Years ago, legally imposed data security requirements were rare and limited to specific industry niches. Firms in the financial services industry had the Safeguards Rule under the Gramm-Leach-Bliley Act of 1999 (GLBA), and members of the health care industry had the Privacy and Security Rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Today, GLBA and HIPAA are just the tip of the iceberg when it comes to laws that require an organization to implement, maintain and document adequate security measures, regardless of its line of business. In fact, a company can find itself under such an obligation through multiple sources at once: statute, industry standard and contract. A prudent firm therefore should not wait until a clear and direct obligation exists before taking steps to secure its systems and processes. A legal obligation to do so may be just around the corner, or one may already exist without the entity knowing it.
Contained within the American Recovery and Reinvestment Act of 2009 is the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. One of the many changes brought on by the HITECH Act was the modification of HIPAA to significantly increase the obligations imposed on business associates, making them directly subject to the Security Rule rather than bound only through their contracts with covered entities. Business associates are those organizations that perform activities on behalf of a covered entity that involve protected health information.
The PCI Security Standards Council continuously updates its Data Security Standard (PCI DSS). PCI DSS was established by the payment card brands to ensure the security of cardholder data. Among the changes is a recognition of the various third parties who may have access to cardholder data, and therefore a requirement that merchants obtain assurance that all such parties maintain adequate security over that data. Though compliance is enforced through the card brands' contracts rather than by statute, PCI DSS has been incorporated by reference into some state laws (Nevada and Washington, for example).
Perhaps most easily overlooked are requirements imposed on an organization merely by signing a contract with another business. Many business-to-business agreements contain data security requirements, sometimes buried within an exhibit to the contract, and a breach of those terms can carry contractual liability regardless of whether any statute was violated.
How to respond? Companies should take numerous steps to mitigate potential risks, including: maintain a written information security program, train employees, perform annual security assessments and audits, and deploy intrusion detection systems.
Despite a company's best efforts, breaches can still occur. When they do, a company should first assemble its internal resources to determine what type of incident has occurred. A response team should already be in place, drawn from human resources, legal, public relations, information technology and top management. IT should review the data that was potentially exposed to determine which data elements are involved. The type of data determines whether notification is required under state law: most state breach notification statutes apply only to defined categories of personal information (such as a name combined with a Social Security number, driver's license number or financial account number), and many exempt data that was encrypted at the time of the breach. Next, notification letters to affected data subjects may need to be drafted in compliance with the applicable state breach notification laws, which differ in content and timing requirements. If payment card data is involved, the company may also need to notify the affected card brands.
If the affected population is large enough that inquiries could exceed what the company's own staff can handle, a call center should be set up. After the breach is handled, the company should analyze the incident and outline potential areas of improvement to avoid future incidents.
Whether or not the law requires it, sound data security practices and a proactive approach to these issues are always advisable.
Richard Blumberg is director of data breach response services at Equifax, and Gary Kibel is a partner at Davis & Gilbert LLP.