A Brief Teach On Data Breach

Access key on a laptopToday’s guest post comes from Robert E. Bershad, a former attorney and a B2B communications professional who writes articles about the internet and information technology.  He may be reached at rbershad@comcast.net

Since January 2005, over 263 million electronic records have been compromised in the United States alone, according to the Privacy Rights Clearinghouse. These records, many containing personally identifying information, were compromised through data breaches: a hack, a stolen laptop, a misplaced back-up drive, etc. If your company collects personally identifying information and someone breaches the security of your data, then you may have to notify the people in your database. If you don’t, your company could suffer millions of dollars in fines and litigation, loss of reputation, and other complications we would all prefer to do without.

That is the law in forty-five states and Washington, DC. These laws are called “Data Breach Notification Acts.” Their purpose is to warn people that their personal information may have fallen into the wrong hands. And it is your responsibility to let them know.

Of course just because there has been a breach doesn’t mean someone is pouring over the personal data for malicious ends. But in some states that doesn’t matter. If you simply have a ‘reasonable belief’ that identity thieves or the like are responsible, then you still have a duty to notify.

If you don’t notify, and quickly, then a State’s Attorney General might sue you, and any number of the people in your database could sue you as well. So it behooves companies who collect personally identifying information to ensure their data are secure. Encryption is key. If there is a breach but the data is encrypted, then the laws do not require you to notify unless you have reason to believe the encryption itself was compromised.

Nevada and Massachusetts are advancing the scope of these laws by requiring businesses to encrypt personal information that is transferred electronically to PDAs, thumb drives, etc. California, perhaps the strictest state in the country, has provided guidance on how to navigate their law.

There is some latitidue for marketing research panel companies. Most states only care about a person’s social security, driver’s license, and credit card numbers. That is information most if not all marketing reseach panels don’t have. But some states, Arkansas and California among them, do care if there is healthcare information involved. That kind of information is commonplace is almost every panel in the land.

If a breach occurs, you must notify “without unreasonable delay” in some states or “immediately” in other states. You can notify by mail, email, or telephone. Not the kind of call a call center would enjoy making. If the number of people to contact is massive or the cost of contacting them is prohibitive, it might be okay to post a conspicuous website notice or alerting statewide media. Neither option is good.

Perhaps the stickiest part of all of this is that the location of the people in your database determines which laws apply, not the location of the company victimized by the breach. For example, if a company in Massachusetts sustains a breach of data connected to Californians and Texans, then the laws of California and Texas apply to the situation. With each additional state represented in your database comes an additional set of state laws. The only states without these laws right now are Alabama, Kentucky, Mississippi, New Mexico, and South Dakota.

Rob DiMarco, President of 416Software and author of the Innovation On The Run blog, recommends considering these steps while consulting with an IT Security professional:

  • Collect only what you need. The best way to protect against losing sensitive data is to never store it in the first place.  Ask yourself if you really need to save personally identifying information like social security numbers or if there are other, less sensitive pieces of data that will suffice
  • Use one-way encryption to turn identifiers into unique keys. Social security numbers and driver license numbers are often used to track data records over time.  Instead of storing this sensitive information, a better approach is to use a hashing algorithm such as MD-5 or SHA-1 to transform the data into an encrypted string. This process will transform sensitive data into trackable data, but it is done in such a way that the original sensitive cannot be reconstructed.
  • Use software to create encrypted drives. Encrypting a drive protects your data in the case the drive the data is stored on is compromised.  DiMarco recommends TrueCrypt, a free, cross-platform tool that you can use to easily encrypt hard drives and USB flash drives. This tool will be useful when Nevada and Massachusetts (and other states that follow) begin requiring businesses to encrypt personal information that is transferred electronically to PDAs, thumb drives, etc.

There is some movement on the federal level to enact a one-size-fits-all law for everyone to follow. That may eliminate the burden of tracking the laws in the several states, but it won’t eliminate your responsibility to protect the personally identifying data that you collect.

Disclaimer: This post is not legal advice and is not intended as legal advice. It is intended to provide only general, non-specific legal information. This article is not intended to cover all the issues related to the topic discussed.