Prepare now to prevent a ‘security breach’
What should you do if you learn that someone without permission has acquired credit card information, or other sensitive data, that was stored on your company’s computer network?
Since 2005, 45 states, plus the District of Columbia, have enacted laws answering this question. These laws essentially require certain types of notice when such a security breach of personal information has occurred.
For the most part, a breach of personal information requires certain types of notices to be issued. Each state’s law defines the terms “breach” and “personal information” and sets forth the type of notice required. Although the laws share some common elements, each state’s law should be consulted.
The laws also provide very specific definitions of “personal information” and each state’s definition varies. The definition typically includes a person’s first name or initial and last name, along with one or more additional elements that are stored on the computer.
Some laws limit the definition of personal information to information that is unencrypted.
Examples of “personal information” could include the following information stored on a computer system:
• First initial and last name of a person, along with that person’s date of birth
• First and last name of a person, along with the person’s Social Security number or driver’s license number
• First initial and last name of a person, along with that person’s medical information.
An account number or credit or debit card number can be an additional element, but only if it is stored with the codes or passwords that would permit access to an individual’s account.
If your business stores these types of information, you should become familiar with these laws to minimize liability for a security breach.
Some states (Georgia, Maine and Oregon, for example) do not require any portion of a person’s name to be stored on the computer system for the information to constitute “personal information.” Where any information, without any part of a person’s name, would be sufficient to perform, or attempt, identify theft, those states deem that information to be “personal information.”
Into the ‘breach’
Again, the laws vary throughout the country, but “breach” or “security breach” is typically defined as unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.
Each part of the definition matters. For example, unauthorized acquisition of computerized data that does not compromise the security, confidentiality or integrity of personal information probably should not be considered a breach.
Several states include the concept of reasonableness, meaning that merely a reasonable belief that personal information has been compromised could be considered a breach, rather than an actual compromise of personal information. Another variation is that many states require that the compromise be material. A further notable variation is that some states require an element of causation — to constitute a breach, the compromise of personal information must have created “a substantial risk of identify theft or fraud” or “have caused or reasonably believed to have caused loss or injury to a resident.”
Is it a security breach if employees access personal information? Probably not. Nearly all of the states (except Alaska and Connecticut) have an exception for good-faith or inadvertent access of personal information by an employee, so long as the personal information is not used or subject to unauthorized acquisition or disclosure. This exception also applies to agents of a business.
In the event of a security breach, notice is generally required to be given to the person whose personal information has been breached. Also, notice may be required to the government, to the regulating agency in the case of a regulated industry, or to an agency — such as the attorney general or state department of justice, in the case of a non-regulated industry.
Notices are generally required to be in writing. However, in certain circumstances, notice via electronic or telephonic means is permitted. Notices generally must contain a description of the security breach in general terms (including the date), the type of personal information acquired, and the telephonic contact information for the entity issuing the notice.
Security breaches of personal information are bound to become increasingly more common as the workplace and nearly all businesses store more and more data about employees, customers and patients. Protect yourself by knowing and complying with the laws designed to protect personal information. Determine the particulars of the state laws in which your company does business.
Specifically, determine how the laws define “personal information,” and then ascertain whether your computer system stores personal information. If so, determine how the laws define “security breach” and what notices the laws require in the event of a security breach.
Finally, develop and implement policies regarding the security of personal information to minimize the chance of a security breach, while maximizing compliance with the laws.
Amy Manzelli of the Concord-based law firm of Sulloway & Hollis can be reached at 603-224-2341 or firstname.lastname@example.org. This article was reprinted with permission of M. Lee Smith Publishers LLC, HRhero.com.