Data Safeguards Rules Exist, Even for Non-Financial Institutions?

From Venulex.com

Under the Gramm-Leach-Bliley Act, the Federal Trade Commission enforces the “Safeguards Rule,” which requires financial institutions to, among other things, designate one or more individuals to coordinate the institution’s information security program, identify and assess the risks to personal information in the institution’s possession, evaluate the effectiveness of the safeguards in place to control those risks, and select service providers that can maintain appropriate safeguards. The FTC has publicly stated its position that, under the Federal Trade Commission Act, it can impose the same kinds of standards on non-financial institutions, and it has brought enforcement actions following a few highly publicized data breaches.

But are there other laws that explicitly impose standards on how records containing personally identifiable information must be maintained or safeguarded from unauthorized access, even for non-financial institutions? You may be surprised to learn that the answer is “Yes.”

A variety of state laws place some responsibility on non-financial institutions for protecting different types of personally identifiable information. For example, California law requires businesses that own or license personal information about California residents to implement and maintain reasonable security procedures and practices; the law sets forth general standards of care for maintaining and protecting personal information in a business’s possession. Other states regulate the use of the bogeyman of all personally identifiable information, the Social Security number. For example, many states prohibit companies from using Social Security numbers as account identifiers or from printing them on letters or other communications.

In addition, when an organization decides to dispose of records containing personal information, it is not enough to simply throw them out with yesterday’s newspaper. For one thing, the FACT Act Disposal Rule specifically requires businesses to take appropriate measures to dispose of sensitive information derived from consumer reports. Many states have also enacted document disposal statutes that require particular methods for getting rid of records containing sensitive information. For example, Georgia law requires a business to shred a customer record before disposal. Just recently, the Texas Attorney General announced legal action against CNG Financial Corporation and its subsidiaries for “discarding business records in easily accessible trash cans behind stores.” This is the sixth enforcement action filed by the Texas AG since March. According to the Texas AG, the company’s practices violated the 2005 Identity Theft Enforcement and Protection Act, which provides for penalties of up to $50,000 per violation.

Congress is considering legislation that would explicitly impose GLB-like standards on all businesses that store personally identifiable information on more than 10,000 individuals, which would give the FTC express statutory authority to regulate the data protection practices of a wide variety of non-financial organizations. But even without such legislation, organizations that collect personal information about employees, customers, or consumers should be aware that standards for some types of information already exist, and it is a good idea to implement a comprehensive information protection and management program, one that accounts for these standards, aimed at safeguarding such data.

Copyright © Troutman Sanders LLP. VenuLex resources are intended for informational purposes only and should not be construed as legal advice.
