Recap of the Data Protection Seminar
McBrayer & MML&K Government Solutions present
On July 17, McBrayer and Business Lexington presented a panel discussion on new Kentucky legislation, specifically House Bill 5 and House Bill 232, which affect business owners, non-profit organizations, and entities with government contracts that handle personal information. The panel included McBrayer, McGinnis, Leslie & Kirkland, PLLC, and Chris Nolan, a lobbyist and communication specialist from MML&K Government Solutions, among others. The panelists discussed how the laws came about, the definitions and details included therein, and provided real-world advice about how to institute security and breach notification policies and procedures.
The event drew over 60 attendees and many arrived with questions about their current legal obligations and how they could ensure compliance with the laws. In addition to the legal requirements imposed by the new laws, attendees were reminded that protecting a customer's personal information is just good business. No customers or clients want their confidential data breached and no business wants to risk the economic or reputational harm associated with a breach.
Below, you will find a few of the questions posed, along with the information that was provided. If you are a business owner or operator, involved with a non-profit, or have a government contract and would like to know how these laws affect you, contact a McBrayer attorney today at www.mmlk.com or (859)-231-8780.
Q: I'm a Kentucky business owner. Do the bills apply to me?
A: House Bill 232 affects "information holders," which, according to the bill, means any person or entity doing business in the Commonwealth. House Bill 5, on the other hand, is only directed at governmental agencies and "nonaffiliated third parties." A nonaffiliated third party is any person or entity that "has a contract or agreement with an agency" and "receives personal information from the agency pursuant to the contract or agreement." So, in general, House Bill 232 will affect more businesses than House Bill 5.
Q: What are the other differences between the bills?
A: There are several nuanced differences. House Bill 232 has a more limited definition of what qualifies as personal information when compared to House Bill 5. House Bill 232 only applies to computerized data, whereas House Bill 5 applies to both computerized and non-computerized (i.e., paper) records. Both have distinct guidelines for notifying customers when a breach has occurred. Perhaps the biggest difference is that those subject to House Bill 5 must have reasonable security and breach investigation procedures and practices in writing. Written policies are a must. With House Bill 232, there is no such requirement. However, just because it is not a requirement of the law does not mean that businesses should forgo creating written policies for handling personal information and what to do in the event of a breach.
Q: Personal information - what is that, just credit card information?
A: Well, yes...but there is more to it than that. House Bill 232 gives a pretty simple explanation of what constitutes personal information: a person's name, or their first initial and last name, in combination with one of these things:
(1) Social security number,
(2) Driver's license number, or
(3) Account, credit, or debit card number, along with any required security, access code, or password that permits access to an individual's financial account.
House Bill 5 includes these things, plus more. It is important to note what does not qualify as personal information. For example, a customer's name and e-mail address, without more, is not considered personal information. So even if a business maintains this information (for example, for a mailing list) and has it stolen from a computer, it is not considered a breach pursuant to House Bill 232.
Q: When it comes to data breaches, are you talking about internet hackers? I don't think anyone would hack into my computer system because I'm just a small business.
A: In addition to hackers gaining access to your computer system, data breaches can occur when equipment containing personal information is lost or stolen. Laptops, iPads, thumb drives, cell phones...if these contain personal information and are lost or stolen, then it can mean a breach. There is also the improper disposal of data, for example not wiping phones before discarding them or forgetting to shred documents. Even a rogue employee who decides to take information can be the source of a data breach. Hackers (along with malware, phishing attacks, etc.) pose a problem, but they are just one of many.
Q: Okay, so what should I do to protect my customers' information?
A: You should speak with a privacy attorney about crafting a personal information security and breach policy. Procedures must be created and implemented. You would also want to work with an IT professional to ensure that your technology is safe. They can make sure that your data is encrypted, which is essential. Together, a team of professionals can help you meet your legal obligations, and help minimize your risk.
Q: When do these bills become law?
A: House Bill 232 became law on July 15, 2014. House Bill 5 will become law on January 1, 2015. Time is of the essence! It is extremely important to act now to ensure you know what you are required to do in the event of a breach. As recent headlines have shown, data breaches are happening to even the most sophisticated companies, like Target and Neiman Marcus. It's not a question of if, but when.
J. Chris Nolan is a veteran lobbyist and communication specialist who joined MML&K Government Solutions in 1999 as Assistant Director. Chris coordinates MML&K's Government Solutions communication services while providing lobbying, media advice and strategic planning for a wide range of clients. He specializes in equine issues and horse racing, corporate taxes, insurance, telecommunications and state budget appropriations. He can be reached at (502) 875-1176 or email@example.com.
This article is intended as a summary of state and federal law and does not constitute legal advice.