Growth in Security Standards: Create Expensive Obligations for Business
July 11, 2007
This article was originally published in Focus Extra, the Washington Metropolitan Chapter of the Association of Corporate Counsel newsletter.
The advantages that flowed to retail business through the information revolution – automated accounting through point-of-sale systems, payment card scanning and immediate verifications, wireless connectivity between company computers, broader reach through online marketing, mining consumer data to better target profitable customer populations – have arrived with some hidden costs that, for many businesses, have been slow to reveal themselves. Now those costs are clear.
Under new rules, businesses are required to protect this data in specific ways and audit their compliance with new information security standards. And those requirements are being enforced by the government and by other businesses.
Fifteen years ago, very few companies were forced to comply with data security requirements. Customer records were just being moved to stand-alone computers running customized software. Few companies aggregated information about consumers. But new information technology changed everything. Companies realized that the transactional data gleaned from sales and the personal information of their customers could be a valuable commodity. As more important personal data migrated from the paper world to the digital world, and more digital files became connected to the Internet, the general public became aware of the risks to their identities. In reaction, regulators and legislatures around the world moved to protect the privacy of personally identifiable information.
The first United States rules addressed categories of information that we believe to be particularly important to protect – information about children, about personal finances, and about personal health. In addition, companies were pressured to explain to customers how they would treat or use personally identifiable consumer information.
Regulated industries like banking and healthcare were required by the government to carefully mind the privacy of customer information. Longstanding banking data privacy requirements were updated and codified in the Gramm-Leach-Bliley Financial Services Modernization Act, and applied to many types of companies holding personally identifiable financial information. Similarly, the Health Insurance Privacy and Portability Act ("HIPAA") and its regulations imposed strict privacy requirements on the health care industries.
In addition, the government pursued those companies that did not protect information in a manner consistent with their published privacy policies. If your business privacy policy claimed that customer information would not be sold to third parties, and your business sold the information to third parties, then the Federal Trade Commission and various state attorneys general were prepared to take your business to court and to impose fines.
The other shoe soon dropped. Using the logic of the new privacy regulations, information security became an issue of regulatory attention. If data privacy was important, and companies were restricted from intentional disclosure of customer or patient data, then shouldn’t those companies be restricted from recklessly or carelessly disclosing the same important information? Leaving the door wide open to identity thieves can be just as destructive as handing those thieves the valuable data. Therefore, companies holding private information must be responsible for gathering it, keeping it, using it and disposing of it safely.
Because the security obligations imposed on business have followed the path of privacy obligations, the financial and health care industries were the first to feel specific information security standards imposed upon them. The regulations flowing from Gramm-Leach-Bliley and HIPAA included detailed standards for information security.
These published standards addressed all aspects of information security, from protecting networked technology, to training employees, to producing an information security plan, to contingency planning. They required that regulated businesses regularly test their own systems for vulnerabilities and audit their data security for compliance with the changing standards. The regulations were vague in some ways, in order to allow smaller businesses some flexibility in addressing the requirements. But the regulations were specific in requiring attention to policies, personnel, and technology.
California enacted another type of information security law in 2004, and while it claimed to protect the data of California residents, it affected nearly every business that gathered customer information across many states. The California law required that every company suffering a breach of secure, personally identifiable consumer information relating to California residents promptly inform those California resident customers that their data had been compromised.
Prior to this time, information security breaches, including hacker attacks or lost laptops containing valuable data, were handled quietly by the business suffering the violation. The California breach notification law was the first to force companies not only to admit that their security failed, but also to send notices to company customers of the problems. As a practical matter, a multi-state company that sent such a notice to California customers as required by law and did not send a similar notice to its other affected customers was making a poor business decision, so many companies have applied the California notice requirements to security breaches involving all of their customers.
More than thirty states have joined California in enacting an information security notice requirement, and the financial services industry regulators have instituted a similar nation-wide requirement. The United States Congress may soon enact a federally mandated notice requirement to preempt those of the states and clarify data breach notice obligations for companies.
In addition, enforcement authorities have begun broad information security standard enforcement across consumer-facing industries. At first, the FTC and state attorneys general prepared complaints against companies whose data security practices violated their stated privacy policies, finding that behavior to be "deceptive" to company customers. In the past three years, these enforcement agencies have broadened their reach with regard to customer privacy so that companies that accept a customer’s personal financial information without maintaining adequate information security to protect this information face FTC action for "unfair" practices. At least two companies have paid fines and/or executed consent orders with the FTC because of inadequate data security practices.
Finally, many retailers have recently begun compliance with information security requirements imposed under contract by Visa, MasterCard, Discover, and American Express. Companies may be fined for not meeting these Payment Card Industry (“PCI”) data security standards even if the companies have not suffered from a breach in security. The payment card companies made their rules more compulsory in late 2006 and this year have issued significant fines for violating the rules.
The standards call for following twelve security requirements that are generally recognized as a basic data protection regime. The broad themes of these requirements include building and maintaining a secure network, protecting cardholder data through encryption, managing vulnerabilities (for example, with regularly updated anti-virus programs), implementing access control procedures, monitoring and testing networks, and following an information security policy. The PCI rules also require outside audits of many retailers. The PCI Security Standards Council provides public documents that can help any merchant learn the rules and move toward compliance, including a self-assessment questionnaire, a detailed description of security audit procedures, and a list of qualified security assessors.
A variety of new rules, regulations and contractual obligations assure that any company requesting and holding consumer data must now pay attention to the security of that data, or risk significant fines. The cost of data security compliance can be high, but the cost of non-compliance may be much greater.
This document is intended as an informational reminder and does not constitute legal advice. If you have any questions or would like to discuss a particular situation, please contact Womble Carlyle Sandridge & Rice, LLP. The purpose of this article is to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances.
