By Elizabeth S. Fitch and Devin Tarwater
Technology is rapidly changing and expanding. Unlimited sources of information are available with the quick click of a mouse. Companies often keep data, full of confidential client information, stored in internal or online databases. This facilitates efficient and quick access to client records, but increases the risk of confidential data being compromised or being inadvertently disclosed. Legislatures have enacted privacy laws to protect personal information and to mandate notification procedures when a data breach has occurred. Compliance with breach notification laws can be cost prohibitive and drain a company's financial and human resources.
Arizona's Breach Notification Law. These technological developments have led to questions regarding how best to protect confidential information and what to do when a data breach has occurred. Federal and state governments have responded by enacting privacy laws to protect personal information when client databases have been breached. Arizona recently enacted a breach notification law, A.R.S. 44-7501, which outlines what a company must do in response to a data breach. It explains whom to notify, when to notify, and how to notify.
Whom to notify and when to notify. When a company is made aware of an unauthorized acquisition of and access to unencrypted data that includes an individual's personal information, it is required to act! It must conduct a reasonable investigation to determine if there has indeed been a breach of the security system. If there has been a breach of the security system, the company must notify all individuals affected by the breach without unreasonable delay. The exception is where notification hinders the needs of law enforcement or impedes the restoration of the integrity of the data system. Under those circumstances minor delays may be appropriate. A.R.S. 44-7501.
How to notify. A company is required to notify those affected by the breach in one of four ways: (1) written notice; (2) electronic notice; (3) telephonic notice; or (4) substitute notice. A substitute notice can only be employed if the other methods would be too costly or if there are more than 100,000 individuals affected by the breach. The substitute notice consists of an electronic mail notice, a conspicuous posting of the notice on the affected individual's website if he maintains one, and notification to major statewide media. A.R.S. 44-7501.
Best Practices. Of course, it is best if companies don't ever allow themselves to become victim to a security breach. A breach can be very costly for a company. It is costly both in terms of resources and in terms of business. A company can best protect itself from breaches by adopting technological, administrative, and physical controls.
Technological controls are technical barriers put in place to prevent virtual breaches. A complete technological control system is preventive, detective, and corrective. Preventive security controls are meant to halt potential breaches before they actually happen. Examples include password verifiers and firewalls. Detective security controls alert the system when they identify activities that are out of the ordinary. Corrective security controls automatically respond to manage or ameliorate threats after preventive or detective systems identify a threat. Peter P. Swire & Kenesa Ahmad, Foundations of Information Privacy and Data Protection, 89 (Terry McQuay ed. 2012).
Administrative controls are personnel barriers that only permit users access to information they need to know. An information classification system helps identify what information employees should be permitted to access. The three most common information classes are confidential, sensitive, and public information. Confidential information would cause a company to fail or be severely compromised if it were divulged. This information should be kept extremely secure and private. Sensitive material is important work-related information that is to be used internally. It should be kept secure. Public information can be shared with the public at large without risk of a compromise. Id. at 91-92.
Physical and environmental controls are physical barriers to protect the actual information-storing equipment. They prevent the actual physical invasion of premises and destruction of property. Physical controls include surveillance systems, security personnel, locked doors, and alarm systems. Environmental controls involve strategically placing critical equipment and materials away from potential hazards such as fire, wind, rain, floods or other natural emergencies. Id. at 98-99.
Hire an Attorney. With technological, administrative, and physical controls in place, a company has a great foundation to protect against data breaches. Although these controls do provide a solid foundation, there are many other nuances to take into consideration depending on the nature of a company's particular business. Also, if a breach does occur, the Arizona Data Privacy statute may require additional action beyond that explained in this article. An attorney can help a particular company know what it actually needs to do to fully protect itself and to comply with the law.
Conclusion. As technology continues to expand, the need to adopt detailed data privacy practices will become increasingly important. Not only are these practices vital to protecting confidential information, but they are also vital for company survival. These best practices serve as the foundation to securing confidential data, increasing client or customer trust, and maintaining a successful business.