{"id":13235,"date":"2013-09-04T01:05:54","date_gmt":"2013-09-04T05:05:54","guid":{"rendered":"http:\/\/www.musicalamerica.com\/mablogs\/?p=13235"},"modified":"2014-03-15T15:37:18","modified_gmt":"2014-03-15T19:37:18","slug":"weve-been-hacked","status":"publish","type":"post","link":"http:\/\/www.musicalamerica.com\/mablogs\/?p=13235","title":{"rendered":"We&#8217;ve Been Hacked!"},"content":{"rendered":"<p>By Robyn Guilliams<\/p>\n<p><em>Dear Law &amp; Disorder: Performing Arts Division,<\/em><\/p>\n<p><em>We are a small presenting organization, and we use an outside company to handle our ticket sales.\u00a0 The company provides us with cloud-based software, which we use to process both online and box office ticket sales. We were recently informed by the software company that they\u2019d been hacked!\u00a0 The company told us that all of our patrons\u2019 relevant information may have been compromised, including their credit card information. A lawyer on our board said that we are responsible for notifying all of our patrons of the security breach.\u00a0 Is this true?\u00a0 There are over 8,000 patrons in the system, going back quite a few years!\u00a0 We don\u2019t have the personnel to devote to this type of project.\u00a0 One of the reasons we out-sourced our ticketing was to avoid handling and storing this type of sensitive information.\u00a0 If we don\u2019t handle the credit card information, why are we responsible if that information is stolen?<\/em><\/p>\n<p>Oy, what a headache!<\/p>\n<p>Unfortunately, I would guess that the terms of your organization\u2019s contract with the ticketing software company require <span style=\"text-decoration: underline;\">your organization<\/span> to notify its patrons in the event of this type of security breach.\u00a0 In fact, the contracts I\u2019ve seen for this type of service require that the presenting organization indemnify the software company in the event of a breach.\u00a0 This means that you are not only 
responsible for your own legal expenses and damages should one of your patrons suffer a loss as a result of the breach, but you\u2019ll have to pay the software company\u2019s legal expenses and damages as well!\u00a0 And usually, these types of provisions are <em>not <\/em>negotiable.<\/p>\n<p>In addition, you may want to take a look at the website of the PCI (Payment Card Industry) Security Standards Council, which sets the standards for companies who process credit card transactions (like your ticketing software company.)<\/p>\n<p>See:\u00a0<a href=\"https:\/\/www.pcisecuritystandards.org\/faq\/\" target=\"_blank\">https:\/\/www.pcisecuritystandards.org\/faq\/<\/a><\/p>\n<p>Because your organization doesn\u2019t actually handle or store credit card data, it&#8217;s not required to be &#8220;PCI Compliant.&#8221;\u00a0However, as stated on this site,\u00a0&#8220;it is the responsibility of the merchant to ensure that the data they share with third parties is properly handled and protected \u2013\u00a0<span style=\"text-decoration: underline;\">just because a merchant outsources all payment processing does not mean that the merchant won\u2019t be held responsible by their acquirer or payment brand in the event of an account data compromise<\/span>.&#8221;<\/p>\n<p>The good news here (such as it is) is that most states provide a mechanism for an organization like yours to protect itself in the event a third party credit card processor is hacked.\u00a0 Generally, if you provide timely notice to your patrons of the breach, you <em>can\u2019t <\/em>be held liable for your patrons\u2019 damages (the theory being that if your patrons know about the breach, they can take steps to protect themselves.)\u00a0 For instance, in New York (and many other states), your organization is protected from liability if you notify your patrons of the security breach \u201cin the most expedient time possible and without unreasonable delay.\u201d\u00a0 The notice can be made in writing, 
electronically, or by phone.<\/p>\n<p>Also, there are insurance policies that cover this type of cyber liability.\u00a0 These policies usually cover the cost of notifying your patrons, as well as any legal expenses or damages you may have due to the breach.<\/p>\n<p>In short, the volunteer lawyer on your board is correct. (As we don\u2019t often agree with most lawyers, this is a rare occurrence, indeed!) Given the risk of identity fraud and the potential exposure of your organization, you\u2019d be wise to find a way to notify your patrons.<\/p>\n<p>_________________________________________________________________<\/p>\n<p style=\"text-align: center;\"><span style=\"font-size: medium;\"><span style=\"color: #ff0000;\">Brian Goldstein and Robyn Guilliams will be attending the 2013 Midwest Arts Conference in Austin, Texas next week. <\/span><\/span><\/p>\n<p style=\"text-align: center;\"><span style=\"font-size: medium;\"><span style=\"color: #ff0000;\">Our next blog will be on September 17, 2013.<\/span><\/span><\/p>\n<p>_________________________________________________________________<\/p>\n<p>For additional information and resources on this and other<a href=\"http:\/\/www.ggartslaw.com\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-thumbnail wp-image-12447\" alt=\"\" src=\"http:\/\/www.musicalamerica.com\/mablogs\/wp-content\/uploads\/2013\/07\/GG_logo_for-facebook-150x150.jpg\" width=\"150\" height=\"150\" srcset=\"http:\/\/www.musicalamerica.com\/mablogs\/wp-content\/uploads\/2013\/07\/GG_logo_for-facebook-150x150.jpg 150w, http:\/\/www.musicalamerica.com\/mablogs\/wp-content\/uploads\/2013\/07\/GG_logo_for-facebook.jpg 170w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/><\/a> legal and business issues for the performing arts, visit <a href=\"http:\/\/www.ggartslaw.com\/\">ggartslaw.com<\/a><\/p>\n<p>To ask your own question, write to <a 
href=\"mailto:lawanddisorder@musicalamerica.com\">lawanddisorder@musicalamerica.org<\/a>.<\/p>\n<p>All questions on any topic related to legal and business issues will be welcome.\u00a0However, please post only general questions or hypotheticals. GG Arts Law reserves the right to alter, edit, or amend questions to focus on specific issues or to avoid names, circumstances, or any information that could be used to identify or embarrass a specific individual or organization. All questions will be posted anonymously.<\/p>\n<p>__________________________________________________________________<\/p>\n<p style=\"text-align: center;\"><strong>THE OFFICIAL DISCLAIMER:<\/strong><\/p>\n<p style=\"text-align: center;\"><strong>THIS IS NOT LEGAL ADVICE!<\/strong><\/p>\n<p>The purpose of this blog is to provide general advice and guidance, not legal advice. Please consult with an attorney familiar with your specific circumstances, facts, challenges, medications, psychiatric disorders, past lives, karmic debt, and anything else that may impact your situation before drawing any conclusions, deciding upon a course of action, sending a nasty email, filing a lawsuit, or doing anything rash!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Robyn Guilliams Dear Law &amp; Disorder: Performing Arts Division, We are a small presenting organization, and we use an outside company to handle our ticket sales.\u00a0 The company provides us with cloud-based software, which we use to process both online and box office ticket sales. 
We were recently informed by the software company that [&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[881,890,872,891,885,896,897],"tags":[2605,679,2602,2599,1633,2293,2488,934,2600,2604,2603,2601],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=\/wp\/v2\/posts\/13235"}],"collection":[{"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13235"}],"version-history":[{"count":5,"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=\/wp\/v2\/posts\/13235\/revisions"}],"predecessor-version":[{"id":16367,"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=\/wp\/v2\/posts\/13235\/revisions\/16367"}],"wp:attachment":[{"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13235"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.musicalamerica.com\/mablogs\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}