VOICES FROM THE INDUSTRY: New law requires disclosure of business security breaches

A new law that’s designed to protect Indiana consumers changes the way businesses interact with their customers living in Indiana.

Public Law 125, passed in the last session of the Indiana General Assembly and effective as of July 1, requires businesses to notify customers that reside in
Indiana if there’s been a security breach in which personal data has been stolen.

The law defines “personal information” as a Social Security number that is not encrypted or redacted, or a person’s name with any of the following unencrypted or unredacted data: a driver’s license number, a state identification card number, a credit card number, or a debit card or other account number with the corresponding pass code. As more businesses collect and store customer information electronically, consumers are increasingly vulnerable to savvy hackers and data thieves.

A win for consumers

The law provides significant protection for Indiana consumers. Consumer fraud and identity theft, both relatively modern crimes, have become progressively common problems. Nationwide, the Federal Trade Commission reported consumer complaints about consumer fraud and identity theft increased more than 50 percent from 2002 to 2004.

And the FTC also reported that in 2004, Indiana ranked 17th out of the 50 states in identity theft victims with 4,275. More than 900 victims resided in Indianapolis.

While this law is new to Indiana, other states-more than 20, in fact – have similar laws in place to protect consumers. By January 2007, 30 states will have laws like these on the books. And while each state’s law has its own nuances (slight variances in the definition of “personal information,” for example), the bottom line is the same: businesses must take steps to protect their customers’ sensitive information and be prepared to react quickly if information is made public.

What does “react quickly” mean? The law says “without unreasonable delay.” While Indiana’s law does not require notice to be sent in any particular time period, states that do, define it as 45 days. In any event, notice should be delivered once the company understands what happened and which customers were affected, and has restored the integrity of the system.

Swift notification

Public Law 125 places more responsibility on businesses to safely collect and protect customer data. Because the law requires swift notification, there are measures every business should consider.

Consider how your business collects and stores customers’ personal data. Many states’ notification laws do not apply to secure data. Encrypting data protects information and, in some cases, exempts firms from adhering to the reporting laws.

Update your company’s privacy policies and internal procedures. Many states,
including Indiana, do not require notice if the company’s own policy meets the standards outlined in the state law.

Think about how your company would respond to customers in the event of a breach. Will your company send individual notices? (Indiana law allows notice by mail, e-mail, phone and fax.) Will your company provide any perks to affected customers, such as a toll-free hotline or free credit report monitoring?

Develop a public relations crisis plan. Include strategies for issuing news to media, and consider media outlets in addition to the local newspaper, such as business
journals, on-line bulletin boards and blogs.

Have a data security breach notification kit on hand. Create a template for a notice letter that complies with relevant state laws where your company has customers. Include relevant Web sites and governmental materials for reference.

Update your agreements with vendors and other third parties. Clarify which company is responsible for compliance with consumer notice requirements, and re-visit provisions like indemnification obligations.

As of July 1, businesses also are required to render personal data unusable once it is discarded. Businesses that collect
personal identification information will want to re-visit or create documentdestruction policies.

Congress has been considering legislation to regulate this issue on the national level. In the meantime, business still must comply with the various state laws in place. In addition, if the federal law is not as strict as the state laws, many states may want to keep their heightened requirements to protect their residents.