Today’s article covers the relevant federal and state laws regarding the collection and sharing of personal information, as well as the notification requirements when data breaches occur in a public or private workplace.
The Gramm-Leach-Bliley Act (the “Act”) requires qualifying financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The FTC Safeguards Rule under the Act requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
Disclaiming guaranteed protection of customers’ information is not an acceptable measure, and therefore not a defense. Qualifying businesses have a responsibility to proactively take measures to ensure that all subsidiaries and affiliates safeguard the customer information that they collect. Financial institutions covered by the Act must inform customers about in-house information-sharing practices and their right to “opt out” if they don’t want their information shared with certain third parties.
A crucial aspect of data breach risk management is notification about any data breach to those affected. California was the first state to enact a data breach notification law, which requires a business [California Civ. Code s. 1798.82(a)] or state agency [California Civil Code s. 1798.29(a)] to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. If a single data breach affects more than 500 persons, the business must submit a copy of the notice to the California Attorney General.
In addition to the safeguarding of primary personal information, data relating to salary, benefits and employee contracts must be protected. Outside payroll and cloud-based services connected to a company’s information system must be constantly monitored. Standard policies must be implemented for electronically transmitting important company documents and all other types of information through computer networks.
The FTC prescriptions include first assessing the sufficiency of any safeguards currently in place to control data breach risks. Then, an employee or employees should be designated to coordinate an information security program, identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure or other compromise of this information.
This risk assessment should minimally include consideration of the risks in each relevant area of the operations of the business. These areas include:
- employee training and management;
- information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
- detecting, preventing and responding to attacks, intrusions, or other systems failures.
Employers must design and implement safeguards to control the risks identified through risk assessment, while regularly testing or otherwise monitoring the safeguards’ effectiveness. Adjustments to an information security program must be made to reflect the findings of testing and monitoring. Business owners must select service providers that are capable of maintaining appropriate safeguards for customer information, as well as be willing to contractually implement and maintain any necessary safeguards related thereto.
Implementing A Data Breach Plan At Your Workplace
Companies should use the FTC’s prescriptions to protect personal information as guidelines to the implementation of an information security program that meets the requirements of federal and state law. Employers must develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of a business, the nature and scope of business activities, and the sensitivity of all customer information.
The best measures are always those that are preventive rather than curative. The best initial policy for preventing losses is to not simply reduce, but eliminate the possibility that a company’s information system is a viable, easy target. Some tips for doing this include:
- drafting provisions in an employee manual that more than adequately detail the use, possession and protection of sensitive information;
- disallowing the transmittal of sensitive information over all electronic communications, including phone, e-mail, and social media;
- encrypting every company computer;
- storing sensitive materials in a separate database on an isolated server, which is not connected to any other computer or communications network;
- utilizing spam systems that scan outgoing emails, preventing key data from exiting the information system;
- web filtering to scan web pages for malicious content;
- managing mobile devices; and
- scanning continuously to detect network threats.
It is important for California employers to have a data protection and data breach notification plan. If you are an employer in California, it is important to obtain sound legal guidance for your business. DeAnn Flores Chase and her team of experienced attorneys can advise you on all your business needs. Contact Chase Law Group, P.C. at (310) 545-7700 or visit www.chaselawmb.com to schedule a consultation.