
The State of Privacy  
By Joe Oleksak & Kurt VanderWal
Community Bank Advisor, 2008 Summer

Pointing the finger

Identity theft is one of the fastest growing problems in the United States. Estimates suggest that between 300 and 400 data breaches were reported in 2007, exposing more than 79 million records, roughly one record for every four Americans and nearly four times the 20 million records reported compromised in 2006. (A single person can appear in several breached records, so the number of individuals actually affected is not known precisely.) So who are these Americans? It could be anyone, but depending on the state in which they live, they may never know!

Many states moved quickly to protect the privacy of their citizens by passing laws that require businesses to inform customers and employees of a data breach. These laws follow the individual, not the company: regardless of where a company resides or where its data is housed, the law of each affected person's state of residence governs the disclosure obligation.

California passed the first such law; 38 states and the District of Columbia have since followed. However, the laws differ both in how they define personal information and in what they require of data owners. This fragmented attempt to protect the customer has left companies in legal limbo, often unsure of their legal obligations to each customer or employee when a data breach occurs.

Enter the federal government! While no federal laws are currently in place regarding data breach disclosures, a bill was introduced in Congress in February 2008 that would set the minimum corporate requirements for data breach notifications. The passage of this bill would provide a unified set of standards to follow regardless of the customer/employee location.

Prevent, prevent, prevent

Companies should proactively secure customer data and prevent the breach in the first place, which avoids the confusion entirely. Develop a risk-based security control model built on the following five key principles:

  • Know the data — Inventory all customer data.
  • Keep the minimum — Keep only the data needed for business.
  • Encrypt — Protect personal information.
  • Dispose — Properly dispose of what’s no longer needed.
  • Plan for the worst — Have a plan to respond to security incidents.

It’s more cost-effective to secure customer information than to repair the damage and rebuild consumer confidence after a data breach. 

Know when it happens

Unfortunately, companies may not always be able to prevent a data breach, but in order to comply with requirements set forth in each of the state privacy laws, they should be able to detect (in a timely manner) when such an event occurs.  

Formal firewall monitoring and log reviews, implementation of an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS), and risk-based network event and database logging are all examples of effective detective controls that should be carefully considered by all companies. 
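Detective controls of the kind listed above only pay off if someone actually reviews the logs against the risks that matter to the bank. The script below is an added illustration of such a risk-based review and is not part of the original article: the key=value log format, the host addresses, the application-server subnet, the table names and the alert thresholds are all assumptions, and the log lines are constructed inline so the script runs offline. It flags a bulk read of a table holding personal information, database access from a host that is not an application server, off-hours access, outbound traffic from the database server to the Internet, and repeated denied connection attempts against it.

```python
"""Risk-based review of database audit and firewall logs for breach indicators.

Added example, not from the original article.  The log format, host names,
addresses, table names and thresholds are assumptions; the sample log lines
are constructed so the script runs offline.
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed environment (not from the article): application servers that
# legitimately query the core database, the tables that hold "personal
# information", the database server itself and the internal address space.
APP_SERVERS = [ip_network("10.1.5.0/24")]
PII_TABLES = {"customers", "accounts", "ssn_lookup"}
DB_SERVER = ip_address("10.1.9.10")
INTERNAL = ip_network("10.0.0.0/8")
BULK_ROW_THRESHOLD = 10000        # rows returned by a single query
BUSINESS_HOURS = range(7, 19)     # 07:00 to 18:59 local time
DENY_THRESHOLD = 5                # denied inbound attempts from one source

# Constructed sample lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2008-06-12T09:14:07 type=db user=app_svc client=10.1.5.22 action=SELECT table=customers rows=1
2008-06-12T09:14:09 type=db user=app_svc client=10.1.5.23 action=SELECT table=accounts rows=3
2008-06-12T02:41:55 type=db user=jsmith client=10.2.7.40 action=SELECT table=customers rows=48213
2008-06-12T02:43:10 type=fw action=ALLOW src=10.1.9.10 dst=203.0.113.77 dport=443 bytes=912000000
2008-06-12T11:02:01 type=fw action=DENY src=198.51.100.9 dst=10.1.9.10 dport=1433
2008-06-12T11:02:02 type=fw action=DENY src=198.51.100.9 dst=10.1.9.10 dport=1433
2008-06-12T11:02:03 type=fw action=DENY src=198.51.100.9 dst=10.1.9.10 dport=1433
2008-06-12T11:02:04 type=fw action=DENY src=198.51.100.9 dst=10.1.9.10 dport=1433
2008-06-12T11:02:05 type=fw action=DENY src=198.51.100.9 dst=10.1.9.10 dport=1433
2008-06-12T11:02:06 type=fw action=DENY src=198.51.100.9 dst=10.1.9.10 dport=1433
2008-06-12T12:00:00 type=fw action=ALLOW src=10.1.5.22 dst=10.1.9.10 dport=1433 bytes=4096
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        event[key] = value
    return event if "type" in event else None


def review(log_text):
    """Apply the rules and return a list of (rule, line_no, detail) alerts."""
    alerts = []
    deny_counts = Counter()
    events = [(no, ev) for no, ev in
              ((no, parse_line(line)) for no, line in enumerate(log_text.splitlines(), 1))
              if ev]

    for no, ev in events:
        if ev["type"] == "db":
            client = ip_address(ev["client"])
            table = ev.get("table", "")
            rows = int(ev.get("rows", 0))
            if table in PII_TABLES and rows >= BULK_ROW_THRESHOLD:
                alerts.append(("bulk_pii_read", no, f"{ev['user']} read {rows} rows from {table}"))
            if not any(client in net for net in APP_SERVERS):
                alerts.append(("db_access_from_unexpected_host", no, f"{ev['user']} from {client}"))
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_db_access", no, f"{ev['user']} at {ev['ts']:%H:%M}"))
        elif ev["type"] == "fw":
            src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
            # The database server should never talk to the Internet directly;
            # an allowed outbound session from it is a possible exfiltration.
            if ev["action"] == "ALLOW" and src == DB_SERVER and dst not in INTERNAL:
                alerts.append(("db_server_egress", no,
                               f"{src} -> {dst}:{ev['dport']} {ev.get('bytes', '?')} bytes"))
            if ev["action"] == "DENY" and dst in INTERNAL:
                deny_counts[str(src)] += 1

    # Aggregate rule: many denied attempts from one source is probing, not noise.
    for src, n in deny_counts.items():
        if n >= DENY_THRESHOLD:
            alerts.append(("repeated_inbound_denies", None, f"{n} denied attempts from {src}"))
    return alerts


if __name__ == "__main__":
    for rule, no, detail in review(SAMPLE_LOG):
        print(f"[{rule}] line {no}: {detail}")
```

In the constructed sample, the single off-hours query by `jsmith` from a non-application host that pulls 48,213 customer rows, followed minutes later by a 912 MB outbound session from the database server, is exactly the pattern a timely log review should surface; the six denied attempts against the SQL Server port show the same script catching an external probe. In practice the thresholds and the list of sensitive tables come from the data inventory called for under "Know the data", and the alerts would feed the IDS/IPS or log-management platform rather than a print statement.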

Correct the problem

Once the breach has been identified, state regulations require action. Be prepared to react by understanding applicable customer notification requirements. The first step is determining the state of residence for each customer or employee for whom personal information may have been obtained.  

Nuances in each state law make understanding compliance requirements difficult when the breach affects citizens in multiple states. However, existing state laws are similar enough to provide general guidance, which may help with compliance until more unified guidance is available. The common themes to each state law include:

  • What data was breached?
  • Was it encrypted?
  • Was the encryption key compromised?

Defining the data breach — Regardless of the state law, if the data breached meets the definition of “personal information,” customer notification is required unless the data was properly protected, as discussed below. So what’s the definition of “personal information”?

The National Conference of State Legislatures (NCSL) provides research and assistance related to each of the state privacy laws. Companies should consult legal counsel and/or visit http://www.ncsl.org/ to ensure the definition used is appropriate for their unique situation. 

Was the data protected? — Ideally all companies have implemented encryption, but in reality many have not. If the data obtained was not encrypted, customer notification is a requirement. 

Was the data protected properly? — If the data was encrypted and the encryption key was not compromised or disclosed, and the data is not in the possession of or known to the person who, without authorization, acquired or has access to the data, then customer notification may not be required. 

Informing Customers

If “personal information” was indeed breached, the next issue is to determine how and when to inform the customer. Most state laws require companies to inform customers without unreasonable delay. Acceptable delays may include taking time to determine the full extent of the breach.  

Guidelines to acceptable methods of informing customers may include:

  • Written notice to the customer’s postal address.
  • Written notice sent electronically if the recipient has expressly consented to this form of communication.
  • Notice by telephone from an individual representing your business, provided the message is not delivered as a recording and the recipient has agreed to this form of communication.
  • A “substitute notice” for large-scale breaches, where the state law permits it (typically when the cost of individual notice or the number of affected individuals exceeds a threshold set by the statute). This consists of posting the relevant information on the company’s website and notifying major statewide media.

Third-party Responsibility

Many companies rely on third parties to provide technical resources to their business, including data storage. If a data breach occurs on data stored at a third party, where does the responsibility lie? The answer is simple: with the data owner. Should the third party determine that data stored at its location has been breached, its responsibility is to inform the data owner, not the customers. The responsibility for informing customers always rests with the business, so contracts with service providers should require prompt notification of any suspected breach involving the company’s data.

Companies should require third parties who handle “personal information” to provide a SAS 70 report on the state of their internal controls, preferably a Type II report, which tests whether the controls operated effectively over a period of time rather than merely describing their design at a point in time. A SAS 70 is not the end-all, but it is a great place to start when attempting to gain comfort over the controls a third party has implemented to protect company data.

Conclusion

No one expects to have a data breach, neither the business owner nor the consumer. However, chances are it will happen, and the publicity is generally unfavorable. Having a properly-implemented security control model can help manage the publicity and consumer fallout in the event of a breach. Remember: changes and updates to privacy and consumer notification laws occur frequently, so keeping up with the latest guidance from each state should be considered an important part of everyday business.

Downloads

Community Bank Advisor, 2008 Summer.pdf


Contacts

Joe Oleksak
248.223.3587
joe.oleksak@plantemoran.com


Kurt VanderWal
248.223.3119
kurtis.vanderwal@plantemoran.com