Developments in privacy law: Does your business have a legal obligation to encrypt sensitive personal information?

Fast forward one year from now and imagine that one of your employees has just returned from a successful business trip to Boston. Actually, the employee killed it and he is coming home with a lot of new customer names and corresponding credit card numbers!

The employee comes into the office Monday morning and reports, “Boss, I have some good news and some bad news. Which would you like first?” You opt for the good news – and he informs you that he is pretty sure that he broke the company record for sales. Now the bad news, he informs you that his laptop was stolen or lost sometime during the return trip. However, he says everything will be fine because he has all of the customer’s business cards and he is planning on calling each customer today to recover all of the lost data. Is everything “fine”?

It depends… but chances are high that you will have a few legal problems on your hands. If your business is like most, you do not have any company rules regarding encryption of sensitive personal information and stored in the laptop was a spreadsheet containing all of the customer names and credit card numbers for new customers acquired during the business trip to Boston.

What legal problems might you have on your hands?

1. For starters, over 40 states now have “security breach notification statutes” which obligate you to notify customers that their credit card information may have been compromised. You have a lot of explaining to do! (Note that most of these laws provide an exception to your obligation of providing notice if the sensitive personal information has been encrypted.)

2. On top of that your legal counsel informs you that Massachusetts has just adopted a law, which makes it illegal to store unencrypted sensitive personal information on a laptop. Additionally, your company was supposed to have a comprehensive written information security program in order to comply with the Massachusetts law.

Let’s briefly dissect this new Massachusetts law:

The law is aimed at protecting sensitive personal information (“SPI”). What exactly is SPI?

Typically this includes a person’s first and last name or first initial and last name plus a social security number, driver’s license number, credit card number (with or without a security code), or other financial account number.

The law requires that certain categories of information be encrypted. So what is mandatory encryption?

Massachusetts requires encryption of all sensitive personal information of a Massachusetts’s resident that is stored in portable devices or transmitted electronically.
(Please note that this requirement applies to all businesses.)

Requirements for implementing a Comprehensive Information Security Program:

Without getting into all of the specific requirements, let me just tell you that the law requires your security program contain 12 specific procedural elements and 8 specific technical elements.

In particular, businesses must now take “reasonable steps” to ensure and verify that all third-party service providers with access to your customer or employee sensitive personal information have the ability to protect that information. This includes written certification that the provider also has a written, comprehensive information security program.

So what are the risks of non-compliance?

Nobody really knows. The Massachusetts law simply states that the attorney general may bring an action for violation of the state’s requirements. IMO, this would most likely be a fine.

So, beyond guessing what the attorney general may or may not do – what are the practical consequences of non-compliance with this law?
In my opinion the real risk of non-compliance is the possible damage to your brand image.

So the question becomes, how valuable is your brand’s image?
For many organizations it is the most valuable asset that you have. The funny thing about brand value is that it can only be built over the life span of a business, however it can be lost over night.

In today’s world of identify theft paranoia, your company’s ability to protect its customer and employee sensitive personal information greatly impacts your brand’s image. Simply put, handling people’s sensitive personal information is a high stakes venture.

I have often heard lawyers say that one of the chief purposes of business law is the allocation of risk. That statement is applicable here. One risk that a business can hope to allocate properly through practical legal planning is protection of its customers “sensitive personal information.” In other words, if you can protect their SPI you can protect your company’s brand image.

Privacy protection matters are a hot legal topic
and in recent years there has been an expanding legal framework for the protection of sensitive personal information. Let me provide you with just three examples:

1. The Presidential Identity Theft Task Force (did you know we had such a group?) recently asked the FTC to explore identity theft issues. After a year of exploration the FTC has now developed the a lengthy list of recommendations and is expected to bring this list to Congress for action in the very near future, this list includes a recommendation for implementation of national standards for data protection and breach notification.

2. A Nevada law requiring encryption of customer personal information went into effect on October 1, 2008. This law requires “that businesses in this State (Nevada) shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

3. As of May 1, 2009 Massachusetts law requires that all businesses that own, license, store or maintain sensitive personal information concerning any Massachusetts resident must take comprehensive measures to protect that information from unauthorized access, disclosure, or misuse. This law includes a requirement to encrypt all sensitive personal information of Massachusetts’s residents that is stored on any portable device or that is transmitted over the Internet or by wireless connections.

So, what does all this mean for your business?

IMO, regardless of whether your business handles the sensitive personal information of Massachusetts residents or not, you cannot afford to ignore these privacy developments. A pattern is being established and you should evaluate your company procedures regarding safeguarding customer and employee sensitive personal information.

Please be aware that there are already a variety of federal and state laws that require businesses employ “reasonable safeguards” for the protection of SPI. Although, the phrase “reasonable safeguards” is still somewhat undefined, the Nevada and Massachusetts laws addressed today go a long way toward moving encryption from a mere recommended practice to an actual legal obligation.

Best Practices Checklist

1. Review the SPI information you are collecting.
2. Is it necessary to both collect and store the SPI?
3. If so, where do you store the SPI? Do you send the SPI to any third parties?
4. Review your Privacy Policy to make sure it is consistent with your business practice of collecting and storing data.
5. Take inventory of how the data is protected. Should it be encrypted?
6. Do you have a written “comprehensive information security plan?” Do the third parties with access to your SPI have a written security plan?