It's Raining PII in New York


On November 25, 2012, the front page of the New York Post blasted the headline, “Drop Secret. Shred Alert! Covert cop files used as parade confetti.” The Post reported that shredded files appearing to contain material from Long Island’s Nassau County Police Department were dropped during this year’s Thanksgiving Day parade. The confetti reportedly contains the names and social security numbers of detectives as well as other confidential information. An anonymous law enforcement source indicated that the documents were to have been shredded and then burned. The Police Department is investigating and has vowed to conduct a review of its procedures “for the disposing of sensitive documents.” Although most data breaches don’t result in PII being strewn throughout the streets of New York, they can and often do become front page news and can have serious legal, regulatory, financial and reputational consequences. Notably, the most common cause of data breaches is not sophisticated professional cyber-attacks, but simple human error.

Regardless of how the confetti investigation plays out, this incident should serve as a reminder to all organizations to consider their own risk management plans, including the following factors:

  • Review your internal policies and procedures and make sure they’re up to date. The statutory and regulatory framework governing confidential information is constantly evolving and must be incorporated by your organization. Federal statutes such as HITECH, HIPAA and Gramm-Leach-Bliley must be considered, and the 46 state laws are constantly changing with respect to notification and security requirements. If your organization conducts business outside of the US, the requirements of foreign laws must be incorporated into your policies and procedures. Remember, having a policy your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed to, and followed by, employees.
  • Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
  • Hire a consultant to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments, and it is good practice in any case, because organizational risks change as business practices change.
  • Education of employees is critical to the success of any compliance program. Make sure all employees are educated and trained concerning those policies and procedures and any laws and regulations that apply to your business. There are laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, that mandate these types of training programs.
  • Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least one-third of all data security incidents.
  • Do not forget to compare your data collection and sharing practices to what your privacy policy says. Regulators, such as the Federal Trade Commission, are watching closely.
  • Cyber insurance can help organizations respond to and mitigate the harmful consequences of a data breach. Indeed, the SEC wants companies to consider insuring these risks. Insurance should be considered an important piece of your risk management plan.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
