Data Security: A Growing Concern

Published: September 30, 2005, By Sheila A. Millar Attorney-at-Law, Keller & Heckman, Washington, DC

Legal Briefs

Since the beginning of 2005, report after report has surfaced related to breaches of security that have affected more than 50 million records containing personal information. The breaches may be caused by hacking, loss of records in transit, criminal insiders, or stolen laptops or disks. The incidents have generated legislative concern, particularly since identity theft is perhaps the fastest-growing crime in the US.

New laws have been adopted, and more are on the way. In addition, they have triggered investigations by agencies like the Federal Trade Commission (FTC) and state Attorneys General, private law suits, and attendant external relations problems. While many members of the converting industry deal largely with employee or shareholder data rather than consumer data, it is important to be mindful of data security risks and to take steps to address data security in light of existing laws.

Two state laws adopted in California are of special note. The first is SB 1386, a law that requires companies to notify California residents about breaches of security affecting their personal data. This law is largely the reason we now are hearing about security breaches, and similar legislation has been adopted in multiple states. (Some industry members believe federal preemptive legislation now is needed to establish a national standard for notifications about data security breaches.)

The second California law of significance is AB 1950, which went into effect January 1. It requires businesses that own or license personal information about California citizens to adopt reasonable security procedures and practices to protect the information from unauthorized access, destruction, and use. It also requires businesses contractually require third parties to whom they disclose personal information to maintain reasonable security procedures.

These laws affect not only companies based in California but also companies that collect information about California citizens.

Other California laws restrict the display of Social Security numbers; mandate that Web sites post a privacy policy; give consumers more control over data sharing; require destruction of customer records; and protect loyal customers from having to share drivers’ license or Social Security numbers.

Relevant federal laws include the Fair and Accurate Credit Transactions Act (FACTA) amendments to FCRA, under which businesses (or individuals) using a credit report for a business purpose are subject to certain requirements, including standards for proper disposal of consumer reports or information derived from consumer reports. Reasonable disposal methods may include shredding of paper files and destroying or erasing electronic files.

Another important law is the Gramm-Leach-Bliley (GLB) Act, which governs financial privacy. The so-called GLB “safeguards” rule outlines security measures to protect financial data. There are five basic elements: 1) identifying one or more responsible employees; 2) conducting a risk assessment; 3) implementing a safeguards program and monitoring and testing its effectiveness; 4) incorporating due diligence standards with outside service providers; and 5) conducting periodic reviews and updating the plan as needed.

Although GLB applies to” financial institutions,” the FTC has initiated enforcement actions in several instances against companies that experienced breaches of security resulting in the exposure of personal information. The consent orders involved suggest the FTC considers a failure to maintain security to constitute an unfair practice under the Federal Trade Commission Act (FTCA), and it relies on the principles in the GLB safeguards rule as basic elements of a security program.

Laws on notifying affected individuals about security breaches are in effect in 11 states; similar laws will be in force in six more by next summer. Some include specific obligations to destroy records containing personal information and to implement reasonable data security procedures.

Converting industry members likely already are covered by some existing laws on data security and privacy, as this brief overview demonstrates. With identity theft growing, and more laws on the way, adoption and implementation of corporate data security and privacy policies are essential in the current environment.

Sheila A. Millar, a partner with Keller and Heckman LLP, counsels both corporate and association clients. Contact her at 202/434-4143; This email address is being protected from spambots. You need JavaScript enabled to view it.; packaginglaw.com.