Can your business protect the data it collects?
There recently have been many disturbing data security breaches. Some have been high-tech (transaction data intercepted in the payment system) and some have been amazingly low-tech (laptops and tapes were stolen; rogue employees sold protected information). But one thing is for sure: Information about individuals and their financial accounts is valuable because there is a market for it, and because the “bad guys” can use that information for personal gain. Information will be misused unless it is protected. Businesses and other providers of products and services routinely ask for (and consumers routinely provide) personal and financial data in all sorts of situations: as a retailer, over the Internet, as a restaurant, government agency, employer, vendor, doctor, a bank - virtually everywhere there is a payment for a product or service via a method other than cash. Every business collects information about its customers. Every business also transfers payment information (i.e., someone’s personal and financial information) through the financial system to collect payment. These payments could be made by check, credit card, debit card, Automated Clearing House (ACH), wire transfer, online bill pay, demand drafts, etc. While this information and the payment mechanisms (checks, credit card slips, demand drafts, etc.) are in your business’ possession, you have the responsibility to protect the information (for example, so that a rogue employee does not steal it and sell it), and you might be held liable for a compromise or misuse of the information. Additionally, for any payment method, a web of various vendors are needed to process the payment. For example, a business must set up a merchant account (with a vendor) in order to process credit card payments. Businesses also generally process payments through a depository institution of some type. Every business that is not paid solely in cash must use other vendors to ultimately “collect” from receivers of its goods and services. As a business, you trust that the vendors through which your payments are processed are diligent in protecting data. How can a business reduce its potential liability for a data breach? One way is to self-regulate and use guidance that applies to other highly regulated businesses. Recently, the federal banking regulatory agencies issued a Guidance which addresses procedures to be used by financial institutions to respond to unauthorized access to or use of customer information by third parties. First, each business should assess the particular risks that its business and operations present to the security of customers’ information. Where might a physical, technical or administrative breach occur? Each business should then develop its own information security program to address these risks. Certain minimum elements for all such information security programs, no matter the results of the business’ own risk assessment, should be considered. These elements include: • Access controls on customer information systems, which include controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means. • Employee background checks should be considered for employees who are authorized to access customer information. • A risk-based response program to address incidents of unauthorized access to customer information systems. At a minimum, the business’ response program should contain procedures to address the following elements: • Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused. • Notifying its primary regulator (if none, then the state attorney general) as soon as possible whenever the business becomes aware of an incident involving unauthorized access to or use of sensitive customer information. • Notifying appropriate law enforcement authorities. • Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information. • Notifying customers as soon as possible when warranted (i.e., the business determines that misuse of its information about a customer has occurred or is reasonably possible). Each business also should consider requiring its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Susan N. LeDuc is a regulatory specialist for the Concord law firm of Gallagher, Callahan & Gartrell who works as a consultant to banks and financial service companies on a wide array of issues involving the New Hampshire, Massachusetts and federal regulatory processes.