Protecting Data in the Workplace

November 28, 2007

Identity theft victimized approximately 9 million Americans from 2003 to 2005, according to a Federal Trade Commission survey. It's among the fastest-growing crimes in the United States and around the world. In 2005 alone, businesses spent $56 billion on fixing identity theft issues caused by poor data-privacy procedures, according to a 2005 Javelin/Better Business Bureau survey.

Consumers expect businesses to safeguard data, and executives must take the proper steps to enact sound data-privacy policies to protect data against internal and external threats. Businesses must also publish privacy policies to tell customers what information about them is collected, how it's collected and what's done with that information.

Applicable Laws

Certain federal and state laws apply to data-privacy protections. On the federal side, the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA) carry the most weight.

The GLB requires companies to provide customers with an annual privacy statement. The notice must be a clear, conspicuous and accurate statement of the company's privacy practices. It should include what information the company collects about its consumers and customers, with whom it shares the information and how it protects or safeguards the information. For additional information on the GLB, see the Federal Trade Commission's Web site.

HIPAA requires that many health care and financial institutions create written privacy procedures that safeguard someone's medical records. For additional information on HIPAA, see the Department of Health & Human Services Web site.

On the state side, California law specifies that any person or entity doing business in California must take the appropriate security measures to protect specified personal information of California residents, including Social Security numbers, driver's license or state ID numbers, financial account numbers or medical information.

This means creating business practices to protect personal information from unauthorized access, destruction, use, modification or disclosure. In addition, businesses must contractually obligate their service providers to the same standards, and notify anyone affected when a security breach occurs.

California also passed its own version of the GLB Act, entitled the California Financial Information Privacy Act, to require additional notification practices for financial institutions that share, or want to share, nonpublic personal information. Customers may choose to opt out of having their information disseminated by financial institutions.

Although legislators introduced other bills to require California businesses to do more, Gov. Schwarzenegger has yet to sign any of those bills into law. Instead, he reiterated that California businesses must use "reasonable measures" when dealing with privacy issues.

Tips for Employers

When dealing with privacy issues, it's always best to err on the side of caution when confronted with anything questionable. Courts place a very high value on privacy rights, so contact the California Department of Consumer Affairs (CDCA) or an attorney for guidance whenever you're in doubt.

Smaller companies may not have the infrastructure to implement most, or even some, of the CDCA's data-protection recommendations. Depending on your type of business, you might want to consider outsourcing your infrastructure creation. Plenty of companies provide this service, but it's important to weigh the cost of the initial service and continued monitoring. Remember, the law says that reasonable steps must be taken -- one size does not fit all.

California employers not in compliance with existing privacy laws expose themselves to fines and possible litigation from customers or employees whose confidential information is compromised.

Many employers worry about data privacy in the workplace. They struggle with devising methods of protecting customers' information, both internally and externally, that don't make employees feel that they need to request a security clearance to perform even the simplest of tasks.

It's a delicate balance, but employers can strike that balance by understanding the applicable laws and studying recommended best practices for executing a sound data-privacy policy.


© 2010 California Chamber of Commerce. All rights reserved.