I’ve been working in privacy for about 12 years now, and it truly is a profession where nothing can really surprise you. You would think that in 2015, in the throes of the greatest information privacy and security storms we have seen in years (Sony, Snowden, Target, celebrity hacks, etc.), companies would have worked to get their information privacy and security plans together, including a data governance program that keeps up with changes to state and federal law. Of course, if new legislation comes out, or if one state implements a law with some uncertainty as to its impact or enforceability, a company would not be wise to jump and rearrange its programs prematurely. But when a law has been on the books for years, even the biggest ships can make the turn. Yet there is news that another company is being sued for one of the lowest of low-hanging fruits in data protection: printing credit card numbers on consumer receipts. Seriously? This is still a thing?
It may be. J. Crew Group Inc. was sued in a class action in a New Jersey federal court accusing the retailer of improperly displaying the expiration date and more than five digits of credit card numbers on electronically printed receipts, exposing customers to the risk of potential identity theft. If the lead plaintiff’s allegations are true, the company has been doing this for years in violation of the Fair and Accurate Credit Transactions Act (FACTA), which allows only a maximum of five numbers to be shown. The plaintiff alleges that on multiple visits to different J. Crew stores he received receipts with the last four numbers and the first five numbers printed on the receipt. The complaint asks the court to certify a nationwide class of all people who were provided with an electronically printed receipt from J. Crew that displayed the first five digits and last four digits of their credit or debit card numbers. According to the plaintiff, the company knew about FACTA because it addressed the law’s requirements for expiration dates, yet left the numbers as they were. This is indeed puzzling, if true.
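As an added illustration, not code from the original post, here is a small Python audit that flags receipt text showing more than five card digits or a printed expiration date, plus a masking helper that prints only the last four; it assumes the FACTA truncation rule described above and uses constructed sample receipts.

```python
import re

# Assumed rule (FACTA receipt truncation): a printed receipt may show no more than
# the last five digits of the card number and must not show the expiration date.
MAX_VISIBLE_DIGITS = 5

# A card field once spaces/dashes are removed: 13-19 characters, each a digit or a
# mask character (* x X #). Masked PANs such as "4111 11** **** 1111" match too.
# Heuristic: a 13-19 digit merchant or order id would also be flagged.
CARD_FIELD = re.compile(r"[0-9*xX#]{13,19}")
# An MM/YY or MM/YYYY that is not embedded in a fuller date such as 05/12/2015.
EXPIRY = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/(\d{4}|\d{2})(?![\d/])")


def card_fields(text: str) -> list[str]:
    """Return the card-number fields found on a receipt, separators removed."""
    return CARD_FIELD.findall(re.sub(r"[ -]", "", text))


def audit_receipt(text: str) -> list[str]:
    """Return FACTA findings for one receipt; an empty list means it passes."""
    findings = []
    for field in card_fields(text):
        visible = sum(ch.isdigit() for ch in field)
        if visible > MAX_VISIBLE_DIGITS:
            findings.append(f"card field {field!r} shows {visible} digits (max {MAX_VISIBLE_DIGITS})")
    if EXPIRY.search(text):
        findings.append("expiration date printed")
    return findings


def mask_pan(pan: str, keep: int = 4) -> str:
    """Render a PAN for printing: only the trailing `keep` digits survive."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    keep = min(keep, MAX_VISIBLE_DIGITS)  # never exceed the legal maximum
    return "*" * (len(digits) - keep) + digits[-keep:]


# Constructed sample receipts (not real data); the first mirrors the alleged
# first-five-plus-last-four pattern and also prints an expiration date.
NONCOMPLIANT = "STORE #123  05/12/2015\nVISA 4111 1**** **** 1111  EXP 12/19\nTOTAL $68.00  AUTH 031277"
COMPLIANT = "VISA ************1111\nTOTAL $68.00  AUTH 031277"

if __name__ == "__main__":
    for name, receipt in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(name, audit_receipt(receipt) or "OK")
```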
Regardless of the outcome, that litigation will be one expensive piece of low-hanging fruit. This story is just another reminder that sound data governance plans can bear much fruit, but they have to be regularly reviewed and updated in accordance with changes in federal and state law. This aspect of data governance planning is not only valuable for ensuring legal compliance; it also ensures that the proper due diligence takes place to do all the things a company must do when considering a change:
- Applicability. Does this law even apply to our company? A simple question, but often improperly assessed–in both directions–resulting in no compliance, or unnecessary and overly burdensome compliance.
- Completing a risk assessment. If I make this change, does it break anything else? Test. Test. Test.
- Budgeting. Planning ahead saves money. What technical or staffing requirements must be met to implement this change? Does my existing system or staff meet the requirements, or do I need to make changes or upgrades?
- Drafting and training on new policies and procedures. You must draft clear instructions for how the company will meet these new requirements and educate employees on the changes to ensure a proper roll-out, as well as quick reporting of new issues.
- External communications. If applicable, develop external communications to educate customers and business partners.
- Document everything. As with all things related to data governance and preparing yourself for the next breach or audit—document, document and document some more. Give your company a good story to tell, IF not WHEN trouble comes to your door.
We say it all the time around here—responsible information management is a never-ending process. To be sure, things these days are moving fast enough without failing to implement changes mandated by federal law more than ten years ago. Your governance plan need not be expensive or complicated, nor take exorbitant amounts of time from your day-to-day business. But ignoring it altogether, or not giving changes in the law their due attention, will make sure you lose more than time when, not if, judgment day rolls around.