5-week Privacy Law Series
Reason 2 – Security
All companies that handle personal information or other confidential or sensitive information should have a written information security program (WISP) in place to protect that data. Not only is it a best business practice, it is necessary to avoid liability arising from improper access to, use or disclosure of, or alteration or loss of the data. Some laws require a business (regardless of size or revenue) to have a WISP in place if certain types of personal information are collected. Under the Massachusetts WISP regulations, for example, that would mean a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; although under the Massachusetts law “personal information” does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Failure to have a WISP in place may lead to violation of applicable laws, and could provide additional ammunition for a lawsuit by an aggrieved person. Some of the largest penalties imposed on businesses have been based on failure to maintain adequate security of personal information.
Check back next week for Reason 3 – Specific Laws