the Office of the Attorney General is generally responsible for enforcing Maine's Data Breach Law. Maryland (HB 1154) - Maryland imposes new requirements on entities following a security breach Security breach notice requirements 1. Dental, LLC; Brasseler U.S.A.
Medical, LLC, Equitable Financial Life Insurance Company, Tavistock Restaurants Upscale Group Holdings, LLC. On the financial institutions' claims for breach of contract against the retailer, the Pennsylvania Federal District Court held that the financial institutions were not intended third-party beneficiaries of the contracts between BJ's and the credit or debit card companies. Since January 1, 2007, there have been two major data breaches affecting Maine's financial institutions. (Item 7. Personal information is an individual's first name or first initial and last name in combination with any one or more of the following information: This definition applies if either the name or the other information is not encrypted or redacted. http://www.mainelegislature.org/legis/statutes/10/title10ch210-bsec0.html, Driver's license number or state identification card number, Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords. For each breach that occurred at the financial institution, the Bureau asked the financial institution to describe how and when the breach was first detected within their financial institution. For the Hannaford breach, 62 of the 71 affected institutions reported a Communication Expense, ranging from a low of $24 to a high of $27,809. Everyone has personal information (such as credit card numbers, bank account numbers, and social security numbers) that can be misused when in the wrong hands. In Maine, if you are a company that has experienced a computerized data security breach and are required to report the breach to the Attorney General, you can use this Maine Security Breach Reporting Form. For each breach, describe any media communications (oral, electronic and print) by your financial institution in relation to the breach.
Notification to person maintaining personal information., [PL 2005, c. 583, 7 (AMD); PL 2005, c. 583, 14 (AFF). Goodwill Industries of Greater New York and Northern NJ, Inc. Lourdes University, Sisters of St. Francis of Sylvania, Various Data Owners, As Identified in Appendix to Letter, Berkshire Farm Center & Services for Youth, Legacy Operating Company d/b/a Legacy Hospice, The New York City Convention Center Operating Corporation d/b/a Javits Center, Donlen Corporation, now known as Sellerco Corporation, Vivendi Ticketing US LLC (d/b/a See Tickets US), The Research Foundation for the State University of New York. 672 (signed into law May 19, 2009, Chapter 161), L.D. Resolved: That the Department of Professional and Financial Regulation, Bureau of Financial Institutions shall submit its findings under section 1 to the joint standing committee of the Legislature having jurisdiction over insurance and financial services matters by December 1, 2008. Generally, financial institutions decided to mail notifications to customers, informing them that their accounts would be hot carded and that new cards would be issued together with PIN numbers. The first part was comprised of twelve questions to which financial institutions provided narrative responses. PL 2019, c. 512, 2 (AMD). Reproductive Biology Associates / My Egg Bank North America, The Baton Rouge Clinic, A Medical Corporation. With this expansion, Connecticut's law will have one of the broadest definitions of personal information in any data breach law in the . Resolve, Directing the Bureau of Financial Institutions To Study Data Security Breaches in the State Sec. Notice must also be sent to the Department of Professional and Financial Regulation if the entity is regulated by the Department (i.e., a Maine-chartered bank or credit union).
PART I: CURRENT LAWS AND REGULATIONS RELATING TO DATA PROTECTION AND RECOVERY 1) Disclosure of data breach a) Maine's Notice of Risk to Personal Data Act Maine's Data Breach Law requires disclosure to a Maine resident when a person or organization that maintains unencrypted computerized personal information becomes aware of a security breach and determines that misuse of the resident's personal information has occurred or is reasonably possible to occur. However, this distinction was not explained. Before discussing the impact of data breaches on Maine's financial institutions, Part I of this Report will review the various laws, guidelines and regulations that help prevent identity theft by requiring or encouraging safekeeping of personal information by financial institutions and other businesses. The Security Guidelines established standards relating to administrative, technical and physical safeguards to ensure the security, confidentiality, integrity and proper disposal of customer information. The Q&A also addresses the types of information protected by statute and enforcement mechanisms. The investigation must meet two goals: First, it must determine the scope of the security breach. The common goal of these programs was to create an additional level of protection for customers by ensuring that merchants met minimum levels of security when they stored, processed and transmitted cardholder data. Reissuance costs (a) credit card reissuance (b) debit card reissuance (c) other reissuance (e.g., checks) 4. Agency for Community Treatment Services, Inc. Pennington Biomedical Research Foundation, Dr. Michelle A. Rivera d/b/a Arlington Skin, The Law Offices of Joseph L. Bornstein (Bornstein). 052-3069).
TABLE 4 COMMUNICATION EXPENSE
 | TJX | Hannaford
# Affected | 52 | 71
# Report | 42 | 62
Highest | $23,895 | $27,809
Lowest | $24 | $24
Highest Individual | 16.2% | 12.7%
Top 5 | 46.4% | 38.7%

For the TJX breach, 49 of the 52 affected institutions reported a Reissuance Expense (Table 5), ranging from a low of $60 to a high of $32,146. As seen in Table 7 below, the total non-fraud expense is in all instances very proportionate to the cards reissued, for both the TJX breach and the Hannaford breach. Similarly, the Pennsylvania Federal District Court took a restrictive view of the types of losses that are compensable when the financial institutions' actions are framed in negligence. terminating their passwords and collecting ID cards). Good faith acquisition of personal information by an employee or agent of a person on behalf of the person is not a data security breach if the personal information is not used for or subject to further unauthorized disclosure. "Data security breach" means the unauthorized acquisition of an individual's computerized data that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person, including banks and credit unions. National Board for Certified Counselors, Inc. Nevertheless, the summaries of these narratives paint a useful broad brush picture of how Maine's financial institutions have been affected by data breaches and how they have responded to them. IC 24-4.9-2-1 Applicability Sec.