King Spry

King, Spry, Herman, Freund & Faul, LLC

Attorneys & Counselors

Allentown | Bethlehem | Stroudsburg | Pittsburgh

July 12, 2011, Number 17

Introducing The New Burglar: Digital "In" Security

By: Jeffrey Tucker and Keely Espinar, Esquires
KingSpry Employment Law Practice Group 

Joe Burshki from your accounting department leaves for the day without logging off of his computer. On his screen is a spreadsheet containing customers’ names and bank account information. Lynn Smith, your CFO, leaves her business laptop on an airplane. Bob Nye, an office assistant, believes he is sending an inter-office email regarding client accounts, but instead the email is misdirected and sent to an outside email address. All of the above are examples of potential data breaches. There was a time when “hacking” was rare and only affected huge businesses with massive databases of information. Times have changed. Now, hackers are digitally accessing and/or acquiring personal information of small business customers and clients from any location, even internationally.

What To Do In The Event Of A Breach:
The Breach of Information Notification Act
The Breach of Information Notification Act (the “BINA”) defines your notification obligations to Pennsylvania residents when there is a digital information breach. With an effective date of June 20, 2006, the BINA was enacted specifically for consumer protection.

Under the BINA, all businesses, even non-profits, sole proprietorships, political subdivisions, and state agencies, must provide notification to any Pennsylvania resident whose personal information is breached. Under the BINA, a breach occurs upon the unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information maintained by an entity, and that access actually causes, or the entity reasonably believes has caused or will cause, loss or injury to any resident of Pennsylvania. Simply stated, if you believe that your customer or client information has been compromised, you must notify any affected Pennsylvania resident.

Avoid Negligence Liability and Notification Requirement
As noted above, your notification requirements are only triggered where “personal information” is unlawfully accessed and acquired. Knowing what counts as “personal information” can potentially save your clients from the theft of their information and, in turn, can eliminate some of your business’s exposure to negligence liability.

Information is only considered personal information if it includes the following: An individual’s first and last names or first initial and last name, plus one or more of the following: (A) Social Security number; (B) Driver’s license number; and/or (C) Credit card or debit card account number in combination with any access code.

However, none of the listed information is deemed “personal” if it is encrypted or truncated. Encryption is an algorithmic process that creates a low probability of assigning any meaning to the information without a key or a confidential process. Truncation is the redaction of numerical information so that only the last four digits of a card or identification number are accessible. If your clients’ personal information is compromised and your business failed to encrypt or truncate any of the above-listed information, your business could be exposed to negligence liability. On the other hand, if your clients’ information is encrypted or truncated, you have no obligation to provide notification in the event that the information is unlawfully viewed or acquired (unless the “hacker” has somehow defeated the encryption or truncation).
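The definition above (a name plus at least one listed data element, with encrypted or truncated elements exempt) can be written down as a small rule check, which is also a practical way to audit which records in a spreadsheet or database would trigger notification. The following Python is an added example and is not part of the newsletter: the record layout, the field names, the `encrypted_fields` marker (standing in for however a real system records that a column is encrypted at rest) and the sample rows are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

LAST_DIGITS_KEPT = 4  # truncation as described: only the last four digits stay readable


def truncate_identifier(value: str, keep: int = LAST_DIGITS_KEPT) -> str:
    """Redact an identifier so only its last `keep` digits remain readable.
    Separators such as dashes and spaces are dropped before masking."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= keep:
        return digits
    return "*" * (len(digits) - keep) + digits[-keep:]


def is_truncated(value: str, keep: int = LAST_DIGITS_KEPT) -> bool:
    """A stored value counts as truncated when at most `keep` digits are readable."""
    return sum(ch.isdigit() for ch in value) <= keep


@dataclass(frozen=True)
class CustomerRecord:
    # Assumed record layout (not from the newsletter).
    first_name: str                            # full first name or just an initial
    last_name: str
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    card_number: Optional[str] = None
    card_access_code: Optional[str] = None     # code that would permit use of the card
    encrypted_fields: FrozenSet[str] = frozenset()  # fields stored encrypted at rest


def _readable(rec: CustomerRecord, field: str) -> bool:
    """True when the field holds a value that is neither encrypted nor truncated."""
    value = getattr(rec, field)
    if value is None:
        return False
    return field not in rec.encrypted_fields and not is_truncated(value)


def exposed_elements(rec: CustomerRecord) -> List[str]:
    """Return the data elements that make this record 'personal information'
    under the definition quoted above. An empty list means the record is exempt."""
    if not (rec.first_name and rec.last_name):
        return []  # without a name the elements do not identify an individual
    exposed = []
    if _readable(rec, "ssn"):
        exposed.append("ssn")
    if _readable(rec, "drivers_license"):
        exposed.append("drivers_license")
    # A card number only counts in combination with an access code.
    if _readable(rec, "card_number") and rec.card_access_code is not None:
        exposed.append("card_number")
    return exposed


def triggers_notification(rec: CustomerRecord) -> bool:
    """Would a breach of this single record require notifying the resident?"""
    return bool(exposed_elements(rec))


def redact_record(rec: CustomerRecord) -> CustomerRecord:
    """Truncate every stored identifier that is not already encrypted, so the
    record no longer meets the definition of 'personal information'."""
    changes = {}
    for field in ("ssn", "drivers_license", "card_number"):
        value = getattr(rec, field)
        if value is not None and field not in rec.encrypted_fields:
            changes[field] = truncate_identifier(value)
    return replace(rec, **changes)


if __name__ == "__main__":
    # Constructed sample rows, not real customer data.
    row = CustomerRecord("Joe", "Burshki", ssn="123-45-6789",
                         card_number="4111 1111 1111 1111")
    print(exposed_elements(row), triggers_notification(row))        # ['ssn'] True
    safe = redact_record(row)
    print(safe.ssn, safe.card_number, triggers_notification(safe))  # *****6789 ************1111 False
    encrypted = CustomerRecord("Bob", "Nye", ssn="ENCRYPTED-BLOB-PLACEHOLDER",
                               encrypted_fields=frozenset({"ssn"}))
    print(triggers_notification(encrypted))                         # False
```

Note that a card number without its access code, or an identifier stored alongside only a first initial with no last name, does not count on its own; the check mirrors that, so it reports which specific field still needs encryption or truncation rather than a bare yes or no.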

Disclosing the Breach To Your Customers
Under the BINA, once it is determined that personal information is compromised, you must provide notification “without unreasonable delay.” Essentially, the law requires you to provide notice as soon as you are able. While not completely clear under the BINA, it is best to first contact your local law enforcement office to explain the situation and obtain permission to notify your Pennsylvania customers or clients. This is because your notification could interfere with their investigation.

Notification to your affected customers should be provided via written correspondence that informs your clients of the breach in a clear and conspicuous manner. The law also allows telephonic and email notification to Pennsylvania residents under certain specific conditions, but we do not recommend this.

Third Party Vendor Situation
Third-party vendors create a unique problem under the BINA. When a third party maintains, stores, or manages digital data on your behalf, such as an insurance carrier or payroll company, notifying you is that vendor’s only obligation in the event of a breach. It is then your obligation to provide notification to your affected clients who are Pennsylvania residents. Therefore, under the BINA, it is your obligation to provide notification if your clients’ information is lost or otherwise compromised in the hands of a third-party vendor.

On the Proverbial Hook: Penalties for Non-Compliance or Mishandling of Information
Any violation, however unintentional, is considered an “unfair or deceptive act or practice” under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (the “UTPCPL”). An individual cannot sue your business under the UTPCPL, but the Attorney General can. Costs can be assessed and damages ordered for anyone who is injured by your failure to provide notification.

Even if you comply with the notification requirements, your business could suffer reputational damage. Therefore, even though it is not required under the BINA, you may want to take steps to minimize such damage, such as offering credit monitoring to your affected customers. Credit monitoring is the most common form of assistance to customers whose information has been compromised.

Bottom Line for Businesses
Here are suggestions for you to avoid legal liability and protect your reputation in the wake of the “new burglar”:
(1) First things first. Truncate and/or encrypt all customer Social Security numbers, account numbers, and driver’s license numbers.
(2) Trust your instincts. If you have a “gut feeling” that your customers’ personal information has been compromised, contact an attorney.
(3) Contract Out of Third-Party Blunders. In cooperation with an attorney, draft your contracts with third-party vendors to shift the digital breach notification requirement to the third-party vendor.

Also, remember that the BINA only applies to Pennsylvania residents. When the information of an out-of-state client is breached, you must comply with that state’s digital information notification laws.

If you have any questions regarding digital data breaches, please contact one of our Employment Law Attorneys.

* KingSpry Employment News is meant to be informational and does not constitute legal advice.
