Has "Reasonable Security" Finally Been Defined for Data Protection and Privacy Laws?
By: Bill Tolson | September 22, 2022
In June 2022, convenience store operator Wawa Inc. agreed to pay six states and the District of Columbia more than $8 million to settle a 2019 data breach incident that impacted 34 million payment cards that were used at the company's Mid-Atlantic convenience stores in New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida, and DC.
Between April and December 2019, hackers deployed malware to access sensitive customer data from Wawa's systems. The jurisdictions involved charged that the Wawa, PA-based retailer failed to use reasonable security measures that would have prevented the hackers' breach.
Cardholder names, credit card numbers, and expiration dates were exposed. However, it was determined that debit card information, personal identification numbers (PINs), credit card CVV numbers, and driver's license data were not impacted. Approximately 850 Wawa locations and more than 30 million payment records were affected. Wawa acknowledged that by late April 2019, malware was present on most of its convenience store payment systems.
The July 2022 Wawa data breach settlement is the third-largest over a credit card breach, behind Target's $18.5 million settlement with 47 states in 2017 and Home Depot's $17.5 million settlement with 46 states in 2020.
Current privacy laws are weak around data security
Followers of Archive360’s past blogs, podcasts, and webinars know that I have questioned the non-prescriptive data security provisions in current data privacy laws, including the GDPR. They all use variations of the same data security provision, for example specifying that data controllers must maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
My question to the state senators who authored the laws, as well as privacy subject matter experts, has been: why aren't the data security provisions more prescriptive? Why aren’t they demanding specific data security requirements such as:
- All PII must be encrypted in transit and while at rest (as well as while in use)
- PII cannot be downloaded from its original application and repository without written approval and ongoing tracking
- All PII shall be protected from unauthorized access and viewing using role-based access controls (RBAC)
- PII shall not be transferred to portable devices
These are basic common-sense examples of non-proprietary security controls that could dramatically lower the risk of PII theft.
What is reasonable security for data protection?
Last year (2021), the Sedona Conference, a nonpartisan, nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law, published a paper on reasonable security titled: The Sedona Conference Commentary on a Reasonable Security Test. This paper addresses the "legal test" a court or other legal body should apply in a situation where a party (data collector or data processor) has a legal obligation to provide "reasonable security" for personal information and whether the party did enough to protect the sensitive data.
There is no question that courts recognize that data security is not foolproof and that even the best security protocols and technology can be defeated. Given that, the question courts will be asking is: did the data collector/processor at least attempt to meet industry data security best practices to secure sensitive data?
The challenge for data collectors is determining what their industry's data security best practices actually are. President Biden's Executive Order 14028 attempts to address this challenge by including a provision that creates a working group, comprised of representatives from both the federal government and private industry, focused on disseminating information on cyber-related issues and news.
In the meantime, the question persists: what is reasonable data security?
Six states lay out reasonable security requirements
My interest in the Wawa data breach settlement centers on the specific data security requirements it sets out. While we wait for additional clarification from lawmakers regarding what defines “reasonable protection,” organizations charged with protecting customer data should review these requirements and assess the impact of implementing them.
Under the settlement, Wawa agreed to a series of provisions designed to strengthen its data security (reasonable security and protection) practices. They include:
- Maintaining a comprehensive information security program designed to protect consumers' sensitive personal information.
  - This first provision works to ensure the company continuously reviews and updates its information security program. The use of the word “comprehensive” implies an ongoing review and updating of security procedures and technology.
- Employing a qualified employee with appropriate credentials, background, and expertise in information security who will oversee Wawa's implementation and maintenance of the information security program.
  - The second provision requires a "qualified" and credentialed employee to be responsible for reviewing, managing, and ensuring that the security program is active and followed.
- Providing the resources necessary to fully implement the company's information security program.
  - The third provision makes it clear that the necessary budget, and additional employees (if needed), are required to ensure the security program can succeed.
- Providing appropriate security awareness and privacy training to all personnel with key responsibilities for implementing and overseeing the information security program.
  - This provision ensures that employees (and possibly third-party data processors) have up-to-date data security and privacy training.
- Employing specific security safeguards for logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management.
  - In my opinion, the fifth provision is the most prescriptive and far-reaching. It lays out detailed logging and monitoring requirements to recognize when outsiders are attempting to access the enterprise, the need for role-based access controls to protect against insider theft or signs of privilege escalation, file integrity monitoring to look for signs of malware, firewalls for perimeter security, ongoing risk assessments to ensure the organization can meet the most recent cyber threats, and a regular program of simulated cyber attacks to test overall security.
- Consistent with previous state data breach settlements, the company will undergo a post-settlement information security assessment that, in part, will evaluate its implementation of the agreed-upon information security program. Additionally, Wawa must conduct an annual information security assessment.
  - The last provision adds a third-party security assessment to verify that the company has followed the six states' requirements, together with the requirement that the company conduct annual security assessments.
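File integrity monitoring, one of the safeguards named in the fifth provision, is simple to illustrate. The following is an added example, not code from the original post or from Archive360: it records a baseline of SHA-256 digests for every regular file under a directory, then compares a later snapshot against that baseline and reports added, removed, and modified files. The directory layout and file contents in `demo()` are constructed for the illustration and stand in for what a scan of a payment system might see.

```python
"""Minimal file integrity monitoring (FIM) check.

Added example, not from the original post. It records a baseline of SHA-256
digests for every regular file under a directory, then compares a later
snapshot against that baseline and reports added, removed and modified files.
The sample directory and file contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated path) to its digest."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # symlinks are skipped rather than followed
            rel = str(full.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted added / removed / modified path lists."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, manifest: Path) -> None:
    """Persist the baseline as JSON; in practice keep it off the monitored host."""
    manifest.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    """Read a baseline written by save_baseline()."""
    return json.loads(manifest.read_text())


def demo() -> dict:
    """Build a constructed directory, baseline it, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "terminal.exe").write_bytes(b"original terminal binary")  # constructed
        (root / "config.ini").write_text("[pos]\nmode=prod\n")                     # constructed

        manifest = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), manifest)

        # Constructed changes standing in for what a later scan might find.
        (root / "bin" / "terminal.exe").write_bytes(b"patched terminal binary")  # modified
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new file")        # added
        (root / "config.ini").unlink()                                           # removed

        return compare(load_baseline(manifest), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report listing `bin/helper.dll` as added, `config.ini` as removed, and `bin/terminal.exe` as modified. The baseline manifest is only as trustworthy as its storage: if an attacker who can alter monitored files can also rewrite the manifest, the comparison proves nothing, which is why production FIM tools keep the baseline and the comparison logs on a separate system.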
Reasonable [data] security defined
Circling back to my main question of how reasonable security should be defined in data privacy laws: the six-state agreement appears to be an attempt at defining minimum data security requirements. It could serve as a precedent in future data breach cases and as a roadmap for organizations setting up the policies, procedures, and technology needed to protect sensitive data, including personally identifiable information.
Archive360 is the leader in secure cloud-based information management and archiving.
Unlike SaaS platforms, Archive360 offers a customizable, extremely secure platform to archive and manage your most sensitive data in the cloud. Based on a Zero Trust PaaS-based intelligent information management and archiving platform, our platform is installed in the customer's own cloud tenancy. Customers can implement additional levels of security, including fully private, isolated enclaves, and create and store their own encryption keys. As a PaaS solution, our customers retain complete control and direct ownership of their encryption keys and their data.
Unlike the SaaS shared cloud model, the Archive360 cloud Platform can support and be a part of Zero Trust security architecture, i.e., a private/secure enclave, to ensure there are no shared resources, shared encryption keys, or common security certificates.
Archive360 offers the industry's only Cloud Security Gateway, which provides encryption of all data before movement to the cloud, on-premises encryption key storage, access controls, and homomorphic and field-level encryption for total data security in transit, at rest, and WHILE IN USE.
These security capabilities ensure data collectors and processors can meet and exceed the new privacy compliance standards.
For more information on the emerging data privacy laws and new data security requirements, please contact the experts at Archive360 by emailing us at info@archive360.com or calling us at +1 (212) 731-2438.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.