In July 2006 I wrote about New Jersey’s Identity Theft Prevention Act (business-newsletter-vol-1). I also gave a presentation to the Pennington Business & Professional Association on the Act (pbpa-presentation). At that time the Act still required that rules be proposed. Since then the Division of Consumer Affairs, in conjunction with the Department of Banking and Insurance, proposed rules implementing the Act in April of 2007 and partially adopted those rules one year later. Although the DCA decided not to adopt the rules setting forth the hardware and software requirements of the law, this article seeks to examine the proposed rules regarding a company’s obligations to maintain the confidentiality of a person’s private data. Even though it was not adopted, I think what was proposed is instructive because DCA will have to re-propose standards at a later date.
One part of the proposed regulations, which was not adopted, defined personal information as any information that combines a person’s first name or initial and last name with any of the following: social security number, driver’s license number, or account/credit card numbers. Another section of the regulations, which was adopted, defined “business” in a manner that included any and all businesses – no matter the size. The rules would have applied to a sole proprietorship all the way up to the largest corporation in the State. The adopted regulations provide that any business that maintains a client’s credit card information or social security number must have in place technology and office policies to protect the privacy of this information. With one minor and unimportant exception the regulations do not differentiate by the size of the business – they apply whether the business is a three-person operation or a 1000-person operation.
The Department did not adopt the Section 3 requirements due to the large number of negative comments. While the Department did not publish all of the comments, it did indicate that the objections ranged from the cost of implementing the requirements to the ability of businesses and public entities to comply. Other commenters from large entities noted that they already had extensive systems in place and that complying with the proposed regulations would be counterproductive.
Other provisions in Section 3 that were not adopted set forth business practice requirements or policies that should be in place. While these sections were not adopted, the business practices that were suggested should be examined, as they will likely find their way, in modified form, into a re-proposal. First, only those who need access to the personal data should be allowed access to it. Former employees’ user IDs and passwords should be deactivated immediately. This is not only required for compliance with the Act and proposed regulations, but is a good business practice in and of itself. Employees should be trained to recognize personal information and to understand how that information should be treated. Businesses with five or more employees must have a written information security policy that details the security of computerized personal information and explains each employee’s responsibilities regarding the use and maintenance of that information.
The systems in place need to be regularly reviewed because the proposed rules require daily scans. In other words, the business needs to ensure that the antispyware and antivirus programs are actually up-to-date and running daily scans. The proposed rules require that the firewalls keep logs of incoming and outgoing communications and that the business ensure those communications are authorized and not the result of a breach in security. Documentation must be maintained detailing the business’s security protocols and audits.
As I noted in the last article, in the unfortunate event of a breach, the particulars of the breach must be reported to the Division of State Police of the Department of Law and Public Safety. The proposed, but not adopted, regulations require that this report be made within six hours of discovery of the breach. Despite the amount of press identity theft receives, it continues to occur on sometimes scary scales. These thefts are the result not only of direct malicious attacks, but also of negligence on the part of employees and contractors, or just bad luck. There have been several instances when an employee has taken home a business laptop only to have that laptop stolen when the employee stopped along the way to pick something up. For this reason, laptops should be encrypted – and it may also be a good practice to use a cable lock to secure the laptop within your car if you plan on making stops on the way home. While it may be a pain to secure your laptop, that “pain” is negligible when compared to the headaches of having to report the theft and explain to your customers, employees and others why their identities may be at risk.
Subsection 3.5 of the proposed regulations detailed how personal information should be destroyed. The proposed regulations provide that the records, whether paper or electronic, must be destroyed in such a way (such as shredding, erasing or otherwise modifying the information) that they are “unreadable, undecipherable or noreconstructable.” The business must keep track of how and when the records were destroyed, and these records must be maintained for a period of five years. Keep in mind that hitting the delete key on your computer is not the same as putting a piece of paper through a shredder. “Deleting” a file on a hard drive does not really delete the record; in fact, the deleted record can be recovered fairly easily. There are programs available at little or no cost, however, that will ensure the record is unrecoverable. This is important to remember when you need to have hard drives replaced or when you are donating or discarding old computers, and it will probably be something to consider when the DCA issues a new proposal.
As if all of the possible repercussions of violating the Act were not significant enough, Section Five of the regulations, which was adopted, sets forth the penalties for violating the Act or its regulations. Failure to comply with the time lines for reporting a breach, failure to maintain the required records, or failure to maintain the required computer security systems is deemed to be a willful, knowing or reckless violation of the Act. It will also result in liability under the Consumer Fraud Act. A violation of the Consumer Fraud Act will result in triple damages, possible punitive damages and attorney fees. That can be a very hefty price to pay for not maintaining proper records and security procedures.
Taking a proactive approach to maintaining personal information has the potential to save you thousands of dollars and lots of headaches in the future. If you have any questions regarding how to comply with the law, contact your attorney and your technology consultant and ask them to walk you through the policy and hardware/software you need to ensure a headache-free future.