Nuts & Bolts: Eye on Privacy
The April 2007 release of the president’s Identity Theft Task Force report, “Combating Identity Theft: A Strategic Plan,” offers a convenient reason to revisit the subject of protecting customer data. The report contains a comprehensive overview of the existing laws that govern the protection of customer data, such as the Gramm-Leach-Bliley Act (GLBA) and its attendant Safeguards Rule, the Fair Credit Reporting Act (FCRA), and the Health Insurance Portability and Accountability Act (HIPAA). The report also discusses the data breach notification laws that have so far been enacted by 38 states.
Instead of this patchwork of state laws, the task force recommends the passage of pre-emptive federal legislation that would give all businesses, not just those already regulated, a single, flexible national standard for safeguarding data, along with one for notifying authorities and affected consumers in the event of a data breach. The report recommends that these standards apply consistently to both paper documents and electronic records. The task force also recommends that the trigger for notification after a breach be “a significant risk of identity theft.” A risk-based trigger would reduce the likelihood that consumers become inured to such notices and would help ensure they act when action is actually needed. Finally, the task force recommends that any such federal legislation create no private right of action.
Until comprehensive federal legislation replaces the state identity theft laws, any company that maintains personal information about customers or employees (in practice, every company) should put in place reasonable security measures for both electronic and paper records. It should also have a mitigation plan in case of a security breach. Given how quickly technology evolves, it is crucial to keep security procedures current rather than treating them as a one-time exercise.
For example, TJX’s colossal data breach could have been prevented at minimal cost had the company replaced the outdated and flawed wireless security protocol on its store networks (WEP) with the industry standard that had already been available for four years (WPA). According to The Wall Street Journal, TJX’s wireless network “had less security than many people have on their home networks.” The company also reportedly failed to install firewalls and data encryption on many of the computers that used its unprotected wireless network, and misconfigured an additional layer of security software it had installed.
Now, several bank associations are suing the retailer, and the Federal Trade Commission (FTC) is investigating it. If the FTC finds that TJX’s security procedures did not reasonably safeguard its customers’ data, it could bring an enforcement action against TJX for engaging in unfair practices.
Consumers assume that the companies they do business with protect their personal information. But, as the TJX debacle shows, that trust is not always justified. TJX’s inattention to its customers’ data does not yet appear to have affected its bottom line. Only time will tell.
Elise Berkower is executive vice president of privacy strategy at Chapell & Associates, a privacy consulting firm in New York. She can be reached at email@example.com.