How to Comply with the Recently Enacted Data Protection Laws by Mark W. Klein

In recent years, an alarming number of businesses have been victimized by the theft of their customers’ and/or employees’ personal data. Many of these thefts occurred because the businesses did not have adequate safeguards in place. In response, new laws have been enacted requiring businesses to implement data protection policies and imposing stiff penalties for non-compliance. It is important for your business to comply with each applicable law.
Connecticut’s Law. Connecticut General Statutes §42-471 requires all businesses collecting personal information, including Social Security numbers, driver’s license, state ID card, alien registration and health insurance numbers, credit, debit card or account numbers to “safeguard the data, computer files and documents containing the information from misuse by third parties” and “destroy, erase or make unreadable such data, computer files and documents prior to disposal.” It also requires businesses collecting Social Security numbers to create and publicly display (including on their websites) a privacy protection policy that: (1) protects the confidentiality of Social Security numbers; (2) prohibits their unlawful disclosure; and (3) limits access to them.

Other States’ Laws. Some states have data protection laws that can be enforced against out-of-state businesses collecting personal information from their residents. So a Connecticut business that, e.g., accepts nation-wide credit card orders may have to comply with multiple state laws. One of the strictest of these laws – Massachusetts regulation 201 CMR 17.00 – just went into effect on March 1, 2010. This regulation requires businesses collecting personal information from Massachusetts residents to implement a written information security plan that, among other things, assesses foreseeable risks to the personal information it handles, develops security policies for its employees and establishes regular monitoring for compliance. It also imposes additional requirements, such as data encryption, on companies that store information electronically.

Federal Laws. Businesses that are creditors (i.e. those that provide customer financing) and financial institutions must implement a written program to identify and detect the “red flags” of identity theft, such as unusual account activity, consumer report fraud alerts, or suspicious application documents, per the FTC’s Red Flags Rule. There are also other federal laws requiring data protection from financial institutions and health care providers.

Ensuring Compliance. First, you should inventory where any data containing personal information is being stored (physically and electronically) and then identify who has access to the personal information. You should then decide whether the personal information is needed for your business purposes. You should shred all paper documents and delete all computer files containing unnecessary personal information. You should also install scrubbing software on all computers to ensure that deleted files cannot be retrieved. If unnecessary personal information is contained in documents you need to keep, the personal information should be redacted.

Next, you should assess your internal risks for security breaches with the assistance of an attorney or independent security expert. You should then develop data protection procedures in response to the risks. Normally, these will include: encrypting all emails; installing data protection software; installing firewalls for internet connections; securing computer passwords; restricting access to personal information only to those employees who need it; keeping documents containing personal information in locked offices or cabinets; preventing personal information from being accessed via an office-wide network or the internet; restricting and/or preventing access by non-employees and former employees; and regulating the out-of-office use of laptops. Once they are finalized, your attorney can help document these procedures in compliance with the applicable laws.

Subsequently, you must ensure your procedures are followed. Accordingly, you should require your employees to agree in writing to follow them and impose punishment for violations. You should also continually train your employees to identify potential security threats. Finally, your business should make your service providers agree to follow these procedures and indemnify your business for any damages from their non-compliance.

Additional information can be found here:
www.ftc.gov.

© 2018 • Brody Wilkinson PC