Information about individuals is more readily available now than ever before in history, and its value both to legitimate business interests and to criminals is increasing. Storage options abound, and the trend is to store ever-greater quantities of data on ever-smaller devices, enhancing portability and increasing flexibility for out-of-office access.

The explosion of information’s value, availability, and mobility has created a corresponding escalation in risk and compliance obligations with respect to the privacy and security of that information. More than 40 states, the District of Columbia, Puerto Rico, and the Virgin Islands now require organizations to notify affected individuals when personal information has been (or is suspected to have been) subject to unauthorized access or acquisition. Those same laws often also require that government regulators be notified of the breach.

More than a dozen states mandate some form of comprehensive information security, and more than 35 regulate security of Social Security numbers. Relevant to employers’ group health plans, federal regulations mandate specific security requirements for protected health information and, more recently, breach notifications for individuals and regulators when a breach of such information occurs. Competing mandates with respect to information disposal, employee monitoring, direct marketing, and online operations also collude to create a dense, intricate, and risk-rich compliance environment.