It’s Monday morning and one of your employees notifies you that they lost their laptop at a Starbucks over the weekend, apologizing profusely. Aside from the cost and inconvenience of buying a new laptop, could you be on the hook for bigger costs and should you notify all your clients? Maybe, depending what type of data was stored on that laptop and whether or not it was encrypted.
An Emerging Trend in Business Law
Since companies are storing more and more data on the devices of their employees and clients, most states (including Arizona) are starting to aggressively enforce data breach and security laws that set out the responsibilities for businesses capturing and storing personal data. Notification of breach is not just limited to covered entities under the Health Insurance Portability and Accountability Act (HIPAA). Arizona Rev. Statute § 44-7501 requires notification of unauthorized acquisition and access to unencrypted or unredacted computerized data, including personal information. Arizona Statute § 44-7601 goes on to enforce requirements before disposing or discarding personal data.
What is considered confidential or sensitive data? Definitely medical and financial records, such as credit card numbers, credit scores and bank account numbers, but also addresses and phone numbers, social security numbers, birthdays and in some cases, purchase history – information that almost every single company normally keeps on their clients. The Arizona statute defines personal information as unencrypted or unredacted information, including a person’s name and any combination of social security number, driver’s license number, or financial account or credit card number in combination with access codes.
“We Did Our Best” is No Longer an Acceptable Answer
With millions of cyber criminals working daily to hack systems and with employees accessing more and more confidential client data, there is no known way to absolutely, positively guarantee you won’t have a data breach. However, your efforts to put in place good, solid best practices in security will go a long way to help you avoid hefty fines. Here are some basic things to look at to avoid being labeled irresponsible:
- Managing access. Who can access the confidential information you store in your business? Is this information easily accessible by everyone in your firm? What is your policy about taking data out of the office on mobile devices?
- IT security and passwords. The more sensitive the data, the higher the level of security you need to keep on it. Are your passwords easy to crack? Is the data encrypted? Secured behind a strong firewall? If not, why?
- Training. One of the biggest causes for data breaches is the human element: employees who accidentally download viruses and malware that allow hackers easy access. Do you have a data security policy? A password policy? Do you have training to help employees understand how to use email and the Internet responsibly?
- Physical security. It’s becoming more common for thieves to break into offices and steal servers, laptops and other digital devices. Additionally, paper contracts and other physical documents containing sensitive information should be locked up or scanned and encrypted.
The bottom line is this: data security is something that every business is now responsible for and not addressing this important issue has consequences that go beyond the legal aspect; it can seriously harm your reputation with clients. So be smart about this. Talk to your firm’s counsel about your legal responsibility and think about policies and procedures for systems that should be encrypted. Ensure that your IT vendors are implementing the proper safeguards. Dave Kinsey