Are you a publisher/distributor/film industry executive looking for leading creative developers, a developer looking for a strategic partner or a game trendsetter with an opinion...join this blog for weekly themed community discussions and featured surprise guest bloggers.....build a community and meet at GDC 2009 San Francisco and GDC 2009 Vancouver

In the Penalty Box: Post-GDC San Francisco

Thanks to all blog participants and readers who chimed in to The Puck Stops Here! and contributed to the fun and informative discussions. Stay tuned as we move the blog to Vancouver in the lead-up to GDC Canada in May. In the meantime, we invite you to post about your GDC San Francisco experience below!

Friday, February 20, 2009

Uh-Oh, we lost the data
Continuing with the theme of my last two posts, I want to touch on an issue facing more and more companies doing business in the U.S. That is, the loss, theft or other unauthorized access to the customer data you collect. And, more specifically, your obligations under various state laws when it happens.

It is, of course, quite common for companies to collect and retain information about the identities and buying habits of their customers. Various state and federal laws address what can be collected and the steps companies must take to restrict access to that information. As noted earlier, in the U.S., these rules generally apply only to specific types of protected information – financial, health, and information about children – and particular methods of collection. But, the fact that you may not collect information that is subject to these laws and regulations does not mean you are home free. To the contrary, even if the information you collect is not protected information, you may have obligations if the information falls into the wrong hands.[1] And, in some instances (as under Minnesota’s law), you may have financial liability for losses that result from a security breach.

The newspapers in recent months have been filled with stories of data breaches – accidental and intentional. This runs the gamut from selling a computer without removing the hard drive to a major hack of a company’s security system. If this happens to you and you have customers in the U.S., it is quite likely you will be subject to one (likely more) of the state laws governing data security and breach. Indeed, at this point more than 44 states have enacted data breach laws. Several have adopted or proposed laws that, in addition to requiring customer notification in the event of breach, go further and impose criminal penalties for failure to notify customers of a data breach and civil liability to banks for breaches of payment card data.

So, what is covered here and what are your obligations if it happens to you? As you might expect, the various state laws are not identical. As a result, if you are the victim of a data breach you will need to examine where your customers reside and examine/comply with the laws for each implicated jurisdiction.[2] Fortunately, however, these laws do have some common features:

First, most of these laws cover only personally identifiable information. That is, information from which a person might be able to identify the customer. This would include the customer’s name, social security number, date or place of birth, mother’s maiden name, identification card or credit card number in combination with a password or access code. Most, but not all, of the state laws provide a safe harbor for information that is encrypted.

Second, most states require you to give notice regardless of the potential risk that the information will be misused.

Third, the statutes define how you must deliver the notice and when. Typically, notice may be delivered in writing, electronically (with the customer’s consent) or by publication (web site or newspaper, etc.) if other methods are not likely to result in notice to the customer or the cost of notice would exceed a specified dollar amount, usually $250,000. Although some laws specify time periods within which notice is required to be given (10-45 days), others require notice “in the most expedient time possible and without unreasonable delay”.

Fourth, some state laws also require you to make arrangements for consumers to obtain a credit freeze to prevent disclosure of a credit report to a credit bureau.

Finally, many of the state laws provide forms for the notices you must use.

The bottom line here is that if you collect information from customers located in the U.S. you need to be aware not only of the rules governing the collection and security of such information, but your obligations if your security efforts fail. And, as part of this process, you should adopt policies regarding the collection and access to such information, with regular audits to confirm compliance with these policies. Of course, these policies also need to address who within your company will be responsible for determining if a breach has occurred and if notice or more aggressive steps are required to comply with applicable laws.

Be sure to tune back in a couple of weeks. We will look at user generated content and other IP issues. And, for questions about various privacy and data breach requirements, contact Scott Warner (sgwarner@gsblaw.com) or James Dunstan (jdunstan@gsblaw.com).
[1] This would be in addition to any contract liability you may have to your customer if you fail to comply with the terms of your privacy policy. And, remember, that in some states failure to comply with your privacy policy may be a violation of state law. See, for example, California Bus. and Prof. Code sections 22575-22579.
[2] These laws are not limited to customer information; they apply to anyone about whom you collect information. And most impose obligations regardless of where you are located; the obligations are triggered based on where the customer resides.
