What was Stratfor’s obligation to secure data and what might this breach cost them?

I thought it might be useful to post part of Texas law that may apply to Stratfor’s duty to protect subscriber data:

Sec. 521.002. DEFINITIONS. (a) In this chapter:
(1) “Personal identifying information” means information that alone or in conjunction with other information identifies an individual, including an individual’s:

(A) name, social security number, date of birth, or government-issued identification number;
(B) mother’s maiden name;
(C) unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
(D) unique electronic identification number, address, or routing code; and
(E) telecommunication access device as defined by Section 32.51, Penal Code.

(2) “Sensitive personal information” means, subject to Subsection (b):

(A) an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:

(i) social security number;
(ii) driver’s license number or government-issued identification number; or
(iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or

(B) information that identifies an individual and relates to:

(i) the physical or mental health or condition of the individual;
(ii) the provision of health care to the individual; or
(iii) payment for the provision of health care to the individual.

(3) “Victim” means a person whose identifying information is used by an unauthorized person.

(b) For purposes of this chapter, the term “sensitive personal information” does not include publicly available information that is lawfully made available to the public from the federal government or a state or local government.

Added by Acts 2007, 80th Leg., R.S., Ch. 885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch. 419, Sec. 1, eff. September 1, 2009.

Sec. 521.052.  BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION. (a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(b)  A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business by:

(1)  shredding;

(2)  erasing; or

(3)  otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(c)  This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.

(d)  As used in this section, “business” includes a nonprofit athletic or sports association.

Added by Acts 2007, 80th Leg., R.S., Ch. 885, Sec. 2.01, eff. April 1, 2009.

Amended by:
Acts 2009, 81st Leg., R.S., Ch. 419, Sec. 2, eff. September 1, 2009.

At least I think those are relevant sections – unless some Texas lawyers would care to jump in and point us to other sections.

So here’s what I was mulling over:

  • Would the Texas Attorney General consider it “reasonable” to retain full credit card numbers with their CVVs in databases that were not encrypted? The Texas AG’s office has sued businesses over data breaches in the past, but those cases all involved improper disposal of paper records containing personally identifiable sensitive information. To my knowledge, they have never sued a business over a security breach of an electronic database.
  • Would the FTC consider Stratfor’s data collection and storage deceptive or unfair business practices in light of their stated privacy policy? That seems more likely, but if the FTC got involved in every breach involving inadequate security, they’d have to quintuple their staff and budget, to say the least.
  • Was Stratfor obligated to be PCI-DSS compliant? If so, when were they last certified as such? And will they incur fees or penalties passed along by banks?
  • If charities incur chargebacks from misuse of data that Stratfor failed to adequately secure, can Stratfor be held liable for the chargebacks? Any Texas lawyers around who can clarify liability issues?

I know there are a lot of politically related agendas on both sides of this breach, and that law enforcement’s primary focus right now will be on identifying the hackers, but I’m just looking at it from the standpoint of the Office of Inadequate Security, and this has the makings of a very costly breach. If we simply use the $214/record figure, at 90,000 records (assuming the hackers’ reports are accurate), that would put the cost of this breach at $19.2 million. Does Stratfor have breach insurance? And if so, would it be voided by them having stored CVVs in clear text?

There’s a lot we don’t know as yet.

About the author: Dissent