April 2007 - Data Security

Protecting Consumer Information Is Good Business

By Stuart Ingis

Privacy and security of personal information is an important part of doing business as well as establishing and maintaining customer trust in the Internet and information age. Developments in the law and policy of data privacy in the past two years have been driven by, and focus on, so-called data security “breaches.”

In dozens of incidents over the past two years, companies have suffered negative public and customer attention resulting from such breaches. In most cases, the breaches are a result of bad actors who exploit a company’s data security vulnerabilities. Unfortunately, companies that have not fully and regularly assessed their data security and privacy practices are prime targets for these bad actors. Even the most reputable companies with the best of practices still can be vulnerable and have been victims of breaches.

Thirty-four states have passed laws requiring notification to individuals when certain information (usually social security numbers, driver’s license numbers or financial account information) is breached. As these laws have been enacted and companies have suffered breaches, there are frequent questions as to whether data has been “accessed” or “acquired” such that individual notification is required. Much of this debate occurs because most of the data breaches resulted in little or no identity theft. Recent studies have shown very limited correlation between data breaches and identity theft. Notification in these instances may, therefore, be an overreaction, and could result in negative public relations and consumer mistrust of the company.

To avoid such negative public and customer relations, there are a number of steps that companies can take now, learning from the experiences of businesses that have had publicly disclosed breaches.

Evaluate data security for sensitive personally identifiable information. Retailers should regularly analyze the types of sensitive personal information that they possess and how such information is handled. Retailers should consider encryption or similar technologies that make information unreadable and, therefore, unusable by perpetrators of identity theft. Increasingly, businesses are deploying such technologies across their information systems. The use of technologies such as these also has the benefit of affording companies an exemption from the consumer notification requirements in the event of a breach under the state laws that have been enacted in this area.

Develop an incident response plan. No company is immune to the sorts of data breaches that have occurred in recent years. Computer hackers and wrongdoers are in technological “wargames” with legitimate companies that provide goods and services that consumers desire. Companies that are best prepared to respond to data breaches are those that have developed comprehensive plans to deal with such incidents. The creation and implementation of response plans should span companies’ divisions, and should include representatives of the business’ management, information security, legal, PR, HR and other teams, depending on the nature of the business.

Companies have found that strong security and privacy practices are critical to successful consumer offerings.

Stuart Ingis is a partner at Venable LLP. He can be reached at (202) 344-4613, or via e-mail at [email protected].

