By Mark G. McCreary
May 6, 2010
As a part of daily business, you likely collect protected personal information (PPI) from employees, customers, vendors and third parties through your Web site or by paper correspondence. If you collect PPI, you owe a duty to the owners of this information to safeguard and not unreasonably disclose it. Unfortunately, many businesses have undertaken a minimalist approach to protecting PPI and complying with (or even learning about) the relevant laws, requirements and consequences for failure to comply.
The Identity Theft Resource Center noted that 656 data breaches were reported in 2008, exposing more than 35 million records, an increase of 47 percent from 2007. Those numbers rose to more than 222 million records exposed in 2009. The average cost for responding to a breach was $204 per affected customer in 2009, which seems small until you consider that breaches often involve from hundreds of thousands to millions of records.
Implementing protection measures for the PPI in your business’ possession is essential. PPI generally includes first name or initial and last name with one or more of the following: Social Security number, driver’s license number, credit card or debit card numbers, financial account number with information such as PIN verification codes, passwords or security codes that could gain access to the account, or medical or health insurance information. Some jurisdictions include other types of information. Even with best practices and good intentions, there is always the risk of a careless or rogue employee, just as much as the risk of a cyber hacking.
There are 46 states, and the District of Columbia, Puerto Rico and the U.S. Virgin Islands, that have data breach notification laws, many with unique requirements. Nuances among the state statutes include that 35 jurisdictions require notification only if there is likely to be a resulting risk of harm, 13 require notice to the applicable attorney general or other state agency, some have specific language to be included in the notification letter, many have requirements about timing of the notice and/or notification to law enforcement before notification to residents, and a handful of states apply their law to both paper and electronic records. Also, depending on the nature of the information and your field, federal laws may apply (although there is no general federal breach notification law).
Because the risk of a data breach can never be completely eliminated, your business should establish a written data breach response plan. Such a plan must take into account:
• the types of information to be collected,
• deadlines for notice to affected individuals, and
• what actions should be taken to curtail or stop the breach and its effect.
The data breach response plan must address the collection of relevant documents and information, such as:
• data location lists,
• confidentiality agreements,
• customer contracts,
• third-party vendor contracts, and
You should have a first response team in place that includes persons in information technology, information security, compliance, business heads, human resources, legal counsel and public relations/investor relations. Your plan will assign tasks to team members and establish a point person, identify key personnel for each task, calculate timelines and set deadlines, communicate with management and establish attorney-client privilege for investigation and communications.
Once a data breach occurs, you must determine its nature and scope. Tasks should include investigating facts, interviewing witnesses, determining the type of information compromised, identifying and assessing potential liability, and identifying individuals potentially at risk and determining their state or country of residence.
Once the nature and scope of the breach is known, your focus should turn to determining who must or should be notified of the breach (consumers, employees, law enforcement, federal regulatory agencies, state agencies, consumer reporting agencies, third-party vendors, insurers and media).
As noted above, depending on the residencies of the affected individuals, you may have to prepare state law notices that comply with the laws of several states. Generally, your notice will include:
• a description of the incident,
• the type of information that may have been compromised,
• steps taken to protect information from further unauthorized access, contact information, and
• advice to affected individuals (e.g., credit reporting, review account activity).
Also, consider your duties to notify governmental and/or law enforcement agencies (and whether that must be done prior to notifying the affected individuals) and the delivery method (e.g., certified letters, e-mail, Web site).
If the breach occurred while information was not in your possession (e.g., your vendor experienced the breach), your obligations do not change. Generally, the PPI owner or licensee has ultimate responsibility to notify the affected individuals. Thus, your contracts with third-party service providers should provide protections for you if there is a breach by your service provider.
Threats to physical data will always exist in some form or another, and despite advancements in network and data security, cyber criminals will likely remain well ahead of even the newest measures. Planning and preparation are the best steps that your business can take before a data breach happens.
Mark G. McCreary, a partner in the law firm of Fox Rothschild LLP, focuses on compliance with privacy-related laws, rules and regulations, as well as responses in the event of a data breach. He can be reached at [email protected].