May 16, 2008

Security Breach Notification Laws Demand Preparation and Precautions

By William A. McComas and Adam C. Zimmerman | For The Daily Record

Information about people possesses increasing currency in today’s economy. Social Security numbers, e-mail addresses, phone numbers and the like are leveraged daily by corporations seeking to gain intelligence about individuals.

Because we live in a telecommunicating, Wi-Fi, BlackBerry world, sensitive data now passes from machine to machine constantly, exacerbating the danger of loss or theft. It is no surprise that major data heists routinely make the news.

In response, state governments have rushed to pass hardnosed laws that force companies to investigate security breaches and inform citizens when their information has been compromised. Many of the laws also set vague data security standards, which will be clarified through our judicial process.

Maryland’s data security breach notification law, one of over 35 similar provisions in other states, came into effect this year, and several proposals for a federal law are pending in Congress.

All this legislative activity has made clear that no company can afford to ignore that personal identifiable data is an asset and a liability. When engaged directly or indirectly in the gathering and use of this data, businesses should ask and answer a series of questions:

1. Do the applicable contracts clearly identify who owns the data, how the various parties involved can use it, and how breaches will be handled?

2. Are the non-owning company’s information technology infrastructure, business processes and personnel prepared to responsibly manage the data?

3. How will each party behave when a security breach occurs and individuals must be notified?

Let’s begin with the first question. Many companies acquire valuable data through third parties. A company may rely on a vendor to operate and host the company’s Web site through which personal identifiable data is captured, for example. The Web site owner will want to own this data while granting a right to the hosting company to use the data.

But if a hacker breaks into the host company’s system and steals information on 5 million of the Web site owner’s customers, who will investigate the breach and how will the notification be handled? Who will pay for these procedures? Who will be liable if the victims sue?

The answers are not always obvious. The vendor whose system has been hacked would be in the best position to investigate the attack, but a state statute may very well place this burden on the company’s shoulders. Thus, the company would want to have a hand in the process to ensure that all bases are covered and its customers protected, while permitting the vendor to investigate the breach, notify impacted individuals and remediate any flaws in the system.

Similarly, the owner of the data will want to control how the notification takes place. The situation is a public relations nightmare, but one the owner will want to manage without interference from the vendor. That said, the vendor is arguably to blame, particularly if its security was lax. So the owner will want the vendor to pay for the mailing and related legal fees. The owner will also want to be indemnified from liability in the event of litigation.

The initial contract between the two parties should address these issues explicitly, anticipating the need for quick action in the wake of a major breach.

Mitigating the risk of security breaches is a key responsibility for any party that maintains personal identifiable data. Companies in this position should regularly conduct data security audits. Doing so will help ensure that the procedures in place are adequately protecting customer, client and even employee information.

The audits should take into account emerging security threats that may arise from outside the organization (hackers and viruses) and from within (employees who lose laptops or steal records). The audits should look not only at security software issues but also computer usage, records retention/destruction policies, and general business practices. Vulnerabilities should be dealt with immediately.

But breaches can occur even at organizations that work diligently to mitigate risks. This brings us to the third problem: How would a company respond to a breach and conduct a notification?

Note that many organizations have already mapped out policies to help them respond to national security emergencies and natural disasters. A data security breach plan should go in the same file as these. The plan should be updated to reflect organizational changes.

Companies that routinely deal with security breaches will also want to draft in advance one or several notification letters that would break the bad news to individuals in a variety of states, in accordance with the various state statutes. Many of the laws, including Maryland’s, insist on timely notification.

Precautionary steps are advisable, and not only because so many states have enacted breach notification statutes (which in practice are likely to be difficult and costly to enforce). The existing patchwork of laws may be burdensome, but its spirit is not inconsistent with good business.

A company’s ultimate responsibility is to serve its public well. In the information age, good service demands aggressively protecting individuals’ information from misuse.

William A. McComas, a partner at Shapiro Sher Guinot & Sandler, practices technology law and can be reached at wam@shapirosher.com. Adam C. Zimmerman is an associate at the firm and can be reached at acz@shapirosher.com.