CENTER FOR CONTINUING EDUCATION
Self Study Article and Self Assessment Test
Legal Obligations and Solutions for Protecting Online Personal Information
By Mark Winitz
Copyright © 2005 Mark Winitz. All Rights Reserved.
1. Introduction
In the Internet era, it is commonplace to enter, exchange, and acquire personal information online. For example, registering and purchasing tickets for events via the World Wide Web, rather than by postal mail or a telephone call, has virtually become the rule rather than the exception. Many event promoters and organizers, however, are unaware of the security issues and laws related to the safekeeping of an individual's personal information when conducting online transactions. This lack of awareness may result in undesirable, costly (and illegal) actions and consequences for both organizers and registrants.
This article discusses the use of online registration in the sport of recreational long distance road running to illustrate how these issues arise. It also presents rules of thumb and advice that legal counsel can use to protect clients who are involved in these activities.
2. Framing the Challenge
E-Commerce, or conducting business online, has introduced a new level of efficiency and economy for road races. As e-commerce sales boom (2.2 percent of all retail sales in the U.S. are now transacted via the Internet), online road race registration is flourishing. This means that road races are frequently entrusting their entrants' personal information to others, particularly to online registration services.
At the same time, cyber-crime is dramatically rising. The news is filled with stories about computer break-ins, security breaches, identity and credit card theft, and the exposure of private financial data.
"Every day, you see instances of identity theft, hacking; it's going through the roof," says Albert Barsocchini, a lawyer who specializes in computer forensics at Guidance Software, Inc., which investigates computer security incidents for Fortune 500 companies and government agencies.
"It's a dangerous world out there trying to hold onto your personal information," Barsocchini adds. "Everybody is grappling with it, the federal government, the states, the credit card companies, and individuals, trying to keep things secure and private."
Should race directors be paying attention? Barsocchini and other computer privacy and security experts say yes; entities handling computerized personal data (including road races) have practical and legal duties to protect this information.
3. Why Should a Road Race Keep Entrant Data Secure?
Dennis Steinauer, a computer security expert who is also the President of Washington, D.C.'s Credit Union Cherry Blossom 10 Mile road race, feels that race organizations need to take data security very seriously.
"It needs to be done out of respect for runners, and to ensure that they will trust the race and be happy with its attitude toward privacy," says Steinauer who has spent 30 years as a computer security researcher, policymaker, and administrator for the National Institute of Standards and Technology and General Electric Information Systems.
In addition to being mindful of race participant concerns over security of personal data, race directors must also carefully consider the legal and financial ramifications of negligent data security.
California law already requires any agency, person, or business that conducts business in California and owns or licenses computerized personal information about California residents to implement reasonable security procedures and practices to protect that information, and to disclose any breach of security to any resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person (California Civil Code, Sections 1798.80-1798.84, see Attachment 1). The statute does not itself mandate encryption (electronically scrambling the data), but encryption matters because the notification duty attaches only to unencrypted data. An example of the data that California defines as "personal" is a first name (or initial) and last name coupled with a credit card number, together with any required security code, access code, or password that would permit access to the account.
According to Barsocchini, California road races are subject to this law, and race participants living in California must be informed if their entry data is breached.
Nationally, a string of recent incidents (at LexisNexis, ChoicePoint, Citibank, and elsewhere) has potentially exposed millions of U.S. citizens to identity theft. In response, Congress is considering legislation to require companies to take steps to protect the personal data of their customers and restrict how this information is handled.
"Once you start holding this information, you open yourself up to liability," says Barsocchini. "You could get into a lot of trouble or get sued."
He adds that the financial burden of hiring specialists to investigate a breach, possible litigation, and notification (about $30 per entrant, he estimates) can be daunting.
In addition to possible national legislation, right to privacy issues also dictate that personal information be protected. Although no right to privacy is explicitly declared in the U.S. Constitution, many states have constitutional provisions or statutes intended to protect individual privacy.
4. What Data Should Be Kept Secure?
According to Steinauer, any information that ties an individual's name to personal data should be carefully protected. He notes that, in an era of annoying junk mail and telemarketing, even addresses and phone numbers, although often publicly available, should be considered sensitive.
The most sensitive (and, for hackers, most valuable) personal information, credit card numbers and financial data, requires the most diligent security.
"One of the biggest things is [online providers] should not be storing credit card numbers unless they are a bank," Barsocchini advises. If individuals register their personal and credit card information with any vendor-as is often touted as a way to make return visits more convenient-the personal information is retained by the vendor. It may be best to avoid "registering" sensitive personal information.
Active.com, a popular online race registration service, states that it considers all of the entrant information that it collects for its road race customers private.
"Unless there is specific information about events, or results, that a race director wants to post on our site, in terms of an outsider being able to access the data, it all needs to be private," insists Jon Belmonte, Active's Chief Operating Officer.
5. Threats to Entrant Data
Although none of the road races or their service providers that Road Race Management Newsletter (RRM) polled knew of any event whose entry list had been compromised by intruders, race directors should not become complacent, according to the data security experts that RRM contacted.
Security breaches can come from internal and external sources. Steinauer states that an often-overlooked point of internal vulnerability is race personnel who have administrative access to entrant records. Most road races rely on volunteers who are subject neither to security checks and clearances, nor employee agreements. Race registration volunteers may not be aware of the need for information protection.
Digital assets are subject to both intentional and unintentional threats. For example, a race volunteer might download personal entrant information from a race registration service and inadvertently post all of it to the entrant confirmation list on the race's website. Posting anything more than the runner's name, bib number, age, and hometown could be unwise.
"I wouldn't really be surprised if there is a major incident or full scale theft of a race's data in the next couple of years," Steinauer comments.
External network intrusions come in a variety of forms, from viruses that can destroy your entrant data to elaborate scams and identity theft.
Says Barsocchini, "Sophisticated identity theft is going on." He explains that there have been instances where hackers have broken into a legitimate website and inserted a mechanism that "hijacks" visitors, redirecting people who try to enter the site to a counterfeit copy of it. Those people are then duped into entering personal information on the counterfeit site.
E-mail also presents a potential risk if it is used to communicate sensitive information. Barsocchini notes that e-mail is "inherently insecure and subject to [organizational] use policies that may allow third parties to read it."
Race directors should be aware of the possibility of such intrusions and do all they can to make sure they don't happen.
6. Data Security and On-Line Registration Services
Given the many intricacies and potential pitfalls of e-commerce, Steinauer suggests that, if online payment of entry fees is involved, a race should consider using a reputable online registration service. Most race organizations probably are not in a position, technically or financially, to conduct secure online payment transactions on their own (an exception is the ING New York City Marathon, which does its own on-line registration; see Data Security at Two Events below).
In addition, Steinauer suggests that races consider using an online registration service if they collect information about runners in addition to what is necessary to score the race and provide the results. This additional information might include personal data used for marketing and to fulfill agreements with sponsors.
Active's Jon Belmonte says that his company's scale and position allow it to invest "significant resources" in some of the industry's best security for online data, including state-of-the-art firewalls, intrusion detection, security scanning, and a secure data center with controlled physical access.
"Most race directors that come to us are concerned [about data security]," Belmonte says. "But once we tell them that we invest in the same kind of security resources as Amazon, Yahoo, and Expedia, they feel good about it."
Merchants and service providers such as Active, Sign Me Up Sports, AllSportCentral, and others that store, process, or transmit cardholder data are required by the major credit card brands to comply with the Payment Card Industry Data Security Standard (PCI DSS), an internationally recognized set of best practices for cardholder data security. The card brands also require periodic validation of compliance: on-site assessments by a qualified assessor for the largest merchants and service providers, self-assessment questionnaires for smaller ones, and regular network vulnerability scans. These audits are performed by approved assessors and scanning vendors rather than by the credit card companies themselves.
Todd Bellino, Sign Me Up Sports' V.P. of Business Development, says that in addition to complying with the PCI standards, his organization also "passes encrypted transaction data directly to its bank over a leased line," rather than storing credit card information.
AllSportCentral's Steve Kurtenbach notes that his company "maintains its own data center to improve security and reduce third-party access to data."
Active, Sign Me Up Sports, and AllSportCentral also do not allow their road race clients to view or obtain entrants' credit card numbers.
7. Risk Assessment
Can a race be absolutely sure that, even with the most advanced security policies and safeguards, its entrant data is protected? Not really, but it should be able to achieve an acceptable level of risk, says Steinauer.
Active's Belmonte says his organization doesn't anticipate an incident in the future where consumer data on their network is compromised. Nonetheless, Internet security experts feel that today's World Wide Web can't yet yield guarantees.
"Even the banks haven't figured out how to do truly secure banking," Barsocchini cautions.
Steinauer basically agrees. "You may have protections in place, but there is no system that is ever going to be 100 percent secure." He nonetheless believes that a race can achieve a level of protection for entrants' data that balances risk and costs. This can be accomplished with the prudent selection of service vendors (if used) and implementation of commonsense procedures for the race registration process.
8. Data Security at Two Events
We talked to two large events, the Army Ten-Miler and the ING New York City Marathon, about how they handle online registration and security concerns.
The 20-year-old Army Ten-Miler has used Active.com for its online race registration since 2001. About 95 percent of ATM's 20,000 participants apply online, notes Race Director Jim Vandak. Active also hosts the event's website.
Vandak says that the Army Ten-Miler is very attentive to the security of its participants' personal data. The race touches base with Active annually to confirm the security of their entrant database. "Active assures us that they take above-and-beyond considerations to protect the integrity and security of the information," notes Vandak.
The Army Ten-Miler owns all rights to its entrant database and considers all of the information private. In addition, as a production of the U.S. Army, Vandak says the race is subject to the U.S. Privacy Act (which requires that records about individuals that the federal government keeps be protected from unauthorized release, see Attachment 2). The race does occasionally submit information contained on participant entry forms to its sponsors (such as its race photo service). This fact is stated in an online waiver, but entrants can prevent this action by "opting out." About 30 percent of the ATM's entrants choose to opt out.
The race doesn't store entrant data on its computers. When sponsors or scorers need the data, an authorized ATM administrator downloads it from Active's server directly to a CD and ships it via Federal Express. The race does not e-mail this information. Only the race director and the registration manager can access the participant data (using Active's data management tools).
"The customer service that online registration offers is fantastic as long as they have secure online transactions," Vandak says. "It's a wonderful technological tool to service our customers and help the race run efficiently."
The ING New York City Marathon's size (30,000-plus participants), maturity, and ownership by the New York Road Runners Club (a $23M non-profit organization) allows the race to handle independently all functions that involve race registration and the use of its entry list.
"We have approximately 320,000 entrants in the club's races a year, so it made sense for us to develop our own registration systems and programs," says Allan Steinfeld, the marathon's Executive Director.
NYRR maintains its own secure intranet (or private network), and has an internal IT department. The race handles 95 percent of its registrations online, all of them via its website, which it hosts. All credit card and registration information supplied by entrants is transmitted over SSL, using a server certificate issued by VeriSign, so the data is encrypted between the entrant's browser and the race's server. Credit card transactions are automatically authorized and processed.
The online entry form requires that registrants provide personal information (including e-mail address), which is required for entry acceptance notification, start line seeding, scoring, and mailing of race results. Providing additional information (such as occupation) is optional.
The marathon's sponsors do not have access to participant information; rather the race sends out mailings or e-flashes directly to race registrants on behalf of the sponsors. The marathon also performs its own race scoring using timing chips, so entrant data remains entirely internal.
The race periodically assesses its network and security mechanisms. "We are bringing in consultants to upgrade our computer systems and evaluate our associated security measures," says Steinfeld. "It's the right thing to do."
9. Tips for Minimizing Security and Privacy Risks
Develop awareness within your organization why security is necessary for race/event registration data:
- Entrant data should not be considered public
- Unauthorized access to this information could result in considerable monetary loss and embarrassment to the race/event and entrants
- Corruption, loss, or unavailability of the information could prevent the race/event from performing key activities
Know state and federal laws (and legislation) regarding the handling and storage of electronic personal data. Comply with these laws.
Diligently use desktop/network security tools and keep them updated (anti-virus protection, firewalls, logins/passwords, software security "patches").
Have in place reliable data backup procedures and perform regular backups of registrant data.
Consider all entrant data private. Collect and store as little entrant data as necessary to operate your event. If you plan to use this information for other purposes (mailing lists, membership recruiting, etc.), obtain permission from each entrant or provide an opt-out provision. Never store credit card information on your computers.
Selectively limit access to registrant data, by both internal personnel and outside parties, to those who "need to know." Deny database access and administrative functions to others using physical and electronic "lockouts." Also, make sure that listings or reports contain only the data necessary for the function or task involved. Never include credit card information on any listings.
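The following script is added here as an illustration of the two rules above (publish only the fields a listing needs, and never let card data reach a listing); it is not code from any registration service or from the original article. It reads a registration export of the kind a volunteer might download (the column names and the sample rows are constructed for this example), keeps only the name, bib number, age, and hometown columns, and refuses to produce a confirmation list if any value that would be published contains something that looks like a payment card number (13 to 19 digits that pass the Luhn checksum). The sample rows use the publicly known test card numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real cards.

```python
"""Build a public entrant confirmation list from a registration export.

Added example for this article (not any registration service's code).
The export layout and column names below are assumptions for the demo.
"""
import csv
import io
import re

# Fields a confirmation list may carry (name, bib number, age, hometown).
PUBLIC_FIELDS = ("first_name", "last_name", "bib", "age", "hometown")

# Columns that must never appear in any listing, whatever a caller asks for.
NEVER_PUBLISH = {"card_number", "email", "phone"}

# Constructed sample export. The card numbers are industry test numbers.
# Row 2 shows the real hazard: a card number typed into a free-text column.
SAMPLE_EXPORT = """first_name,last_name,bib,age,hometown,email,phone,card_number,notes
Ana,Ruiz,1001,34,Arlington VA,ana@example.com,555-0100,4111111111111111,
Ben,Okafor,1002,41,Bethesda MD,ben@example.com,555-0101,,called re bib 1002 card 5555 5555 5555 4444
"""

# A digit run of 13-19 digits, optionally separated by spaces or hyphens,
# not glued to further digits on either side.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    """True if text holds a 13-19 digit run that passes the Luhn check."""
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def build_confirmation_list(export_csv: str, fields=PUBLIC_FIELDS) -> list:
    """Project the export down to `fields`, refusing rather than leaking.

    Raises ValueError if a requested column is one that must never be
    published, or if any value that would be published contains a card number.
    """
    reader = csv.DictReader(io.StringIO(export_csv))
    missing = [f for f in fields if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export lacks columns: {missing}")
    forbidden = NEVER_PUBLISH & set(fields)
    if forbidden:
        raise ValueError(f"refusing to publish columns: {sorted(forbidden)}")
    rows = []
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        public = {f: (row.get(f) or "") for f in fields}
        for f, value in public.items():
            if contains_card_number(value):
                raise ValueError(
                    f"line {lineno}, column {f!r} contains a card number")
        rows.append(public)
    return rows


def to_csv(rows: list, fields=PUBLIC_FIELDS) -> str:
    """Serialize the projected rows as the CSV to post on the race website."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(fields), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_confirmation_list(SAMPLE_EXPORT)))
```

Run as a script it prints the five-column confirmation list and nothing else. Asked to include the free-text "notes" column, it refuses, because a volunteer had typed a card number there; asked to include the card, e-mail, or phone columns, it refuses before reading a single row. The Luhn check is a screen, not proof (roughly one random 16-digit string in ten passes it), so the script errs on the side of refusing to publish and leaving a human to look at the flagged line.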
Do not send or receive your entrants' personal data by e-mail.
Review the data security measures of all third parties (vendors, service providers, sponsors) who must access, store, or transmit your registration data. Remember, if their security is weak, your data may be exposed. If you are not comfortable with their protections, let them know.
Carefully evaluate and select online registration service vendors that have proven track records. Seek recommendations from other race/event directors. In particular, entrust online transactions involving the exchange of credit card or other personal financial information only to reputable vendors. Ask potential vendors if they use secure channels for transactions, if they store credit card numbers (why and how, if they do), and if they are insured for data theft. Ask if they share any entrant data with anyone, and if so, with whom.
Evaluate and select a reputable Internet Service Provider (ISP) to host your website. Limit administrative access to the site.
If feasible, seek technical advice from technologists in your race/event organization. Get advice from more than one person. Alternatively, be prepared to commit necessary financial resources for professional technical consultants and/or services. Volunteers generally will not be able to offer the same level of service as qualified professionals.
Look for vulnerabilities in your entire computer operation. Document these evaluations, and maintain adequate records. Consider employing a security specialist or auditor to evaluate your data security and privacy measures.
Implement contingency/public response plans for data security incidents (or suspected incidents) including theft, corruption, or loss/destruction of entrant information. Include in your plans incidents originating from, or affecting, your service providers' systems.
A version of this article, originally written for road race directors and counsel who represent road race organizers, appeared in Road Race Management www.roadracemanagement.com, July, 2005, with the title "Play it Safe: Why Race Directors Should Care About Data Security."
CALIFORNIA CIVIL CODE SECTIONS 1798.80 - 1798.84