
Data security: it's your problem too.


Q. Your company possesses a spreadsheet of customers' names and their Social Security numbers for transactional purposes. Grant, your sales manager, takes this list with him one night to update his contacts list. He stuffs the few sheets of paper in the outside pocket of his briefcase and sets off for the parking lot. As he strides to his car a brisk wind snatches the spreadsheet from his briefcase and sends it down Route 3. Is this the company's problem? Should the company have policies in place to prevent incidental disclosure of customers' personal information?

A. Even if your company does not possess millions of credit card numbers, like many major retailers, the unintentional disclosure of even some of your clients' Social Security numbers can have devastating consequences for your company.

Putting the threat of lawsuit aside, the bigger issue for your company is protecting your clients' hard-earned trust.

How would you feel if you received a letter from your bank informing you that it unintentionally e-mailed your Social Security number to 100 people? You would certainly be concerned about what those people might do with this information. You also might take your business elsewhere.

Avoiding such a breach of trust is one of the most important reasons for your company to protect the personal information it maintains, stores or possesses.

Nearly every state and many federal agencies now have statutes and regulations requiring your company to secure "personal information" in its possession and/or notify its owners if it is reasonably likely that unauthorized access to that information has occurred. Before determining how to protect the information, you must know what kinds of information need protection.

Variations of the meaning of "personal information" exist among the states and federal agencies. New Hampshire follows the most common description, in that "personal information" means an individual's first name or initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver's license number or other government identification number; account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Notably, "personal information" does not include a person's date of birth, cell phone number, or e-mail address, although it makes good business sense to protect this information as well.

Protecting personal information

The most effective way to protect personal information is to develop and implement a written information security program for your business. In fact, the Commonwealth of Massachusetts has propounded administrative regulations (effective March 1, 2010) through the Office of Consumer Affairs and Business Regulation (OCABR) that mandate such a program in any business that possesses personal information about a Massachusetts resident. If you have Massachusetts clients or employees, your business is required to have a written information security program. A PDF version of the regulations exists on the OCABR home page (mass.gov/consumer).

Even if your company does not possess personal information about a Massachusetts resident, these regulations provide a valuable roadmap to developing a plan to curtail data breaches.

Some of the most crucial program elements include:

* Appointing a data security chief in your company

* Developing a security program that assesses the risks of data breach and then moves to mitigate those risks

* Taking reasonable steps to ensure third-party vendors you give the personal information to also are securing the information

* Training your employees

Sometimes even the best protective measures cannot prevent an inadvertent disclosure of personal information. In these cases, your company is required to notify the individual about the data breach, often within certain time limits. In many states, notification to the attorney general's office or designated state regulatory agency also must occur.

Great care should be taken when performing notification, as the specific content and particular recipients of the notice depend on keen analysis of that state's statute. If you are doing business in New Hampshire and sustain a breach involving personal information of an out-of-state resident, notification is almost certainly required to that out-of-state resident, and perhaps to that state's designated central data breach repository.

In light of the amount of personal information that circulates among businesses, especially electronically, data breach prevention must be at the forefront of your company's risk management considerations. Given increasingly complex regulations and the variance of requirements from state to state, it is wise to consult counsel for assistance in developing a plan that includes prevention of data breaches and an appropriate means of complying with notification requirements if a breach occurs.

Neil B. Nicholson, an attorney at the law firm of McLane, Graf, Raulerson & Middleton, can be reached at 603-628-1483 or neil.nicholson@mclane.com.
COPYRIGHT 2009 Business Publications, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2009 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:Protecting Information
Author:Nicholson, Neil B.
Publication:New Hampshire Business Review
Geographic Code:1U1NH
Date:Sep 11, 2009