UNCW MSA 516 - Personal Data Privacy and Security

This preview shows page 1-2 out of 6 pages.


Benefits & Compensation Digest, Vol. 45, No. 5, May 2008
©2008 International Foundation of Employee Benefit Plans

Personal Data Privacy and Security: Best Practices

Almost 40 states have passed their own legislation requiring companies and organizations to ensure the security and privacy of personal information. What can fund offices do to ensure the safety of the personal information held inside their application databases? This article offers direction in implementing processes and controls to prevent security breaches and discusses how to respond in the event of a breach.

Consider this scenario:

For many business travelers, the tools of the trade include a laptop and the contents of its hard drive. On a recent trip across the country to speak at a conference, one business traveler had a close call. A laptop's hard drive became damaged and a backup was far away. On the hard drive was the material for a speaking engagement.

Fortunately, the contents of the hard drive were recovered. However, since then, that traveler carries with him a portable backup on a USB (universal serial bus) memory stick.

What if the laptop were to be stolen or lost? In many cases, the information—presentations, articles and work information—would not mean much to a thief. But what if that USB memory stick were stolen? Often, the information is of little use to anyone else.

Not so, in the case of one Department of Veterans Affairs employee in May 2006. Without authorization, he took home a laptop and hard drive, containing information on 26 million people. A robbery at his house meant the laptop and its hard drive disappeared. Fortunately, someone turned in the laptop and hard drive to the FBI and, upon review, it seems that the data on the hard drive had not been accessed while the equipment was missing. In this case, identity theft was not an outcome of a data security breach.

Now, the questions:
• Was there a backup of the data on the laptop? One must assume that was the case, and that the data was simply a download to the laptop from the department's relevant application.
• Was the laptop secured for access?
• Was the hard drive secured for access?
• Was there some form of recovery software or hardware located on the laptop or hard drive?
• If all else failed, would the data on the hard drive self-destruct?

These are easy questions to ask, because there are solutions currently and commercially available for each.

Next, the hard questions:
• What if someone was able to get around all those security measures and gain access to the information about 26.5 million people?
• What can discourage someone from selling or using that information for criminal activity such as identity theft?
• How do we inform the 26 million people that their information has been compromised?
• How do those 26 million people find information about what was compromised?
• Who decides what data is sensitive? If the only information on that hard drive was demographics—age, ZIP code, gender—there may be no reason to worry. If the information included first name, last name and Social Security number only, there is obviously a cause for concern.
• Who should be punished for this security breach? The organization owning the data? The employee who lost the data? The thief? Or the criminal mastermind who was able to hack the security on the hard drive? Certainly, if the department had appropriate security measures, they may not be punished. Had the employee followed the security "rules" in place, he may not be punished.

While security breaches seem common, it was not until several high-profile security breaches happened around the same time that much publicity or concern was expressed about this privacy issue. The mainstream press brought these to the attention of the public and, fortunately, some high-profile consumer action groups and legal firms became vocal about this issue.

Since then, many of the questions have been answered. In 2002, California signed legislation into law covering the notification of security breaches. Effective July 2003, this law has been the impetus for similar legislation in almost 40 states, with the most recent being Massachusetts in February 2008. A data privacy and security bill has been debated in the U.S. Congress.

According to the Web site www.GovTrack.us, S 495 is a "bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access and misuse of personally identifiable information."

Fortunately, the laws passed by many states already cover the majority of these items. Organizations with databases containing personal information now have a legal responsibility to protect that information. In the case of a security breach, organizations are required to disclose that breach and notify people whose personal information is compromised.

First, we answer the question of what data is sensitive. One resource, a Security Breach Notification Chart, can be accessed at www.perkinscoie.com/statebreachchart/. In that document, the

