UPDATE: The Massachusetts Attorney General has been notified that financial data on 1,800 residents were exposed in a database breach linked to CitySights NY, a sightseeing firm. The case could set the stage for enforcement of the State’s nine month-old data privacy law.Financial data on 1,850 Massachusetts residents was among account information for 110,000 customers stolen from servers belonging to Twin America LLC, the parent company of CitySights NY, according to Amie Breton, Deputy Press Secretary in the Office of Massachusetts Attorney General Martha Coakley.
As Threatpost reported yesterday, Twin America has disclosed that it was the victim of a SQL injection attack on a CitySights Web server that provided unknown assailants with access to the company’s customer list, including names, addresses, credit card account and CVV2 (card verification value) data.
The breach, which occurred in September, was discovered by a Twin America Web programmer in October and came to light when the company’s attorney wrote letters to states’ attorneys general disclosing the breach. A copy of the attorney, Theodore P. Augustinos’, letter to the Attorney General of New Hampshire, dated December 9, was published online. Approximately 300 of the victims were New Hampshire residents.
A call from Threatpost to the Massachusetts Attorney General’s office confirmed that Coakley’s Office received a similar letter on December 10, specifying that 1,850 victims were Massachusetts residents.
The case could be a test of Massachusetts’ new data privacy law, known as 201 CMR 17. That law, which took effect on March 1, 2010, is one of the toughest in the nation, addresses the misuse of personal data by both individuals and companies and third party providers that store, collect or use personal information, including name, social security, driver’s license number or financial information on Massachusetts residents – regardless of whether those organizations are based in or have offices in the state.
The Massachusetts Attorney General has not yet made any moves to enforce the law, nor has it given much guidance on what kinds of enforcement actions may be pending, said Cynthia Larose of the law firm Mintz, Levin, Cohn, Ferris, Glovsky
and Popeo, P.C.
“We’ve been trying to engage folks from the (Attorney General’s) Office on what their thinking is and there’s been no comment,” Larose said. “I think they’re waiting for the right matter to come along.” The CitySights case may be just such a matter, Larose said.
Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts’ residents to encrypt personal information at rest – in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted.
Attorney General Coakley’s Office said it doesn’t confirm or deny investigations and it is not clear whether there were any violations of 201 CMR 17 in the CitySights case. However, it appears the possibility of cases being brought under 201 CMR 17 or similar state laws at least occurred to Twin America. The letter sent from Attorney Augustinos of Edwards Angell Palmer & Dodge to New Hampshire Attorney General Michael Delaney notes, specifically, that the compromised database did not contain “Social Security numbers, drivers’ license or other state-issued identification or other personal information” – all types of personal information called out in the Massachusetts law.
Larose said that, while Twin America/CitySights attorneys may be hoping to slip under the radar, the combination of Massachusetts residents’ name with the credit card number is enough to put the company on the wrong side of 201 CMR 17.
“It would seem to be a matter that would be ripe for further investigation,” LaRose said.
Among the questions the Attorney General’s Office would want to answer was whether Twin America had a written information security plan (or WISP) as required by the Massachusetts law. If the Attorney General’s Office does deside to pursue the matter, LaRose said that attorneys in state and around the nation would be looking for what kind of case they bring forward.
For example: the Attorney General might decide to pursue CitySights for violations of the State’s consumer protection laws (Massachusetts General Laws Chapter 93A) or to made inaccurate claims to customers about how they would protect their data, or to pursue the company for specific violations of 201 CMR 17. Whatever the case, some action would be welcomed by the legal community by helping to clarify the Attorney General’s interpretation of the scope and force of the new law, LaRose said.
Twin America’s attorney did not immediately respond to requests for comment on the case.
Federal privacy legislation has been on the back burner on Capitol Hill for years, and this year’s 111th Congress will adjourn without meaningful reform. In recent days, both the Federal Trade Commission and the Department of Commerce have called on the U.S. to improve privacy protections for consumers. The FTC released a report (PDF) dubbed “Protecting Consumer Privacy in an Era of Rapid Change” on December 12. That report included a call for a “Do Not “track” mechanism for Web browsers, among other changes. The Department of Commerce issued a similar call for a privacy “Bill of Rights” that would replace a universal federal law with industry-specific rules negotiated with commercial players and with input from the DOC and FTC.