March 29, 2017
Whether kept on servers or sent through email, nearly every business or organization controls, manages, transmits, or stores a certain type of data known as “personally identifiable information.” Personally identifiable information (PII) is generally understood as a collection of sensitive material which, taken together, would be sufficient to locate, contact, or otherwise identify a single person. Companies may maintain PII on their employees, customers, clients, students, patients, or other individuals, depending on the industry.
Common examples of data considered to be PII include an individual’s full name, street address, social security number, passport and driver’s license numbers, credit card and bank account numbers, telephone numbers and biometric data. Other information, such as a date and place of birth, or information on an individual’s race or religion, may seem harmless, but can often be used in conjunction with other data to identify a person. For instance, the United States General Accounting Office estimates that 87% of the American population can be individually identified using only their gender, date of birth, and ZIP code.
As companies compile PII on their employees, customers, or third-parties, companies also inherit responsibilities related to this data and expose themselves to potential threats. As advancements in telecommunications and computing have created the ability to process vast amounts of information, new challenges have also emerged. As seen in the examples of Yahoo! and Target, data breaches occur at all levels of corporate sophistication, and the resulting fallout stemming from these breaches can be costly, time-consuming, and damaging to a company’s reputation. Further, data breaches need not occur from malicious attack or phishing only. Often, employee carelessness can result in sharing PII with a much wider audience than intended. Regardless of the method by which the data is lost, companies face many of the same consequences: fines, litigation expenses, the costs of implementing better systems, and the damage of negative publicity.
Recognizing the potential harm to American consumers, Congress has enacted numerous statutes related to data privacy, often in industry-specific contexts. Examples of federal statutes protecting PII include:
- Gramm-Leach-Bliley Act – for financial information;
- Fair Credit Reporting Act (FCRA) – regulating how consumer reporting agencies use credit information;
- Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) – for healthcare related information;
- The Family Educational Rights and Privacy Act (FERPA) – relating to PII protections for student educational records;
- The Children's Online Privacy Protection Act (COPPA) – relating to the privacy of children under 13;
- The Privacy Act of 1974 – requiring fair information practices regarding PII held by federal agencies;
These laws attempt to protect an individual’s PII by restricting a company from sharing information and possibly establishing technical standards for safeguarding PII. Additionally, many states have passed laws requiring companies to notify individuals who have had their information compromised.
So what should companies do in light of the increasing prevalence of data-related threats and the expansion of regulations regarding PII?
The most cost effective method of mitigating the potential for mishandling PII would be adopting an acceptable use policy specific to a company as it relates to employees and other individuals who may use PII. Acceptable use policies assist companies in setting ground rules concerning fundamental questions on the use of PII. These ground rules should include: (i) who needs access to PII; (ii) which regulations must the company follow; (iii) where are the vulnerabilities in the company’s use of PII; and (iv) rules and permissions company personnel have must follow? An acceptable use policy should accomplish certain basic goals: protect PII under the company’s control, define the means by which authorized users may access PII, and establish how PII can be used by employees. Companies with acceptable use policies should ensure that their employees are sufficiently educated in the policy and that employees have signed affirmations that they have read and understood the policy.
Companies which handle larger amounts of PII from customers and third-parties should also consider adopting privacy policies on the use of PII. Privacy policies establish the relationship between a company and a customer or client concerning the methods by which the company is able to use the individual’s PII. Increasingly an industry standard, privacy policies inform customers what PII is collected, how it is used, and with whom it may be shared. Some of the industry-specific federal laws, such as HIPAA and COPPA, require privacy policies, and certain states, including Pennsylvania, treat misleading privacy policies as a deceptive or fraudulent business practice.
Regardless of the type or the size of the company, any organization should have a comprehensive understanding of the PII it collects and how it will be utilized. Companies should have a legal understanding of which of the various federal and state regulations relating to PII apply to their specific situation and should consider adopting acceptable use policies and privacy policies related to this data.
If you have any questions regarding adopting a policy or which regulations might apply to them, it is best to consult with an attorney who is knowledgeable in this area of law.