We’ve Been Hacked!

By Robyn Guilliams

Dear Law & Disorder: Performing Arts Division,

We are a small presenting organization, and we use an outside company to handle our ticket sales.  The company provides us with cloud-based software, which we use to process both online and box office ticket sales. We were recently informed by the software company that they’d been hacked!  The company told us that all of our patrons’ relevant information may have been compromised, including their credit card information. A lawyer on our board said that we are responsible for notifying all of our patrons of the security breach.  Is this true?  There are over 8,000 patrons in the system, going back quite a few years!  We don’t have the personnel to devote to this type of project.  One of the reasons we out-sourced our ticketing was to avoid handling and storing this type of sensitive information.  If we don’t handle the credit card information, why are we responsible if that information is stolen?

Oy, what a headache!

Unfortunately, I would guess that the terms of your organization’s contract with the ticketing software company require your organization to notify its patrons in the event of this type of security breach.  In fact, the contracts I’ve seen for this type of service require that the presenting organization indemnify the software company in the event of a breach.  This means that you are not only responsible for your own legal expenses and damages should one of your patrons suffer a loss as a result of the breach, but you’ll have to pay the software company’s legal expenses and damages as well!  And usually, these types of provisions are not negotiable.

In addition, you may want to take a look at the website of the PCI (Payment Card Industry) Security Standards Council, which sets the standards for companies that process credit card transactions (like your ticketing software company).

See: https://www.pcisecuritystandards.org/faq/

Because your organization doesn’t actually handle or store credit card data, it’s not required to be “PCI Compliant.” However, as stated on this site, “it is the responsibility of the merchant to ensure that the data they share with third parties is properly handled and protected – just because a merchant outsources all payment processing does not mean that the merchant won’t be held responsible by their acquirer or payment brand in the event of an account data compromise.”

The good news here (such as it is) is that most states provide a mechanism for an organization like yours to protect itself in the event a third-party credit card processor is hacked.  Generally, if you provide timely notice to your patrons of the breach, you can’t be held liable for your patrons’ damages (the theory being that if your patrons know about the breach, they can take steps to protect themselves).  For instance, in New York (and many other states), your organization is protected from liability if you notify your patrons of the security breach “in the most expedient time possible and without unreasonable delay.”  The notice can be made in writing, electronically, or by phone.

Also, there are insurance policies that cover this type of cyber liability.  These policies usually cover the cost of notifying your patrons, as well as any legal expenses or damages you may have due to the breach.

In short, the volunteer lawyer on your board is correct. (As we don’t often agree with most lawyers, this is a rare occurrence, indeed!) Given the risk of identity fraud and the potential exposure of your organization, you’d be wise to find a way to notify your patrons.

_________________________________________________________________

Brian Goldstein and Robyn Guilliams will be attending the 2013 Midwest Arts Conference in Austin, Texas next week.

Our next blog will be on September 17, 2013.

_________________________________________________________________

For additional information and resources on this and other legal and business issues for the performing arts, visit ggartslaw.com

To ask your own question, write to lawanddisorder@musicalamerica.org.

All questions on any topic related to legal and business issues will be welcome. However, please post only general questions or hypotheticals. GG Arts Law reserves the right to alter, edit, or amend questions to focus on specific issues or to avoid names, circumstances, or any information that could be used to identify or embarrass a specific individual or organization. All questions will be posted anonymously.

__________________________________________________________________

THE OFFICIAL DISCLAIMER:

THIS IS NOT LEGAL ADVICE!

The purpose of this blog is to provide general advice and guidance, not legal advice. Please consult with an attorney familiar with your specific circumstances, facts, challenges, medications, psychiatric disorders, past-lives, karmic debt, and anything else that may impact your situation before drawing any conclusions, deciding upon a course of action, sending a nasty email, filing a lawsuit, or doing anything rash!
