Who Are Breach Disclosure Laws Meant to Protect? One Merchant Held up Notifications for More Than a Year at the Request of Federal Authorities

By Linda Musthaler | April 04, 2014

Posted in: Network Security Trends

I live in Texas, and there’s a regional retailer that has just announced a data breach that is believed to have affected more than half a million customers. The announcement is controversial because the company, Spec’s, supposedly knew about the theft of payment card data almost a year ago and is just now telling customers. As you might imagine, people affected by this breach are rather upset.

Let me lay out the details, as reported by the Houston Chronicle newspaper. (I have no first-hand knowledge of this breach, although I am a Spec’s customer and could possibly be a victim of the breach. I have not received any such notice, though.)

On March 29, the Houston Chronicle reported that “a sophisticated computer scam” was perpetrated against the Spec’s retail payment system for a year and a half. The breach is believed to have started October 31, 2012, and continued as late as March of 2014. The article suggests that authorities within Spec’s knew early last year (2013) that the computer system had been compromised. In fact, customers were beginning to approach Spec’s to let the retailer know that their payment cards had fraudulent transactions that they traced back to Spec’s. (More on this in a moment.)

If it’s true that Spec’s knew of the breach more than a year ago, why is it only announcing now that so many customers may have had critical financial information stolen some time in that year and a half? According to Spec’s spokesperson Jenifer Sarver, federal investigators had asked the retailer not to divulge any details during the ongoing investigation. Sarver said, “It took professional forensics investigators considerable time to find and understand the problem, then make recommendations for Spec’s to fully address and fix them.”

With most of Spec’s stores being in Texas, it’s reasonable to assume that a majority of the customers who might be impacted by this breach are Texas residents. The following is an excerpt of the Texas breach notification law. Note that the bold emphasis is mine to draw attention to specific points.

NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA.  (a)  In this section, "breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b-1)  If the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of a state that requires a person described by Subsection (b) to provide notice of a breach of system security, the notice of the breach of system security required under Subsection (b) may be provided under that state's law or under Subsection (b).

(c)  Any person who maintains computerized data that includes sensitive personal information not owned by the person shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(d)  A person may delay providing notice as required by Subsection (b) or (c) at the request of a law enforcement agency that determines that the notification will impede a criminal investigation.  The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation.

In other words, it’s OK not to disclose a breach of personal financial data to the owner of that data if law enforcement tells the merchant not to disclose any details so the investigation won’t be compromised.

Needless to say, there are plenty of Spec’s customers who are pretty upset that they weren’t told a year ago that their financial data was known to have been stolen. According to Spec’s, debit card, credit card and personal check information was stolen. The Houston Chronicle reports “the exposure may include customers’ bank routing numbers, card security codes and other payment card and check information.” At least one customer alleges his debit card PIN was compromised. (Spec’s gives a discount for the use of cash or debit, so it’s likely the company has a greater percentage than other retailers of customers who use debit.)

Dwight Silverman is a technology writer employed by the Houston Chronicle. He shared his personal experience with the Spec’s breach here. In his first-hand account, Silverman writes that last year, his bank contacted him about fraudulent use of his debit card and PIN. He couldn’t figure out how a thief got his PIN, unless it was through a skimming device. Once the Spec’s breach was announced, Silverman put two and two together and he now suspects that a shopping trip to a Spec’s store was the source of his compromise. He writes:

One thing that really bothers me – and I suspect it irks other Spec’s customers, too – is that the feds asked the company not to divulge the breach, even though it was discovered some time ago. Law enforcement officials wanted time to figure out how the breach worked and possibly gain clues to apprehend the bad guys, but by doing so it left Spec’s customers vulnerable for an extended period of time.

According to the Houston Chronicle, another customer learned in 2012 that $1,500 had been fraudulently charged to three bank cards at the Spec’s store where he shops. The charges had been made electronically at a time when the store was closed. He contacted his Spec’s store to ask what was going on and he was told by a store employee that they’d been getting similar calls from other customers.

The U.S. Secret Service is involved in this investigation. Cynthia Marble, special agent in charge at the Houston field office, declined to comment on the investigation, other than to say the federal agency’s law-enforcement duties extend to the nation’s financial infrastructure. Spec’s spokespeople acknowledge that they could not go public about the breach sooner than this week at the request of law enforcement. And we see that the Texas breach notification law specifically says that people whose data has been compromised don’t need to be told if an announcement might compromise an investigation.

All I can say is, the feds better catch the people responsible and bring them to justice in order to justify having kept half a million people in the dark about their financial data being stolen more than a year ago.
