Keeping data safe: new legal standards for companies doing business in the digital age.


If you keep information about your customers, soon you may be responsible for keeping it safe from hackers and identity thieves. Privacy laws dictate what businesses can do with the personal information that they collect from their customers, but until now, no legal obligations have been imposed on how companies maintain this information within their databases. A new California law requires companies and government agencies to notify consumers when the security of databases containing their personal information is compromised. This is just the first of new legal obligations on business owners to ensure the security of the customer data they collect and store.

Many companies today maintain databases of customer information. This information may include an individual's name, address, telephone number, email address, birth date, credit card number, passwords and shopping preferences. Businesses use this information not only to record transactions, but also for direct marketing and market research.

California's legislature has recognized that the widespread collection of personal information puts the privacy and financial security of the individuals whose information is collected increasingly at risk. Recent security breaches by hackers and break-ins at company facilities have led the public increasingly to demand that companies protect the personal information they collect.

On April 5, 2002, a hacker broke into a computer system at the Stephen P. Teale Data Center, the payroll facility for California State employees, which contained payroll information, Social Security numbers, and other sensitive personal information for approximately 265,000 California State employees. Concerned with the growing number of identity thefts, and in response to the incident at the Stephen P. Teale Data Center, the California legislature enacted Senate Bill 1386, which requires companies doing business in California and government agencies whose databases have been broken into to notify individuals if their personal information may have been acquired by an unauthorized person.

California's notification law went into effect on July 1, 2003 and applies to businesses and government agencies that own or maintain unencrypted personal information of California residents. The required notice must be made in the "most expedient time possible" and may be in writing or in the form legally prescribed for electronic records and signatures. Under certain circumstances, substitute notice can be given either by e-mail, a conspicuous posting on the company's website or notification to major statewide media. Companies that do not comply with California's notification law can face civil claims by residents who are harmed.

Providing notice of an electronic break-in may be sufficient to comply with California's new law and similar federal legislation currently being proposed, but it probably is not enough to insulate a business from liability for harm resulting from electronic crimes such as identity theft emanating from the security breach. Future lawsuits will likely center on the actions a company took after the break-in to minimize damage and to prevent a recurrence. Because laws tend to develop more slowly than business practices, legal rules and guidelines have yet to be formulated for the standard of care a business must follow to avoid liability for database security breaches. At a minimum, management teams will need to adopt data security practices as a hedge against future legal claims. Choosing which practices to adopt will be a challenge for companies with limited IT budgets and resources.

There are measures a business can take to comply with California's new security breach notification law and to minimize its exposure to lawsuits in the future for failing to ensure the security of personal information held in its databases. Some suggested measures include:

1. Establish an Information Security Program. An information security program contains not only technical safeguards, but administrative and physical safeguards as well. A company should assess internal and external risks to the security, confidentiality and integrity of its customer information and design and implement safeguards for preventing, detecting, and responding to database intrusions.

2. Unify Physical and Data Security Functions. A company's facilities management department typically handles physical security functions while the IT department handles database security. Unifying these functions, including creating a single reporting scheme for management of physical and data security operations within a company, will eliminate vulnerabilities that electronic intruders often exploit. Further, facilities access control systems should be integrated with computer network security systems to better enable managers to detect physical or electronic intrusions as they occur.

3. Establish an Electronic Communications Policy. Companies should implement an electronic communications policy governing employee access to and use of the company's computer network and electronic communications devices. The policy, in conjunction with employee training, informs employees of restrictions on their access to company databases and computer networks and the consequences of accessing information without authorization.

4. Establish a Privacy Policy and Follow It. Companies should establish a privacy policy that is complete and accurate. The policy should describe the types of information the company collects, as well as how that information is used and what security measures are employed. The company must adhere to the policy in its collection, storage, use and transfer of personal data in order to avoid liability for misrepresentation or similar claims.

5. Establish Reasonable Notification Procedures. Companies that have a reasonable notification procedure in place as part of an information security program can fulfill the notification requirements of the new California law and proposed federal legislation. Notifying affected persons in accordance with an established notification procedure in the event a breach occurs gives a company flexibility in determining how to inform consumers of the security breach. Additionally, having notification procedures in place may help a company build trust with the customers who provide their personal information.

If a company discovers an unauthorized intrusion into its customer information database, the company should immediately seek the advice of experienced counsel to ensure that the steps it takes next do not make a bad situation even worse.

Kevin D. DeBre is a partner in the Intellectual Property and Technology Department of Greenberg Glusker Fields Claman Machtinger & Kinsella LLP. Denica E. Anderson was a summer clerk at the same firm and is presently attending law school at the University of Southern California. Joel Rakow of Tatum Partners LLP contributed to this article and the authors would like to thank Joel for his assistance.
COPYRIGHT 2003 CBJ, L.P.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author: Anderson, Denica E.
Publication: Los Angeles Business Journal
Date: Nov 17, 2003
Words: 1031