DataBreaches.Net


What was Stratfor’s obligation to secure data and what might this breach cost them?

Posted on December 26, 2011 by Dissent

I thought it might be useful to post part of Texas law that may apply to Stratfor’s duty to protect subscriber data:

Sec. 521.002. DEFINITIONS. (a) In this chapter:
(1) “Personal identifying information” means information that alone or in conjunction with other information identifies an individual, including an individual’s:

(A) name, social security number, date of birth, or government-issued identification number;
(B) mother’s maiden name;
(C) unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
(D) unique electronic identification number, address, or routing code; and
(E) telecommunication access device as defined by Section 32.51, Penal Code.

(2) “Sensitive personal information” means, subject to Subsection (b):

(A) an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:

(i) social security number;
(ii) driver’s license number or government-issued identification number; or
(iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or

(B) information that identifies an individual and relates to:

(i) the physical or mental health or condition of the individual;
(ii) the provision of health care to the individual; or
(iii) payment for the provision of health care to the individual.

(3) “Victim” means a person whose identifying information is used by an unauthorized person.

(b) For purposes of this chapter, the term “sensitive personal information” does not include publicly available information that is lawfully made available to the public from the federal government or a state or local government.

Added by Acts 2007, 80th Leg., R.S., Ch. 885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch. 419, Sec. 1, eff. September 1, 2009.

Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION. (a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(b) A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(c) This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.

(d) As used in this section, “business” includes a nonprofit athletic or sports association.

Added by Acts 2007, 80th Leg., R.S., Ch. 885, Sec. 2.01, eff. April 1, 2009.

Amended by:
Acts 2009, 81st Leg., R.S., Ch. 419, Sec. 2, eff. September 1, 2009.

At least I think those are relevant sections – unless some Texas lawyers would care to jump in and point us to other sections.

So here’s what I was mulling over:

  • Would the Texas Attorney General consider it “reasonable” to retain full credit card numbers with their CVV’s in databases that were not encrypted? The Texas AG’s office has sued businesses over data breaches in the past, but those cases all involved improper disposal of paper records containing personally identifiable sensitive information. To my knowledge, they have never sued a business over a security breach of an electronic database.
  • Would the FTC consider Stratfor’s data collection and storage deceptive or unfair business practices in light of their stated privacy policy? That seems more likely, but if the FTC got involved in every breach involving inadequate security, they’d have to quintuple their staff and budget, to say the least.
  • Was Stratfor obligated to be PCI-DSS compliant? If so, when were they last certified as such? And will they incur fees or penalties passed along by banks?
  • If charities incur chargebacks from misuse of data that Stratfor failed to adequately secure, can Stratfor be held liable for the chargebacks? Any Texas lawyers around who can clarify liability issues?

I know there are a lot of politically related agendas on both sides of this breach, and that law enforcement’s primary focus right now will be on identifying the hackers, but I’m just looking at it from the standpoint of the Office of Inadequate Security and this has the makings of a very costly breach. If we simply use the $214/record figure, at 90,000 records (assuming the hackers’ reports are accurate), that would put the cost of this breach at $19.2 million. Does Stratfor have breach insurance? And if so, would it be voided by them having stored CVV’s in clear text?

There’s a lot we don’t know as yet.
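The two concrete security questions the statute and the post raise are whether full card numbers and CVVs sat in the clear, and whether records of lapsed subscribers were destroyed once the business no longer needed them (Sec. 521.052(b)). The script below is an added example, not code from the original post or from Stratfor; it audits a toy subscriber store for exactly those conditions and shows one way to remediate them. The field names (`pan`, `cvv`, `subscription_end`, `pan_is_token`), the 90-day retention window and the sample records are all assumptions constructed for the example.

```python
"""Audit a subscriber store for cardholder-data retention problems.

Constructed example: the records and field names are invented and do not
come from any real breach. Retention window (90 days) is an assumed policy.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional
import re

# A bare 13-19 digit string is treated as a cleartext card number (PAN) at rest.
PAN_RE = re.compile(r"^\d{13,19}$")


@dataclass(frozen=True)
class SubscriberRecord:
    email: str
    subscription_end: date
    pan: Optional[str] = None        # primary account number, or a processor token
    cvv: Optional[str] = None        # card verification value: must never be stored
    pan_is_token: bool = False       # True when 'pan' holds a tokenised reference


def audit_record(rec: SubscriberRecord, today: date, retention: timedelta) -> List[str]:
    """Return the policy violations found in one record (empty list if clean)."""
    findings = []
    if rec.cvv is not None:
        findings.append("cvv_stored")          # forbidden regardless of encryption
    if rec.pan and not rec.pan_is_token and PAN_RE.match(rec.pan):
        findings.append("cleartext_pan")       # full card number stored in the clear
    if (rec.pan or rec.cvv) and rec.subscription_end + retention < today:
        findings.append("lapsed_retention")    # card data kept past the retention window
    return findings


def audit_store(records, today: date, retention_days: int = 90) -> Dict[str, List[str]]:
    """Map each offending record's email to its list of findings."""
    retention = timedelta(days=retention_days)
    report = {}
    for rec in records:
        findings = audit_record(rec, today, retention)
        if findings:
            report[rec.email] = findings
    return report


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form PCI DSS permits for display."""
    return "*" * (len(pan) - 4) + pan[-4:]


def remediate(records, today: date, retention_days: int = 90) -> List[SubscriberRecord]:
    """Return a copy of the store with CVVs dropped, lapsed card data destroyed
    and any remaining cleartext PAN reduced to a masked form."""
    retention = timedelta(days=retention_days)
    fixed = []
    for rec in records:
        findings = audit_record(rec, today, retention)
        if "lapsed_retention" in findings:
            # Lapsed subscriber: destroy the card data entirely (Sec. 521.052(b)).
            rec = replace(rec, pan=None, cvv=None, pan_is_token=False)
        else:
            if "cvv_stored" in findings:
                rec = replace(rec, cvv=None)
            if "cleartext_pan" in findings:
                # Stand-in for handing the PAN to a payment processor for tokenisation;
                # masking keeps only what a renewal receipt needs to show.
                rec = replace(rec, pan=mask_pan(rec.pan))
        fixed.append(rec)
    return fixed


# Constructed sample store (invented records, not data from any real breach).
TODAY = date(2011, 12, 26)
SAMPLE_STORE = [
    SubscriberRecord("alice@example.com", date(2012, 6, 1), pan="4111111111111111", cvv="123"),
    SubscriberRecord("bob@example.com", date(2009, 5, 1), pan="5500000000000004"),
    SubscriberRecord("carol@example.com", date(2012, 3, 15), pan="tok_8f3a1c", pan_is_token=True),
    SubscriberRecord("dave@example.com", date(2010, 1, 1)),
]

if __name__ == "__main__":
    for email, findings in audit_store(SAMPLE_STORE, TODAY).items():
        print(f"{email}: {', '.join(findings)}")
    print("after remediation:", audit_store(remediate(SAMPLE_STORE, TODAY), TODAY))
```

Running the audit on the sample store flags the active subscriber who has a CVV and a cleartext card number on file, and the subscriber whose membership lapsed years ago but whose card number was never purged; the tokenised record and the record with no card data pass. After `remediate`, a second audit returns nothing. Masking is only a placeholder for the real fix, which is to hand card numbers to a payment processor and keep a token, so that a renewal can still be charged without the merchant holding the PAN at all.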

Category: Breach Incidents, Business Sector, Hack


6 thoughts on “What was Stratfor’s obligation to secure data and what might this breach cost them?”

  1. relish says:
    December 27, 2011 at 2:14 pm

    You do not save CVV numbers. Not even encrypted. Storing them somewhere renders the whole concept of CVV useless.

  2. McGroarty says:
    December 28, 2011 at 11:46 am

    Trust and reputation aside, what this may cost them is the ability to process credit card transactions directly. Storing CVVs flies in the face of PCI DSS, as does the fact that a public-facing system stored – or was able to query – payment data in batch. Don’t be surprised if Stratfor is bouncing subscribers to a third party payment service by the new year. That means a slice of gross revenue and friction for automatic renewals.

  3. DemandAccountability says:
    December 29, 2011 at 9:24 pm

    There’s another factor that is particularly galling: many of the compromised credit card numbers were from FORMER Stratfor subscribers—folks who haven’t subscribed in well over a year or two. Why did Stratfor keep their personal information on file (apparently unencrypted) well after these former subscribers ceased dealing with Stratfor? How would this affect their liability? It should also be noted that Stratfor was a target of deported Russian spies (Anna Chapman’s gang), so they had plenty of warning that their info was targeted by high tech thieves.

  4. Binoy says:
    January 3, 2012 at 6:25 am

    The challenge of such a breach is that it has a global impact. It hits customers of Stratfor all over the world. All of them are not covered by US regulations and may not get the protection.

  5. formerStratformember says:
    January 5, 2012 at 3:50 pm

    I received numerous emails from Stratfor apologizing, and suggesting to subscribe to “CSID” service (one year/provided by Stratfor) providing “Global ID protector coverage”.
    I am surprised to find out that Stratfor didn’t erase my data since my “membership” ended over 2 years ago, and was wondering if there is any liability claim for putting my personal info at risk?
    I am not an American, and particularly the comment about “(Anna Chapman’s gang)” in the previous post is making me nervous!
    I’m not sure who to contact regarding this matter!?
    Looking forward to any reply!

    1. admin says:
      January 5, 2012 at 4:06 pm

      I am not a lawyer, but U.S. courts have generally not found for plaintiffs who allege increased risk of identity theft. If you incur unreimbursed costs, then they might, but other than that, the courts are not too helpful.

      If it were me, I wouldn’t sue but I would file a complaint with the FTC (Federal Trade Commission) about unfair and deceptive business practices. In a previous blog entry, I posted Stratfor’s privacy policy. Based on that, would you have expected them to retain your data – and in clear-text? Or did they deceive you?

      The FTC provides an online complaint form at https://www.FTCComplaintAssistant.gov/FTC_Wizard.aspx?Lang=en

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.