Friday, April 04, 2008

Pharmacy Chain to Improve Document Disposal to Settle Texas Information Security Claims

This posting was written by Thomas Long, Editor of CCH Privacy Law in Marketing.

The State of Texas has reached a settlement of claims that CVS Pharmacy, Inc. violated state laws regulating the disposal of customer records containing sensitive personal information, Texas Attorney General Greg Abbott announced on March 26. Under an agreed final judgment, CVS will pay the state $315,000 and will overhaul its information security program.

According to the complaint filed by the Attorney General, thousands of CVS's business records containing sensitive personal information regarding customers were found in a trash dumpster behind a CVS store in Liberty, Texas.

These business records included sales receipts, refund slips, and prescription labels containing such information as customers' names, addresses, dates of birth, credit card numbers and expiration dates, driver’s license numbers, telephone numbers, type of medicine prescribed, insurance company, and prescribing physician.

Shredding, Erasing, or Destruction of Disposed Records

The complaint asserted that CVS's conduct violated Texas Business and Commerce Code Sec. 35.48(d)—which requires businesses disposing of records containing personal information regarding customers to shred or erase the records—and Sec. 48.102 of the Texas Identity Theft Enforcement and Protection Act—which requires a business to (1) implement and maintain reasonable procedures to protect and safeguard from unlawful use or disclosure any sensitive personal information that it collected or maintained in the regular course of business and (2) destroy or arrange for the destruction of its customer records containing sensitive personal information within its control that were not retained by it.

“Recognizing that identity theft is one of the nation’s fastest growing crimes, the Texas Legislature passed laws to protect Texas consumers,” Attorney General Abbott said. “This agreement ensures that CVS will implement new procedures that will better safeguard their customers’ personal information. The Office of the Attorney General will continue aggressively enforcing laws that protect Texans from identity theft.”

The agreed final judgment orders CVS, when disposing of records containing personal information, to modify the records by shredding them, erasing them, or otherwise making them unreadable or undecipherable. Records that are pending modification must be kept in secured, locked containers or otherwise stored securely.

Training, Oversight Requirements

CVS must implement a training program to inform its Texas employees about the company’s enhanced information privacy and security procedures. In addition, each CVS store will be required to post signs explaining proper records storage and disposal procedures and must conduct unannounced compliance checks of at least three percent of its stores every six months.

CVS will also be required to designate an employee from its corporate office to oversee compliance with privacy protection laws. Store employees must be allowed to anonymously report any failures to comply with the program to a designated corporate-based employee or third party vendor. For five years, the compliance representative must forward a sworn statement to the Office of the Attorney General certifying that CVS has instituted and satisfied the required employee training.

The monetary payment to the State included $40,000 for attorney's fees and costs. The remaining $275,000 will be deposited in the general revenue fund and may be appropriated only for the investigation and prosecution of cases under the Identity Theft Enforcement and Protection Act.

The attorney general's office stated that its investigation revealed no confirmed incidents of personal information being misused, but consumers who patronized the affected CVS location should carefully monitor bank, credit card, and any similar financial statements for evidence of suspicious activity. All consumers should also annually obtain free copies of their credit reports, the office said.

The Agreed Final Judgment and Permanent Injunction in the case of Texas v. CVS Pharmacy, Inc., Texas Dist. Ct., Liberty County, No. CV-72881, appears here on the Texas Attorney General’s website. A news release on the action appears here.
