Protecting Confidential Information
In recent years, a number of laws have been enacted imposing requirements on businesses to protect an individual’s confidential information obtained in connection with a business transaction. Which laws apply in any given situation is determined by the type of business being operated. For example, businesses that collect and maintain an individual’s identity information, particularly credit card information and social security numbers, are required to implement policies and procedures pursuant to the Red Flag rules to protect such information from identity theft. The Red Flag rules are currently in effect and compliance is not voluntary for covered businesses.
In addition to protecting and preserving the confidentiality of the information relating to clients, businesses have their own confidential information to protect which should not be overlooked.
Prior to developing policies and procedures to protect confidential information from unauthorized disclosure, it is a good idea to first identify what type of information belongs to the business and what type of information the business collects from its clients. Once the information is identified, policies and procedures should be developed to protect all confidential information whether proprietary to the business or client. Keep in mind that one size does not fit all.
Protecting confidential information from unauthorized disclosure or use should be the ultimate goal of such a policy, but simply having a policy statement that states, e.g., “Client and Company Information are Confidential” is not sufficient. The policy also needs to address aspects such as access, disposal and storage. Federal law dictates that the disposal of confidential information covered under the Red Flag rules be done in a manner that protects the confidential nature of the information. As such, ensure that any policy designed to protect confidential information from unauthorized disclosure addresses proper disposal of the information when it is no longer needed or required. Document shredding is an effective disposal method that is acceptable under the law. Why use a shredder? To prevent dumpster divers from being able to retrieve the information and steal someone’s identity. Believe it or not, there are people who go through the trash that is thrown away for the sole purpose of looking for such information.
Another aspect of a policy that should not be overlooked is storage. Where on the premises is the confidential information stored? In what form is the information stored? Answering these questions is necessary to effective policy development.
Policies and procedures regarding protecting confidential information should be in writing and the policy should be widely known by employees. Determining who should have access and why they should have access is also key to effective policy development. Does every employee really need to have access to confidential information? Not likely. Access to confidential information should be on a need-to-know basis only.
Protecting your business’ confidential information and that of your clients is an important aspect of your business operations, reputation and success. The unauthorized disclosure of confidential information or theft of it can be costly, lead to expensive litigation and result in harm to a business’ reputation. While no policy is foolproof, having such a policy in place reduces exposure to litigation and adverse agency action and ensures compliance with law.
A note to the reader: This article is intended to provide general information and is not intended to be a substitute for competent legal advice. Competent legal counsel should be consulted if you have questions regarding compliance with the law.
This article has been reprinted with the permission of Lee Building Industry Association, www.bia.net. Questions regarding the content of this column or past columns may be e-mailed to Christina Harris Schwinn at email@example.com. To view past columns written by Ms. Schwinn please visit the firm’s website at www.paveselaw.com. Ms. Schwinn is an experienced employment lawyer and a partner with the Pavese Law Firm, 1833 Hendry Street, Fort Myers, FL 33901; Telephone: (239) 336-6228; Telecopier: (239) 332-2243.