CVS Caremark Corporation operates 6,300 retail pharmacy stores in the U.S., as well as online and mail order pharmacy businesses. Its customers pay with credit and debit cards, insurance cards, personal checks and cash, generating an electronic river of private financial information. CVS also collects sensitive employee information. In 2006 and 2007, TV stations reported finding clearly readable credit card receipts, prescriptions and pharmacy labels in trash dumpsters used by CVS pharmacies in 15 U.S. cities.
In June, following a lengthy investigation, the Federal Trade Commission (FTC) entered a consent order with CVS. The FTC ordered CVS to create an information security system preventing unauthorized disclosure, misuse, loss or destruction of information, to have that system audited yearly, and to allow monitoring by the FTC for the next 20 years.
The Privacy Wave
Laws come in waves. Civil rights laws washed in during the 1960s, and environmental laws floated in during the 1970s. A flood of state and federal privacy laws is now engulfing the U.S. The laws include the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, the Fair and Accurate Credit Transactions Act and the Federal Trade Commission Act, all with their many regulations and amendments, as well as recently enacted state laws.
Increasingly, not just banks, but any company that sells products and collects financial information as part of the sale, must protect that information or face investigations and damages.
The FTC is a new “heavy” in data protection enforcement. The CVS case was the 24th case brought by the FTC to challenge information security practices, and the first case challenging the security of employee data, as well as customer data.
In another recent case, the FTC targeted Compgeeks, an online seller of computer electronics, which collects sensitive information for credit card purchases, such as names, addresses, credit card numbers, expiration dates and security codes. In January 2008, the media reported a data breach at Compgeeks. The company later confirmed that hackers had accessed the sensitive information of numerous consumers. The FTC complaint alleged that Compgeeks routinely stored sensitive information in unencrypted text, did not adequately assess whether its Web application and network were vulnerable to attack, and did not employ even free or inexpensive defenses. As with CVS, the FTC mandated that Compgeeks establish a data security plan which would be continuously audited by outside auditors and monitored by the FTC.
A key part of the FTC’s privacy program is to force companies to keep the promises they make to consumers about privacy. Almost all the top 100 online commercial sites, and many minor ones, now post privacy policies. These policies soothe customers, but can also form a target for FTC investigations.
Several states, including Nevada and Massachusetts, now have data laws that govern small businesses—hair stylists, fast food stores—as well as CVS-type behemoths. Massachusetts requires businesses that collect information about the state’s residents to encrypt sensitive data stored on laptop computers and other portable devices. In Nevada, companies that suffer a security breach but comply with the new law can cap their damages at $1,000 per customer for each occurrence. Those that don’t comply will be subject to unlimited civil penalties.
The Utah Government Internet Information Privacy Act requires courts and other government agencies to post privacy policies on their Websites detailing how sensitive information is collected, used and disclosed, and expects them to comply with those policies. Utah does not yet have a similar law governing private businesses. However, the Utah legislature debated, in its last general session, collecting information regarding each alcoholic drink purchased by Utah consumers. The purpose would be to assist the state in DUI cases by helping it identify individuals, how much they had to drink and where the drinks were purchased.
Utah does have a Computer Crimes Act prohibiting hacking, and an Access to Electronic Communications Act prohibiting providers of electronic communications and remote computing services from disclosing information.
The FTC publishes a booklet, “Protecting Personal Information: a Guide for Business” that identifies five key principles on which a sound security plan should be built. The booklet can be downloaded at ftc.gov. Those principles are:
• Take stock. Know what personal information you have in your files and on your computers.
• Scale down. Keep only what you need for your business.
• Lock it. Protect the information in your care.
• Pitch it. Properly dispose of what you no longer need.
• Plan ahead. Create a plan to respond to security incidents.
Catch the Wave
The trend in laws mandating data privacy protection will likely require even small businesses to eventually adopt privacy policies and encrypt sensitive data. It is a rapidly changing area of the law of which all businesses should remain aware.
Gretta Spendlove is a shareholder at Durham Jones and Pinegar.