A security breach at grocery chain Hannaford Brothers Cos. is testing the teeth in Massachusetts' new data-privacy law.
The law, passed last year, requires companies to notify officials and residents when they lose control of records that could lead to the theft of such information as a person's name and credit card number. State officials say the law applied in the case of Hannaford, which disclosed on March 17 that 4.2 million credit and debit card numbers were potentially exposed to fraud.
But executives at Hannaford, based in Scarborough, Maine, say the company was not required to make such a disclosure, even after it learned that software illicitly placed on servers in its stores captured card numbers and expiration dates and sent them overseas. The chain eventually disclosed details of the breach in stages through a press release, a statement on its website, and a letter to Massachusetts regulators that it said it wasn't required to send.
Some outside legal and security specialists say Hannaford has a point. Thirty-nine states have laws requiring some form of disclosure after a data breach; most of those laws, such as the one in Massachusetts, say companies must file reports when they lose payment card data connected with customers' names or other personal details. Many of the laws don't address what happens when only payment card numbers and expiration dates - with no names - are lost, as in the Hannaford case.
The point of the laws, say the specialists, was to strike a balance between guarding against the worst forms of identity theft and ensuring that companies are not subjected to undue burdens.
Now this balancing act is being tested. In a letter sent last week to Massachusetts officials after they asked about the incident, Hannaford's general counsel Emily D. Dickinson wrote that the loss of card numbers alone did not amount to the loss of "personal information" as defined in the Massachusetts law. "We provide this notice as a form of voluntary cooperation," she wrote, adding that company officials believed "notice of this event is not required."
Cynthia J. Larose, a Mintz Levin attorney in Boston who advises retailers on privacy matters, said others also have argued such laws didn't compel them to disclose all security problems. In practice, however, telling all customers and regulators is best, Larose said.
"If I had a client in this situation, I'd still recommend disclosure," she said. "You're relying on that loophole that no names were lost, but there was indeed a breach."
Hannaford said the exact cause of the breach is under investigation with the US Secret Service and declined to make executives available to be interviewed. It said sophisticated "malware," or malicious computer code, had been placed on servers in each of the 300 stores operated by the company and its partners in states including Maine, Massachusetts, New Hampshire, Vermont, New York, and Florida.
Hannaford says it knows of around 2,000 cases of fraud tied to the breach. It learned of "unusual credit card activity" on Feb. 27, it said. The company controlled the damage by March 10 and sent a press release on March 17 once it fully understood the issue, a spokeswoman said. It also posted a note on its website.
The chronology of Hannaford's disclosures shows why officials should clarify the new law, said Eric Bourassa, analyst for the Massachusetts Public Interest Research Group, a consumer advocacy organization. Hannaford's March 17 release did not mention the more worrisome details about the software being placed on its servers and sending numbers overseas. These emerged publicly because of its follow-up letter to Massachusetts regulators eight days later, after regulators reminded the company of the new Massachusetts law.
Although Hannaford might have told officials in any case, Bourassa said, "It's definitely important for the authorities in our state, whose job it is to protect us, to know" such details.
Massachusetts Attorney General Martha Coakley said that Hannaford had an obligation to report the breach but said she won't focus on that issue because Hannaford ultimately came clean. "At this stage, the important thing is that they did notify and we believe they followed the appropriate steps," she said. Neither Coakley nor her office would discuss their precise reading of the law, a spokeswoman said.
Daniel Crane, the top consumer protection official in the administration of Governor Deval Patrick, went further. He cited a provision of the law requiring that an intrusion be reported directly to officials when it creates a "substantial risk of identity theft or fraud."
"The circumstances here are very clear, where the data has been stolen and there have already been over 1,800 episodes of consumer fraud. Under those circumstances, it's clear there has been a breach of security" that requires notification, Crane said.
The first breach-disclosure law was passed in California in 2003 as a way to encourage companies to tighten security standards. The law in Massachusetts was passed following a breach at Framingham retailer TJX Cos. that compromised as many as 100 million card numbers - a record.
Chris Hoofnagle, a specialist in privacy law at the University of California, said most of the laws were written to focus on the loss of data in conjunction with names because together they can lead to "identity theft," the creation of such instruments as bogus credit cards that can create false debts against a real individual. Losing only credit-card numbers was considered less threatening because they are harder to abuse and because card issuers will forgive many fraudulent charges.
The law has created a flood of reports to the Massachusetts Office of Consumer Affairs ranging from the routine to the worrisome.
On Nov. 30, Prudential Insurance Co. reported that a former employee was arrested and charged with stealing personal information and identity theft and that the company was notifying 954 Massachusetts residents who were potentially affected. (A Prudential spokesman said further investigation showed fewer than 10 residents were actually affected and the firm is offering them free credit-monitoring services.) Stolen laptop computers with unencrypted data were also reported.
Other reports involved goofs, such as one from MassMutual Financial Group telling the state it was informed by a client she incorrectly had received a form that included the Social Security number of another MassMutual client with the same name.
Larose, the attorney, said tightening the laws would lead to more filings - which might create more unnecessary reports and card cancellations by banks. Larose herself got her third replacement credit card in 18 months recently, probably because of the Hannaford breach, even though she said it's unclear how thieves might make use of the data.
Jamie C. Pole, a North Carolina security specialist with corporate and government clients, said cases such as Hannaford's show it is time to look again at data-breach notification laws. Requiring the loss of both financial information and a person's name in order to trigger the law is too lax a standard, he said, and it gives such companies as Hannaford a way to avoid embarrassing disclosures.
"Companies will choose the most rosy picture of what happened," he said.
Todd Wallack of the Globe staff contributed to this report. Ross Kerber can be reached at firstname.lastname@example.org.