Blowin’ in the wind

Mishandling of customer records offers cautionary tale
Sunday, June 1, 2008

WEST HAVEN, Conn.--It’s a bad day for your alarm company when a television station airs a story that your clients’ records--including social security numbers, bank account numbers and cancelled checks--have been found blowing across someone’s lawn.

In addition to the many potential liability and legal issues, observed Eric Pritchard, a partner in the law firm of Kleinbard, Bell & Brecker, where he specializes in the security industry, that kind of publicity is “not a good marketing piece.”

However, on May 6, that’s just what happened when television station WTNH ran with a story about a West Haven resident who found personal records blowing from a dumpster onto the front lawn. The records, according to the report, belonged to Northeast Security.

Northeast Security is not a member of CASIA, the Connecticut Alarm & Systems Integrators Association, and no contact information or listing for the company could be found by Security Systems News.

However, the WTNH report noted that Northeast is a subcontractor for Rocky Hill, Conn.-based Safe Home Security. Contacted by Security Systems News, David Roman, president of Safe Home Security, confirmed the records did belong to Northeast Security, and that Northeast had done subcontracting work for him. However, “these were not Safe Home records … it’s really not my issue,” he said.

A phone number provided by Roman for Northeast was answered by a generic automated messaging service, and a message left by Security Systems News was not returned.

Bob McVeigh, president of CASIA, said his association was looking into the matter, but “no one seems to know who Northeast Security is.” He was naturally surprised that the personal records were not correctly disposed of. It’s common practice he said, for alarm companies to own “a healthy shredder,” and to use it when they have a dead file, he said.

Michael J. Kelly, president of Michael J. Kelly Insurance Agency in Santa Barbara, Calif., which provides security and communications insurance products, noted that security companies need to be careful about how they dispose of customer information because “ID theft is something that can happen with physical or electronic information … It’s a big issue because ID theft is not covered by general liability or crime policy.” He said more than 200 state and federal laws have been enacted to protect people from ID theft and alarm companies need to beware of lawsuits due to incorrectly handled personal information.

Pritchard concurred, reiterating that federal and state laws may apply to cases involving personal records. And for companies doing PERS work, HIPAA laws may apply as well. The “big federal privacy law that could apply is called Gramm, Leach & Bliley,” Pritchard said. It is mostly used in cases involving financial services companies, however, and may not apply to security companies, but “I wouldn’t want to find out through lengthy, expensive litigation that it does.”