3disciplinary measures should be consistentwith that goal. The manner in which this isincorporated into the information securityprogram should allow for signicant exibil-ity, however, in terms of the specic actionsthat will be taken in the event of violation.e.
Terminated employ-ees must be prevented from accessing per-sonal information “by immediately terminat-ing their physical and electronic access to suchrecords.” This is generally self-explanatory.Care must be taken in those situations wherean employee is separated from employment,but continues to provide transition assistance.Either employment must be extended, or safe-guards imposed so that the former employeedoes not have directaccess to the personalinformation at issue.f.
Third-party service providers
must verify that ser-vice providers “havethe capacity to pro-tect…personal infor-mation.” This involves
language into vendor agreements which (a)obligate the service provider to appropriatelysafeguard the information; and (b) maintainits own written information security program.While such requirements will become partof the standard boilerplate, complicated sce-narios may arise in connection with existinglong-term contracts that lack such terms, andwith out-of-state service providers that havenot yet assembled their own written infor-mation security programs. These must beapproached on a case-by-case basis, and therelative bargaining power of the parties maywell dictate the relative risk that the partieswill ultimately bear here. A review of vendorcontracts is essential, and should be under-taken by all businesses.g.
The information security pro-gram must limit (a) the amount of personalinformation collected; (b) the length of timesuch information is kept; and (c) persons per-mitted to access such information. Informa-tion may only be kept to the extent necessaryto accomplish its “legitimate purpose” or com-ply with applicable governmental require-ments. While this concept is understandablein the abstract, implementation may wellprove tricky. For example, in completing aretail transaction, may the retailer collect per-sonal information for a legitimate but unre-lated purpose? Is access by an employee forlegitimate purposes unrelated to the ratio-nale for the collection of the data permit-ted? Given the somewhat restricted deni-tion of “personal information,” however, themost common question may be the extentto which persons may bepermitted to retain creditand debit card numbersof customers. “Inde-nitely” does not appear tobe an acceptable answerany longer.h.
Identiying per- sonal inormationrecords
The writteninformation security pro-gram must provide for a method of identify-ing records and devices used to store personalinformation (unless
records are treatedas personal information). Carefully imple-mented systems used to segregate personalinformation address this require-ment. This may well requirea reworking of databases
and other established
data processes, however,and must be carefullyconsidered on a pro-cess-by-process basis.i.
must impose reason-able restrictions onphysical access torecords containingpersonal information.
[C]omplicated scenarios mayarise in connection...without-of-state service provid-ers that have not yet assem-bled their own written infor-mation security programs