Data Security: Protecting Personal Information
As more and more information is created, communicated and stored in electronic formats, data security has become an increasingly important concern for businesses and individuals. Unauthorized disclosure of personal information can cost a business dearly, not only in terms of lost customer confidence and trust, but in actual damages caused by such disclosures. The fast changing nature of technologies, coupled with the increasingly higher standards of acceptable information protection in the market place, require businesses to become more proactive and viligant in their protection of sensitive personal information. Our clients should be mindful of their basic obligations in the protection of personal information they accumulate and use in the conduct of their businesses.
What is considered protectable personal information?
Businesses are required to protect what is termed under applicable privacy laws as "personally identifiable information"; that is, any data that can be used to uniquely identify a single person. More particularly, it consists of any information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. The combination of any two items of personally identifiable information is enough to uniquely identify almost every individual.
Consequently, most information a business has relating to its clients or customers would qualify as personally identifiable information. Although this information may require protection on its own in some contexts, it should be assumed that any personally identifiable information which includes a customer's financial data (e.g. credit card or bank account numbers) requires a heightened level of data protection.
What protective measures are required by law?
Unfortunately, data security laws vary widely. It is difficult to set specific standards or requirements because of the constantly changing nature of technology. Illinois does not have a state law specifically governing the protection of personal information. However, Illinois businesses may be subject to other states' laws. For example, the Massachusetts law on the protection of personal information applies to "all persons that own or license personal information about a resident of the Commonwealth." There are also Federal laws which apply to specific industries over which the Federal government retains jurisdiction. The most prominent of these is the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999. This law applies to "financial institutions," defined as "companies that offer financial products or services to individuals, like loans, financial advice, or insurance." It requires institutions to provide consumers with privacy notices, to establish safeguards for the protection of personal information, and to institute efforts to prevent "pretexting," or the attempt to gain access to personal information.
Even in the absence of specific regulations regarding personal information, businesses have a duty to take "reasonable" or "appropriate" steps to protect personal information or they could be liable for negligence.
How to take Reasonable Steps to Protect Personally Identifiable Information
A basic step in the protection of personally identifiable information is the use of strong passwords wherever personal information can be found—including smartphones which send and receive e-mail. This is one example of an area in which the advance of technology means that passwords which afforded "reasonable" protection in years past no longer meet minimum requirements because of the advance of hacking techniques. The New York Times recently reported that the majority of internet users are still using basic passwords such as "123456" and "password" despite the risk of internet security breaches, and noted that using a simple password is now "the digital equivalent of leaving a key under the doormat."
Strong passwords use at least two different character types (i.e., lowercase letters, capital letters, numbers or symbols), and are at least 6 characters long. In addition, the use of names (especially those that could be easily connected with the user) should be avoided—seven of the top thirty most frequently used passwords are first names. The strongest passwords contain no recognizable dictionary words and more than two different character types, and are 8 or more characters in length.
Businesses should be viligant in recognizing what are commonly known as "pretexting" or "phishing" techniques. Pretexting or phishing is the attempt by a third party to gain personal information without proper authorization. This could be an attempt by an individual to impersonate a client or customer and obtain that client's personal data. More frequently, it occurs over e-mail, where a phisher will impersonate a bank or other institution and attempt to convince a user to volunteer their account information.
A key rule of thumb is that legitimate financial institutions will never ask for account numbers, passwords or other sensitive information over the internet. If a request seems legitimate, make independent
phone contact with the customer service number associated with the institution to verify its legitimacy. Also ensure that every employee with access to confidential information is familiar with the basics of pretexting or phishing. One of the most important steps in protecting sensitive data is guarding against inadvertent disclosure.
While it may seem that simply deleting a customer's personal information is one method of protecting its confidentiality, in reality, the deleted information doesn't magically disappear. Simply deleting a document usually does not completely erase it—instead it still can be easily accessed from the computer's recycle bin. Most e-mail programs are similar. In order to "fully" erase a document the "deleted items" folder or "recycle bin" must be emptied as well. In addition, old equipment should be electronically "scrubbed" of data before it is discarded or recycled. This can include photocopy machines, which store an electronic image of every document copied.
Navigating the requirements of compliance with constantly evolving data security standards is a challenge for any business. However, the potential consequences of failing to adequately protect personal information are significant. Businesses can address this risk by avoiding practices that create an unreasonable risk of harm to consumer data, creating heightened safeguards for the protection of sensitive information, encouraging the consistent use of these guidelines and practices, and updating standards and practices to conform with the requirements of changing technology.
If you have any questions regarding the protection of sensitive business information, please feel free to contact Anne M. Skrodzki for further information: (630) 655-6000.