“The reverse side also has a reverse side.” Japanese Proverb
Target and Neiman Marcus have suffered massive data breaches. The New Mexico legislature reacts with a Data Breach Notification Act (HB 224-Rehm), and Congress reactivates numerous legislative proposals on data breaches and brings forth at least one new version.
Apparently New Mexico is one of the few remaining states in the U.S. without some form of data breach notification statute. The ever-present Consumer Protection section of the New Mexico Attorney General’s office stepped in and pushed HB224. Although HB224 had significant committee support, it was deeply flawed in its scope. It apparently went through five or six versions and died at adjournment. Banking legislative representatives managed to get the final version of HB224 to exempt from its application any entity subject to the Gramm-Leach-Bliley privacy provisions. HB224 still had a wide scope outside credit card and banking, including applying the notification requirements to any “person” who gathered sensitive data subject to the Act: Social Security data, credit card data, drivers’ license data, etc. “Person” was not defined.
Before the New Mexico legislature convened, and contemporaneously with it, the U.S. Congress got into the act. More than a half dozen forms of data breach legislation had been introduced in 2011-2012 and died.
The most recent data breach notification bill is broader than the New Mexico version (HB224). In mid-February, Senators Blumenthal and Markey introduced the Personal Data Protection and Breach Accountability Act (“PDPBA”). PDPBA applies to any commercial or non-profit association that stores personal consumer information of a sensitive nature. It requires those subject to the Act to implement data security and privacy programs, preempts other state or federal notification laws, provides for civil and criminal penalties, and requires federal enforcement agencies to gather information on compliance with the Act. Under PDPBA the primary enforcement authority is the Justice Department, with rules and some involvement by the Federal Trade Commission. PDPBA also provides a private right of action. There is no Gramm-Leach-Bliley exception.
Senator Dianne Feinstein and others introduced similar legislation, the Data Security and Breach Notification Act (“DSBA”), in the last days of January 2014. DSBA is not as broad in its scope and primarily focuses on notification of data breaches. It is almost identical to legislation proposed in 2011. The Federal Trade Commission is charged with issuing standards for notification. There is a significant question whether DSBA would preempt state law on data breach notification unless the state law was more lenient.
Data breach notification legislation in the U.S. Congress has come alive, and the outcome in an election year with a divided Congress is anyone’s guess.
At present, for most New Mexico banks a far more dangerous risk is presented by Patco Construction Co. v. People’s United Bank, a 2013 decision out of the federal Court of Appeals for the 1st Circuit, covering the most north-eastern states above New York. I have discussed the case before, but it continues to get attention in the legal journals. It bears revisiting. Patco lost over $345,000 when sophisticated hackers got access to Patco’s ID and passwords for ACH transactions and started withdrawing funds. After some time the bank discovered the invasion of Patco’s accounts. Under a very one-sided ACH agreement between Patco and the bank, Patco had no chance of recovery; the agreement limited damages and essentially shifted all responsibility to Patco. The bank won. But on appeal the Court of Appeals reversed. Applying Section 4A of the Maine Uniform Commercial Code, the Court of Appeals in effect held that the bank could shift the risk of the ACH account’s operation to the customer, but only if the bank’s security procedures were “commercially reasonable”. The bank did not have commercially reasonable security procedures and, in this case, they were not applied in a commercially reasonable way. Thus under Patco the requirement that the bank’s security procedures be commercially reasonable under Section 4A of the Uniform Commercial Code overrides even the most bank-friendly agreement.
In my view Patco presents the best case for a bank’s attorney (not its insurance agent) to review the risk of a hacker’s invasion of a customer’s accounts against the bank’s liability and cyber-insurance policies. In a Patco situation it is likely that the bank’s liability policy will apply. However, cyber-insurance policies are changing with the risks and types of damages incurred, and the cyber-insurance should be reviewed.
At the urging of the New Mexico Attorney General, the District Courts for Sandoval and Valencia Counties (13th Judicial District) have just instituted a mandatory mediation procedure for all consumer foreclosure cases filed in that District. The procedures are similar to those in the Santa Fe District Courts. Experience has shown that the procedures add more time to an already delay-plagued process. Although the plan does not apply to commercial foreclosures, the Santa Fe courts did apply the mediation to some commercial foreclosures when defendants urged the court to force mediation.
Do Good,
Marshall G. Martin
(505) 228-8506