transmission of the required notice, which depends on the cost of notification and the number of customers entitled to receive notice, and can include written notice, e-mail notice, conspicuous posting on the business's website and, in certain circumstances, notice through major statewide media.

Substantial Exposure to the ITPA. A business that violates the security breach notification obligations is exposed to substantial costs, fines and penalties, as well as private actions by affected customers. There are steps that can be taken to minimize the likelihood of a data security breach. First, a business should evaluate whether it needs to retain personal information at all and, if so, for how long. Next, survey and pinpoint every place personal information is held insecurely, in electronic form and in hard copy, including an assessment of (1) existing administrative procedures and what changes should be made to reasonably prevent unauthorized access to records containing personal information; (2) existing technology, such as firewalls and the policies and procedures governing use of remote devices (e.g., laptops and employee-owned equipment); and (3) whether hardware and software should be updated to reasonably secure access to the records. Although encryption of personal information does not equal compliance and should not be presumed to do so, unauthorized access to encrypted personal information may excuse a business from the notification obligation, but only where the encryption does, in fact, render the information unreadable or unusable; an intruder who obtains the decryption key along with the data has obtained readable data. ITPA also requires that a business that compiles or maintains customers' personal records, or otherwise has such records in its custody and control, arrange for the destruction of records that are no longer to be retained by shredding, erasing or otherwise modifying them so that they are unreadable, undecipherable or nonreconstructable through generally available means or technology.
This provision covers hard copy records as well as electronic data, including the hard drives and servers on which the data is stored. Therefore, whether or not a business actually uses the personal information in the course of its business, if it has custody and control of such records it must destroy them as the statute directs. For example, a business that prepares mass personalized mailings for other businesses and is provided mailing lists containing personal information must destroy those lists once the project is completed.

In an effort to limit the use of Social Security numbers as a means of identifying an individual, ITPA restricts their use by prohibiting a private entity or public agency from posting or displaying an individual's Social Security number, or any four or more consecutive digits of it. The provision also prohibits printing the number on mailed materials unless required by state or federal law, printing it on a card required for an individual to access products or services provided by a business, intentionally communicating or making it available to the general public, requiring an individual to transmit it over the Internet, or requiring it for access to an Internet website unless a password, PIN or other authentication device is also required. A business may, however, continue to use Social Security numbers for internal verification of an individual. Every business should re-evaluate its existing uses of Social Security numbers, determine whether each use complies with the provisions of ITPA and, if it does not, modify the use accordingly.

We recommend that each of you familiarize yourself with your state's security breach notification or similar law.
A good starting point is the National Conference of State Legislatures' summary at www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx and the Congressional Research Service report Data Security Breach Notification Laws at www.fas.org/sgp/crs/misc/R42475.pdf.