With the advent of faster hardware, smarter software and cheaper storage, more and more companies are creating a new category of intellectual property — the data collection. Data collection, both online and offline, has soared in the past decade. The global market for database software and services was estimated at $9 billion in 2001. With the swipe of a member card, consumers receive discounts on their purchases while retailers download information about the purchasing habits of their customers. With a few taps on the keyboard, consumers using the Internet input information about themselves or are simply tracked electronically, in each case adding information to a Web site’s already bulging data collections.

And the technology continues to evolve at an extremely rapid pace. IBM and others are promising delivery this year of new software designed to create a “virtual” database by linking existing, incompatible data systems so that information can be retrieved in an organized fashion and all at once from disparate, physically separate data sources. The new software reportedly will issue a single query across different databases and consolidate the results in one report to the user, all at a fraction of the cost of the current method of data warehousing. There, large groups of data are transferred to a single system to create one extensive database.

Yet before companies create and link larger and more comprehensive databases, some attention should be given to the emerging issues and liabilities surrounding data collections. Not surprisingly, with better, faster, cheaper technology come greater consequences.

NOT ALL THAT GLIMMERS IS GOLD

In addition to creating, accessing and storing data collections, companies also must secure them from unauthorized access. Failure to do so can be, at a minimum, a public relations nightmare and at worst, grounds for liability. Recent security mishaps underscore the seriousness of security breaches.
According to one recent report (Wired News, “Help Wanted: Steal This Database,” Jan. 6, 2003), Carmichael Lynch, a public relations and advertising firm, inadvertently published its administration password on its Web site. The slip-up apparently went undetected by the company for more than six months. During that time, unauthorized visitors using the password could have accessed databases belonging to Porsche and American Standard, two of Carmichael Lynch’s largest clients. One such database contained names, addresses, and vehicle information on approximately 75,000 luxury car and SUV owners. Another database contained e-mail addresses and passwords for almost 12,000 people who had registered on the American Standard Web site.

Publishing giant Ziff-Davis Media Inc. is also reported to have had security woes. See Wired News, “Help Wanted: Steal This Database,” Jan. 6, 2003. Ziff-Davis, following a security lapse that exposed the personal data of thousands of subscribers, entered into an agreement with the attorneys general of the states of New York, California and Vermont. The media company agreed to pay $100,000 to the New York State Department of Law and $500 each to 50 or so customers whose credit card information had been disclosed.

Not to be outdone, a recent security glitch on Tower Records’ Web site exposed data on millions of U.S. and U.K. customers. The exposed data included sensitive information such as home and e-mail addresses, phone numbers and information regarding video and music purchases dating back to 1996. See ZDNet UK, “Tower Records exposes customer data,” Dec. 6, 2002. It is estimated that more than three million such customer records were exposed. The security glitch on the Web site was the result of a programming error that existed for an unknown length of time.
Proving that no entity is immune from security headaches, the American Civil Liberties Union, in January 2003, agreed to pay New York State $10,000 in connection with a security breach. For a three-month period, sensitive, personal information on about 90 or so consumers could be accessed from the ACLU Web site as a result of a security breach caused by a third-party vendor.

In yet another heavily publicized incident, on April 5, 2002, hackers broke into the payroll database for the State of California. The database contained personal information on the state’s 265,000 employees including names, home addresses, Social Security numbers and bank account information. The security breach went undetected for more than a month and unreported to state employees for another two weeks. Testimony at an informational hearing held by the Senate Committee on Privacy revealed that during the time in question, unauthorized persons in Germany attempted to access a state worker’s bank account and someone attempted to change the address on another worker’s credit card account.

Voters in California took matters in hand and, on Sept. 26, 2002, passed a bill mandating that companies and agencies publicly disclose any computer security breaches that implicated personal information. That law is scheduled to take effect on July 1, 2003.

TRUTH OR DARE

The California law, known as SB 1386, is the first state law of its kind. It requires not just state agencies to disclose security breaches, but “any person or business that conducts business in California.” Starting in July, any company doing business in California must disclose a security breach to each affected resident in California whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The law recognizes a safe harbor for encrypted data.
As defined in SB 1386, personal information means an individual’s first name or initial and last name in combination with one or more of the following “data elements,” where either the name or the data element(s) is not encrypted:


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.