Choicepoint and Paris Hilton got the message: Revealing secrets has its consequences. Only days before Hilton’s cell phone was hacked last month, exposing friends’ e-mail addresses and phone numbers, Choicepoint said its security breach put 145,000 people at risk of identity theft. It was a well-known 2003 California law that forced the Georgia-based information broker to notify consumers that their privacy may have been compromised, but a new law that further tightens the screws of accountability has drawn little notice outside legal and privacy circles.
Beginning Jan. 1, any business collecting personal information about a California resident must have implemented “reasonable security procedures and practices” to protect against unauthorized access. Further, businesses are now legally bound to ensure — by contract — that third parties handling that data on their behalf have reasonable safeguards in place.
While it’s unclear what constitutes “reasonable” in the language of California’s General Security Standard for Business (also known as Assembly Bill 1950), it’s abundantly clear that the law reaches beyond the Golden State’s borders.
“Any retailer with an online presence is quite likely to transact business with a California resident and obtain personal information,” and is therefore subject to the law, said Sam Hudson, attorney at Foley Hoag, Boston.
Companies already regulated by federal laws HIPAA (Health Insurance Portability and Accountability Act of 1996) and the Gramm-Leach-Bliley Act, protecting individual financial information, are excluded from the new law.
The Federal Trade Commission and the New York State Attorney General’s office investigated a number of customer data security violations in retail over the last two years, and this latest legislation may bring yet more enforcement action this year, said attorney Lisa Sotto, partner at New York-based Hunton & Williams and head of the law firm’s Regulatory Privacy and Information Management Practice.
The cumulative effect of the new law imposing security standards for personal information — a first for any state — together with an existing law that requires companies to inform California residents of security breaches involving their personal data, is intriguing: “You are telling people they can sue you,” said Sotto.
Retail technology executives who were willing to discuss their customer data security practices declined comment on the statute. Many claimed the sensitive nature of the topic prevented them from addressing it, but others confided they had little knowledge of the privacy law. Still others feared that speaking openly about security would only invite computer hackers to have a go at invading their networks.
But Michele Demaree, director of privacy at the $25 billion Best Buy consumer electronics chain, said, “Every company would be wise to pay attention to California. They are setting national trends” on protecting the privacy of customer data. Best Buy’s wireless network was targeted by a hacker in 2002.
Privacy Policy: A Delicate Balance
Demaree was involved in drafting Best Buy’s privacy policy in collaboration with other departments at the company. Cross-functional input is needed so that assurances outlined in a privacy policy are in fact supported by business practices and security technologies.
Accordingly, technology executives need to be involved in drafting their company’s privacy statement so that the policy does not overstate security protection.
It is for this reason that apparel retailer Guess, Petco Animal Supplies and Tower Records found their customer data security practices under investigation, said Hudson of Foley Hoag. Each company settled charges brought by the FTC through consent agreements that do not constitute admission of a violation, but do impose adoption of stepped-up security practices and oversight (see related story, page 10).
“These are cases where the companies thought they were doing the right thing, and they simply hadn’t recognized the gap between the [security] practices in place and the standards they imposed on themselves with their privacy policies,” said Hudson.
“One statement people love to say is, ‘We are committed to protecting your privacy,’ but that is a bit of a ‘motherhood and apple pie’ statement,” he said. “It sounds warm and comfy but the implications are rather more serious.” Hudson said an IT executive might be inclined to sign off on such a statement, fully supporting the intent. However, the courts could interpret the word “committed” to mean committed to invest considerable financial resources for security technology — and that must be substantiated.
In its complaint, the FTC charged that Tower Records and its parent company, MTS, misrepresented the extent of security measures in place with a privacy statement claim of using “state-of-the-art technology” to safeguard data.
Increasingly, retailers’ privacy statements favor subdued language, such as Best Buy’s “we take reasonable precautions” to prevent unauthorized access to customer data.
Customer data privacy policies must inspire confidence and allay customer concerns, while at the same time, refrain from promising too much. “It’s definitely a balance,” said Best Buy’s Demaree.
“We work with a lot of different departments to make sure our privacy policy reflects our current business practices,” she said. “The technology is constantly changing and business practices as well, so companies are very wise to not only listen to consumers continually but also try to be honest about their practices.”
What Is ‘Reasonable’?
The language of the new California law stipulates that companies handling personal information about residents must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The law gets no more specific about what “reasonable” or “appropriate” might mean, however.
SSL — or Secure Sockets Layer — is a technology protocol for transmitting data, such as credit card information, over the Internet in encrypted form. Because SSL is the de facto industry standard for protecting data from unauthorized access, a company might believe it to be a “reasonable” security measure. Guess learned otherwise. In response to FTC charges of misrepresenting its security practices, Guess cited its use of SSL. The FTC deemed that defense insufficient and claimed customer data was not encrypted “at all times,” as was promised in Guess’ privacy policy.
The takeaway, says Best Buy’s Demaree, is that smart companies will not wait for the law to clarify what is reasonable security and instead define it themselves.
The California law requires companies collecting California residents’ personal data to ensure that third-party firms with access to that information have reasonable security measures in place as well. Responsible companies already take pains to partner with others that have sound security, but no law has mandated it before.
While a retailer and its partners may agree to minimum security measures, not all retailers have the resources to continually monitor those companies to ensure compliance.
“It is a challenge,” said Terry Zych, director of information technology at The Timberland Co.
At Timberland, security due diligence takes place before an agreement is struck with any company proposing to offer services related to its Internet business, he said. A two-page checklist covering security, privacy, encryption and data utilization practices is prepared before a meeting takes place to discuss the issues in detail. Once Timberland’s requirements are met, the document becomes an addendum to the contract.
“We have turned people away from doing business with us, in a nice way,” Zych said. “We say, ‘Either you can go back and take some time and tighten up your security or rethink your privacy, or you can consider this conversation done.’”
Most often, Zych added, the security weaknesses identified relate more to process than to technology-based safeguards.
Credit Cards Step Up
Credit card fraud remains a serious threat, Zych said, and he welcomes recent moves by card issuers to impose stricter security requirements on merchants, while also moving toward uniform standards. Until recently, Visa International, MasterCard, Discover Card and American Express each had its own set of requirements for retailers to meet before they were certified to accept the cards.
Last year, Visa and MasterCard announced plans to support a unified standard for consumer data protection, called the Payment Card Industry Data Security Standard (PCI DSS). All retailers are expected to be in compliance by June 30. The PCI security requirements address technical issues, such as secure storage, processing and transmission of customer data, and process issues, such as adherence to auditing procedures.
Tier 1 companies, which include merchants accepting more than six million credit card transactions each year, are subject to independent audits of security compliance. Companies processing 20,000 to six million transactions are required to perform self-audits, and retailers processing fewer transactions are encouraged, but not required, to perform self-audits.
“It’s a good thing. It puts continuous credibility on our ability to protect consumers’ data,” Zych said. “I am confident we will do well” when Timberland’s audit results are complete in March or April, he added.