20 Sep. 2010
Managing electronic data, and data privacy and data security concerns in particular, has been elevated to C-level attention and a regular slot on the board’s agenda because of the substantial increase in the costs and risks these issues carry. Chief Information Officers, Chief Privacy Officers and Chief Security Officers constantly worry about who might be “mining” the company’s e-data in search of trade secret, patent or personal information. The risk of losing millions of dollars’ worth of important information is very real, and it seems that not a day goes by without a major security breach being announced in the media.

According to the Privacy Rights Clearinghouse, since January 2005 more than 510 million records have been reported as breached in some form from private and public companies (large and small), colleges and universities, and state and federal governments. [See list.] Even the Dalai Lama is not immune from hackers mining data on his servers. [See the March 2009 New York Times article, “Vast Spy System Loots Computers in 103 Countries.”]

More than 40 states have laws that require the custodian of lost data to notify the individuals whose data was lost. Some states have enacted laws with broad reach beyond their borders to protect their citizens’ data, backed by heavy fines for violations. For example, a Massachusetts regulation (201 CMR 17.00) applies to any company that holds personal information of a Massachusetts resident, with no restriction on where the holder of the information is located, and carries a fine of $5,000 per violation and per record lost. Companies must also be concerned about compliance with a number of federal laws, such as the Sarbanes-Oxley Act, HIPAA, the Gramm–Leach–Bliley Act and the PCI Data Security Act.