(Article originally published in the New Hampshire Business Review, September 2009)
Your company possesses a spreadsheet of customers’ names and their social security numbers for transactional purposes. Grant, your sales manager, takes this list with him one night to update his contacts list. He stuffs the few sheets of paper in the outside pocket of his briefcase and sets off for the parking lot. As he strides to his car a brisk wind snatches the spreadsheet from his briefcase and sends it down Route 3. Is this the company’s problem? Should the company have policies in place to prevent incidental disclosure of customers’ personal information?
This is the company’s problem, and the company should have policies in place to prevent disclosure of personal information in its possession. This article defines “personal information,” and provides guidance on how to protect that information and respond in the event of a data breach.
Why should I protect this information?
How would you feel if you received a letter from your bank informing you that it unintentionally emailed your social security number to 100 people? You would certainly be concerned about what those people might do with this information. You might also take your business elsewhere. Avoiding such a breach of trust is one of the most important reasons for your company to protect the personal information it maintains, stores, or possesses.
What to protect
Nearly every state and many federal agencies now have statutes and regulations requiring your company to secure “personal information” in its possession and/or notify its owners if it is reasonably likely that unauthorized access to that information has occurred. Before determining how to protect the information, you must know what kinds of information need protection.
Variations of the meaning of “personal information” exist among the states and federal agencies. New Hampshire follows the most common description in that “personal information” means an individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver’s license number or other government identification number; (3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Notably, “personal information” does not include a person’s date of birth, cell phone number, or email address, although it makes good business sense to protect this information as well.
How to protect the personal information
The most effective way to protect personal information is to develop and implement a written information security program for your business. In fact, the Commonwealth of Massachusetts has propounded administrative regulations (effective 3/1/10) through the Office of Consumer Affairs and Business Regulation (“OCABR”) that mandate such a program in any business which possesses personal information about a Massachusetts resident. If you have Massachusetts clients or employees, your business is required to have a written information security program. A PDF version of the regulations exists on the OCABR home page.
Even if your company does not possess personal information about a Massachusetts resident, these regulations provide a valuable roadmap to developing a plan to curtail data breaches. Some of the most crucial program elements include: (1) appointing a data security chief in your company; (2) developing a security program that assesses the risks of data breach and then moves to mitigate those risks; (3) taking reasonable steps to ensure the third-party vendors you give the personal information to are also securing the information; and (4) training your employees.
Sometimes even the best protective measures cannot prevent an inadvertent disclosure of personal information. In these cases, your company is required to notify the individual about the data breach – oftentimes within certain time limits. In many states, notification to the Attorney General’s Office or designated state regulatory agency must also occur. Great care should be taken when performing notification, as the specific content and particular recipients of the notice depend upon keen analysis of that state’s statute. If you are doing business in New Hampshire and sustain a breach involving personal information of an out-of-state resident, notification is almost certainly required to that out-of-state resident, and perhaps to that state’s designated central data breach repository.
In light of the amount of personal information that circulates among businesses, especially electronically, data breach prevention must be at the forefront of your company’s risk management considerations. Given the increasingly complex regulations in this area and the variance of requirements from state to state, it is wise to consult counsel for assistance in developing a plan that includes prevention of data breaches and an appropriate means of complying with notification requirements if a breach occurs.
Neil B. Nicholson is an attorney at the law firm of McLane, Graf, Raulerson & Middleton, P.A. Neil can be reached at 603-628-1483 or [email protected]. The McLane Law Firm is the largest law firm in the State of New Hampshire, with offices in Manchester, Concord, and Portsmouth, NH, and Woburn, MA.