Protecting and maintaining the integrity of consumer personal and financial information is becoming increasingly important to businesses of all types and their in-house and outsourced contact centers. Over the past several years, concerns regarding identity theft and security breaches of consumers' personal information have led to a number of legislative and regulatory enforcement initiatives which have raised the bar with respect to the security measures that contact centers and others must have in place to ensure the integrity of consumers' personal information. Indeed, the focus on data security has increased proportionally with the growth in Internet and telephone-based customer contacts and information transfers.
Customer data was maintained in numerous files even though the business no longer required the information;
Reasonable security measures were not implemented to limit access to the company's computer networks via wireless capabilities;
Information was stored in unencrypted files with an ordinary user ID and password;
Computers of one in-store network were easily connected to computers of another in-store network; and
Sufficient measures were not taken to identify unauthorized access.
As a result of these lax data protection measures, hackers allegedly gained access to the credit card, debit card, and checking account information of over 1.4 million DSW customers. Consequently, many of these customers were the victims of fraudulent charges on their accounts. The FTC settlement requires DSW to implement a comprehensive security system designed to safeguard customers' information. In addition, the settlement requires DSW to obtain a third-party audit to make certain its security system complies with the settlement once every other year for 20 years. DSW was the seventh company subject to FTC investigation in connection with data security. Other companies targeted by the FTC include BJ's Wholesale Club and Microsoft.
In addition to FTC enforcement, approximately 20 states have enacted data security laws applicable to companies in possession of consumer personal information. For instance, California requires the following with respect to its residents' information:
Companies must take all "reasonable steps" to destroy consumers' personal information once the company no longer has a business need for such information. Destruction may occur by shredding, erasing, or otherwise making the information unreadable or undecipherable.
Companies must establish "reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure."
A company that discloses personal information about a consumer pursuant to a contract with an unaffiliated third party must require by contract that the third party establish the aforementioned reasonable security practices.
Companies that own consumers' personal information must, upon discovery, disclose any breach of the security system to any consumer whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
An agency that maintains consumers' personal information must notify the owner of the personal information of any breach of the security if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The California statute provides consumers with a private right of action whereby they can recover civil penalties of up to $500 per violation, or up to $3,000 per intentional or reckless violation. In addition, Congress has proposed various bills to impose data security requirements; however, none had been passed as of the writing of this article. As such, companies are currently subject to a myriad of state laws, as well as the threat of FTC or other regulatory inquiry or action.
Contact centers have access to and maintain a variety of consumer personal information. In light of the foregoing, contact centers must ensure that adequate security measures are in place to protect such information from unauthorized access, use, destruction, disclosure, or modification. Third-party contact centers acting on behalf of various clients must also be sure to act in accordance with their clients' data security requirements.
William Heberer, Esq., concentrates his practice in intellectual property, advertising, marketing and Internet law. He holds a BBA from Hofstra University; an MBA from Vanderbilt University; and a JD from Hofstra University School of Law.
Jennifer Deitch, Esq., focuses her practice on advertising, marketing, promotion and Internet law. She holds a BA from George Washington University and a JD from Benjamin N. Cardozo School of Law.