September 1, 2009

Catch the Next Legal Wave

Complying with Data Privacy Laws

By Gretta Spendlove

CVS Caremark Corporation operates 6,300 retail pharmacy stores in the U.S., as well as online and mail order pharmacy businesses. Its customers pay with credit and debit cards, insurance cards, personal checks and cash, generating an electronic river of private financial information. CVS also collects sensitive employee information. In 2006 and 2007, TV stations reported finding clearly readable credit card receipts, prescriptions and pharmacy labels in trash dumpsters used by CVS pharmacies in 15 U.S. cities. In June, following a lengthy investigation, the Federal Trade Commission (FTC) entered a consent order with CVS. The FTC ordered CVS to create an information security system preventing unauthorized disclosure, misuse, loss or destruction of information, to have that system audited yearly, and to allow monitoring by the FTC for the next 20 years.

The Privacy Wave

Laws come in waves. Civil rights laws washed in during the 1960s, and environmental laws floated in during the 1970s. A flood of state and federal privacy laws is now engulfing the U.S. The laws include the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, the Fair and Accurate Credit Transactions Act and the Federal Trade Commission Act, all with their many regulations and amendments, as well as recently enacted state laws. Increasingly, not just banks, but any company that sells products and collects financial information as part of the sale, must protect that information or face investigations and damages.

FTC Enforcement

The FTC is a new “heavy” in data protection enforcement. The CVS case was the 24th case brought by the FTC to challenge information security practices, and the first case challenging the security of employee data as well as customer data.

In another recent case, the FTC targeted Compgeeks, an online seller of computer electronics, which collects sensitive information for credit card purchases, such as names, addresses, credit card numbers, expiration dates and security codes. In January 2008, the media reported a data breach at Compgeeks. The company later confirmed that hackers had accessed the sensitive information of numerous consumers. The FTC complaint alleged that Compgeeks routinely stored sensitive information in unencrypted text, did not adequately assess whether its Web application and network were vulnerable to attack, and did not employ even those defenses that were free or inexpensive. As with CVS, the FTC mandated that Compgeeks establish a data security plan which would be continuously audited by outside auditors and monitored by the FTC.

A key part of the FTC’s privacy program is to force companies to keep the promises they make to consumers about privacy. Almost all of the top 100 online commercial sites, and many minor ones, now post privacy policies. These policies soothe customers, but they can also form a target for FTC investigations.

The Law

Several states, including Nevada and Massachusetts, now have data laws that govern small businesses—hair stylists, fast food stores—as well as CVS-type behemoths. Massachusetts requires businesses that collect information about the state’s residents to encrypt sensitive data stored on laptop computers and other portable devices. In Nevada, companies that suffer a security breach but comply with the new law can cap their damages at $1,000 per customer for each occurrence. Those that don’t comply will be subject to unlimited civil penalties. The Utah Government Internet Information Privacy Act requires courts and other government agencies to post privacy policies on their websites detailing how sensitive information is collected, used and disclosed, and expects them to comply with those policies.

Utah does not yet have a similar law governing private businesses. However, in its last general session the Utah legislature debated collecting information regarding each alcoholic drink purchased by Utah consumers. The purpose would be to assist the state in DUI cases by helping it identify the individual, how much he or she had to drink and where the drinks were purchased. Utah does have a Computer Crimes Act prohibiting hacking, and an Access to Electronic Communications Act prohibiting providers of electronic communications and remote computing services from disclosing information.

Useful Publications

The FTC publishes a booklet, “Protecting Personal Information: A Guide for Business,” that identifies five key principles on which a sound security plan should be built. The booklet can be downloaded at ftc.gov. Those principles are:

• Take stock. Know what personal information you have in your files and on your computers.
• Scale down. Keep only what you need for your business.
• Lock it. Protect the information in your care.
• Pitch it. Properly dispose of what you no longer need.
• Plan ahead. Create a plan to respond to security incidents.

Catch the Wave

The trend in laws mandating data privacy protection will likely require even small businesses to eventually adopt privacy policies and encrypt sensitive data. It is an area of the law which is rapidly changing and of which all businesses should remain aware.

Gretta Spendlove is a shareholder at Durham Jones and Pinegar.