Does your company collect confidential information from clients or employees?
Social Security numbers? Credit card numbers? Driver’s license information? If so, there’s a new crop of information privacy laws that apply to you. These laws involve notifying individuals if sensitive data is breached. And beware: The penalties for non-compliance are high.
According to Privacy Rights Clearinghouse, 91 million data records affecting nearly 10 million U.S. citizens have been exposed through security breaches since February 2005. Breaches occur when someone hacks into a database, when a disgruntled employee steals information, or through sheer carelessness, as when a disk holding the information is lost or misplaced.
Faced with a public outcry, the U.S. Congress has proposed new laws to address general data privacy and security concerns, although none has yet been enacted. However, 33 states, including New York, New Jersey and Connecticut, have passed data breach legislation within the past three years.
What does this mean for small businesses? In short, more compliance requirements. But first, a look at what these various laws are meant to protect.
Compliance Requirements
No person, system or law can completely guarantee the safekeeping of personal information. Therefore, legislation has focused instead on providing those affected with notice of a security breach in a timely manner.
What Kind of Information Are We Talking About?
Data privacy laws are concerned with the unauthorized access of “personal information.” Many statutes define personal information as an individual’s first name (or first initial) and last name linked with: (1) a Social Security number; (2) a driver’s license number or state identification card number; and/or (3) an account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account. Clearly, this covers your clients’ credit card payment information; but also think about your employees’ driver’s license information, provided for Form I-9 identification purposes. Statutes like New Jersey’s Identity Theft Prevention Act of 2005 (the NJ Act) specifically exclude personal information that is publicly (and lawfully) available, such as through government records. New York’s Information Security Breach and Notification Act (the NY Act) does, too.
To the Point
New York, New Jersey and Connecticut have recently enacted laws requiring notification of data privacy breaches; penalties for non-compliance can range from $5,000 to $150,000. Conduct an information security review at your company to gauge how well secured your data is, and make sure you also have a privacy policy in place. Remember, in the event of data loss or disclosure it’s not just the legal authorities you’ll be worried about; such an event can erode customer confidence in your company.
Who Has to Be Notified of a Security Breach?
Notification requirements vary among the states. New York has a blanket requirement that “individuals whose personal information data has been compromised must be informed.” Under most statutes, this notification can be given either in writing or electronically. New Jersey and Connecticut require notification only if the business “establishes” (under the NJ Act) or “reasonably determines” (under Connecticut’s law) that misuse of the information, or harm to the individual, is likely. Both states require notification only to their own residents. However, if you have customers outside your home state, consider notifying everyone who is affected; otherwise, the situation could turn into a public relations nightmare.
Furthermore, in many states (New York and New Jersey, for example), individuals need not be notified if the breached information was encrypted and the encryption key was not accessed. Frustratingly, the current laws do not define the encryption standard, so it falls to the business to be able to show that the key really was held apart from the data and that the ciphertext could not be read or altered without it.
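The encryption exception above turns on two things a business must be able to demonstrate after a breach: the stolen data was encrypted with a reputable algorithm, and the key was not stolen with it. The following Go program is an added example, not code from the original article, of one common way to arrange that: each sensitive field (here a constructed, fictitious Social Security number) is encrypted with its own data key using AES-256-GCM, and that data key is itself wrapped under a master key that is kept outside the database. The record identifier is bound to both ciphertexts as associated data, so a value copied into another row does not decrypt. The master key is generated in memory here purely for illustration; in practice it would come from an HSM or key-management service and never be stored alongside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedField is what the database stores for one protected value.
// Neither member is usable without the key-encryption key (KEK).
type EncryptedField struct {
	WrappedDEK []byte // per-record data key, sealed under the KEK
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

// seal encrypts plaintext under key with AES-256-GCM and authenticates aad.
// The random nonce is prepended so unseal can recover it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal. GCM rejects any change to the ciphertext, the aad,
// or the key, so a wrong KEK or a tampered row yields an error, not garbage.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptField protects one value with a fresh 256-bit data key (DEK) and wraps
// the DEK under kek. recordID is authenticated, not encrypted, so a ciphertext
// moved to another record's row will fail to decrypt.
func EncryptField(kek []byte, recordID string, plaintext []byte) (EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return EncryptedField{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with kek and then decrypts the field.
func DecryptField(kek []byte, recordID string, f EncryptedField) ([]byte, error) {
	dek, err := unseal(kek, f.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, f.Ciphertext, []byte(recordID))
}

func main() {
	// Illustration only: a real KEK lives in an HSM/KMS, never next to the data.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	ssn := []byte("123-45-6789") // constructed sample value, not a real SSN
	f, err := EncryptField(kek, "employee:42", ssn)
	if err != nil {
		panic(err)
	}
	got, err := DecryptField(kek, "employee:42", f)
	fmt.Println("round trip ok:", err == nil && string(got) == string(ssn))
	// A stolen table copy replayed under another record ID (or without the KEK) fails:
	_, err = DecryptField(kek, "employee:43", f)
	fmt.Println("swapped row rejected:", err != nil)
}
```

The point of the two-layer design is evidentiary as much as cryptographic: when the database is exfiltrated, the business can say exactly which key would have been needed, show that it was stored and accessed separately, and point to the authentication tag as proof that the stolen rows could not even be altered undetected.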
When Must You Notify Customers of a Breach?
Should your business suffer a breach, when would you have to notify people? The language varies slightly from state to state, but overall (in characteristically vague terms) it is “within the most expedient time possible and without unreasonable delay.” New Jersey’s law actually provides that customers may not be notified before the breach has been reported to law enforcement authorities for investigation or handling.
What Are the Penalties for Non-compliance?
Nina L. Kaufman, Esq. is an award-winning business attorney, speaker, and Entrepreneur Magazine online columnist and blogger. She has spent over 15 years successfully navigating thousands of small businesses through the legal issues they face in entrepreneurship. For more information, visit www.AskTheBusinessLawyer.com