
Information Security Breaches: Privacy Laws and Procedures

By Melissa J. Krasnow and Randolph M. Perkins
May 30, 2007

Part Two of a Two-Part Series

Part One of this series discussed security breach notification laws. The conclusion addresses security procedures laws.

In addition to the California security breach notification law, California was the first state to enact a security procedures law (A.B. 1950), which became effective Jan. 1, 2005. This law requires that a business implement and maintain reasonable security procedures and practices to protect personal information. A few other states, namely 1) Arkansas, 2) Nevada, 3) Rhode Island, and 4) Texas, also have enacted security procedures laws. In addition, Utah has passed such a law, which became effective Jan. 1, 2007. Again, to keep this overview useful, and because this California law also serves as the model for a number of the other state laws, a step-by-step analysis of this law is set out here for consideration by landlords and managers.

Who is covered? The California law applies to any business that owns or licenses personal information about a California resident.

Who is not covered? The California law does not cover two types of record holders: 1) a business that is regulated by state or federal law that provides greater protection to personal information; and 2) a business that is either a Health Insurance Portability and Accountability Act entity, a health care entity, or a financial institution.

What is the security procedures obligation? Businesses covered by the California Act must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

What is the third-party security procedures obligation? A business that discloses personal information about a California resident under a contract with a nonaffiliated third party must require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

What is personal information? Personal information is defined the same as under the California security breach notification law, except that medical information is cited as an additional data element.

Federal Trade Commission Involvement

While there is no specific federal security procedures law, the Federal Trade Commission has weighed in by seeking to punish information security breaches. The standards for security-related procedures that the FTC considers appropriate have been described in a number of recent cases. By way of example, a significant case in this area was brought against BJ's Wholesale Club in 2005. The FTC charged that BJ's failure to provide reasonable security for sensitive customer information was an unfair act or practice in violation of Section 5 of the Federal Trade Commission Act because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition.

The FTC alleged that BJ's: 1) failed to encrypt consumer information when it was transmitted or stored; 2) stored the information longer than it had a need to do so; 3) stored the information in files that could be accessed using commonly known default user IDs and passwords; 4) failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and 5) failed to use measures sufficient to detect unauthorized access to the networks. The settlement order that resolved this case requires BJ's to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards and to obtain regular third-party professional audits of this program for compliance with the FTC Order and with bookkeeping and record-keeping requirements. The FTC Order is in effect for a 20-year period. In the Matter of BJ's Wholesale Club, Inc., File No. 042 3160, June 16, 2005.

Conclusion

As is the case in many other operational areas, information maintenance is becoming increasingly regulated. Landlords and property managers must take three steps to avoid costly violations. First, the relative utility of information to be gathered and maintained must be balanced against the burdens and risks associated with possessing the information. Second, appropriate internal policies and systems must be created to fulfill mandatory security requirements. Third, a plan must be established to provide requisite notification and otherwise address incidents of security breaches. For each of these steps, careful reference to applicable local and developing federal law is essential.


Melissa J. Krasnow is a partner in the Corporate Group of Dorsey & Whitney LLP (e-mail [email protected]) and Randolph M. Perkins is a partner in the Real Estate and Corporate Groups of Schiff Hardin LLP (e-mail [email protected]).