indexMost auctioneers and other businesses have an exposure they may have never thought about or even realized. Think about it, when a bidder registers online or comes to your auction and registers in person, you scan their driver’s license or record their personal and private information.  It is at this moment you’ve created a new exposure and this exposure alone can easily cost an auctioneer, tens or thousands of dollars, without even batting your eye. 

The exposure I’m referring to is privacy or the loss of personally identifiable information (PII). What constitutes PII is a person’s name, social security number, driver’s license number, DOB, or credit card number. If any two of these combined is compromised, as the auctioneer (business owner), you now have a reason for concern.

Forty six (46) states have database notification laws which simply state, if you (the business) lose a customer’s PII you are responsible for notifying them of this event. Unfortunately these are state laws and the laws aren’t consistent from state to state.

The cost for notification is high.  When PII is lost, one of the primary expenses is the cost of research required to understand how to comply with individual state laws. Additionally, the cost of notifying customers in all states may lead to hiring an attorney to research the state laws, in some cases.  According to the Ponemon Institute, a single information breach cost is reported at $136 per record for 2012 and in the United States total cost per data breach incident is $5.4 million.

State laws are fairly consistent regarding who is held responsible; if it is “your customer” then you’re the responsible party for the notification. This also holds true whether you’ve outsourced the data processing to a third party vendor.

In fact, most third party vendor contracts actually have a hold harmless clause, stating the vendor will do their best effort to protect this information, but if they are breached they cannot be held responsible or liable. The responsibility always falls back on you, the auctioneer, since it is your customer.

In addition, the laws remain silent regarding how the information is stored. For you this means, if it is stored in electronic or paper form it does not matter. Even if you’re doing things the old fashion way by making a copy of your bidders driver’s license and you lose those copies, you’re still responsible and must notify all bidders whose information was lost.

Most states also require you to provide customers with a victim assistance package which may include identity theft education, identity theft insurance and identity theft credit monitoring. The cost of these services will vary based on the number of records in your database and the length of time for which you have to provide the services, be it 1 year or up to 3 years.

What we have seen in most major information breaches is these events eventually turn into a class action law suit. There by, costing the auctioneer major fees and legal expenses.  We would encourage all auctioneers to be extremely diligent with all PII you might collect and hold, regardless of the format, be it from their bidders, sellers, vendors, employees or independent contractors. If you are storing paper copies, we would encourage you to keep this information in locked filing cabinets. The files and personal information should only be available to those who need access to it.

If you’re keeping the information in an electronic format and storing it on a local computer, we would encourage you to have the information encrypted. A number of states have notification exemptions if the data is encrypted.   It’s also important to make sure the computer housing this information is in a secured facility. This type of data is most always better stored off site in a professionally managed data center rather than storing it locally on your server, laptop computer or other device with multiple users have access to.

I would be remised if I did not also tell you; this is an insurable risk which can be transferred to your insurance company. There are a number of stand-alone database notification products available in the market place today. If you happen to purchase the flexible auctioneers E&O coverage this is an optional coverage that can be added to your E&O policy for minimal additional premium.

If you’d like more information about privacy risks, you can visit: www.privacyrights.org

For a listing of State Security Breach Notification Laws, you can visit: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

To read more about research from Ponemon Institute, you can visit: http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01

Author: Larry Harb is the President and CEO of IT Risk Managers, Inc., a national wholesaler of niche insurance products. Larry provides specialized program for auctioneers, for more information visit:www.ITRiskmanagers.com