Data Security: Are you doing all you can?

Hinckley Allen Privacy & Data Security Alert

September 24, 2015

UCLA Reports Stolen Laptop with 1,200 Patient Names

The University of California, Los Angeles, Health System on Tuesday said that a laptop containing medical record numbers, health information used for treatment plans and the names of about 1,200 patients was stolen from a faculty member in July. – Law360, September 3, 2015

Could that be your company? Businesses today are holding more and more personal information, but their data security systems may or may not have kept pace. It’s important to right-size the security system for your business, and that starts with making a plan. Here are five steps to building a data security plan that works for your business:

  • Know what you have
  • Know what you need
  • Destroy what you don’t or no longer need
  • Keep what you have secure
  • Have a breach response plan in place

1. Take Inventory

Know what you have and where you keep it. Employee information? Social Security Numbers? Customer information? Credit or debit card numbers? Is it on computer servers? Laptops? Mobile devices? Digital copiers? Paper files in file cabinets? On desks? In briefcases?

There are many state and federal laws about protecting personal information and they don’t all use the same definition of “personal information.” In general, however, “personal information” is information about an individual that identifies the individual (such as name and address) combined with health information, social security number, government-issued ID number, payment card number, or financial account number. There are many nuances, but that’s a good basic rule of thumb to use as a starting place. But note that, in certain contexts (such as for bank regulatory purposes), the mere fact that someone is a customer of your business can be confidential information.
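Taking inventory of what you hold is easier when a scan can point out where the regulated data elements from the definition above actually sit. The following is an added example, not part of the original alert: it searches text for Social Security Numbers and payment card numbers, and filters out look-alike numbers using the SSA issuance rules (area not 000, 666 or 900–999; group not 00; serial not 0000) and the Luhn check digit that card numbers carry. The file names and contents in `SAMPLE_RECORDS` are constructed for the demonstration.

```python
import re

# Constructed sample records, standing in for the files an inventory scan would walk.
SAMPLE_RECORDS = {
    "hr/employees.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,000-12-3456\n",
    "sales/orders.txt": "card 4539 1488 0343 6467 billed; ref 1234 5678 9012 3456\n",
    "notes/readme.txt": "No personal information here.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by spaces or hyphens (card numbers are often grouped).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def valid_ssn(area, group, serial):
    """Apply the SSA issuance rules so that placeholder numbers are not flagged."""
    area_n = int(area)
    if area_n == 0 or area_n == 666 or area_n >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, fold down, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_personal_info(text):
    """Return (kind, value) pairs for each SSN or Luhn-valid card number found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def inventory(records):
    """Map each location to the personal information found there, omitting clean locations."""
    result = {}
    for path, text in records.items():
        hits = find_personal_info(text)
        if hits:
            result[path] = hits
    return result


if __name__ == "__main__":
    for path, hits in inventory(SAMPLE_RECORDS).items():
        print(path, hits)
```

Running it over the constructed records flags the valid SSN in the HR file and the one card number that passes the Luhn check, while ignoring the 000-area SSN and the 1234 5678 9012 3456 sequence, which fails the check. Pointing `inventory` at real file contents gives a first map of where the categories listed in this section live.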

2. Focus on What You Need

Don’t collect information that you don’t need. Look at what you typically collect: are you collecting it because you always have, or because you have a legitimate business need for which nothing else will do? Don’t use Social Security Numbers (SSNs) as file or account numbers. Don’t collect SSNs – or anything else – at all unless you really need them.

3. Destroy Unneeded Information Regularly

We’re all better at collecting new information than we are at discarding data that are old, outdated, or no longer needed. But data that you no longer have cannot be leaked or accessed.

  • Establish procedures for identifying information that your business no longer needs.
  • Implement reasonable and appropriate disposal practices:
    • Shred, burn, or pulverize paper records
    • Erase data on hard drives by overwriting it or by using a software utility program designed for the purpose. Simply using “delete” commands with your keyboard or mouse is not usually sufficient.
  • Establish procedures for disposing of old or outdated computers and portable devices to ensure that the information they contain cannot be retrieved or reconstructed.
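The disposal step above notes that a plain “delete” usually leaves the data on the drive; a delete only removes the directory entry, so the bytes stay in place until the space is reused. The following is an added example, not part of the original alert, showing the overwrite approach in Python: the file is rewritten in place with random data and then zeros, synced to disk after each pass, and only then unlinked. Verifying the contents before unlinking confirms the original bytes are gone. One caveat to keep in mind when writing disposal procedures: on SSDs and on journaling or copy-on-write file systems the overwrite may land on different physical blocks than the original, so for those media the reliable controls are full-disk encryption from day one and the drive’s own secure-erase command.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=3):
    """Overwrite a file's contents with random data, then zeros, syncing each pass to disk.
    Returns the bytes read back afterwards so the caller can confirm the original content is gone."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device, not just the page cache
        f.seek(0)
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:
        return f.read()


def secure_delete(path):
    """Overwrite, then remove. Returns True if the file was overwritten to zeros and unlinked."""
    remaining = overwrite_in_place(path)
    os.remove(path)
    return remaining == b"\x00" * len(remaining) and not os.path.exists(path)


def demo():
    """Create a constructed record in a temp file and dispose of it; returns the secure_delete result."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"A. Example, SSN 123-45-6789 (constructed sample record)\n")
    return secure_delete(path)


if __name__ == "__main__":
    print("securely deleted:", demo())
```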

4. Keep It Secure

If you keep sensitive information (such as employee records) on paper, it should be in locked file cabinets or offices whenever it is unattended. That certainly includes nights and weekends, but it also means whenever human resources personnel leave their desks for meetings, lunch, or just to use the restroom. The same is true of anything on paper, including client records with Social Security Numbers, customer records with credit card numbers, and sometimes even vendor records with payment account numbers.

Increasingly, of course, information is kept in electronic form: on servers, desktops, laptops, and mobile devices. And it’s often in transit: from the customer to your business, from your business to your employees, and between your employees and your service providers. Your security practices need to keep the information safe in all of those places. Have you assessed the vulnerability of your system? Do you monitor your system for intrusions? Is the information encrypted in storage and in transit? When encryption isn’t practical, do you have alternative plans? For example, if an employee’s mobile device is lost or stolen, can you clear its memory remotely? Have you assessed the security of your vendors’ systems?

A federal appeals court in FTC v. Wyndham Worldwide Corp. recently upheld the Federal Trade Commission’s (FTC’s) authority to regulate a company’s data security practices under Section 5 of the FTC Act, which regulates “unfair practices.” Wyndham, which operates a group of hotels and resorts, failed to encrypt data stored on its servers, implement firewalls to protect its servers from the internet, monitor its system to detect unauthorized access, or implement industry-standard password protocols. The vulnerability of Wyndham’s system allowed repeated security breaches, exposing 619,000 customers’ records (including payment card numbers and security codes) and leading to $10.6 million in fraud losses. The FTC brought an action against Wyndham, alleging that Wyndham’s failure to protect customer information constituted “unfair” or “deceptive” practices in violation of the FTC Act. Wyndham filed a motion to dismiss the FTC’s action, claiming that the FTC did not have the authority to regulate cybersecurity under the “unfairness” provisions of the FTC Act. The Court, in a 40-page opinion that virtually dripped with incredulity, held that the FTC did have the authority to regulate cybersecurity. The Court even pointed out that, “[a]lthough not before us on appeal, the complaint also raises a deception claim,” because Wyndham’s Privacy Policy stated that it used “industry standard practices” and made “commercially reasonable efforts” to keep data secure, although it appeared that Wyndham had done nothing of the sort.

The Court in Wyndham did not decide that Wyndham’s failure to use firewalls, encryption, and industry-standard password protocols constituted “unfair trade practices,” but this was only because that question was not before the Court. All the Court had been asked to decide was whether the FTC had the authority to regulate cybersecurity practices: it answered that question with a resounding “yes.”

The lesson other businesses should learn from the Wyndham decision is that the failure to implement reasonable data security systems could – in and of itself – constitute an “unfair practice” in violation of the FTC Act (and possibly also state mini-FTC Acts, like Massachusetts General Laws ch. 93A). And the use of off-the-shelf privacy policies that promise more data security than the business actually delivers could give rise to an additional “deception” claim.

5. Make a Data Breach Response Plan

Even with the best of systems, breaches do occur: briefcases are stolen out of parked cars, smartphones are lost, backup tapes go missing, hackers hack. Once any of those things happens, investigations need to occur, decisions must be made, law enforcement may need to be contacted, reports may need to be filed, and affected individuals may need to be alerted. You will need to know which states are relevant for your purposes, which of those states have breach notification and other data security laws, and what requirements – and what deadlines – are applicable to you. The moment when a data breach occurs is not the moment to be figuring all this out. So, before anything goes wrong, your business should:

  • Identify the team that will deal with a known or suspected data breach. Depending on the size and nature of your business, the team should include:
    • executive officers who have the authority to make decisions quickly and allocate the necessary resources;
    • information technology and security personnel who can assess the nature and extent of the breach and can stop the unauthorized access;
    • public relations personnel who can manage communications with customers and the media;
    • customer service personnel who can handle incoming calls from concerned customers;
    • HR personnel who can manage security breaches affecting employee records; and
    • compliance or legal personnel who can ensure that you fulfill all legal response requirements.
  • If your response team will include external resources (lawyers, forensics experts, computer security consultants, or the like), establish relationships in advance, when you have time to consider proposals from multiple vendors, evaluate services, and negotiate rates.
  • Consider insurance coverage options. Although most general commercial policies exclude coverage for data security breaches, specialized policies are available. And, of course, once the breach has happened, it’s too late to buy insurance.

CONCLUSION

This Client Alert is only a brief introduction to the topic of data security. In today’s world, every business collects personally identifiable information that must be kept secure and every business runs the risk of financial and reputational damage from a security breach. You can minimize the risk facing your business by evaluating the information you collect, establishing commercially reasonable practices and procedures to protect that information, and making sure you have a well-thought-out preparedness plan for responding to any breaches that do occur.
