Thursday, September 24, 2009

Protecting Employee Information in the Hands of Others

In Business Management Daily, Susan Lessack of Pepper Hamilton LLP offers guidance on protecting employee data handled by third-party vendors. Lessack says: "A good contract with your vendor is your best protection against liability," and cites specific terms to include in contracts, such as those that limit the number of people who can access the data. Lessack says that, although the vendor may be reluctant to enter into such a term, the contract "should stipulate that the vendor is legally responsible for any data breach that occurs during its engagement, and that it will indemnify you and your employees for any actions resulting from a breach."

At Pre-Paid Legal, those of us who are qualified to work with companies in establishing a policy framework for information protection and risk management have taken this provision of the Red Flags Rule to heart as it deals with third-party contractors. We ask every client company to inform all of their contractors of the efforts they have made to protect PII and to request that they do the same or similar. It is just smart business to complete the loop of data security. Even an office cleaning service should adhere to the basic rules of security. I have visited numerous businesses where the cleaning service has more or less unlimited access to hard copy left on desks, in wastebaskets, and on top of file cabinets, to name a few. When we include all contractors in the security formula, a much better understanding of personal information security is created, which gives rise to the FTC term "Culture of Security" that we are hopefully all striving for.

The recommendations of the FTC are sound. All RFIs and contracts should contain such language. In the not-too-distant future, I believe, all federal government contracts will contain this kind of clause. As regards liability, FACTA clearly gives liability to all parties who share non-public information. If a company hires an HR service, for example, and that contractor suffers a breach of that information, then the liability is shared by both companies. Even if identity theft does not occur, both firms can be sued for a "failure to adequately protect the information." There is no requirement under such circumstances to prove pecuniary damage.

Monday, September 21, 2009

New ID Theft Bill Introduced in the Senate

A new bill was introduced in the US Senate that would establish a new FTC office. This notice is very timely for me since I have been talking about such legislation.

New York State Senator Charles Schumer has introduced a bill aimed at helping prevent and diagnose identity theft, reports the Evening Observer. The Personal Data Privacy and Security Act would increase penalties for those who commit the crime and would make it illegal for organizations to conceal a security breach involving personal data. The law would also require entities that hold personal data to establish data protection policies. "Identity theft is a scourge on hard-working Americans, and it is a problem that is getting worse," said Schumer. The act would also establish an Office of Federal Identity Protection within the Federal Trade Commission.

For about six years, the Federal Trade Commission has offered guidelines for businesses and other enterprises that have files and records containing personal data, whether of employees past and present, of customers, or of client companies (as with HR and payroll businesses). These guidelines were offered as a way for industry to police its own operations and to train personnel on protecting the non-public information they handle.

These recommendations have been largely ignored by all but the companies regulated by the banking authorities, such as the FDIC. During that time, identity theft has become epidemic and is currently costing American businesses and individuals in excess of $45 billion annually. This figure does not reflect identity theft losses due to personal theft and fraud, only those incidents that are the result of database losses.

Now, in 2009, we are faced with legislation that will require all businesses, schools, and municipalities to take specific measures to thwart these crimes. This will likely be more costly than the voluntary measures previously on the table.

Moreover, the reporting aspect of this bill, requiring businesses to reveal breaches to potential victims, will have a profound effect on public confidence in the breached businesses. In economic times such as we are in, that is something businesses can hardly afford. Investigations into breaches will also be hampered by this requirement, and I'm certain that we will see pushback from business on that point.

It is sad to see that businesses would rather do nothing than take basic measures to safeguard information. My mantra holds true: "When you protect the information you hold on others, you are protecting them. When someone else does it, they are protecting you."

Our data is only as safe as the weakest link, and with literally thousands of databases containing our personal data, there are thousands of weak links to contend with.