By Curtis Capeling & Jacob A. Feldman
April 2, 2009
Does your business maintain customer records that include customer names together with a social security number, driver's license number or an account number? If the answer is yes, then you have what many state laws call "personal information." Even if your business operates only in the state of Tennessee, if you have personal information on residents of other states, then you may need to act to avoid violating new state laws dealing with privacy, data security and identity theft.
Privacy
If your business has a website, chances are that it already has a privacy policy. However, if you have not updated your privacy policy and practices recently, they may not meet the requirements of some recent state laws, such as those of Connecticut and Texas.
The Connecticut law requires anyone who collects Social Security Numbers to create a "privacy protection policy" and post it on their website. The privacy protection policy must:
1) protect the confidentiality of SSNs;
2) prohibit unlawful disclosure of SSNs; and
3) limit access to SSNs.
A similar law in Texas goes further and prohibits businesses from requiring customers to disclose their Social Security Numbers except pursuant to a privacy policy that identifies:
1) how personal information is collected;
2) how and when the personal information is used;
3) how the personal information is protected;
4) who has access to the personal information; and
5) the method of disposal of the personal information.
You should make sure that your privacy policy accurately describes your business practices. If you do not follow your privacy policy, the FTC could bring an enforcement action against you for unfair and deceptive trade practices, or your competitors could bring a claim against you for unfair competition.
Data Security
Data protection laws generally fall into one of two categories — data breach notification laws, and data security laws. While many states now have data breach notification laws, few states have data security laws. However, the recent trend is data security laws requiring the encryption of personal information. Surprisingly, the laws of other states can apply to businesses in Tennessee if they have personal information on residents of those states.
For example, beginning January 1, 2010, a Massachusetts law requires businesses with personal information of a Massachusetts resident to have a written information security program, and to encrypt all records containing personal information that will travel across public networks or be transmitted wirelessly, and all personal information stored on laptops or other portable devices.
Similarly, a Connecticut law requires businesses with personal information to safeguard the data, computer files and documents containing that personal information, and destroy, erase or make unreadable such data, computer files and documents prior to disposal.
Identity Theft
The FTC's Red Flag Rules require "financial institutions and creditors" to have an identity theft red flags program. At first glance you may think that this does not apply to your business. You may be surprised, however, because the FTC has taken a very broad view of the rule.
If you provide goods or services to your customers before receiving payment, you may be a "creditor" and be subject to the rules. Enforcement of this rule begins May 1, 2009*. Compliance requires a written identity theft prevention program designed to detect, prevent, and mitigate identity theft.
To know if the rules apply to you, the first step is to decide if you are a "creditor." If so, the next step is to decide if you have "covered accounts." There are two types of covered accounts — transaction accounts (such as credit card, cell phone, and savings accounts), and any other accounts at risk for identity theft. If you determine that you are a creditor and that you have either type of covered accounts, it is important to have an identity theft red flags program.
*UPDATE: On April 30, 2009, the FTC announced a 3-month delay in enforcement of the Red Flags Rule. Consequently, creditors and financial institutions now have until August 1, 2009 (instead of May 1, 2009) to comply with the rule and develop and implement an identity theft red flags program.
**UPDATE: On July 31, 2009, the FTC announced another 3-month delay in enforcement of the Red Flags Rule. Creditors and financial institutions now have until November 1, 2009 to comply with the rule and develop and implement an identity theft red flags program.
For more information on these and other privacy concerns, please contact Curtis Capeling at 615.256.0500.