Pending litigation highlights demand for more stringent enforcement of privacy and network security policies; reiterates need for corporate risk mitigation strategies
DALLAS– LAWFUEL – Class Actions Law News –In response to the suit filed yesterday by the Texas Attorney General against Radio Shack Corporation, Scott & Scott (www.scottandscottllp.com), a Dallas-based law and technology services firm specializing in privacy and network security, reminds businesses how important it is to implement proactive processes and controls designed to comply with state laws requiring heightened document retention and destruction measures to protect personal information.
The suit accuses Radio Shack of illegally disposing of thousands of customer records containing non-public information without first shredding, erasing or otherwise making the information unreadable. The records were later discovered in a dumpster behind a Portland, Texas, store.
Although there are not yet any allegations that the identities of Radio Shack customers were stolen, the information found in the dumpster contained customers’ names, addresses, telephone numbers, credit card numbers, and expiration dates. With security events and identity theft on the rise, consumers and lawmakers alike are demanding corporations take ownership of the inherent responsibility, accountability and liability they assume when they collect customers’ confidential information. Corporations must implement policies and controls to ensure data is safeguarded, financial risks are mitigated, and the corporate reputation is protected.
Every business collecting and storing non-public customer information is at risk of a data security breach and should consider the following steps in arming their business against the potential risks.
Address Document Management in Privacy Policies: Stringent and secure privacy policies can protect corporate data against unauthorized access, use, disclosure, modification or destruction. By crafting privacy policies that adhere to the most stringent laws applicable, businesses can ensure they are protected across the nation and around the world.
In preparing privacy policies, Scott & Scott recommends businesses take the following steps:
Prepare a detailed inventory of sensitive data throughout the corporation.
Review controls being used to monitor and protect sensitive data.
Define authorization requirements to access data for executives, employees, temporary employees, and contract labor.
Enforce and monitor compliance requirements for third-party vendors.
Implement technology means for restricting access where necessary.
Restrict use of laptops and portable devices containing sensitive data.
Promote awareness and monitor employee compliance with privacy policies.
Outline and impose penalties for violation of privacy policies.
Implement Privacy Training for Employees: Whether it is inadvertent or malicious, employees pose one of the largest threats to data security. In fact, a 2005 academic study from the Better Business Bureau and Javelin Strategy found that in over half of the security incidents occurring at businesses, an insider in the organization was involved.
Businesses should also promote awareness of security and privacy policies through ongoing employee training programs designed to monitor employee compliance with stated privacy procedures. All employees, including temporary employees and independent contractors, should be subject to training and monitoring, and strict penalties imposed for violation of security policies that put customer information at risk.
Minimize Breach Notification Requirements:
The unfortunate truth is that your data can never be completely secure. Even those companies with the most advanced security initiatives in place remain at risk on some level. Businesses can drastically minimize the threat of a notice-triggering event by utilizing specific safeguards to protect the usability of non-public information should it find its way into the wrong hands. Such measures include privacy policies and procedures that outline what data should be kept, what should be discarded, and what steps should be taken to protect data after it has been discarded.
For electronic devices housing sensitive data, Scott & Scott recommends that companies equip devices with desktop security protection, including proper authentication and encryption technology. Encryption not only protects the data, it can reduce or eliminate breach notification obligations in many states. Maintaining confidentiality can significantly reduce the risk of potentially catastrophic business and public image implications that are associated with legally required breach notifications.
Mitigate Financial Risks With Insurance: Scott & Scott strongly recommends companies consider investigating and purchasing insurance coverage for potential corporate security failures to help mitigate the financial risks of a network security breach. Many forward-looking insurance providers have recognized the need for network security insurance coverage and are offering a variety of types, including inside job coverage, service provider coverage, employee claimant coverage, regulatory coverage and third-party handling coverage.
Because nothing is failsafe, even the select businesses that have implemented the most aggressive policies and technology safeguards are well advised to consider obtaining data security and privacy insurance to help mitigate the financial risks of a network security breach. Of the estimated 75% of companies that are less prepared, they should strongly consider insurance as a first step to protecting their valuable enterprise.
Editor’s Note:
An expert in privacy and network security, Julie Machal-Fulks vigorously represents Scott & Scott’s clients on all issues pertaining to network security, software compliance, and audit defense. She has co-authored numerous articles addressing the legal, financial, and regulatory risks associated with network security breaches, including her article entitled “Privacy, Network Security, and the Law,” on which she is often asked to present. Julie graduated with honors from Texas A&M – Corpus Christi, earning a B.A. in English. She received her law degree from The University of Houston Law Center, where was a member of the Order of the Barristers and served on the Executive Board of Advocates in 1998, 1999, and 2000. Julie is admitted to practice before all Texas state courts.
About Scott & Scott LLP
Scott & Scott is a leading national law and technology services firm dedicated to helping senior executives assess and reduce the legal, financial, and regulatory risks associated with information technology issues. An innovative approach to legal services, Scott & Scott believes that collaboration between legal and technology professionals is necessary to solve and defend against the complex problems our clients face, including privacy and network security, IT asset management, software license compliance, and IT transactions. Legal and technology professionals work in tandem to provide full-service representation. By combining these resources, Scott & Scott is better able to serve clients’ needs than law firms and technology services firms working independently of one another. Visit us on the web at www.scottandscottllp.com.
