- About PS&F
- Industry Focus
- Client Tools
- Education & Events
- Case Studies
October 1, 2008
By Cliff Rudolph
In today’s data age, almost all organizations store some form of private or confidential information, whether it is employees, customers, or information obtained from vendors. Since 2005 more than 200 million records containing sensitive personal information have been reported in a security breach in the United States.
Major banks, media companies, credit bureaus and many sizable local organizations have reported data breaches. Some examples include:
The Privacy Rights Clearinghouse, a nonprofit consumer organization, has compiled a chronological list of reported data breaches, available here: https://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm.
Data Breaches and Privacy Rights
In 2003 California was the first state to require notice of security breaches. Since then more than 30 states have followed suit. The laws typically require that any state or local agency—or any person or business which conducts business in the state and that owns or licenses computer data that includes personal information—must notify in the most expedient time possible the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
This means that a firm must give notice (written or electronic) immediately should the information be compromised regardless if the personal information that was compromised actually was used illegally. In some cases, substitute notice (such as e-mail, Web site postings and notification to statewide media) may be given in the event that notification costs exceed a certain dollar amount. It is important to check with state laws.
On March 4, 2008, the FTC settled a 17th Security Breach case (FTC File No. 072-3013) www.ftc.gov/os/caselist/0723013/index.shtm.on on 34,000 consumers. The settlement bars the firm from future data security misrepresentations and requires the company to implement and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. The settlement also requires the company to obtain, every two years for the next 10 years, an audit from a qualified, independent, third party professional to ensure that its security program meets the standards of the order.
Finally, insurance products have been developed to cover financial losses that occur due to data breaches and unauthorized access. When considering insurance it is important th at you work with a broker who understands your organization and how an insurance policy will respond. Some key features of a strong data liability policy will include coverage for:
The costs associated with notification and the liability that is arising out of privacy and security matters is costing millions of dollars to organizations of all sizes and types. One insurance carrier recently produced a data loss calculator that estimates that on average the costs associated with data loss are about $166 per record. It also provides information on pending class action lawsuits where plaintiffs are requesting $1 million to $21 million per person for damages due to data loss.
As more private data is stored electronically—and the definition of private data is broadened—it is important to understand how these issues impact your organization and how your organization will respond.
If you have any questions or would like to discuss please call us on 425.709.3600.
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.