Information management extends beyond eDiscovery and e-mail archiving. In 2005 alone, over 80 companies, universities, hospitals and government entities suffered security breaches that compromised personal and financial data. The majority of these breaches affected tens of thousands of individuals, and some affected millions. The largest, involving a company called CardSystems, resulted in the disclosure of data on approximately 40 million people.
The loss of customer data can result from negligence, hackers or theft, and it does not always require a technical intrusion. By way of example, in February 2005, ChoicePoint, a company that collects and compiles personal and financial information, disclosed that it had been the victim of a security breach. Criminals gained access to ChoicePoint’s database by signing up for the company’s service using stolen credit cards and posing as legitimate businesses. The criminals then created up to 50 different accounts to search the files of up to 145,000 people nationwide.
These security breaches have prompted states to introduce legislation requiring organizations to disclose to consumers security breaches involving personal information. As of January 9, 2007, 35 states have enacted legislation requiring companies to disclose data security breaches concerning personal information.1
The legislation typically requires that notice-triggering information (the categories of personal information defined in the statute) has been compromised before notification is required, but the threshold for “compromised” varies. In some states, an organization must notify individuals when personal information has been materially compromised. In other states, notification is required only when there is a likelihood of harm to the consumer as a result of the breach. Some states, such as California, require notification whenever personal information has been, or is reasonably believed to have been, acquired by an unauthorized person, regardless of demonstrated harm. In every case, the purpose of notifying individuals is to enable them to take action to protect themselves against identity theft or other possible harm.
When determining whether to notify individuals of a security breach, consider whether the information is in the physical possession and control of an unauthorized person (as in the case of a lost or stolen computer or other device containing notice-triggering information). Also consider whether the information has been downloaded or copied, and whether it has already been used by an unauthorized person to establish fraudulent accounts or to commit identity theft. When notification would allow individuals to take action to protect themselves from possible harm, consider providing notice even if the compromised information is not notice-triggering information. Keep in mind, however, that repeated notices about non-notice-triggering information can make individuals complacent, which reduces the effectiveness of the notices that matter.
Notify the affected individuals in the most expedient and timely way possible after discovering an incident involving unauthorized access to notice-triggering information. First take steps to contain and control the affected systems, and conduct a preliminary internal assessment of the scope of the breach. Once you have determined that the information was, or is reasonably believed to have been, acquired by an unauthorized person, notify the affected individuals within 10 business days, unless law enforcement authorities tell you that providing notice at that time would impede their investigation.
When notifying individuals, include a general description of what happened, the type of personal information that was compromised, what has been done to protect the individuals’ personal information from further unauthorized acquisition, what your organization will do to assist affected individuals, and information to help individuals protect themselves from identity theft (including contact information for the three national credit reporting agencies).
Make sure that the notice is clear, concise and conspicuous. Use clear, simple language, guiding subheadings, and plenty of white space in the layout. Avoid using jargon or technical language. In addition, avoid using a standard format, which may result in complacency toward the notice.
Send the notice by first-class mail. Alternatively, consider sending the notice by e-mail if you normally communicate with the affected individuals by e-mail and have received their prior consent to that form of notification. If you cannot identify the specific individuals whose notice-triggering information was acquired, notify everyone in the groups likely to have been affected. When a large number of individuals have been affected (e.g., 500,000), or you do not have adequate contact information for those affected, provide notice through public channels: post the notice conspicuously on your website, notify through major statewide media (television, radio and print), and send the notice by e-mail to any affected party whose e-mail address you have.
If you believe that the incident may involve illegal activity, report it to the appropriate law enforcement agencies. When contacting law enforcement, inform them that you intend to notify affected individuals within 10 business days. If a law enforcement agency tells you that giving notice within 10 days would impede the criminal investigation, ask them to inform you as soon as notice can be given. It should not be necessary for a law enforcement agency to complete its investigation before notification can be given. As soon as the law enforcement agency clears you to do so, send notice to the affected individuals immediately.
These recommendations can serve as guidelines to help organizations provide timely and useful information to individuals whose personal information has been compromised while in the organization’s care. They do not, however, cover every practice that should be observed. Organizations should periodically review and update their own practices to ensure compliance with applicable laws and with the principles of privacy protection. Specific or unique considerations, including compliance with other laws, may make some of these practices inappropriate for some organizations.