The State of Privacy Regulation

By Elizabeth Wasserman

ChoicePoint Inc., the Atlanta-based provider of identification services for the insurance and real estate industries, revealed in March that criminals had gained unauthorized access to aggregated personal data of 145,000 people. What followed provides a good lesson for CIOs about the impact an assortment of new privacy laws in the U.S. will have on business and technology.

ChoicePoint was required, under a California privacy law enacted in 2003, to notify consumers in that state of any unauthorized acquisition of personal information about them -- such as first and last name combined with social security number, driver's license number, or other personal identifiers. But ChoicePoint didn't just mail notices to the 35,000 California residents impacted by the security breach and covered under that state's law, according to the company's filing with the U.S. Securities and Exchange Commission. Instead, ChoicePoint -- noting the ripple effect the California law has had in other states -- mailed notices throughout the 50 states to all 145,000 affected consumers, whether those states had data breach notification laws or not.

"When a company has customers in multiple states, it's not really wise for them to give residents of one state more notification than residents of other states," says Rebecca Herold, an author, instructor, and independent information privacy consultant. "Most of the companies that have created breach notification procedures and processes are doing it for the most stringent requirements across the board."

The fact is that misuse of private information is becoming more common; as a result, legislators are responding with new restrictions on companies that collect or maintain sensitive personal data. The U.S. Federal Trade Commission in February reported that 39 percent of the 635,173 fraud complaints by citizens in 2004 year were due to identity theft. Another recent survey by the FTC estimated that the dollar value of identity theft crime amounted to $52.8 billion in 2004 -- much of that cost absorbed by businesses.

FTC Chairman Deborah Platt Majoras urged Congress earlier this year to put new legal requirements on data brokers and other companies that keep sensitive personal information. Some lawmakers have already heeded the call; Sen. Dianne Feinstein (D-Calif.) has proposed legislation extending California's notification statues for breaches of private consumer information nationwide.

While corporations have been taking matters into their own hands to better protect sensitive company information, CIOs should also understand the laws governing the handling of sensitive customer data. An assortment of new state and federal legislation has been rolled out -- and additional laws may be on the horizon -- to curb the potential for such substantial customer data loss.

Here is an update on privacy regulations that impact businesses:

• California Database Protection Act  The law took effect in 2003 and requires organizations to publicly disclose breaches of private information about California residents, such as the ChoicePoint violation. Any entity doing business in the state -that fails to -provide notification of a privacy breach could face class-action lawsuits or be liable for civil damages. Other states -- including Arkansas, Connecticut, Florida, Georgia, Illinois, Indiana, Minnesota, Texas and Washington -- quickly followed suit and passed their own notification statutes.
• California Assembly Bill 1950  This law went into effect Jan. 1, 2005 and requires any businesses or entities that hold information about state residents to maintain "reasonable security procedures and practices appropriate to the nature of the information" to keep this information from illegal use or disclosure. This measure also requires partners of companies that keep private information to meet these standards, too.
• U.S. Fair and Accurate Credit Transactions (FACT) Act  In effect as of Dec. 1, 2004, this law is an amendment to the Fair Credit Reporting Act, which entitles consumers access to their credit reports. The FACT Act extends the protections of personal information to a wide variety of businesses that keep data on customers or even employees. FACT requires financial institutions, merchants, and credit agencies to develop plans to identify potential identity theft and to better protect sensitive information from disclosure.
• U.S. Gramm-Leach-Bliley Act  Also known as the Financial Services Modernization Act, this became law in 1999. GLBA is targeted at financial institutions and their partners, requiring them to better protect the confidentiality of customer information, beef up security of this information (such as by the use of encryption of electronic data), and protect against unauthorized access. The penalty for violators ranges from regulatory fines to legal liabilities for CEOs and directors.
• Health Information Portability and Accountability Act (HIPAA)  This 1996 law requires privacy protection of electronic health information by health insurers, hospitals, physicians, pharmacies and medical clearinghouses. In 2003, the laws provisions for the health care industry to restrict access to and protect confidential patient data went into effect.

Armed with knowledge about the various privacy laws, CIOs can work within their organizations to help meet both the letter and the spirit of the law. The first step a CIO should take is to urge C-level counterparts to support the creation of an inventory of personally identifying information the organization keeps.

"They need to ask themselves questions," Herold says. "What types of personally identifiable information do they keep? Where are they collecting information from -- Web sites, conferences, response forms? Are these in hard copy or electronic format?"

Eric Schmitt, a Forrester analyst, recommends that CIOs start looking at customer data the same way they look at employee data or payroll data. "Be very careful with it," Schmitt says.

CIOs also need to urge their organizations to have a privacy policy in place. Schmitt advises companies to make sure they have documented policies for how they collect, use, and dispose of personally identifying information. But he also suggests making distinctions between the types of data collected from customers. Whereas a returned warrantee card may not have to be encrypted, certainly a consumer's credit card number should be protected with the most sophisticated technology.

Herold urges executives to make sure that some person or position is given direct responsibility for privacy-related compliance. Lastly, a breach notification policy should be put in place before any theft or loss of data occurs so that an organization can effectively deal with the disclosure and minimize damage to customers and to the organization's reputation.

The bottom line is that it makes good business sense to protect the personal information of customers. And, now, of course, it's also the law.

Elizabeth Wasserman has written about technology and business for Inc., CIO Insight, and the San Jose Mercury News. She is a freelance writer based in Fairfax, Virginia.