The evolving world of privacy and data protection
Electronically stored data has become a key and increasingly critical economic commodity. Not surprisingly, the concentration of electronic information has produced a concomitant increase in the theft and misuse of data. To quote Willie Sutton, it's "where the money is."Most businesses, both large and small, hold at least some personally identifiable information of customers or employees, such as names and addresses, Social Security numbers and credit card information. Granite State businesses that wish to avoid regulatory enforcement and penalties, civil lawsuits, and negative publicity need to understand the complex and evolving personal information regulatory landscape.Data breaches are most commonly associated with shadowy computer hackers. Moreover, as larger businesses have taken steps to fortify their computer networks, hackers have turned more attention to smaller businesses.A typical example was provided by an indictment unsealed in the U.S. District Court of the District of New Hampshire on December 8th. The indictment alleges that Romanian hackers stole credit card data from hundreds of small businesses, including more than 150 Subway restaurants franchises and at least 50 other small retailers, netting more than $3 million.In many cases, the thefts occurred because the businesses failed to use basic security measures, and now face significant penalties for failing to comply with industry standards, including large fines, revocation of card processing rights, federal and state enforcement actions, as well as civil suits.Beyond hacking, there are many other ways that personal information can be compromised, including the loss of portable devices -- such as laptops and smartphones containing unencrypted data, improper disposal of paper records and employee theft.Personal information is protected in the U.S. by a patchwork of laws, primarily at the state and federal levels.The sheer number of laws governing the information can make compliance extremely challenging, but several key areas merit particular attention: • Medical data: The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information for Economic and Clinical Health Act of 2010 (HITECH) specify how protected medical data may be used, restrict the disclosure of medical data, and specify procedures and practices that must be followed to secure medical data. • Financial data: The Gramm-Leach Bliley Act includes provisions governing the use and dissemination of personal information held by financial institutions. Specifically, there are the Privacy Rule, which among other things requires financial institutions to provide periodic notifications to customers of their privacy practices, and the Safeguards Rule, which mandates that financial institutions adopt administrative, technical and physical safeguards to ensure security and confidentiality. • Deceptive and unfair trade practices: Deceptive trade practices can occur when organizations fail to use or store personal information in accordance with privacy policies and other notices provided to consumers. Unfair trade practices usually arise from an organization failing to take reasonable and customary steps to protect PII. • State data security laws: Most states, including New Hampshire, require the holders of personal information to notify consumers of data breaches. But some states have gone much further. New Hampshire companies that do business with Massachusetts residents need to be particularly aware of the Bay State's strict laws for handling and processing personal information.What can businesses do to avoid the negative consequences of data breaches?Observing several key principles will significantly reduce the likelihood of a data breach: • Limit data collection: Businesses should never collect and store unnecessary data. It's very simple - critical data cannot be stolen if it doesn't exist. • Enact policies for handling personal information: Well-crafted policies should be implemented relating to the collection, storage and use of data. In addition, access should be given to employees and third parties only as needed and as allowed by law. All employees should be educated regarding the protection of personal information. • Auditing and monitoring: Regular auditing and monitoring must be performed to ensure compliance with internal data protection procedures, as well as regular monitoring of computer systems and access logs. • Retention schedules: All data should be subject to retention and destruction schedules. Data destruction plans should be created to ensure the safe and secure destruction of computer data and paper files. • Update hardware and software and remain vigilant in the cloud: Regular software and hardware updates are crucial pieces to any security plan. Cloud services with reputable providers can be an ideal solution because upgrades and monitoring should be performed automatically. But appropriate due diligence should occur in the cloud vendor selection process to ensure that data will be properly secured. • Contingency planning: Proper planning will significantly reduce the likelihood of a data breach, but even so, it is impossible to prevent breaches entirely. Data breach responses must occur immediately. It is simply not feasible to wait until after a breach occurs to consider the appropriate response.While data storage brings risks, with careful management and planning, the benefits will greatly outweigh the difficulty and cost of legal compliance with laws governing data security. Moreover, compliance efforts and costs are small compared to the costs that can be incurred as a result of a breach.Jon Wilkinson of Wilkinson Law Offices, Portsmouth, can be reached at 603-559-9300 or wilkinsonlawoffices.com.