When Data is “Lost”: Should Customers Be Notified?
by Kelly Testolin
The last 10 years have produced an “explosion” of narrowly targeted information privacy rules. Navigating the patchwork of potentially applicable laws can be a continuing headache for Nevada businesses that maintain personal data about their customers. One common question is whether a business that has lost control of customer data (e.g., through theft or misplacement) is required to notify the affected customers. Consider a typical situation:
“An employee’s car was broken into late last week and our system back-up tapes were stolen. We called our software company and they said the information is not encrypted. However, the thieves would have to create our environment with the same back-up and operating system to access the information. They may just be kids fooling around and the tapes could be in a dumpster, but they could also be sophisticated enough to find a hacker to see what is on the tapes. Do we need to notify the customers in our database? If so, what should we tell them?”
Many Nevada businesses are affected by Gramm-Leach-Bliley, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act and/or the Privacy and Security Rules under HIPAA. Prior to 2006, when a situation like the one described above occurred, only Gramm-Leach-Bliley-regulated entities were required to report data loss to the customer or the government.
However, Nevada’s recently-enacted “personal information” security law (NRS 603) places a reporting requirement on many other types of businesses. Under Nevada’s law, “personal information” means a natural person’s first name in combination with one or more of the following data elements, when the data elements are not encrypted:
1. Social Security number
2. Driver’s license or ID card number
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to that person’s financial account.
If a Nevada business collects, handles or disseminates “personal information,” the business must “disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.”
It should be noted that the disclosure requirement applies only to the acquisition of unencrypted personal information. Also, entities that are subject to and comply with Gramm-Leach-Bliley are exempt from this Nevada reporting requirement. NRS 603 requires notification to be provided “in the most expedient time possible,” and provides alternative notification methods.
Even in the most secure environments, data losses and security breaches occur. The reporting required by NRS 603 can be expensive and injurious to customer relations. (Personal notification of each involved customer is required unless the cost will exceed $250,000, in which case substitute notification procedures can be followed if the company sends a notification of the data loss to all major statewide media.)
Companies that maintain “personal information” as defined by NRS 603 should carefully consider encrypting that data. Since NRS 603 does not apply to encrypted data, its reporting requirements do not apply to a loss of encrypted data, even where that data contains “personal information.” Where unencrypted personal information must be maintained, the company should have a written plan in place to deal with breaches of security. At a minimum, such a plan needs to address the following:
• Training company personnel to report data loss or security breaches in a timely manner.
• Establishing a method for reporting data losses/security breaches to a central authority within the company.
• Establishing methods for determining the identities of customers whose security has been breached.
• Determining whether reports to customers need to be made in accordance with NRS 603 following a data loss/security breach.
• Determining the appropriate method of customer notification.
• Ensuring notifications are made in a timely manner, if required.
• Follow-up mechanisms for improving security procedures and taking any disciplinary action that may be required.
In some situations where customer notification is not required by statute, companies may still want to notify their customers of a data loss or security breach so that customers can take precautions to protect themselves from identity theft or financial fraud, and so the company’s liability for any ensuing fraud can be reduced. For this reason, companies maintaining “personal information” may want to identify knowledgeable legal resources in their contingency plans for consultation in breach situations.
Kelly Testolin is a shareholder in the Nevada firm of Hale Lane in Las Vegas.