*******

If you take credit cards, receive personal checks, have social security numbers or other personal identification information, you need to have a Red Flag policy. You can get a Red Flag Policy by calling my office, ask for Eileen: 516 747 6700 ext 312. Cost is $150.00. For more on Red Flag regulations see http://www.kirschenbaumesq.com/earticle262.htm.

**********

The February 25, 2012 article, which I posted below if you missed it, had a response from Massachusetts about its relatively new and strict law on safeguarding personal information. The information is below. It's important that you have a Red Flag Policy, in writing, in place if there is a breach of security. It's been a while since we addressed this issue and offered a simple, inexpensive and effective solution. You should order the Red Flag Policy statement and have all employees sign it acknowledging receipt. While you're at it, have them all sign an Employment Agreement.

***********

Here's the news on Massachusetts:

************

The toughest data protection law in the country was spurred on by high-profile data breaches such as the release of over 45.6M TJX client credit card numbers in 2006 and the fact that nearly one out of three Massachusetts residents had confidential information compromised through data theft or loss in 2010, according to statistics released September 20, 2011 by the office of the Attorney General.

Regardless of business size, type or location, this relatively new Massachusetts law applies to all business entities with access to Personal Information of any Massachusetts resident. Therefore, it is critical to understand these relatively new regulations.

The Massachusetts Data Protection laws apply to your business if it collects, stores, or has access to (in electronic form or paper) any Massachusetts resident's name and his/her:

Social Security Number;

Driver's License Number (or State-issued Identification Card Number);

Financial Account Number; or

Debit or Credit Card Number.


Examples of when Personal Information is typically provided include:


When Checks or Credit Cards are Used;

On Employment Applications;

When Identification is Verified; and

As 401(k) or other Benefit Service Forms are Completed.


Also, as of March 1, 2012, third party vendor contracts MUST include clauses that require compliance with Massachusetts data security regulations.

Under Massachusetts General Laws Chapter 93H and the Code of Massachusetts Regulations Section 17, applicable businesses are required to have a Written Information Security Program, or "WISP," that is communicated to and accepted by each employee. While the law allows for consideration of the size, scope, and type of business, there are strict requirements regarding the format and content of the WISP. The law also has requirements for action in the event of a data loss.

In addition to civil fines assessed by the Attorney General, there is the potential for individual and class action lawsuits, Massachusetts unfair and deceptive trade practice actions, and Federal Trade Commission unfair and deceptive trade practice actions. Failure to comply with the regulations may also constitute prima facie negligence.

*****************

What to do with social security numbers, credit card info, alarm codes etc

February 28, 2012

***************

You may collect your subscribers' personal information for legitimate business purposes. These purposes include identification, ascertaining creditworthiness, retaining information that will be needed later to collect a judgment, and keeping codes and passwords. The information includes social security numbers, credit card information, personal passwords, background information and a host of other information not readily available to the public. While you can collect this information you must be very careful how it is used and accessed. You must also be vigilant that this information does not leave your office. When contained on paper you must redact the information before permitting it to leave your office. My office, which has a very large collection practice for the alarm industry, has the following policy that our attorneys and support staff must follow:

"Social security numbers, tax ID numbers, credit card information, alarm codes, and other personal or sensitive information must be redacted from all legal documents prepared by this office. Any document that goes to arbitration or to court must be checked for all of these types of information. That means exhibits in complaints, demands for arbitration, petitions, etc. If a contract containing any such information is to be used as an exhibit in a legal document, then the information must be redacted before the document is given to an attorney to review and sign. Attorneys are not to sign any legal document if the file contains a document that needs to have certain information redacted and it hasn't been done yet. Do not write any of the information that needs to be redacted into the file. Instead, keep an unredacted copy in the file in case we need it later for permissible use – as a trial exhibit, to perform a search, or for judgment enforcement. When closing out files, you need to redact social security numbers from the unredacted copy kept in the file."

Here's why we are so careful, and you should be too:

Failure to follow these procedures may result in severe penalties.

New York General Business Law section 399-dd*4 provides in relevant part as follows:

"No person [or] firm … shall do any of the following: Intentionally communicate to the general public or otherwise make available to the general public in any manner an individual’s social security number....

Any person [or] firm … having possession of the social security account number of any individual shall, to the extent that such number is maintained for the conduct of business … take reasonable measures to ensure that no … employee has access to such number for any purpose other than for a legitimate or necessary purpose related to the conduct of such business … and provide safeguards necessary or appropriate to preclude unauthorized access to the social security account number and to protect the confidentiality of such number....

No person may file any document … in any court of this state that contains a social security account number of any other person...."

The penalties for violation are severe - $1,000 for a single violation or $100,000 for multiple violations resulting from a single act or incident – and the numbers go up significantly upon subsequent violations.

Failure to properly redact certain information is also a violation of the Federal Red Flags Rules and may result in severe penalties. There is currently a $3,500 penalty for each violation and violators may also be subject to court ordered injunctive relief.

By the way, ignorance of the law is irrelevant, as is who in your office is the offender. You're the one who's going to be sued and have to pay the judgment. Be careful what you send out of your office and who you send it to. Whoever you're sending it to needs to be as careful as you to make sure that any document is properly and thoroughly redacted of personal identification information.

Federal Law

Federal Trade Commission red flag rules, codified in 15 U.S.C. § 1681, require companies holding consumer accounts to adopt policies to detect and prevent the unauthorized disclosure of information and identity theft.

Texas Law

Section 501.052 of the Texas Business and Commerce Code requires any business that requires individuals to disclose their social security number to obtain goods or services or enter into a business transaction to have a privacy policy on file that describes, among other things, how social security numbers are collected, used, and protected.


Not sure how to comply? Call Gene Rosen, Esq., at 516 747 6700 ext 303. He is our Managing Attorney in our Alarm Collection Department. He can also be reached at GRosen@KirschenbaumEsq.com. Our alarm collection practice is limited to New York and New Jersey.