AlertBoot Endpoint Security

Massachusetts Data Breach Law To Be Tested?

Threatpost.com has an article wondering whether CitySightsNY's recent data breach will test Massachusetts's data breach law, which went into effect nine months ago.  I covered the law in earlier posts because it has much in common with what our company does (among other things, the law requires the use of laptop encryption software if any sensitive information is stored on the laptop.  It literally makes a point of saying "use encryption on laptops.")

CitySightsNY Falls Victim To SQL Injection

CitySightsNY admitted that a SQL injection attack let hackers download the company's customer list, which included full credit card information, including CVV2, the security code that is never, ever supposed to be stored.  Ever.  Other breached information included names and e-mail addresses.

The breach occurred in September and was discovered in October.  State Attorneys General were contacted in December.  A total of 11,000 customers were affected, including 300 New Hampshire residents and 1,800 Massachusetts residents.

Credit card information is not supposed to be stored (and as I already observed, this is even more true of CVV2 data).  Supposedly, hashes of the card number and expiration date can be stored -- allowing a vendor to charge cards on file, but disallowing data thieves from using the data; or at least, that's the idea.  In CitySightsNY's situation, it looks like this was not the case at all.
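The post says a SQL injection attack is what let the attackers dump the customer list, and that CVV2 should never have been in the table at all.  The following is an added example, not code from CitySightsNY, Threatpost or this blog.  It builds a constructed in-memory `customers` table (no CVV2 column), shows the string-concatenated lookup that a single tampered input turns into a full table dump, shows the bound-parameter version that treats the same input as a plain literal, and adds a small schema audit that flags any column whose name suggests card security codes are being stored.  The table, rows and inputs are all constructed for the example.

```python
import sqlite3

# Constructed sample rows: e-mail, name, and a masked card reference.
# Deliberately no CVV2 / security-code column, as the post says there must not be.
CUSTOMERS = [
    ("alice@example.com", "Alice Example", "4111********1111"),
    ("bob@example.com", "Bob Example", "5500********0004"),
]

# Column-name fragments that indicate card security codes being persisted.
FORBIDDEN_COLUMN_HINTS = ("cvv", "cvc", "security_code")


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Concatenates user input into the SQL text: the injectable pattern."""
    sql = "SELECT email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Binds the input as a parameter: the value can never change the query's shape."""
    return conn.execute(
        "SELECT email, name FROM customers WHERE email = ?", (email,)
    ).fetchall()


def forbidden_columns(conn, table):
    """Audit check: list columns whose names suggest CVV/CVC storage.

    `table` is a developer-supplied constant here, not user input; SQLite does
    not accept bound parameters in PRAGMA statements.
    """
    cols = [row[1] for row in conn.execute("PRAGMA table_info(%s)" % table)]
    return [c for c in cols if any(h in c.lower() for h in FORBIDDEN_COLUMN_HINTS)]


def demo():
    """Run both lookups against an honest input and a constructed tampered one."""
    conn = make_db()
    honest = "alice@example.com"
    # Constructed input: closes the string literal and appends a tautology,
    # so the concatenated query matches every row instead of one.
    tampered = "x' OR '1'='1"
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_tampered": len(lookup_vulnerable(conn, tampered)),
        "safe_honest": len(lookup_parameterized(conn, honest)),
        "safe_tampered": len(lookup_parameterized(conn, tampered)),
        "forbidden_columns": forbidden_columns(conn, "customers"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the concatenated query the tampered input returns both rows (the whole "customer list"); with the bound parameter it returns nothing, because the input is compared as a literal e-mail address.  The schema audit returns an empty list for this table; against a real production schema it is the kind of quick check that would have flagged a CVV2 column long before a breach did.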

Was There a Breach Under Massachusetts Law?

Since we know that hackers made off with sensitive information, we also know there was a data breach.  And, because Massachusetts's law focuses not on geography (where the breach took place) but on who was affected (MA residents), we also know that MA law ought to kick in.

As far as I know, there haven't been any fines handed out under this law so far, so this could be the first case.  The thing is, I'm not sure this case is so clear cut.  As I understand it, MA law requires laptops and any portable devices with sensitive data to be encrypted (it's spelled out, as I observed earlier).  The same is true for any information that is being moved from one place to another.

One would imagine that this refers to data passed over the internet, but it also pertains to "physical manifestations" of that data.  Take, for example, backup tape encryption under Mass Law.  It was noted that for backup tapes, you encrypt them prior to transporting them, if possible.  If not, there's a recommendation that you could perhaps hire an armored truck to transport the tape!  Obviously, it depends on the circumstances.

Computers such as servers and desktops, however, are left out of the encryption requirement completely (I noted this before in this post about MA laptop encryption and SMBs).  It's almost as if the lawmakers avoided the issue of desktops and servers on purpose.

CitySightsNY could be whacked on the requirement that their systems be reasonably up-to-date...but then, how do you define "reasonable?"

I guess threatpost.com is right.  The law will be tested, since the incident manages to fall through several nebulous areas.


Related Articles and Sites:
https://threatpost.com/en_us/blogs/data-breach-could-test-massachusetts-law-122110

 
<Previous Next>

Laptop Encryption Software: Centra Alerts 14,000 Of Data Breach

Drive Encryption Software Not Used On Missing Cook County Desktop Computer

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.