Entries tagged with "information security"
Paper Records and Information Security

Christopher Barnett

JP Morgan Chase recently received an unwanted reminder that information security demands attention to more than just the data residing on network hard drives and digital media. “Protestors” from the Service Employees International Union (“SEIU”) filmed themselves sifting through trash in dumpsters outside several New York City Chase Bank branch locations and apparently finding numerous unshredded customer financial statements in trash bags awaiting pickup. (The SEIU has been in a dispute with Chase regarding the bank’s use of non-union security employees.) The video quickly achieved notoriety after being posted on YouTube.com.

While the video would have been more clearly damning had it included footage of Chase employees actually dumping the bags, whatever its evidentiary weight, it serves as a valuable reminder to all businesses maintaining sensitive customer records that information security does not begin and end with electronic data. Clearly, no IS policy is complete unless it includes provisions for the proper collection, handling, storage and disposal of paper records containing private information. Chase has stated that it has reached out to the SEIU for information regarding the records appearing in the video and that it is investigating whether, and to what extent, its employees may have violated its internal IS policies.

The consequences for failing to adequately protect against loss or theft of personal customer data are becoming increasingly severe. Expenses associated with information security breaches can and often do include the costs to notify and assist affected persons, loss of customers, litigation and consulting costs, regulatory fines, and diminution of stockholder share value. In Chase’s case, if the video footage does in fact end up being evidence of a failure on the company’s part to effectively enforce the paper record disposal policies it says it has, then it is not difficult to imagine that the number of affected customers – and Chase’s potential loss exposure – could be quite high indeed.

For more information regarding the consequences of data breaches, you can obtain a copy of a recent national survey on that subject commissioned by Scott & Scott, LLP and independently conducted by the Ponemon Institute by clicking here.

Tags: information security
Student Loan Company Settles With FTC

Ilan Jenkins

The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years.

Goal Financial provides a variety of loan services and, in the course of its business, collects personal information from loan applications and other sources. The information includes name, address, telephone number, driver’s license number, Social Security number, date of birth, and income, debt, and employment information. The company is therefore a “financial institution” under the Gramm-Leach-Bliley Act (“GLBA”) and is subject to the GLBA’s Safeguards Rule and Privacy Rule. Goal Financial stores the records in both electronic and paper form.

The FTC’s complaint alleges that Goal Financial engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security measures to protect personal information. Specifically, the complaint alleges that Goal Financial placed at risk the personal information of over 41,000 consumers because it failed to:

(1) assess adequately risks to the information it collected and stored in its paper files and on its computer network;
(2) restrict adequately access to personal information stored in its paper files and on its computer network to authorized employees;
(3) implement a comprehensive information security program, including reasonable policies and procedures in key areas such as the collection, handling, and disposal of personal information;
(4) provide adequate training to employees about handling and protecting personal information and responding to security incidents; and
(5) require third-party service providers by contract to protect the security and confidentiality of personal information.

Goal Financial’s employees allegedly exploited these failures and, without authorization, removed more than 7,000 consumer files containing sensitive information and transferred them to third parties. In 2006, a Goal Financial employee sold to the public computer hard drives containing the personal information of approximately 34,000 consumers.

Due to such failures, Goal Financial also violated the Safeguards Rule of the GLBA, which requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical, and physical safeguards.

Additionally, the Privacy Rule requires financial institutions to provide customers, no later than when a customer relationship arises and annually for the duration of that relationship, “a clear and conspicuous notice that accurately reflects [the financial institution’s] privacy policies and practices,” including its security policies and practices. Goal Financial distributed to its customers a privacy policy that contained false or misleading statements regarding the measures implemented to protect its customers’ personal information.

The proposed settlement requires Goal Financial to institute measures to bring it into compliance with the rules stated above and to prevent it from committing future violations.

View the news release: http://www.ftc.gov/opa/2008/03/studlend.shtm

View the complaint: http://www.ftc.gov/os/caselist/0723013/080304complaint.pdf

View the proposed settlement: http://www.ftc.gov/os/caselist/0723013/080304analysis.pdf

Tags: information security
Drafting and Defending Privacy Policies and Incident Response Plans

Julie Machal-Fulks

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).

Every privacy policy should contain a clear and concise statement of what personal information the organization collects; whether the company discloses that information to third parties and, if so, under what circumstances; a list of the safeguards employed to protect the information; and a discussion of any required opt-out provisions.

Your company can face potential liability if your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:

  • Investigations by appropriate regulatory authorities.
  • Orders prohibiting further misrepresentations.
  • Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.
  • Claims based on negligence for failing to follow enumerated policies.
  • Civil fines.
  • Officer and director liability.

It is vital that companies use customized privacy policies prepared after carefully considering their ability to deliver on their promises. For that reason, it is not advisable to copy policies from the internet, or promise more than is legally required.

Tags: data privacy, information security
Posted on: 12/1/2009 4:43:04 AM
Dave & Buster’s Busted

Keli

The FTC recently approved a settlement with Dave & Buster’s, Inc., a restaurant and arcade chain, for the largest recorded data breach of private credit card information.

The hackers responsible for stealing credit card data from Dave & Buster’s gained access through an unsecured wireless Internet router, or wireless access point (WAP). The hackers had sought out businesses with no Internet security password and, after gaining access to the networks, had obtained credit card numbers and customer data in real time as the cards were swiped.

There is a growing trend for the FTC to seek civil damages for lax Internet security in order to encourage businesses to provide additional protective measures for online data, including wireless Internet routers. In addition to the monetary damages Dave & Buster’s will pay to settle the claim related to this data breach, the company will be required to maintain an information security program and to have its security systems professionally audited semi-annually.

Basic information security guidelines can help to prevent this type of breach. It is important to secure passwords, to enable firewall protection, and to institute additional, appropriate security safeguards to protect consumer information. This is especially important when dealing with sensitive financial data.

Tags: data breach, information security
Posted on: 8/7/2010 12:32:05 PM