On March 17, the Hannaford Brotherssupermarket chain announced that “a noveland sophisticated attack” on computers asso-ciated with its point-of-sale checkout systemresulted in the theft of customers’ debit andcredit card numbers. The company is aware of 1800 cases of fraud resulting from the attack.

This represents a high prole instance of an

increasingly prevalent corporate malady: thedata security breach.States have responded, passing laws requir-

ing notication of individuals victimized by suchbreaches. The rst such

law, California’s SecurityBreach Information Act(SBIA), took effect onJuly 1, 2003. Four yearslater, Massachusetts has joined 38 other states andthe District of Columbiain passing legislationrequiring such notice. The Massachusetts Act,effective February 3, 2008, builds on otherstates’ laws while adding a few new wrinklesof its own.The Massachusetts law applies to anyperson, business or governmental agencythat owns, licenses, maintains or stores thepersonal information of Massachusetts resi-dents. Unlike many data security laws, whichare limited to those that do business in thestate, the Massachusetts Act attempts toreach beyond its borders and has applicationto anyone using the personal information of Massachusetts residents.The Act protects the “personal information”

of residents, dened to include a resident’s

name in combination with that person’s (1)social security number, (2) driver’s license

number, (3) state identication number, or (4)nancial account, debit or credit card number

(with or without any required access codesor passwords) such that would permit accessto the resident’s account. Legally obtainedpublic information is not considered personalinformation under the Act. Although the

Massachusetts denition may seem broad,

some states have gone further to includemedical, health insur-ance and educational data,dates of birth, electronicsignatures and biometricand DNA information.But while the scope of the law may seem objec-tive, it applies a subjectivetest to determined whether notice must be

provided. Specically, Massachusetts denesa breach of security as “the unauthorizedacquisition or unauthorized use of unen

-crypted data…that is capable of compromising

the security, condentiality, or integrity of

personal information…that creates a substan-tial risk of identity theft or fraud against aresident of the commonwealth.” This standardwas clearly meant to leave some discretionin the hands of the information holder anddoes not trigger notice where the risks toMassachusetts residents are remote.

“States have responded,passing laws requiring

notication of individu

als victimized by [datasecurity] breaches.”

TLB

Technology Law Bulletin

Hannaford Data Breach MayTrigger New Massachusetts Law

by Joe Laferrera Joe.Laferrera@gesmer.com

a publication

Spring 2008

When comparing notication laws, report

-ing standards vary widely. In contrast to theMassachusetts law, some states have optedfor acquisition-based standards which typicallymandate at least some form of notice whenprotected personal information is accessed oracquired without authority. Acquisition-basedstandards are more rigid than risk-basedstandards and leave little or no discretion inthe hands of the information holder.The Massachusetts Act also containsa major exception to the notice require-ment even if a security breach does occur.

Specically, Massachusetts does not require

notice if the data subject to the breach was “encrypted” and that encryption process wasnot compromised by the breach. This excep-tion is unique in that it requires an encryptionprocess that meets certain technical criterion.In order to rely on this exception, data mustbe encrypted with “a 128-bit or higher algo-rithmic process.” In the event of a security breach involvingunencrypted data, there are two distinct noticerequirements under the law. First, notice mustbe sent directly to every affected resident inwriting or in electronic form. Additional noticeoptions are available if the cost of giving writ-ten or electronic notice will exceed $250,000,over 500,000 Massachusetts residents areaffected or the party required to give noticehas inadequate contact information to doso. These alternative forms of notice includee-mail, “clear and conspicuous” online post-ing on the information holder’s website andpublication or broadcast that “provides noticethroughout the commonwealth.” Second, written notice of a security breachmust be given to the Massachusetts AttorneyGeneral and the Director of Consumer Affairsand Business Regulation. This follows a grow-ing trend among states of requiring notice tostate agencies.

The content of this notice differs signi

-cantly based on the recipient. For example,notice to the state agencies must featurethe nature of the security breach and thenumber of residents affected, while notice tothe affected persons “shall not” include thisinformation. At a minimum, Massachusetts

residents must be notied of their right to

obtain a police report concerning a securitybreach as well as information about how to

place a “security freeze” on their credit report.The “security freeze,” which is unique to the

Massachusetts Act, allows consumers to limitaccess to and gain greater control over theircredit reports.In addition to the notice obligationsdescribed above, the Massachusetts Actrequires proper disposal of personal informa-tion about its residents. What is unique about

this feature is the specicity of the standard

for the destruction of data. Every person

and organization covered by this law must

ensure proper disposal of records (includ-ing electronic records) containing personalinformation so that they “cannot practi-cally be read or reconstructed.” Appropriatemethods of data destruction mentioned inthe Massachusetts law include having paper

documents “redacted, burned, pulverized or

shredded” and electronic records “destroyedor erased.” Failure to properly destroy recordscontaining personal information could result

in nes of $100 per occurrence. Accordingly,

those in possession of personal information of Massachusetts residents must have appropri-ate measures in place.

Data security breach notication laws are

becoming increasingly prevalent. Meanwhile,as e-commerce thrives a growing number of companies are maintaining personal infor-mation about residents of multiple states.It is imperative that businesses and entre-preneurs know what data they have in theirpossession so it be managed properly. Whilethe Hannaford situation is still developing,the fallout could be devastating. Sound datamanagement policies limit risk for businessesand protect consumers, and now they aremandatory for those who do business withMassachusetts residents.

♦

(Data Breach Law, continued from p. 1)

MA Court Decision IntroducesDispute About Online Infringement

by Joe Laferrera Joe.Laferrera@gesmer.com

For several years, the Recording IndustryAssociation of America (RIAA) and record com-panies have attempted to protect the musicindustry by aggressively pursuing individualswho make copyrighted music freely available toothers over the Internet. To thwart the illegaldissemination of copyrighted music, the RIAAhas instituted thousands of lawsuits against

people who have offered up music les to

so-called peer-to-peer networks, where theycan be downloaded for free. With some high

prole exceptions, these lawsuits have been

largely successful, leading to settlements orfavorable verdicts in court.There is no longer much legal doubt thatdistributing hundreds or thousands of copiesof a song to the public without permissionconstitutes copyright infringement, but evi-dentiary and technical hurdles can still make

these cases difcult to pursue. First, the

RIAA typically requires assistance identifyingthe infringing parties, since the exchange of

les over peer-to-peer networks can be done

anonymously. The RIAA only has the “IP” orInternet addresses of the computers involved,and it frequently issues subpoenas to Internetservice providers (ISPs) that provide theInternet connections in order to match the IPaddresses to actual names. Once a defen-

dant is identied, proving that the songs in

question were actually copied by third par-

ties can also be difcult. So, the RIAA has

argued that simply making copyrighted music “available” over the Internet is tantamount tocopying, and therefore establishes proof of illegal infringement.On March 31, 2008, United States DistrictCourt Judge Nancy Gertner, sitting in theDistrict of Massachusetts, largely rejected themusic industry’s “access equals infringement” position. Her 55-page decision in

London-Sire Records, Inc. v. Does 1-21

addresses therecord company’s attempt to compel BostonUniversity to identify the users of certainsuspect IP addresses. Judge Gertner grantedthe defendants’ motion to quash the subpoe-nas, although she left open the possibility of

a modied subpoena to address privacy andidentication issues.

The most interesting part of the decision,however, concerns the applicability of copy-right law to plaintiffs’ allegations: whetherthe defendants have violated the stricturesof the Copyright Act, which prohibits unau-

thorized “distribution” of protected works, by

making copyrighted songs freely available onthe Internet. Judge Gertner concluded that

“merely exposing music les to the Internet

is not copyright infringement.” She rejectedthe efforts by the plaintiffs (and some othercourts) to equate the defendants’ “publica-

tion” of the les with their illegal “distribution,”

stating that “even a cursory examination of the statute suggests that the terms are notsynonymous.” She holds that “the defendantscannot be liable for violating the plaintiffs’ dis-tribution right unless a ‘distribution’ actuallyoccurred.” In short, a college student who

made hundreds of music les available over

a peer-to-peer network has not violated the

This view suggests a departure from sev-eral older decisions, and even some recentones. Indeed, on the day the decision in

London-Sire

issued, the federal District Courtfor the Southern District of New York reacheda contrary conclusion in

Elektra Entertainment Group, Inc. v. Barker

, stating that “Severalcourts (including the Supreme Court) thathave wrestled with the Copyright Act havegenerally found…‘distribution’ and ‘publication’ to be synonymous.” Whether, and how, the courts reconcilethis issue is still unclear. But until they do,

the music industry may nd some places far

less hospitable than others when pursuingtheir lawsuits.

♦