- Data Security & Privacy Alert
- November 22, 2005 | Author: Thomas F. Zych
- Law Firm: Thompson Hine LLP - Cleveland Office
The news is filled with reports of identity theft and data security breaches. As individuals, we understandably fear the loss of our private data and its potential use in ways that could cause us substantial financial and personal losses. Equally important, as business managers we worry about the liability and injury to reputation that could result from a breach in our own data security systems and the potential harm to our employees, customers, business partners and shareholders. Our federal and state governments have not been asleep on the issue and have begun (and will continue) to enact statutory and regulatory regimes focused on data security and identity theft. As with any legislative response to a business risk, the need to comply with these new rules will be an obligation added to the general imperative to prudently manage business and consumer data. We will outline some of the new and emerging laws you will need to consider when designing, implementing and managing your privacy and data security protocols.
Following California's example, which had already been adopted in Arkansas, Georgia, Indiana, Montana and North Dakota, the states of Washington (on May 10, 2005) and Illinois (on May 18, 2005) adopted legislation requiring companies to notify consumers in the event of breaches in security related to personally identifiable information. The state statutes are designed to protect consumers residing in those states by requiring companies doing business in the state, regardless of their state of incorporation or principal location, to comply with the pertinent statute. While each state's definition varies slightly, a breach of security generally occurs when an unauthorized user gains or could gain access to electronic data that compromises the security, confidentiality or integrity of personally identifiable information. Personally identifiable information is typically defined as a combination of an individual's name, address, telephone number, social security number, email address, account number, password or PIN. The statutes require companies to notify customers when it is likely that a security breach has occurred that would allow an unauthorized user to gain access to the personally identifiable information. Where it is known that a breach has occurred, the company has a duty to provide prompt notice to consumers. While the specifics of complying with each statute may vary, the bottom line is that leaving one's head in the sand in the face of a security breach may no longer be lawful, in addition to being somewhat less than prudent.
The wave of state action has prompted action at the federal level as well. Recognizing the advantage of a consistent, nationwide scheme of data security obligations, various congressional committees have held hearings in the past several weeks to explore proposed initiatives designed to protect personally identifiable information. One type of legislation introduced is a variety of bills that each seek to require a company to notify its customers of how it will use the personally identifiable information it collects from them. The upshot of the proposed statutory solutions, if enacted, would be to curtail the use companies may make of business information. For example, if the legal department collects warranty information from a customer, the marketing department would not be allowed to use that same information for emailing the customer coupons unless that use was disclosed at the time the information was collected. Other bills, similar to the state action described above, would require companies to notify consumers when there has been a security breach. Proposed penalties for violations of these regulations include fines ranging from $500 to $1,000 per violation and enforcement actions by the Federal Trade Commission. Companies can be confident that the various federal agencies will implement privacy regulation in the near term and as a result should take action to evaluate and improve data security standards now.
Data Security and Privacy Management
Adequate data security and management of personally identifiable information requires the input and support of every business unit within an organization including the marketing, information technology, legal and finance departments. It is recommended that a company review its actual (as opposed to assumed) data collection practices and determine whether they are critical to business function. This may help limit the organization's risks. Privacy policies should be drafted with an eye on the realities of the data collection activities of an organization -- in other words, say what you do and do what you say. Organizations also should be prepared to respond to a security breach and have procedures in place to ensure compliance with the aforementioned state legislation.
This is a fluid environment, and one should assume that the pressure for the government to do something in the face of the growing awareness of data vulnerabilities will result in more, rather than fewer, data obligations. Stay tuned.