By AARON B. LATTO, vice president, Business Torts Group, business insurance claim, Travelers
Technology makes it possible for businesses to transact with customers and interact with partners in sophisticated ways, without regard to geography. While technology does enable the building of broader, deeper business relationships, it also opens a Pandora's box of privacy considerations that can make today's borderless geography a major business challenge.
The American legal landscape heightens the challenge. With no unified federal standards to govern key issues such as what data is considered private, how a company must respond when data is impacted, what protective steps are adequate to avoid liability, businesses are left to cope with an industry-by-industry, state-by-state patchwork of laws. As data mishaps have become more pervasive, many states have ratcheted up their responses, as well as the punishments for ignoring the issue.
As these laws evolve, companies are hard-pressed to keep up with changing requirements in each jurisdiction where they may have customers or partners. Unless a business is prepared to go "off the grid" and forego the benefits of technology tools, it should be sure to understand its data profile, create a strong data protection and response plan, and ensure that it is adequately protected against liabilities.
NUMBERS UP, CASES DOWN
Today, a storefront business in Ohio may have customers in states as diverse as Massachusetts, Minnesota, Kentucky, Nevada and California--let alone Canada, Europe or other parts of the world. Each jurisdiction may require a different level of private data protection and a range of responses when data is lost or stolen.
Just how often data is lost or stolen is tracked by the Privacy Rights Clearinghouse, a nonprofit organization that posts a daily chronology on its Web site (with cases beginning in January 2005). As of mid-2009, the group has recorded the exposure of more than 250,000,000 individual records.
These numbers may seem overwhelming, but the volume should be kept in perspective. Well-documented cases reveal hackers stealing personal information that they then use to set up false accounts and fraudulently run up huge bills under borrowed identities. Far more often, however, reports involve a laptop stolen by thieves who likely have no interest in accessing its contents, or a missing flash drive that never turns up, or even the inadvertent, momentary posting of data in an unsecured area online with no indication that anyone made use of it.
In fact, the incidence of identity theft fell each year from 2003 and 2007. The Identity Fraud Survey Report, released each year by Javelin Strategy and Research, found the number of U.S. adult victims of identity fraud decreased from 10.1 million in 2003 to 9.3 million in 2004, and down to 8.1 million in 2007. Over the same time period, the total annual amount fraudulently spent decreased from $55.7 billion in 2006 to $49.3 billion in 2007, and the average fraud amount per victim declined from $6,278 to $5,720.
However, it appears that the downward incidence trend has recently reversed, likely due to the poor economic conditions. In 2008, Javelin found that identity fraud cases jumped to 9.9 million. Fortunately, Javelin further determined that the total annual fraud amount only increased slightly over the past year, likely due to improving detection and resolution efforts. These efforts have reduced the mean consumer costs of identity fraud by 31 percent to $496 per incident in 2008.
EVOLVING LEGAL REQUIREMENTS
The number of laws adopted to address data breaches, however, are not decreasing. The first laws were driven by consumer advocates who realized that individuals had no recourse and often were not even informed when their private information was stolen, lost or inadvertently exposed.
Today, a new driving force for legislation and regulation is financial institutions that are increasingly unhappy about the costs they bear when credit and debit cards must be cancelled and reissued in the wake of data mishaps. Financial institutions are also active in lawsuits used to allocate responsibility for the costs of data breach responses.
From notification about security lapses, to identifying who is responsible for costs, to requirements that all private data be encrypted--the laws adopted by various states are continuing to evolve. Some highlights include:
-- Notification. In 2003, California became the first state to require businesses to notify customers when certain private data is or may have been breached. Today, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands have adopted similar laws, according to the National Conference of State Legislatures. Only Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota haven't followed the trend. But critically for businesses, these laws are not uniform--differing provisions include what data is covered, how notifications should be issued, and whether criminal or civil penalties attach for failing to comply.
-- Retention of credit card security data. Although payment card industry standards have long addressed how merchants handle transaction data, in 2007 Minnesota became the first state to turn such requirements into law. The state's Plastic Card Security Act, which applies to companies that process more than 20,000 transactions annually, governs how long payment card data (security codes, PINs, magnetic stripe data) may be retained. If a company does not comply and suffers a data breach, it must reimburse financial institutions for costs such as blocking transactions, reissuing cards and notifying customers.
Nevada was the first state to require protection of personally identifiable customer data that is transmitted electronically. Massachusetts then passed stiffer encryption rules that mandated encryption, to the extent technically feasible, of personal information that "will travel across public networks" or "be transmitted wirelessly," as well as for personal information stored on portable device. Full implementation of the new Massachusetts requirements, which are broad and potentially expensive and cumbersome, has been delayed until January 2010.
With these and other legal developments, the bar has been raised as to businesses' obligations to protect private information. Many state laws are designed to apply when a company's customer is a resident of the state, not simply when a company has its headquarters or data center located there. But questions abound regarding how far these state statutes may reach. Does a California law govern technical business conducted in Tennessee? The answer may well be yes. Thus, companies would do well to be aware of the differing requirements.
4 STEPS TO ADDRESS LIABILITY
No company needs the harm to its reputation or the costly mitigation steps that may come with a data security breach. Running afoul of legal requirements will only make the problem worse. To help manage the risks that come with today's technology-based business processes, a company should evaluate its operations and consider taking action in the following areas:
1. Create and implement an effective information security program. An increasing number of businesses may be required to develop written information security programs due to their size, industry type or state of operations. Indeed, all businesses should consider such a program.
In evaluating business operations, a program should address building, maintaining and updating secure networks; implementing strong access control measures; regularly monitoring access to network resources; and maintaining an information security training and compliance policy applied to all employees.
No one program is appropriate for all businesses, but one approach may be to create a data breach response blueprint designed to comply with the most-restrictive requirements that might apply to the company (based on state laws or industry regulations). Look for guidance from state officials, such as this checklist from the Massachusetts Office of Consumer Affairs & Business Regulation. Seek the advice of legal counsel and security professionals in crafting any such program.
2. To encrypt or not to encrypt? Some businesses may be wary of encryption because of expense, complexity and accessibility. Nevertheless, encryption has become an increasingly common requirement for handling private information--whether by contract, regulation, or voluntary adoption. And breach notification laws may not be triggered when a data incident involves encrypted data. Compared with the cost of responding to a breach and the ensuing reputational harm, encryption costs may well be a smart investment.
3. Think paper. New privacy laws and media coverage tend to focus on electronic data. But paper records remain a key point of vulnerability. In a recent California case, a man admitted he stole the identities of more than 500 people and created checking accounts in their names based on information he dug out of bank dumpsters. He stole more than $1 million before he was caught. An effective information security program should address proper access to, use of, and disposal of sensitive paper records.
4. Have the right insurance coverage. Sometimes the best procedures will still not be good enough, and a mishap will take place. That is the wrong time to find out that a company's insurance coverage doesn't respond to information security risks. Specialized policies and add-ons are increasingly available to cover costs of breach notification, reputation management services, litigation defense costs and third-party damages. Consult with your agent or broker to review your existing insurance program to understand what's covered and what's not.
Technology allows businesses to grow and prosper in exciting new ways, but increasingly it also creates pitfalls for the unwary company that overlooks good data protection practices. As state laws evolve, businesses should pay attention to changing requirements, build strong data management plans and ensure that their liabilities are covered when things go wrong.
September 15, 2009
Copyright 2009© LRP Publications