Corps Not Protecting Data

Organizations collect and hold substantial and significant amounts of personal information, but are not doing enough to protect it

CHICAGO -- Corporate organizations collect and hold substantial and significant amounts of personal information, but in some instances are not doing enough to adequately protect it, according to a recent study conducted by Foley & Lardner LLP on the current state of privacy and data security.

The study revealed that while nearly half of the organizations surveyed experienced an event that could have led to a security breach, the majority have neither incurred a loss, made notification of a loss, nor been sued because of a loss. Given this experience, the majority of organizations are relatively optimistic about their future data security prospects – but they do admit that significant threats exist.

“While the dragon still sleeps within many companies regarding an appreciation of large litigative and enforcement risks arising from breaches in data security for accounting firms and other types of companies that aggregate sensitive data, we are just one mega-case away from awakening the whole of corporate America to the risks here,” said Pamela L. Johnston, study director and partner in the firm’s White Collar Defense & Corporate Compliance and Securities Litigation, Enforcement & Regulation Practices. “The first wave of privacy and security litigation already has begun, and federal legislative initiatives currently under consideration may heat up the regulatory climate.”

Increase in Collection and Distribution of Personal Data

The study revealed that companies continue to collect and maintain data that identity thieves crave despite recent high-profile incidents of stolen information. Data that is not often needed by companies is being collected, including names and addresses, dates of birth, social security numbers, health records, bank account numbers and credit card numbers. The study found that 72 percent of companies still collect social security numbers, which belies the popular public perception that social security numbers are less utilized by companies today than in the past.

The globalization of business also has resulted in a need for companies to send or receive information across international borders. This globalization, however, poses intriguing problems for policy makers who might want to fashion uniform rules regarding data breaches.

“Companies with subsidiaries in countries such as Argentina and those that are members of the European Union need to be more sensitive when sending or receiving data across these borders,” said Andrew B. Serwin, study director and partner in the firm’s Information Technology & Outsourcing and IP Litigation Practices. “The laws that govern privacy and data security are strictly enforced in these countries.”

Foley & Lardner LLP