Until recently, Google’s informal corporate motto – “Don’t be evil” – brought to mind good guys wearing white hats. But in May, Google came under intense scrutiny for unintentionally collecting personal information from residential WiFi networks. In an instant, it could be your business or organization in the harsh media glare, struggling to bolster customer confidence, comply with legal requirements and avoid lawsuits, money damages and governmental enforcement actions.
How could this happen to you? Easily. A laptop is stolen from an employee’s car. A compact disk is lost in transit. A disgruntled employee walks off with customer data on a flash drive. Students at a local school get unauthorized access to the IT system. A customer’s social security number is visible through the window on an envelope. A hacker taps into your technology system. However it happens, a security breach can compromise the personal information of your employees and customers and have drastic effects on your business.
Whether or not your company is prepared for a security breach, it almost certainly is required to comply with one or more of the complex patchwork of state, federal and international laws designed to protect the privacy of personal information. Many U.S. federal privacy laws have been around for years and were designed to protect limited categories of information, such as the financial and health records held by banks and hospitals. The more recent “data security breach laws” adopted in D.C. [1], Delaware [2], Maryland [3], Virginia [4] and 45 other U.S. states and territories [5] tend to be much broader: they govern any business that holds the personal information of a resident of the enacting state, wherever the business itself is located. So, for example, if your business holds the personal information of residents of D.C., Delaware, Maryland and Virginia, then you must comply with the data security breach laws of each of those jurisdictions.
What do state data security breach laws require?
There are critical differences among the various data security breach laws. For instance, in most states, “personal information” means a person’s name in combination with his or her social security number, driver’s license number, bank account, credit or debit card number, or taxpayer identification number; some states limit the scope of protected information to data stored electronically, and still others expand the scope to include medical information. In essence, though, the data security breach laws require a business to conduct a reasonable and prompt investigation and to notify affected individuals, the state government and sometimes others, such as consumer credit reporting agencies, in the event of a personal data security breach. Some states do not require businesses to report security breaches that affect only encrypted data, typically on the condition that the encryption key was not also compromised; in practice, that exemption is only available if the keys are stored and managed separately from the data they protect.
A handful of states and territories, including Maryland (but not D.C., Delaware or Virginia) also require businesses to take certain preemptive actions intended to minimize the risk of unauthorized access or use of personal information. For example, if your business owns or licenses the personal information of an individual residing in Maryland, it must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information, and the nature and size of your business and its operations. And when a business governed by the Maryland law destroys records that contain a customer’s personal information, the business is required to take reasonable steps to prevent unauthorized access to, or use of, the personal information, taking into consideration factors that include the sensitivity of the records, costs and available technology.
Also, if your business uses a nonaffiliated third party to perform services and discloses personal information about a Maryland resident under a written contract with that party, then your business must by contract require the third party to implement and maintain its own reasonable and appropriate security procedures and practices to help protect the personal information from unauthorized access, use, modification, disclosure or destruction.
The best first steps are prevention and planning
If your business has not yet suffered a security breach, count yourself lucky – the Privacy Rights Clearinghouse [6] now conservatively estimates that a whopping 230 million records have been compromised since January 2005. But, don’t count for too long; instead, spend your time wisely by preparing for the worst. Doing so will help you minimize the likelihood of a breach by bolstering your security systems and policies, ensure that you comply with applicable state data security breach laws (and any other applicable U.S. or international privacy laws), and establish safeguards and plans that will bolster customer confidence, both in good times and in bad.
Make no mistake, prevention and planning for a security breach can be a big and complex job, but so are the stakes. We recommend the following four-step prevention and planning process:
- Audit – audit your security practices and how you collect, share and use personal information, and learn which laws apply to your business.
- Implement – design and implement a privacy and security plan that complies with applicable laws, limits exposure, and increases customer confidence.
- Comply – follow the plan, but update it as technologies and laws change.
- Mitigate – prepare a risk mitigation plan, and swiftly implement it if the worst happens.
No security system, not even Google’s, is perfect. But given the complex patchwork of state-level data security laws (and other privacy laws), taking preventive measures to minimize the likelihood and scope of a future security breach, and establishing contingency plans in case one occurs, is the surest path to legal compliance, not to mention a win-win outcome for your customers, your company and your pockets.