Privacy 101: Have You Been Naughty or Nice?
“In the kingdom of glass everything is transparent, and there is no place to hide a dark heart.”
- Vera Nazarian, The Perpetual Calendar of Inspiration.
“No one likes to see their name on a government folder.”
- Stephen King, Firestarter.
In keeping with the holidays, I thought you might like to know a little bit about how Santa gets the goods on you. More importantly, as a business owner (or maybe someone running a nonprofit) you have certain duties to keep client and consumer information safe, so it’s a good idea to brush up on your responsibilities. But first…
Disclaimer: The following information does NOT constitute legal advice and is only for general educational purposes. Each situation is different and specific legal issues usually require additional research and investigation, so do not rely on this article to address a particular legal issue; use it as a starting point to gain a general understanding.
Supplemental Disclaimer: This is not an all-inclusive list of all privacy laws. Plus, I’m only addressing New York State laws in this article; federal is a whole other story; perhaps we will examine those in a future article.
1. What is Privacy?
Common Law typically recognizes four forms of “privacy” violations for which a person can sue: (1) intrusion upon a person in a secluded area or upon a private matter; (2) public disclosure of a private, but otherwise truthful, fact; (3) false light portrayal of an individual; and (4) misappropriation of a person’s name or likeness.[1]
So, um, what is the “Common Law?” It’s the unwritten law that courts enforce in the absence of a statutory law saying the same thing or contradicting it.[2] In plain English, if there isn’t already a written law that says you can or can’t do something, a court may find a right or responsibility anyway; but it’s not arbitrary; it has to be an established custom or court-made precedent, or derive from them.[3]
Ironically, in 1902, New York’s highest court ruled that there is no common law right of privacy in New York State.[4] In response to this decision, New York’s legislature passed its first privacy laws.[5] Since then, the State has passed many more laws concerning the duties of protecting information,[6] prohibiting spying,[7] requiring care in handling documents,[8] licensing for document destruction[9] and so forth.
This article will deal with these duties and rights from the perspective of a business (or nonprofit): some of the things you need to do, some you should not do, and other areas where caution is warranted.
2. What is Private Information?
Many of the privacy laws in New York State deal with the care, handling, sharing and disposal of “personally identifiable information,” but what is that? It turns out that "personally identifiable information" can be defined in a number of ways, by a number of different laws, with some definitions only applying to the terms of that particular law.[10] Further, definitions can vary state by state, so if you do business in more than one state, you may need to be cognizant of those subtle differences.[11]
While there is no central definition, many laws do take their lead from the Federal Trade Commission’s definition: “Data that can be linked to specific individuals, and includes but is not limited to such information as name, postal address, phone number, e‐mail address, social security number and driver’s license number.”[12]
3. General Tips
There have been 5,000 reported data breaches and over 5M records exposed from 2005 – 2014.[13] For the average organization, the Federal Trade Commission (“FTC”) recommends five general approaches as your first line of defense: (1) take stock, (2) scale down, (3) lock it, (4) pitch it, and (5) plan ahead.[14]
By the way, if you don’t know what the FTC is, don’t be embarrassed; it is one of those organizations everyone seems to have heard of but no one seems to know much about. It is an independent federal agency, currently with over 1,100 employees, originally created by the Federal Trade Commission Act in 1914, under U.S. President Woodrow Wilson.[15]
FTC’s mission is “to prevent business practices that are anticompetitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.”[16] Anyway, back to their advice, which basically breaks down like this:
(1) Take Stock: Know what information type is coming in, the way it came in, and from whom.
(2) Scale Down: Have a records retention policy, don’t ask for information you don’t need, don’t keep it for longer than necessary, and check if your software is collecting only what you want.
(3) Lock It: Don’t store sensitive data on an Internet-accessible computer unless necessary, use firewalls, encrypt sensitive information sent to third parties over public networks, regularly update anti-virus and anti-spyware programs, consider restricting employee access to third-party software, and regularly scan computers on your network. Also, be vigilant of your websites, consider data security for your photocopiers, identify vulnerable wireless electronics, train employees to detect scams and attacks, and see if outsourced companies use similar or better security than you do.
(4) Pitch It: Have a plan to regularly dispose of documents, shred, burn or pulverize paper, use wipe utility software to dispose of computer data (just “deleting” data isn’t sufficient); also, consumer credit reports may be subject to special FTC rules.
(5) Plan Ahead: Have a disaster response and recovery plan, and give notice of breaches and losses of data.[17]
4. Social Security Numbers
Generally, a person or organization shall not communicate an individual’s social security number to the public, place it on any kind of card or tag required for the individual to access products, require it transmitted over the Internet unless encrypted, use it as a website identifier unless accompanied by a password or PIN number, or embed it on a card, document, bar code or magnetic strip, or mail it to an individual, unless part of their application or enrollment, or to establish, amend or terminate their account, contract, or policy, or to confirm the accuracy of their social security number (even so, it cannot be printed on a postcard or be visible through the envelope).[18]
A person or organization shall not require an individual to disclose or furnish their social security number (or any number derived therefrom, such as the last four digits), for any purpose in connection with any activity, or refuse any service, privilege or right to an individual wholly or partly because such individual refuses to disclose or furnish such number, UNLESS the social security number is encrypted, in which case it is ok, at least under State law.[19]
Further, even unencrypted social security numbers may be requested under a number of circumstances, including but not limited to instances where the request is expressly required by law, is for determining if an individual has a criminal record, is for internal verification or fraud investigation, arises when a consumer requests a consumer report or initiates a credit request, is related to a deposit account or an investment, or is in connection with employment (including injury suffered, retirement, termination, and unemployment insurance).[20]
Employers shall not, unless otherwise required or permitted by law, post or display an employee’s social security number, print it on a badge or card (including time card), place it in a file with unrestricted access, or use it as an identification number for purposes of any occupational licensing.[21] Also, employers may not communicate an employee’s personal identifying information to the general public.[22]
And, do yourself a favor and have a written policy in place to safeguard against these violations, as well as notify your employees of these rights when you hire them (try a simple sheet of paper with Employee Rights or insert it into your Employee Handbook); doing so will enable you to avoid being “presumptively knowing” if you accidentally committed this violation.[23]
If you are a school or university, you cannot use the student’s social security number for any public identification purpose, such as posting or public listing of grades, on class rosters or other lists provided to teachers, on student identification cards, in student directories or similar listings, unless specifically authorized or required by law.[24]
5. Document Disposal
So, what are some of the specific guidelines for getting rid of this stuff? Well, if you are collecting the information and the record contains “Personal Information”[25] linked to “Personally Identifiable Information,”[26] then the record has to be shredded, or the Personally Identifiable Information has to be destroyed or made unreadable, or action must be taken that is consistent with commonly accepted industry practices, that reasonably will ensure that no unauthorized person will have access to the personal identifying information contained in the record.[27]
Incidentally, “individuals” (but not corporations or other organizations) collecting the information for reasons other than profit are exempt from this requirement.[28] Banks even have their own rule, which requires discarded documents to be unusable by the unauthorized.[29] If you are inclined to hire someone to take care of this problem for you, verify that they are licensed by the State of New York.[30]
Paper Airplanes with Love
So, let’s look at a practical example. Let’s say you started a fanciful home business “Paper Airplanes with Love” selling colorful origami paper airplanes, delivering sweet messages to the recipient, at the order of the customer (hmm, I wonder if there is a market for that?).
Customers order through a website where they enter their address, telephone numbers, and credit card info, and the addresses of the intended recipients of their purchases. You print out each order for your own tax records and keep them in a file cabinet. You also store the information on a computer, which you keep connected to the Internet, so you can continuously receive new orders.
Ok so far. Fairly simple operation. You don’t need a bulky record retention manual, but you should have a checklist of which records to dispose of and when (the following footnote has a list of suggested tossing timelines, ranging from about 1-7 years, but note exceptions).[31] Once you decide to rid yourself of the records, shred them - thoroughly - which is probably the easiest thing to do for such a modest business.
As for your computer, update your anti-virus and anti-spyware software, regularly scan the computer, and occasionally check to make sure nothing “funny” seems to have happened to your records or computer settings. If you have a really old computer (let’s say Windows XP or Vista), then check even more thoroughly that your security software is up to date, because Microsoft may have stopped supporting the built-in security to the underlying Windows operating system.[32]
Be careful of spam,[33] and phishing[34] expeditions that send emails to you pretending to be your bank or Internet Service Provider, etc. or anyone that emails you with a request to get in touch with them and then asks you for sensitive information. I recommend calling the bank number on your statements, etc., rather than using any special number that was emailed to you.
This footnote contains additional tips.[35] If, eventually, you part ways with your computer, adequately blank out the hard drive (see the footnote for tips). Don’t just hit “delete files”!! That doesn't permanently "erase" them for someone who knows how to find them (trust me, they are very easy to find).[36] Also, New York State has new recycling laws that say you can’t just drop the computer off at the sidewalk.[37]
If anyone shares your space, like a roommate, an intern, or the occasional stranger (business contacts, friends of friends at parties), you might consider locking the file cabinet where you keep customer records (and putting a password on your computer) or somehow otherwise securing customer sensitive data. As much as you might trust everyone, if anything quirky happens and something goes missing, you can point to your enhanced storage security to both insurers and litigants.
Finally, devise a disaster recovery plan and investigate the possibility of creating a back-up for your electronic and/or paper files; but don’t forget to secure those back-up procedures. If a third party is managing your back-ups, inquire about their security measures; this will assist you against claims from customers, the government and insurers.
Conclusion
So, have you been naughty or nice? Are you following the rules regarding privacy and data? Doing the right thing will help protect others from identity theft and similar harms, and will keep you off Santa’s naughty list. Hope you had a lovely holiday and Happy New Year!
***
[1] Restatement of Torts, 2nd: §§652B-D; Howell et al. v. The N.Y. Post Co., 81 N.Y.2d 115 (1993).
[2] http://dictionary.law.com/Default.aspx?selected=248 (“which resulted in the English common law, much of which was by custom and precedent rather than by written code”).
[3] https://en.wikipedia.org/wiki/Common_law: “Common law (also known as case law or precedent) is law developed by judges, courts, and similar tribunals, stated in decisions that nominally decide individual cases but that in addition have precedential effect on future cases. Common law is a third branch of law, in contrast to and on equal footing with statutes which are adopted through the legislative process, and regulations which are promulgated by the executive branch).”
[4] Roberson v. Rochester Folding Box Co., 64 N.E. 442 (N.Y. 1902) (the court ruled that a company could not be sued for violating a person’s privacy by using that person’s picture, without their consent, to promote the company’s product, because there was no Common Law right to privacy in New York).
[5] Howell et al. v. The N.Y. Post Co., 81 N.Y.2d 115 (1993).
[6] NY Education Law, §2B (displaying student social security numbers); NY General Business Law, §399-ddd (communicating Social Security Numbers); §399-ddd2 (requesting Social Security numbers); §399-dd3 (buying and selling telephone records); §520-a (no carbon copy for credit cards); NY Public Officers Law, §§91-99 (Privacy Law; State government handling of private records); NY Technology Law, §208 (notification of breaches).
[7] NY General Business Law, §390-b (anti-phishing act); NY Penal Law, §190.77 (Identity Theft); §250 et al. (eavesdropping, spying, wiretapping, etc.).
[8] NY Banking Law, §9J.
[10] Virginia A. Jones, CRM, FAI; Requirements for Personal Information Protection, Part 2: U.S. State Laws (2009); research underwritten by ARMA Intl Educational Foundation (2010), page 4.
[11] Virginia A. Jones, CRM, FAI; Requirements for Personal Information Protection, Part 2: U.S. State Laws (2009); research underwritten by ARMA Intl Educational Foundation (2010), page 4.
[12] Virginia A. Jones, CRM, FAI; Requirements for Personal Information Protection, Part 2: U.S. State Laws (2009); research underwritten by ARMA Intl Educational Foundation (2010), page 4.
[17] Protecting Personal Information, A Guide for Business, FTC. https://www.ftc.gov/system/files/documents/plain-language/bus69-protecting-personal-information-guide-business_0.pdf.
[18] NY General Business Law, §399-ddd (confidentiality of social security numbers, communicating).
[19] NY General Business Law, §399-ddd2 (confidentiality of social security numbers, requesting).
[20] NY General Business Law, §399-ddd2(3) (there are additional exceptions, read within).
[21] NY Labor Law, §§203(d)(1)(a-c) and §203(d)(2); https://www.labor.state.ny.us/formsdocs/wp/LS10.pdf.
[22] NY Labor Law, §203(d)(1)(d). For purposes of this section, “personal identifying information” shall include social security number, home address or telephone number, personal electronic mail address, Internet identification name or password, parent's surname prior to marriage, or driver license number.
[23] NY Labor Law, §203(d)(3). It’s $500 per violation if you screw up; save the money, do it right!
[24] NY Education Law, §2B.
[25] For this statute, “Personal Information” is any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person. NY General Business Law, §399-h(1)(c).
[26] Again, for this statute, “Personally Identifiable Information” generally means unencrypted information (or encrypted, but where the data key is included in the record; tsk tsk not secure!) that contains a social security number, driver’s license number or non-driver’s ID number, mother’s maiden name (that’s her name before she married, if you are too young to know what I’m talking about), financial services, or checking account or debit account number or code, electronic serial number or PIN number. NY General Business Law, §399-h(1)(d).
[27] NY General Business Law, §399-h(2) (record destruction procedures).
[28] NY General Business Law, §399-h(2) (at end of subdivision).
[29] NY Banking Law, §9-j (record destruction procedures).
[30] NY General Business Law, §899aaa-bbb; (and NYS Department of State Licensing Bureau, Document Destruction FAQ) http://www.dos.ny.gov/licensing/docdestruct/docdestruct_faq.html.
[31] (IRS) https://www.irs.gov/Businesses/Small-Businesses-&-Self-Employed/How-long-should-I-keep-records; (Consumer Reports suggestions) http://www.consumerreports.org/cro/2010/03/conquer-the-paper-piles/index.htm.
[32] http://windows.microsoft.com/en-us/windows/lifecycle; Windows XP expired; Vista support is estimated to expire on April 11, 2017.
[35] http://www.pandasecurity.com/mediacenter/security/10-tips-prevent-phishing-attacks/; http://www.identitytheftkiller.com/prevent-phishing-scams.php; http://www.phishing.org/scams/avoid-phishing/
[36] http://pcsupport.about.com/od/fixtheproblem/ht/wipe-hard-drive.htm; http://www.geeksquad.com/do-it-yourself/2mm/hard-drive-wipe.aspx; (by the way, I do necessarily recommend any of the products on these websites, as I have not used any of these, nor do I know how secure or reliable they are; but the point is that you should research and find a good document destruction program when you are ready).
[37] http://www.dec.ny.gov/chemical/66872.html (electronic recycling rules).