Businesses maintain incredible amounts of confidential, sensitive and private information about their consumers, clients and employees. This personal information is fuel to a would-be identity thief. Whether it’s preventing security breaches before they happen or dealing with security breaches after they occur, a business must act aggressively to minimize workplace-related identity theft.
The personal information of others is the currency of the would-be identity thief. With increasing frequency, identity thieves are gaining ready access to this personal information by exploiting the security vulnerabilities of a business’ computerized data. These security breaches come in all kinds. For example, hundreds of laptops containing sensitive information go missing from a federal administrative agency. A hacker accesses a university’s extensive data system containing the social security numbers, names and addresses of thousands of students. A busy senior executive accidentally leaves a PDA holding sensitive client information in the back of a taxicab. Whether a security breach is malicious or unintentional, whether it affects thousands of people or only a handful, a prudent business is prepared not only to prevent potential security breaches, but also to properly handle such breaches in the event that they occur. A business must take security breaches seriously, because the failure to manage a security breach effectively can result in negative publicity, a tarnished reputation and legal liability.
That courts and legislatures take seriously a company’s duty to properly handle these breaches is evidenced by the fact that at least 35 states have enacted legislation requiring businesses to comply with certain disclosure and notification procedures in the event of a security breach involving personal information. In order to understand its statutory obligations to notify potentially affected individuals, a company must be aware of what constitutes “personal information” and what qualifies as a security breach involving that personal information.
“Personal Information” and “Security Breach”
“Personal information” is generally defined as an individual’s name (the person’s first name or first initial and last name) plus any of the following: (1) a social security number; (2) a driver’s license number or state identification card number; or (3) an account number or credit or debit card number in combination with and linked to any required PIN, access code or password that would permit access to an individual’s financial account. It is important to note that personal information does not include publicly available information that is lawfully made available to the general public from public records or media distribution. In addition, personal information does not include data that is encrypted, redacted so that only the last four digits of any identifying number are accessible, or altered in a manner that makes the information unreadable. States generally define a “security breach” as the unauthorized access and acquisition of computerized data that compromises, or is reasonably believed to have compromised, the security and confidentiality of “personal information” maintained, owned or licensed by an entity.
Prevent Breaches From Occurring
The best approach to security breaches is to prevent them from occurring in the first place. Businesses can take the following preemptive measures to ensure the integrity and privacy of personal information:
- Limit the type of personal information that is collected: Whenever possible, a company should try to limit the type of personal information collected to the minimum amount necessary to adhere to the law and accomplish business objectives.
- Limit access to personal information: Restrict access to personal information to qualified personnel.
- Store personal information on secure computerized systems: Enable firewalls and other high-security settings on network and wireless systems to prevent unauthorized access by employees or third parties. Use encryption technologies to protect data systems. Proper encryption should not be limited to desktop computers. Encryption is especially important on portable devices like laptops, BlackBerrys, PDAs and mobile phones.
- Train employees and third-party vendors on compliance measures: All employees should be trained in the company’s security and privacy policies. A company’s security and privacy policies should also be enforceable by contract on any third-party vendor that manages personal information on behalf of the company.
When a breach of personal information occurs, the business must quickly notify the affected individuals following the discovery of the breach. State notification statutes generally require that any business that has been subject to a security breach as defined by the statute must notify an affected resident of that state according to the procedures set forth in the state’s regulations. Therefore, if the compromised personal information consists of personal information of employees who reside in several different states, the business must comply with the effective regulation of each applicable state. There are subtle differences in the notification procedures themselves. In general, a business should follow these guidelines:
- Notify affected individuals: Notice to affected persons should occur through written means if possible. Although some statutes will allow notification telephonically, a business should establish a “compliance paper trail” by notifying individuals through written communications.
- Provide conspicuous notification: A security breach demands transparency. Once the damage is done, a business should make every effort – and in some situations may be statutorily obligated – to notify individuals as conspicuously as possible. This may include emailing affected employees, conspicuously posting information about the breach on the business’ website, and notifying major media outlets within the geographic area where the business is located.
- Notify consumer reporting agencies: A business may have a statutory obligation to inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and content of the disclosure given by the business to the affected residents.
Other Goodwill Measures
Dealing with a security breach is difficult enough in terms of the potential fiscal and legal consequences. Just as important as these potential financial and legal liabilities is the possible long-term effect of a security breach on a business’s public image. A properly disclosed security breach will garner a certain amount of public attention, some of which may be negative. Rather than attempting to shield the breach from public scrutiny, a prudent company will engender goodwill by going above and beyond the bare minimum of its notification obligations and providing additional assistance to individuals whose personal information has been compromised. The following are some strategies for avoiding unflattering publicity:
- Act quickly: Most state notification statutes require notification of a security breach to occur “expeditiously” or without “unreasonable delay.” Although these terms are generally undefined, it is important that a company alert affected individuals as promptly and conspicuously as possible. In the event of subsequent legal action, any unreasonable delay in notification will be tantamount to acting recklessly or in bad faith.
- Establish an information hotline: Set up a designated call center or task representatives to handle the potential influx of inquiries regarding the security breach.
- Provide credit monitoring services: Demonstrate support by offering free credit monitoring tools to affected individuals. These complimentary gestures help to restore confidence and repair damaged relationships.
- Notify credit reporting agencies: Although affected individuals should be advised of measures they can take on their own, companies may wish to notify consumer reporting agencies, even if they have no statutory obligation to do so.
- Notify law enforcement: Alerting law enforcement officials to the breach may prevent additional fraudulent activity.
Security breaches of personal information are an unfortunate consequence of technological advances in communications. A company must arm itself with the tools to prevent these breaches before they occur. In the event of a breach, a business should view full compliance with state regulations as the minimally acceptable response. Beyond basic compliance, prudent companies should move aggressively to restore confidence, repair reputations and prevent further abuses.