11 January 2014

Breach and privacy penalties

The New York Times features more on the [US] Target data breach -
Target on Friday revised the number of customers whose personal information was stolen in a widespread data breach during the holiday season, now reporting a range of 70 million to 110 million people.
The stunning figure represents about a third of all American adults at the low end, and is nearly three times as great as the company’s original estimate at the upper end. The theft is one of the largest ever of retail data.
Not only did Target’s announcement disclose a vastly expanded universe of victims, but it revealed that the hackers had stolen a broader trove of data than originally reported. The company now says that other kinds of information were taken, including mailing and email addresses, phone numbers or names, the kind of data routinely collected from customers during interactions like shopping online or volunteering a phone number when using a call center.
On Dec. 19, Target confirmed reports that payment data was stolen from about 40 million customers who shopped in its stores in the United States from Nov. 27 to mid-December. As its investigation into the theft continued, the company said it had found that an additional quantity of data, collected over time on 70 million people and stored separately from the in-store data, was stolen. ....
The effect of the data theft has reached far beyond one of the nation’s largest retailers. Major credit card companies and banks have been issuing warnings about potential fraud to their customers and providing them with new cards and account numbers as a precaution. Some banks have limited cash withdrawals. As banks and companies continue to monitor customers’ accounts for suspicious activity, the Secret Service and the Justice Department have opened an investigation.
“This will impact many Target business partners — Visa, MasterCard and the host of banks and credit agencies that now have to keep an eye on the 110 million customers now vulnerable to identity theft,” said Hemu Nigam, founder of SSP Blue, a security and privacy consulting firm. “It affects more than Target customers. It affects mortgage lenders and car sales. It affects the entire economic infrastructure.”
Fraud experts said the information stolen from Target’s systems quickly flooded the black market. On Dec. 11, shortly after hackers first breached Target, Easy Solutions, a company that tracks fraud, noticed a 10 to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union.
The company apologized again on Friday for the broadening violation of its customers’ privacy.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg W. Steinhafel, Target’s chief executive, said in a statement....
After the initial breach, Target said that it had protected customers’ payment information with encryption and that it had stored the keys to descramble it on separate systems not affected in the breach. But the encryption algorithm Target used to protect that data — a standard known as triple DES, or 3DES — is vulnerable in some cases to so-called brute force attacks, when hackers use computers for high-speed guessing. In a breach on Adobe last year, hackers were able to bypass 3DES encryption through brute force attacks and exposed tens of millions of Adobe passwords within weeks of the breach.
On Friday, a Target spokeswoman would not comment on whether the second batch of information stolen from its 70 million customers was encrypted.
In Europe, France's CNIL has imposed a €150,000 penalty on Google.

CNIL's action was foreshadowed here. A €900,000 penalty last year by the Agencia Española de Protección de Datos (AEPD) was noted here.

CNIL indicates that its Sanctions Committee imposed the penalty
upon considering that the privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act. It ordered the company to publish a communiqué on this decision on its homepage Google.fr, within eight days as of its notification.
On 1 March 2012, Google decided to merge into one single policy the different privacy policies applicable to about sixty of its services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google Maps, etc. Nearly all Internet users in France are impacted by this decision due to the number of services concerned.
The G29 (the Working Group of all EU Data Protection Authorities) then decided to carry out an assessment of this privacy policy. It concluded that it failed to comply with the EU legal framework and correspondingly issued several recommendations, which Google Inc. did not effectively follow up on.
Consequently, six EU Authorities individually initiated enforcement proceedings against the company. In this context, the CNIL's Sanctions Committee issued a monetary penalty of €150,000 to Google Inc. on 3 January 2014, upon considering that it did not comply with several provisions of the French Data Protection Act.
In its decision, the Sanctions Committee considers that the data processed by the company about the users of its services in France must be qualified as personal data. It also judged that French law applies to the processing of personal data relating to Internet users established in France, contrary to the company's claim.
On the substance of the case, the Sanctions Committee did not challenge the legitimacy of the simplification objective pursued by the company’s merging of its privacy policies.
Yet, it considers that the conditions under which this single policy is implemented are contrary to several legal requirements:
  • The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
  • The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals. It fails to define retention periods applicable to the data which it processes.
  • Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.
These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.
This financial penalty is the highest which the Committee has issued until now. It is justified by the number and the seriousness of the breaches stated in the case.
Furthermore, the Sanctions Committee ordered Google Inc. to publish a communiqué on this decision on the website https://www.google.fr, during 48 hours, within eight days as of the notification of the decision. This publicity measure is justified by the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights.