New Data Security Breach Laws in Alaska and South Carolina Take Effect July 1, 2009

On Wednesday, July 1, 2009, the recently enacted Alaska and South Carolina notice of security breach laws will take effect. Alaska and South Carolina join forty-three other jurisdictions with notice of security breach laws. Some of the key provisions of these laws are described below.

The “Trigger Event”

Both laws require businesses to provide notice of security breaches when an unauthorized person acquires unencrypted computerized “personal information.” Alaska is one of six states that also require notice in response to the unauthorized acquisition of paper records containing personal information. Under both laws, personal information includes the affected individual’s first name or initial and last name, plus social security number, driver’s license number, or credit or debit card or financial account number in combination with any required security code.

The “Harm Requirement”

In Alaska, notice is not required if, after an investigation and notice to the Attorney General, the business determines that there is not a reasonable likelihood of harm to the consumer. Likewise, the South Carolina law does not require businesses to notify residents if illegal use of the information has not occurred and is not reasonably likely to occur, or if use of the information does not create a material risk of harm to the resident.

Required Notices To Third Parties

If an entity is required to notify 1,000 or more Alaska residents, it also must inform the three national credit bureaus (TransUnion®, Experian®, and Equifax®) of the timing, distribution, and content of the notices sent to state residents.

If a business is required to notify 1,000 or more South Carolina residents of a security breach, that entity must notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs as well as the national credit bureaus.

Penalties

Both statutes provide stiff penalties for businesses that fail to provide the required notice to affected individuals. In Alaska, offending businesses are subject to a civil penalty of up to $500 per resident not notified, with the total penalty capped at $50,000. Moreover, the offending business may be held liable for any actual economic damages suffered by affected individuals as a result of the failure to provide notice.

In South Carolina, businesses that fail to provide notice to affected individuals are subject to civil lawsuits by residents who are injured. Injured individuals may also recover attorneys’ fees and court costs, if successful. Moreover, the law permits the Department of Consumer Affairs to administratively fine knowing and willful violators $1,000 for each resident whose information was accessible by reason of the breach.

Scope Of Alaska’s New Law

In addition to the notice of security breach law, Alaska enacted a comprehensive statute involving protection of social security numbers, care of records, disposal of records and security freezes.

This entry was written by Katherine Dix.

New Nevada Law Mandates Encryption of Sensitive HR Data

Nevada has joined Massachusetts as one of only two states currently mandating encryption of sensitive human resources information.* The Nevada law — which, like the Massachusetts regulations, takes effect January 1, 2010 — applies to any organization doing business in Nevada that collects an individual’s first name or initial and last name plus Social Security number, employee identification number, driver’s license number, or credit or debit card number or financial account number with any required security code (collectively “Personal Information”). Every employer collects employees’ SSNs in the ordinary course of business, and many employers assign employee identification numbers and collect driver’s license numbers. Consequently, the new law applies to all employers with Nevada operations.

The statute requires encryption in two circumstances. First, electronic transmissions of Personal Information must be encrypted unless the transmission (a) passes within a secure network, or (b) is sent by fax machine. This means that intracorporate e-mail need not be encrypted as long as the messages do not pass over the public Internet, which usually is the case, although an employer whose internal mail is relayed through an outside provider should confirm that this assumption actually holds. All e-mail containing Personal Information that is sent to third parties, i.e., messages that do pass over the public Internet, will need to be encrypted.

Second, no “data storage device” which contains Personal Information may be taken off-site unless the Personal Information is encrypted. The new law’s broad definition of “data storage device” includes laptops, iPhones, BlackBerrys, back-up tapes and disk drives, as well as virtually any other electronic device that can store Personal Information.

Employers that fail to comply with the law will be easy to identify. Because Nevada’s security breach notification law provides a safe harbor from notification for Personal Information that is encrypted, any notice of a security breach that discloses the loss or theft of a laptop, personal digital assistant, back-up tape or other electronic storage medium effectively would constitute an admission that the employer failed to comply with Nevada’s encryption requirement. Because that failure would violate a statutory standard, the absence of encryption most likely would be deemed negligent. For this reason, employers with operations in Nevada should begin now to develop plans for complying with the new Nevada encryption standard.

*For comprehensive coverage of the Massachusetts data security regulations, see Littler ASAP "New Massachusetts Regulations Impose Substantial Obligations on Corporate Human Resources Departments to Safeguard Employees' Personal Information" by Philip Gordon.

Philip Gordon Answers Questions About Workplace Privacy Issues

Philip Gordon will present at the International Association of Privacy Professionals' (IAPP) human resources event on June 17 on the topics "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?" and "It's 10:00 AM: Do You Know Where Your Employees Are And What They Are Doing?" Below, Mr. Gordon answers questions about workplace privacy.
 
IAPP: The IAPP is sponsoring its first ever Practical Privacy Series on Human Resources (HR) privacy. Why should privacy professionals be concerned about HR privacy?

Philip Gordon: There are many reasons. Here are just a few: First, privacy breaches involving employees are becoming a much more significant risk to organizations. Virtually every security breach involving employees triggers a notice obligation because of the prevalence of Social Security numbers, driver’s license numbers and financial account information in corporate HR departments. Also, sensitive health and disciplinary information can be much more easily disseminated through social networking sites or Web postings, raising the risks of litigation and substantial damages awards.

Second, employees are more likely to respect consumer privacy in an organization that is concerned about employee privacy. Demonstrating a commitment to addressing HR privacy issues establishes a culture that will enhance protection of consumer data.

Third, an employer’s commitment to HR privacy can provide an edge in recruiting and retaining employees, especially younger employees. In April 2007, Littler Mendelson and the Ponemon Institute published a study entitled “Workplace Survey on the Privacy Age Gap.” The study revealed that 85 percent of respondents under the age of 30 believed that their employer’s commitment to employee privacy was important, but only 20 percent believed that their employer was committed to protecting their privacy. Perhaps more to the point, 27 percent of respondents under age 30 said that they would find another job if their employer committed what they perceived to be a privacy violation.

Finally, HR privacy tends to fall into the gap between the chief privacy officer’s and the human resources director’s areas of responsibility. By way of illustration, in the Littler/Ponemon study, two-thirds of respondents said that their employer had a consumer privacy policy, but only 22 percent stated that their employer had an employee privacy policy. Along the same lines, only 6 percent of respondents said that they would contact a privacy professional in their organization if they had a question about workplace privacy.

IAPP: What do you see as some of the cutting-edge issues in the area of HR privacy?

Philip Gordon: Ironically, some of the most cutting-edge issues arise out of relatively public conduct on the Internet, such as social networking and blogging. Many employees perceive their off-duty blogging and social networking as private, but their postings often can have a significant impact on the workplace, for example, when they post photos of themselves with guns or in sexually provocative poses. Another example of this somewhat ironic twist on “privacy” can be seen when employers attempt to introduce location tracking devices into the workplace. The privacy implications of electronic monitoring also are becoming increasingly complex as employees rely more heavily on personal cell phones, PDAs, and Web-based e-mail accounts to conduct company business. Gary Clayton, founder of the Privacy Compliance Group, and I are going to delve into these issues in our presentations at the Practical Privacy Series, respectively entitled “It’s 10 AM: Do You Know Where Your Employees Are and What They Are Doing?” and “Sex Offenders, Terrorists and Video Résumés: How Far Can You Go to Get Information About Employees?”

IAPP: So much of the focus on consumer privacy revolves around data protection. How is data protection implicated in the area of HR Privacy?

Philip Gordon: Organizations tend to have more sensitive information about their employees than about their customers. State notice and data security laws have forced employers to focus more attention on safeguarding employee data. Global employers accustomed to the greater emphasis on employee data protection in the European Union also are turning their attention to employee data protection. Two of the presentations at the HR Practical Privacy Series will focus on these issues. Peter Rabinowitz, Privacy, Governance & Risk Compliance Consultant at PricewaterhouseCoopers, LLP and Lydia Payne-Johnson, CIPP, Financial Services Privacy Consultant at PricewaterhouseCoopers and former CPO at Morgan Stanley, will explain how to conduct an HR privacy risk assessment. Brian O’Conner, former CPO at Eastman Kodak, and Rick Dakin, founder of Coalfire Systems, will present on security incident response when a breach involves employee data.

IAPP: Congress recently put the spotlight on the privacy of employee health information by enacting the Genetic Information Non-Discrimination Act (GINA). What is the current regulatory environment in the area of employee health information privacy and why is it important for privacy professionals to understand that environment?

Philip Gordon: Employee health information is subject to a very complex regulatory environment involving a variety of federal and state laws in addition to GINA. Employers are being inundated with employee health information as the American workforce ages. Employers also are increasingly relying upon drug and alcohol tests to weed out applicants and employees who might pose a threat to sensitive customer and employee data. Understanding the interplay of these health privacy laws and the web of restrictions on drug and alcohol testing is particularly important for employers because breaches of privacy in this area often result in litigation. Nancy Delogu, a partner at Littler Mendelson and a national expert on drug and alcohol testing, will be addressing this complex area of privacy at the Practical Privacy Series in a presentation entitled, “HIPAA, FMLA, ADA, CMIA: How to Handle Employee Health Information and Drug and Alcohol Testing in Compliance with Confidentiality Requirements.”