From 2005 to 2007, TJX fell victim to a breach in which more than 45 million customer credit card numbers were pilfered from its databases.

The good news: The thief was caught by the Feds and sentenced to a 20-year prison sentence.

The bad news: The company got hit by lawsuits from every direction. First were the banks and credit card issuers, who had been hit by false claims and the need to help untangle the mess caused by TJX’s IT vulnerability.

Then came the class-action suits by groups of customers who were stung or at least inconvenienced by the breach.

And recently, TJX settled a lawsuit from investors, including pension funds, who sued the board of directors, alleging that those individuals, failed in their duty to protect customers’ personal data (and thus lowered stock prices).

That suit was settled at a reported cost of $595,000, with the board admitting to no wrongdoing. All in all, TJX had to set aside $178 million cash reserves to settle the lawsuits.

The lesson: Courts and plaintiffs are getting serious about data breaches. And the number of parties willing to sue is growing. It may in the end be impossible to outwit the most determined and crafty data thieves, but being able to demonstrate in court that your company was not negligent, that it had a rational, constantly updated data protection initiative certain won’t hurt, whether with judges or with insurers.

Called the 2010 Data Security Act, the Data Breach Notification Act, and the Personal Data Privacy and Security Act, these laws offer a wide-ranging response to the growing problem of identity theft.

The idea of the bills is to establish national standards for cases of data breaches – an issue that is now handled by varied and conflicting state laws. One new law would have federal agencies set up standards and procedures to handle any sensitive data. Another would also set requirements for notification in case of a breach, along with stronger criminal penalties for identity thieves and for companies that willfully conceal a breach. It would also mandate preventative measures from businesses. A third would tighten and spell out notification laws for both government and business.

A standardized set of federal laws, it is argued, would simplify compliance for companies and help law enforcement officials. Let’s hope that party squabbling doesn’t deep-six legitimate moves to attack a national crisis.

For more info click here.

That fact was made clear by some recent news stories:

• Google has been collecting passwords and e-mail messages, it is claimed. Apparently, Google’s roving Street View cars that present neighborhood views of locations across the world, have been intercepting local Wi-Fi communications. A lawsuit has been brought in France, but the practice goes on in a number of countries. Google’s response: Yes we collect the info, but it’s fragmentary, and we don’t use this stuff. Trust us.
• Twitter recently settled a suit with the Federal Trade Commission, admitting that allowed hackers to take control of several Twitter accounts, including those of President Obama and Fox News. The agreement sets up an independent security auditor that will assess how the company is doing, The company has vowed to take measures to prevent “unauthorized access to nonpublic information and honor the privacy choices made by consumers.”
• Social networking giant Facebook faces a number of class-action lawsuit over its callous disregard for customer privacy, by making so-called private information on user accounts easily available, both to the general public and to marketers. The controversy was inflamed by Facebook founder Mark Zuckerberg’s public pooh-poohing of anyone’s privacy concerns, the company’s default setting of having the default set at no privacy at all and its policy of making that hard to change.
• AT&T is, for now, the sole mobile source for iPad 3G users in the United States. Well, it didn’t take long. A group of hackers easily obtained the e-mail addresses of 114,000 iPad owners, using a security hole in AT&T’s website. Fortunately, in this case the hackers were part of a group that it specializes in exposing security vulnerabilities, and they quickly informed AT&T, who fixed that vulnerability. The conclusion: AT&T should have a lot of expertise on board, but they left a door wide open. How many more are there?

The suit says that HP, in negotiating with Turbon to subcontract the refilling of its own returns cartridges, had demanded full disclosures of Turbon’s business and technology processes. It then dropped Turbon and, according to the suit, made use of the trade secrets to improve and expand its own recycling and refilling program. HP then ramped up its own cartridge return program, making fewer empty available for Turbon to convert.

According to a Reuters article: “The lawsuit seeks damages for fraudulent inducement, misappropriation of trade secrets and unfair competition, a ban on the use of improperly obtained secrets, and other remedies.”

As with any lawsuit, the filing is just the beginning. The lawsuit is, however, part of an ongoing struggle between the original manufacturers and the remanufacturers/refillers that strikes at the center of all profitability in the printer business. The original manufacturers leave themselves vulnerable thanks to very high prices on most toner cartridges, especially for the lower-speed machines.

For Turbon, as for other reputable remanufacturers, they are hurt by a wide-open market with lots of poor-quality fly-by-night competitors that give bad experiences and a bad name to all remanufacturers. In the end, even the better firms have trouble piercing through the general distrust in the market.

Texas-based PlainsCapital Bank recently sued Hillary Machinery, Inc., a business customer, after criminals hacked into Hillary’s account and stole more than $800,000.

The bank recovered about $600,000 of that money. Hillary sent a letter demanding PlainsCapital pay the difference, claiming the bank’s lack of proper security measures was to blame for the theft.

PlainsCapital promptly filed a suit against Hillary. The accusation: Well, there was no accusation, really. The bank was trying to get the court to confirm that its security was adequate.

Hillary filed a countersuit to recover the funds, arguing the bank should never have allowed the suspicious transfer to happen. Given the facts of the case, it’s hard to disagree:

• The accounts receiving the cash were located in Eastern Europe, which should have been red flag,
• Hillary had previously only transferred money to a few other accounts, but the theft involved moving huge sums to multiple accounts within 48 hours, and
• E-mails authorizing the transfer came from Romania, even though Hillary is based in Texas.

Who won the case? We may never know the real outcome. The two sides recently settled, but, as ComputerWorld reports, would not disclose any details.

An employee sued the company for discrimination. After the suit was filed, the company archived everything saved on her work computer to preserve evidence.

The saved files included e-mails she sent via a personal, password-protected account. The company didn’t access the account directly, but copies of the messages had been automatically saved to her browser’s cache.

Some of the e-mails were conversations between the employee and her attorney, which contained evidence the company felt would help its case.

After the employer presented the messages in court, the employee claimed her rights to privacy and attorney-client privilege had been violated.

The company argued the employee had no such rights — its computer use policy stated that anything done on workplace computers could be monitored.

But the court disagreed. The judge ruled the employee had a “reasonable expectation of privacy,” because the policy didn’t mention that e-mails sent using a personal account would be saved to her hard drive.

It didn’t matter that she sent the e-mails at work — since the account was password-protected and not administered by the company, she reasonably assumed the company wouldn’t be able to read them.

Add to that the fact that the e-mails were between the employee and her lawyer, and the court ruled the company was at fault when it read the messages and tried to submit them as evidence.

What can companies monitor?

In most cases, whether monitoring is legal or not comes down to one question: Who owns the e-mail?

In other words, are the messages stored on the company’s network or by a third party (as is the case with personal accounts, like Yahoo and Gmail)?

While employers are normally within their rights to monitor employees’ work e-mail, courts will usually draw the line when the data’s stored by a third party.

Also, keep in mind:

• Have a clear-cut computer use policy – Employees can also win in court when they show they have a “reasonable expectation” of privacy. So inform all employees that their Web use at work will be monitored — and think twice before conducting any monitoring that isn’t clearly mentioned in the policy.
• Train managers – Some supervisors will go to great lengths when they suspect an employee of wrongdoing. But they should be warned that an investigation could become an invasion of privacy.

Cite: Stengart v. Loving Care Agency

The survey, conducted for security audit toolmaker nCircle, talked to 257 experts nationwide.

One of the key reasons for a federal law is that state after state is now passing data collection and breach laws with different provisions, giving national companies an increasingly tangled set of requirement for customer consent, notification and liability when a data breach occurs.

“Security professionals know that allowing private industry to ’self-regulate’ on security issues hasn’t worked so far,” stated nCircle CEO Abe Kleinfeld, and it’s unlikely to improve without some external stimulus. “A federal data breach law could become a catalyst for increased security investment and awareness for businesses of every size.”

But…

The big problem is passing any meaningful legislation in a U.S. Congress that is riven with partisan strife, powerful interest groups and vast technical ignorance.

The latest attempt at such a bill, the so-called Boucher Bill, drafted by several congressmen from both parties, deals with companies that gather and store information about consumers online, The draft bill has been submitted to get conversation started. Has it ever! The proposal has been strongly attacked by both corporate interests and by consumer groups.

Here’s a sample of the reactions:

• The Direct Marketing Association is going ballistic over requirements that before companies collect marketing information on consumers, that they get the consent of that consumer.
• The Progress and Freedom Association, an industry trade group, claimed that the bill would be the death of the “free” Internet.
• The Electronic Privacy Information Center declared that the law doesn’t do anything but maintain the unsatisfactory status quo.
• Consumer Action is complaining that the privacy provisions of the law are actually far weaker than those already in place for some states, and that the law would limit liability in cases where critical personal information leaks out and harms a consumer.

Companies like Microsoft and Google are holding their fire, “welcoming” the chance to discuss the bill. But you know that they and many others who have built a business on collecting such data have lobbyists lining up to write in exceptions to the already mild provisions of the bill.

Count us as cynical, but even if a law gets passed, it will be so watered-down and filled with loopholes that it will create more problems than it solves.

The 1991 Telephone Consumer Protection Act (TCPA) sets up opt-out provisions for blocking telemarketers from making “calls” using “automatic dialing systems”, and carries a hefty fine for violators. When the TCPA was established, the world hardly knew about cell phones, let alone text messages. But the Federal Communications Commission (FCC) has ruled that the law applies equally to text as well as voice messages.

And the judges are beginning to agree. In a class-action suit brought by a consumer against Twentieth Century Fox for sending out an unwanted text ad pushing a newly available DVD, Fox tried to have the suit thrown out, claiming the TCPA did not apply, since a text message is not a “call.”

A Federal district court judge in Illinois, after consulting some other recent decisions in other federal courts, eventually ruled that the text message is, for the terms of the law, a call, and that the class-action suit can proceed. This does not mean that the suit will win, but it does mean that the applicability of the TCPA is being extended to cover changes in technology.

For a more detailed legal analysis, check here.

A Supreme Court case is on the docket that may be a landmark event for users of cell phones, instant messaging, social networking sites, e-mail and Web searches. The result of this case may go a long way to deciding privacy rights for new media in the 21^st century.

The case, City of Ontario vs. Quon, involves the Ontario, CA, police department giving pagers to its SWAT team officers. The officers were told that while the devices were intended for official business, they could use them for private purposes, as long as they paid for any overcharges on their accounts. The department would consider those added messages as private.

At a later point, the department suddenly shifted policy, and had the pager company deliver the records of pager use, including the messages sent. They found that one officer had exchanged hundreds of sexually explicit messages with several women. When he was reprimanded, he and three of the women he was in touch with (two outside the police force) sued for violation of privacy.

The case hinges on Fourth Amendment rights against unreasonable searches. An appeals court determined that the police officer and his (ahem) correspondents had their privacy rights violated. The city of Ontario appealed to the Supreme Court.

This case may be settled narrowly, but the issues may be significant since the whole area of electronic privacy is still not firmly decided. While the employee using an employer-supplied device may not have an expectation of privacy, what about the people he is in contact with who were not employees? What rights do employees have if any? To what extent are any online communications subject to government review, without warrant? This case could have repercussions far beyond police department internal affairs.

The great irony, as pointed out in this NPR article, is that the Supreme Court is barely past the era of quill pens and typewriters, yet is about to decide on the direction of 21^st-century technology.

The Cybersecurity Act of 2009 was originally introduced last August, but it was stalled amidst controversy over some of its provisions. The opposition’s main gripe: The bill would have allowed the president to take control of the Internet in the event of a serious security threat, effectively giving him access to a “kill switch” that would shut down all online traffic.

A new version of the bill, now called the Cybersecurity Act of 2010, calls for the creation of a joint public-private body that will oversee the response to a cybersecurity emergency, FOX News reports.

Meanwhile, Congress is also considering passage of the Personal Data Privacy and Security Act of 2009, which would place more specific data protection mandates on employers.