GMCC Media Room
Privacy and Information Security — Laws - Part 2 of 3 March 01, 2010

Privacy and Information Security — Laws

The following article is part two of a three-part series (Part 1, Part 2, Part 3) on privacy and information security written by members of the GMCC Small Business Advisory Council (SBAC).

This article series is also featured in the GMCC Business Beat (Part 1, Part 2, Part 3)


The first part of this series discussed why all businesses and organizations should care about privacy and information security in the workplace.

In addition to laws requiring best practices, consumers are demanding them, and businesses are using their commitment to privacy and information security as part of a “privacy friendly” marketing message. Almost every organization is covered by multiple federal and state identity theft, privacy and information security laws. Different laws protect different types of information and are generally intended to assure consumer privacy rights and prevent identity theft.

Each law has penalties and fines associated with violations. Violations of some of the federal information security laws carry criminal penalties as high as one million dollars and up to 10 years in prison for executive managers.

However, the most probable financial liability for small businesses is a lawsuit initiated by a consumer or group of consumers for damages related to the mishandling of their information. Even a poorly conceived privacy lawsuit can cost tens, if not hundreds, of thousands of dollars to defend. If you are found negligent, penalties can amount to millions of dollars.

For example, a small employer in Illinois was recently ordered to pay a former employee $1.8 million in damages for violating the employee’s privacy by accessing the employee’s telephone records. Familiarizing yourself with privacy and information security laws and taking steps to protect sensitive information is the best prevention.

The following is a brief summary of a few selected laws that should convey the types of information that must be protected under law. In Part III of this series a process will be discussed that allows most small organizations to protect all information and to meet the expectations of most privacy and information security laws.

Federal Laws

Red Flags Rule — applies to any organization that bills customers after goods or services have been delivered. It also applies to all traditional types of financial institutions. The purpose of the law is to prevent identity theft by requiring that the identity of the customer be authenticated by the business before a credit or financial account is established.

This law applies to the majority of businesses and other organizations in the U.S. because many bill consumer and business customers. (See “Red Flags - If You Bill Your Customers,” Business Beat, Vol. 39, Issue 9, September 2009. Link available at the end of this article.)

Disposal Rule — requires that sensitive electronic and paper consumer records be secured and, when no longer needed, disposed of appropriately by permanent destruction.

The law is intended to protect consumer information from misuse such as identity theft by requiring the appropriate storage and subsequent destruction of the information. Broadly interpreted, the law covers customer and employee records that contain Social Security Numbers as well as other financial account numbers.

Some states have enacted legislation that expands what is considered sensitive or personally identifiable information for the purpose of defining records that must be appropriately secured and destroyed upon disposal. Wisconsin also has a law that requires certain industry groups to dispose of sensitive records properly.

The Red Flags Rule and Disposal Rule each allow for federal and state penalties, actual losses to consumers, damages of $100 to $1000 to consumers, class action lawsuits with no statutory limit, and punitive damages.

A small mortgage broker in Illinois agreed to pay $50,000 as a settlement for improperly disposing of paper records containing Social Security Numbers and other financial information in an unsecured dumpster.

The Financial Modernization Act of 1998 (Gramm-Leach-Bliley Act) — includes privacy and safeguards rules that apply to financial information. The rules apply to broadly defined financial institutions and their business associates.

Financial institutions include traditional financial institutions as well as many others such as mortgage brokers, auto sales, real estate appraisers and schools that offer student loans. Service providers are those businesses that provide services to financial institutions where sensitive consumer information is shared or handled.

Among many, service providers include mailing and courier services, accounting and audit firms, collection services and data processing firms. If your business provides services to a financial institution, as defined by the act, your business is subject to this law.

HIPAA — the Health Insurance Portability and Accountability Act, applies to a narrowly defined group of healthcare organizations (covered entities). The purpose of the HIPAA privacy and security rules is to protect personal health information (PHI). The rules also apply to small medical and health-related practices and to business associates.

Similar to the Gramm-Leach-Bliley Act, business associates are any business or other organization that provides services to covered entities where patient information is shared or handled. Business associates include medical billing, accounting, legal, administrative and management services, among others. It is very likely that HIPAA privacy and security rules will be expanded in the future to include any organization that handles personal health information.

Recently, the HIPAA privacy rule was amended to require that covered entities and their business associates promptly notify all affected consumers in the event that PHI is improperly accessed, stolen, lost, or misused.

State Laws

Many states have privacy and security laws that complement federal laws and that cover issues neglected by federal laws. For example, Wisconsin has over 25 privacy-related laws.

Businesses that have customers, employees or accounts in multiple states are required to comply with the laws of each state in which they do business. This can be complex and time consuming for small businesses.

Most states, including Wisconsin, have breach notification laws. When an organization detects or becomes aware that personally identifiable information in its possession was lost, stolen or improperly accessed, it is required to notify each of the consumers who were probable victims of the breach.

In Wisconsin, failure to provide appropriate notice is used as proof of negligence when prosecuting under other privacy and information security laws. In other states, specific penalties apply.

Industry Regulation

The Payment Card Industry Data Security Standard (PCI-DSS) applies to any business or organization that accepts credit cards.

The purpose of the regulation is to safeguard credit card information, especially information that is electronically stored and transmitted, and thereby to prevent credit card fraud and identity theft.

In the event of a breach, merchants that are not in compliance are held financially and legally responsible for all costs and damages associated with the breach. They may be fined up to $500,000 and have their merchant agreement terminated. While these laws and regulations are varied, they all have best practices in common.

The next part of the series will review the four steps to privacy and information best practices.


Coming in the April Business Beat - Part III of this series will review the four steps to privacy and information best practices.

Red Flags - If You Bill Your Customers
Business Beat, Vol. 39, Issue 9, Page 12
PDF Link:
www.greatermadisonchamber.com/files/sept09_bb.pdf

More Information on the Small Business Advisory Council (SBAC):
www.greatermadisonchamber.com/about/small-business-advisory-council
Copyright 2009 – Greater Madison Chamber of Commerce