As we pass the midpoint of 2005, identity theft and information security issues are reaching critical mass in politics, law enforcement and the media. When corporate officers and attorneys return from their summer vacations, they will find a high-risk environment for any company that has failed to make data security a top priority. Among the recent developments:

  • At least 13 states have passed new laws that require businesses to notify customers when personal information is compromised, and at least 22 other states are considering such laws. Several bills are pending in Congress that would impose similar duties on a nationwide basis.
  • New Federal Trade Commission ("FTC") rules on proper disposal of customer information took effect on June 1, 2005. The FTC wants to prove that it is serious about enforcing those rules. One or more unfortunate companies will help the FTC prove its point.
  • In a complaint against BJ’s Wholesale Club, Inc., the FTC for the first time brought a data security enforcement action against a company that had not promised to protect customers’ information. This action, and a lawsuit by the Ohio Attorney General against DSW, Inc., open an era in which companies that say nothing about their data security are as vulnerable as those that do.
  • The media have discovered data insecurity with a vengeance. On June 15, The Wall Street Journal reported that losses of information, once publicized, reduce the stock prices of the affected companies for an appreciable time. On June 30, The Washington Post called for stricter enforcement of information security laws. On July 4, Newsweek put "The Scary New World of Identity Theft" on its cover. These print media reports have been supplemented by innumerable "ID theft" features on local and network television.
  • Spectacular and well-publicized data security incidents have kept the issue in the spotlight. ChoicePoint and other companies have suffered data breach incidents that potentially affect tens of millions of customers. At least 50 such incidents are known to have occurred since February of this year, with as many as 50 million consumers compromised.
  • On July 5, 2005, an amended class action complaint was filed against CardSystems Solutions, Inc., Merrick Bank Corporation, VISA and MasterCard for alleged violations of law in connection with the compromise of the account information of approximately 40 million credit card holders. If successful, this action will encourage the filing of similar suits against any company that suffers a loss of customers’ personal information.
  • The FTC has asked Congress for new, tougher laws to punish companies that lose customer information. The members of Congress who return from the summer recess will have read the press and heard from their constituents, and they will be inclined to give the FTC what it wants.

In this environment, any company that has put off addressing data security compliance should move that issue to the top of its list. Specifically, any corporate counsel or manager who is uncertain about his or her company’s data security status should seek answers to the following compliance questions:

Is Someone in Charge?

Not all companies’ operations are extensive enough to justify appointment of a full-time Privacy Officer, but every business, regardless of size, should appoint a qualified person to take ownership of information security compliance. That person must have the resources, authority and backing to develop realistic policies and to secure cooperation from all affected functions, including Human Resources, Marketing and Information Technology.

Has the Company Performed a Risk Assessment?

The foundation of a credible data security policy is a formal, written risk assessment that identifies all of the internal and external threats to the integrity and security of personal information and other critical data maintained by the company. The risk assessment may be performed by the company’s own personnel. However, if there is any doubt concerning the ability of available employees to perform that task, the job should be outsourced to an independent professional – preferably, to someone qualified as a Certified Information Systems Security Professional ("CISSP"), a Certified Information Systems Auditor ("CISA"), or a person holding a Global Information Assurance Certification ("GIAC") from the SysAdmin, Audit, Network and Security ("SANS") Institute.

Does the Company Have a Written Data Security Plan?

In the event of an investigation or lawsuit related to data security, the company will be asked whether it has a written data security plan. If the company is unable to produce such a document, it will have a difficult time proving that it has implemented appropriate measures to protect personal information.

Has the Data Security Plan Been Fully Implemented?

Effective data security is not achieved by the creation of impressive documents. Risk assessment reports and data security plans are meaningless unless they are implemented. For that purpose, the company’s plan must be translated into specific policies and procedures, and employees must be trained to implement those policies and procedures.

If any of these compliance items is not in place, or if the company has not recently reviewed its plans and policies to ensure that they remain adequate in light of changed circumstances, immediate remedial action should be taken.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved