Data security: it’s your problem too
Q Your company possesses a spreadsheet of customers’ names and their Social Security numbers for transactional purposes. Grant, your sales manager, takes this list with him one night to update his contacts list. He stuffs the few sheets of paper in the outside pocket of his briefcase and sets off for the parking lot. As he strides to his car a brisk wind snatches the spreadsheet from his briefcase and sends it down Route 3. Is this the company’s problem? Should the company have policies in place to prevent incidental disclosure of customers’ personal information?
A. Even if your company does not possess millions of credit card numbers, like many major retailers, the unintentional disclosure of even some of your clients’ Social Security numbers can have devastating consequences for your company.
Putting the threat of lawsuit aside, the bigger issue for your company is protecting your clients’ hard-earned trust.
How would you feel if you received a letter from your bank informing you that it unintentionally e-mailed your Social Security number to 100 people? You would certainly be concerned about what those people might do with this information. You also might take your business elsewhere.
Avoiding such a breach of trust is one of the most important reasons for your company to protect the personal information it maintains, stores or possesses.
Nearly every state and many federal agencies now have statutes and regulations requiring your company to secure “personal information” in its possession and/or notify its owners if it is reasonably likely that unauthorized access to that information has occurred. Before determining how to protect the information, you must know what kinds of information need protection.
Variations of the meaning of “personal information” exist among the states and federal agencies. New Hampshire follows the most common description, in that “personal information” means an individual’s first name or initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver’s license number or other government identification number; account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Notably, “personal information” does not include a person’s date of birth, cell phone number, or e-mail address, although it makes good business sense to protect this information as well.
Protecting personal information
The most effective way to protect personal information is to develop and implement a written information security program for your business. In fact, the Commonwealth of Massachusetts has propounded administrative regulations (effective March 1, 2010) through the Office of Consumer Affairs and Business Regulation (OCABR) that mandate such a program in any business that possesses personal information about a Massachusetts resident. If you have Massachusetts clients or employees, your business is required to have a written information security program. A PDF version of the regulations exists on the OCABR home page (mass.gov/consumer).
Even if your company does not possess personal information about a Massachusetts resident, these regulations provide a valuable roadmap to developing a plan to curtail data breaches.
Some of the most crucial program elements include:
• Appointing a data security chief in your company
• Developing a security program that assesses the risks of data breach and then moves to mitigate those risks
• Taking reasonable steps to ensure third-party vendors you give the personal information to also are securing the information
• Training your employees
Sometimes even the best protective measures cannot prevent an inadvertent disclosure of personal information. In these cases, your company is required to notify the individual about the data breach — often within certain time limits. In many states, notification to the attorney general’s office or designated state regulatory agency also must occur.
Great care should be taken when performing notification, as the specific content and particular recipients of the notice depends on keen analysis of that state’s statute. If you are doing business in New Hampshire and sustain a breach involving personal information of an out-of-state resident, notification is almost certainly required to that out-of-state resident, and perhaps to that state’s designated central data breach repository.
In light of the amount of personal information that circulates among businesses, especially electronically, data breach prevention must be at the forefront of your company’s risk management considerations. Given increasingly complex regulations and the variance of requirements from state to state, it is wise to consult counsel for assistance in developing a plan that includes prevention of data breaches and an appropriate means of complying with notification requirements if a breach occurs.
Neil B. Nicholson, an attorney at the law firm of McLane, Graf, Raulerson & Middleton, can be reached at 603-628-1483 or firstname.lastname@example.org.