Data breaches are not just a consumer issue anymore. Following California’s earlier lead, at least 22 states and one municipality, New York City, have enacted laws requiring businesses to inform individuals of security breaches involving personal data particularly useful in ID theft and financial fraud. Data breaches can happen to a business regardless of their size. Therefore, businesses need to be aware of what they can do to protect themselves and their employees.
While the laws dealing with data breaches vary from state to state, they share a few common factors. They do not apply to all personal data, but only to a narrow set of data elements (e.g., Social Security numbers, driver’s license numbers, bank or credit card numbers). The laws typically do not apply at all if the covered data elements were encrypted. They apply equally to improper and unauthorized exposures inside or outside of the business.

Beyond general data security measures, there are several steps you can take to protect covered data. These include:
- Not collecting or storing data elements specified in breach notification laws. For example, don’t collect driver’s license numbers from California or other residents if you don’t have to.
- If it is necessary to collect and store covered data elements, strictly limit access to the data to those with an unquestionable need to know. When storing and transmitting the data, keep it in an encrypted format.
- Avoid using covered data fields, such as Social Security numbers, as employee identifiers (for example, on ID badges).
- Review your current policies, training and confidentiality agreements. Do they address the particular risks and legal obligations involved in handling data elements covered by breach notification laws?
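The following Go program is an added example, not code from the article, showing how the first three steps above look in practice: an employee record that stores only the fields the business needs, an opaque random badge identifier used in place of the Social Security number, the SSN kept only as AES-256-GCM ciphertext (so a stolen record exposes no covered element in usable form), and a simple check that catches a plaintext SSN before an export or log line leaves the business. The type and function names, the sample name and SSN, and the all-zero demo key are constructed for illustration; a real deployment would load the key from a secret store or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// EmployeeRecord keeps only the fields the business actually needs.
// The SSN, a covered data element under the breach notification laws,
// is never held in plaintext: only an AES-256-GCM ciphertext is stored,
// with the random nonce prepended. Nil means the SSN was never collected.
type EmployeeRecord struct {
	BadgeID      string // opaque random identifier used instead of the SSN
	Name         string
	EncryptedSSN []byte
}

// NewBadgeID returns a random 16-hex-character identifier for badges and
// internal references, so no covered data element doubles as an ID.
func NewBadgeID() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Encrypt seals plaintext with AES-GCM under a 32-byte key; the random
// nonce is prepended to the returned ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Only the few code paths with a genuine need
// to know should ever call it.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// NewEmployeeRecord builds a minimised record. Pass ssn == "" when the
// business has chosen not to collect it at all (the first step above).
func NewEmployeeRecord(key []byte, name, ssn string) (EmployeeRecord, error) {
	id, err := NewBadgeID()
	if err != nil {
		return EmployeeRecord{}, err
	}
	rec := EmployeeRecord{BadgeID: id, Name: name}
	if ssn == "" {
		return rec, nil // nothing covered was collected, nothing to protect
	}
	ct, err := Encrypt(key, []byte(ssn))
	if err != nil {
		return EmployeeRecord{}, err
	}
	rec.EncryptedSSN = ct
	return rec, nil
}

// ssnPattern matches the 123-45-6789 layout used by US Social Security numbers.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// ContainsPlaintextSSN flags text (an export row, a log line) that still
// carries an unencrypted SSN, so it can be blocked before it leaves the business.
func ContainsPlaintextSSN(s string) bool {
	return ssnPattern.MatchString(s)
}

func main() {
	key := make([]byte, 32) // constructed demo key; load a real key from a KMS or secret store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := NewEmployeeRecord(key, "A. Example", "123-45-6789") // constructed sample values
	if err != nil {
		panic(err)
	}
	fmt.Printf("badge=%s name=%s encrypted_ssn=%x\n", rec.BadgeID, rec.Name, rec.EncryptedSSN)
	fmt.Println("plaintext SSN in stored record:", ContainsPlaintextSSN(string(rec.EncryptedSSN)))
}
```

The badge ID is what appears on cards, in directories and in logs; the ciphertext is the only form in which the SSN is written to disk, and `Decrypt` is the single chokepoint to gate behind access control and audit logging.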