While financial institutions have long been subject to federal and state law requirements relating to protection of nonpublic personal information gathered from consumers, it is now clear that businesses of all types will be subject to similar regulations in the future. For example, California law requires that companies that own or license unencrypted personal information about California residents must implement and maintain reasonable security procedures and practices for that data. The California statute does not specify the required level of security, other than to say that it must be "appropriate to the nature of the information" to protect the personal information from unauthorized access, destruction, use, modification or disclosure, including prohibitions on disclosure of such information to unaffiliated third parties unless such parties contractually agree to maintain reasonable security procedures. As such, more and more companies will need advice on how to comply with personal information security requirements, including preparation and implementation of appropriate policies and procedures. The need to provide assistance in this area is even more acute given that consumers have become increasingly sensitized to the risks of identity theft and have become more adamant in their demands that the companies from which they procure goods and services demonstrate that they are committed to protecting the personal information they receive from their customers.
When establishing appropriate compliance strategies and information security procedures for collecting personal information, companies should:
- Establish internal guidelines and policies that assure the uninterrupted security of nonpublic personal information.
- Create and implement employee training measures and supervision systems to ensure that personal information is protected during day-to-day handling and use.
- Establish and continuously evaluate information security systems that include adequate protective physical safeguards and technological measures in support of information security policies.
- Inform all business partners and service providers that handle personal information of their responsibility to ensure that their policies, procedures and practices maintain a level of security consistent with the company’s own information security policies.
- Establish procedures for disposal of personal information in a secure manner and in keeping with the approved records retention schedule and the company’s overall policy objective of minimizing the risk of loss or unauthorized access, use or disclosure of such information.
- Implement plans for conducting an independent assessment of the effectiveness of the policies and procedures that have been put in place by the company for the protection of nonpublic personal information.
The process of developing an appropriate and effective set of information security procedures is time-consuming and requires participation and support from various functions within the company, including sales, accounting, credit, human resources and information technology. In order to make sure that the programs and procedures are effective, companies must designate an employee or employees to coordinate the information security program. In addition, senior management should be publicly committed to the initiative, based on the realization that information security has become a globally recognized element of business ethics policies and practices for companies in a wide range of industries.
The content in this post has been adapted from material that will appear in Business Transactions Solutions (Fall 2008) and is presented with permission of Thomson/West. Copyright 2008 Thomson/West. For more information or to order call 1-800-762-5272.