According to a recent report, almost 340 million records containing "sensitive personal information" have been involved in security breaches since January 2005. Consumers have begun to realize how easily their private and personal information can become vulnerable or accessible. Over the last 5 years, there have been dozens of reports in the media of large corporations and institutions that have had their customers' information breached in some way. But how many smaller organizations have had a breach that we haven't heard about? Do you know what the law requires if your customers' information is compromised?
There is a federal bill (Data Accountability and Trust Act) that has been passed by the House and is awaiting a vote in Congress. It would require, among other things, that all businesses implement safeguards to protect data and notify customers if their personal information is breached. In the meantime, most states already have a law requiring notification of security breaches. In general, consumers are to be informed of a breach when their information is lost or compromised, putting them on alert for possible identity theft. The individual laws differ as to what is defined as "personal information" and under what circumstances the notification must be made. Some laws, including those in New York State, require notification to consumers any time there has been a breach of unencrypted data, regardless of whether the company determines there was not a significant risk.
The laws also dictate when and how the notification must be made. A recent study of 2009 data security breaches in the US shows an average cost of $204 per customer with a potentially compromised data record. In addition to the cost of notification and remediation, companies that have a breach will be subject to the costs of regulatory investigations, as well as penalties and fines.
There are numerous practical steps you can take to ensure compliance and prevent breaches. Review how your firm safeguards non-public customer and employee data, and implement safeguards and controls using industry best practices. You should also take a look at the organization's data privacy policies and notices, and make changes if necessary. In addition, consider the acquisition of a Privacy Breach and Network Security Liability policy. Although these policies have been available for quite some time, over the last few years both coverage and accessibility have improved significantly. Beyond the expense of notification and remediation following a breach, there is also the potential for suits filed by consumers, which will result in defense costs, at a minimum.
In the current regulatory environment, every company is susceptible to these threats and needs to take appropriate steps to address them.
This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.