7/9/2007 – Intellectual Property
Data Protection
Information Security & Risk Management
25 February 2007
Article by William J. Heller Esq
New York’s new data security law impacts every financial institution and employer in New York, and probably every business that conducts business in New York. Simply discarding records (paper or electronic) containing “personal identifying information” is now prohibited. You must shred or destroy the record so that no one can obtain unauthorized access to the social security numbers, driver’s license numbers and other key information about your customers. “Personal identifying information” is defined to include any record containing information by which an individual customer can be identified, a broad definition. New York joins other states in adding to the patchwork quilt of federal and state laws governing privacy and data security, and to the cost and complexities of compliance. The law takes effect on December 04, 2006.
The New York Attorney General is authorized to obtain injunctions against violations of the Act, even without proof that any damages have occurred to anyone. Civil penalties of up to five thousand dollars, apparently per violation, are authorized. The newsworthiness of data security breaches and an activist attorney general’s office make businesses an easy target for bad press and civil penalties.
There is a vague safe harbor in the new law. “Due diligence,” a term nowhere defined in the Act, is a defense. However, the law follows the guidance of recent Federal Trade Commission rules enacted under the federal Fair and Accurate Credit Transactions Act (FACT Act). This gives businesses guidance as well: with “due diligence” undefined in the new law, it is advisable to look at FTC publications on privacy and data security for efforts that businesses can undertake to prove due diligence and avoid not only the wrath of the New York Attorney General, but also the damning publicity that follows data security breaches. For example, the FTC has published guidelines on data security, found at http://www.ftc.gov/privacy/index.html. Browsing the FTC site to determine the latest data privacy rules is a start towards meeting this due diligence standard. Consulting with counsel to audit your data security procedures under the protections of applicable privileges is also advisable.