As computers have become the standard tool for managing employee and consumer information, it is important to recognize the risks that come with that. Currently 43 states, as well as the District of Columbia and Puerto Rico, have enacted legislation requiring that victims of security breaches involving personal information be notified once the breach is discovered. Unfortunately, the liability of the organizations holding the information has not yet been definitively worked out by the courts; however, many states have legislation pending that would give these victims more rights.
According to CRMBuyer.com, the federal Privacy Act allows individuals to sue the government for failure to adequately protect personal data, but there is no counterpart applicable to the private sector. Companies can be held liable in a broader context — as opposed to an individual lawsuit — in two ways: via the Federal Trade Commission and through consumer class actions brought by private parties or state attorneys general.
Since 2004, the FTC has expanded its enforcement activities. The agency now claims that a company’s failure to take reasonable measures to protect customers’ personal information is itself an unfair practice in violation of the FTC Act. In the past two years, the FTC has brought more than a dozen enforcement actions under this theory, with settlements requiring tighter data security measures and payment of fines, as well as the FTC’s legal expenses.
Consumers often wish to enforce their rights through private litigation, where they can potentially receive financial awards generally not available through FTC settlements. In the past several years, consumers have flooded the courts with lawsuits — primarily class actions — often following FTC action. Many of these cases are still pending in various courts throughout the nation.
Ideally, she said, an employer will provide the following information and services to workers believed to be affected by such a breach:
• Full details of the incident, including when the breach occurred and how.
• A description of the information that was exposed.
• A description of steps the employer is taking to ensure the incident doesn’t happen again.
• Information on how to order a credit report.
• A live person to help explain to affected workers what has happened and what they need to do next.
A recent survey by security vendors confirms the inadequacy of many organizations’ data breach notices. In a survey released in April 2008 by the Michigan-based Ponemon Institute:
- 63 percent of respondents said notification letters they received offered no direction on the steps consumers should take to protect their personal information.
- About half of respondents rated the timeliness, clarity and quality of the notification as either fair or poor.
- Two percent of respondents who had been notified of a data breach experienced identity theft as a result of the breach.
- 64 percent were unsure if they were a victim of identity theft.
For more information on these surveys, visit Data Breach Message Not Always Reaching Consumers.