State Tightens Data Rules

GRAND RAPIDS — The Michigan Data Breach Notification Law that goes into effect July 2 will impact virtually any kind of entity — public or private — that maintains people’s personal information in an electronic format. The new amendment to the Identity Theft Protection Act requires that any breach of computerized personal data be reported to each individual whose personal information was compromised.  

Beginning next month, any company, governmental unit/agency, public institution or individual that owns, maintains or licenses an electronic database of personal information that includes either driver license numbers, social security numbers, personal banking/financial account information, or a combination thereof must abide by the requirement or face fines for non-notification. The law is “very broad” as to whom it applies, according to Norbert Kugele, a partner at Warner Norcross & Judd LLP, who has taught seven seminars on the subject.

“This is not only going to apply to consumer databases that a retailer or online business might have, but also to a company’s or agency’s personnel records on employees,” he explained. If, for example, a company does direct deposit of paychecks, it’s going to have a record of the employee’s financial institution information and maybe driver’s license number.

According to a 2006 study by the Ponemon Institute of Michigan, the corporate cost of a data breach averages $182 per compromised record. Total costs of recovering from a data breach incident averaged $4.8 million and ranged from $226,000 to $22 million.

Forrester Research estimates the costs range from $50 to $90 per record, which is just the cost of identifying the security breach, dealing with the security breach, and then doing the actual notification. Add to that the distraction of having to deal with a breach and the loss of employee production while it’s being resolved, Kugele said.

If a publicly traded company experiences a breach, he said, it will impact the company’s stock, and there might be regulatory issues that have to be dealt with. The adverse publicity, a marred public image and a loss in customer confidence can significantly raise the damages. Forrester Research indicates that the true cost could be as much as $300 per record, depending on the regulatory climate that a company operates under.

On top of all the other costs, there’s another potential cost — the legal expense of fighting lawsuits brought by individuals who were victims of identity theft.

“Ultimately, the research concludes that it’s cheaper just to put into effect the necessary security that you need on your system to try to prevent these things from happening,” Kugele noted.

There are a couple of carve-outs in the statute. Financial institutions aren’t subject to the statute because they’re subject to heavy regulation under federal and state laws. Kugele said the Gramm-Leach-Bliley Act has very specific requirements about protecting personal information and notifying customers of a breach, so financial institutions are already covered in those respects. Similarly, entities that are subject to and in compliance with privacy regulations under the Health Insurance Portability and Accountability Act already have security and notification obligations, too.

There is an exception to the Michigan Data Breach Notification Law. It’s what Kugele calls the “I pulled up the wrong record” exception.

“If in good faith you are trying to access a record, and you mistakenly pull up the wrong record, that’s not going to be considered a security breach as long as you didn’t misuse the information,” he elaborated.

Data security breach notification laws differ from state to state, so businesses that operate in several states have to consider the legal issues involved in a data breach in those other states, as well. In Michigan, the fine is $250 for each failure to provide notice, but for multiple violations the fine can’t exceed $750,000. Under Michigan’s breach notification law, people have to be notified of a breach unless the company or institution maintaining the database can demonstrate that there is no risk of harm. Kugele believes a finding of “no risk of harm” would be difficult to prove.

“If you’re covered under this statute and have suffered a security breach, how could you possibly know that there’s no risk of harm?” Kugele asked. “Unless you can track down the specific person who has acquired the data and figure out what his motivations are, I don’t know that there is any way you can conclude, in most circumstances, that there is no risk of harm for the people in that database. I think, in most cases, you should err on the side of caution and send out a notification.”

Kugele has been trying to spread the word about the data breach notification law in seminars but said he doesn’t know how widely known it is yet. For those who aren’t yet familiar with it and need to prepare, he has a few recommendations.

First, a company should look at its computer system and figure out exactly what information it has and where it is stored. Then the company should decide what information it really needs to keep, and weed out the rest.

“You should also think about consolidating information, because the more places it is on your computer system, the greater the risk,” Kugele pointed out. “If you can isolate it and keep it in fewer places on your system, that by itself will reduce the risk of breach.”

A company also has to seriously consider who has access to personal information, he said. Controls have to be put in place so that only people who have a need to access the information have the authority to access it. It’s a good idea to have a consultant do some penetration testing on the system to see how vulnerable it is from the outside. But don’t just look at the system’s external security, Kugele advised. More than half — some estimate as much as 70 percent — of security breaches actually occur within an organization. An organization has to determine whether people inside the organization who don’t have authority to access personal information can access it anyway.

“Another thing to think about is what do you really know about the individuals who have legitimate rights to access the information? Have you done any background checks on them? If not, maybe you should think about doing that.”
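The first two recommendations above (find out exactly what covered data you hold and where it sits, then weed out and consolidate) start with an inventory. The script below is an added example, not code from the article or from Kugele's seminars. It scans a set of text records for the three data categories the statute names (Social Security numbers, driver's license numbers and bank routing numbers), applying plausibility checks so that test placeholders and unrelated nine-digit numbers are not counted, and reports only counts per location, never the matched values, so the inventory does not itself become one more copy of the data. The sample files are constructed, the driver's license pattern (one letter followed by 12 digits) is an assumption about Michigan's format rather than something the article states, and hyphenated-only SSN matching is a simplification.

```python
"""Inventory scan for the personal-data categories named in the Michigan statute.

Added example, not from the article. Reports where covered data occurs
(counts per category per location) without copying the values themselves.
"""
import re
from collections import defaultdict

# Constructed sample "files": path -> content. All values are invented.
SAMPLE_FILES = {
    "hr/payroll_2007.csv": (
        "name,ssn,routing,account\n"
        "A. Example,123-45-6789,123456780,000123456\n"
        "B. Example,219-09-9999,987654320,000987654\n"
    ),
    "hr/badge_export.txt": "Badge 4412 DL S123456789012 issued 2006-04-01\n",
    "marketing/newsletter.txt": "Call 555-0100 for the June promotion; order #987654321.\n",
    "finance/notes.txt": "Test SSN 000-12-3456 and 666-01-0001 are invalid placeholders.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MI_DL_RE = re.compile(r"\b[A-Z]\d{12}\b")   # assumed Michigan license format
ROUTING_RE = re.compile(r"\b\d{9}\b")       # candidate ABA routing numbers


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def is_valid_routing(number: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeating, total divisible by 10."""
    d = [int(c) for c in number]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count covered-data categories present in one record; values are not retained."""
    counts = defaultdict(int)
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            counts["ssn"] += 1
    counts["mi_drivers_license"] += len(MI_DL_RE.findall(text))
    for m in ROUTING_RE.finditer(text):
        if is_valid_routing(m.group()):
            counts["bank_routing"] += 1
    return {k: v for k, v in counts.items() if v}


def inventory(files: dict) -> dict:
    """Map each location that holds covered data to its category counts."""
    return {path: hits for path, content in files.items() if (hits := classify(content))}


def summarize(inv: dict) -> dict:
    """Number of distinct locations per category: the 'how many places' figure
    behind the consolidation advice."""
    locations = defaultdict(int)
    for hits in inv.values():
        for category in hits:
            locations[category] += 1
    return dict(locations)


if __name__ == "__main__":
    inv = inventory(SAMPLE_FILES)
    for path, hits in inv.items():
        print(f"{path}: {hits}")
    print("locations per category:", summarize(inv))
```

Run against a real file tree, the same two functions would be fed file contents instead of the constructed dictionary; the point of the design is that the output is a map of locations and counts, which is what the minimization and consolidation steps need and is safe to hand to the people deciding what to weed out.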
