Data Security and Storage Facilities: Concerns from Storage Wars
I’ll admit it. I am addicted to Storage Wars, the quasi-reality show that pits a cast of regular characters (who are far from regular) against each other, bidding at auctions for abandoned storage units. On a recent cross-country flight, I must have watched four consecutive hours (eight episodes), repeatedly getting hooked into each episode by the prospect that the newly-acquired units contain treasures like a baseball card collection, a dusty Stradivarius, or grandma’s old gold necklaces.
But I am a lawyer, after all, so I cannot simply enjoy the show for its entertainment value. I have the nagging need to analyze the show from a legal perspective. And the thing that bothers me about Storage Wars has to do with data security.
You see, under Massachusetts law, any business that stores “personal information” (defined here) must take affirmative steps to protect it. Additionally, the business must report to the Massachusetts Attorney General, among others, if any personal information is acquired by an unauthorized person.
So this makes me wonder: what are storage facilities doing to ensure that the winning bidder on an abandoned unit doesn’t inherit a treasure trove of personal information? Let’s say the previous unit owner was a business, and the unit contained a bunch of old personnel files. In today’s day and age, with the raging epidemic of identity theft, if the wrong person hits a mother lode of personal information, it could be more valuable than that Stradivarius. And the storage facility would be required to report this to the AG; after all, the winning bidder would be getting unauthorized access to the personal information of others.
There are considerations here for storage facilities and their customers. Businesses that store information with storage facilities need to take steps to make sure that the personal information being stored is sufficiently protected. Under Massachusetts law, this means taking reasonable measures to select vendors capable of maintaining appropriate security measures and requiring such vendors by contract to implement and maintain such security measures. I covered these requirements in a recent blog post.
Storage facilities, for their part, need to figure out ways to ensure that they’re not permitting unauthorized access to personal information in their customers’ units. Perhaps this means a protocol that requires an employee of the storage facility to supervise the emptying of the unit by the successful bidder and requires that any personal information be discarded. If this is the solution, the storage facility will need to get rid of the personal information in the specific manner prescribed by law.
Does your business use off-site storage facilities, and if so, have you met the legal requirements for selecting and contracting with that facility? If not, one of the members of HRW’s Data Security Team can help you with this. Or are you a storage facility, and if so, have you considered and/or adopted policies and procedures to ensure that you’re not permitting unauthorized access to personal information stored by your customers? We would be interested in brainstorming with you about solutions to this issue – but not while Storage Wars is on.
-- C. Max Perlman