1) Any company that keeps personal information not central to it's core business is held to higher standard
- You must be informed of what information the company is storing and how long they will store the information. For example, some companies like to run credit checks. I believe this requires a social security number (ssn). If the company holds on to the number after the check is done, they must inform you of it and become liable for it.
- If for any reason your ssn is breached, the company must 1) notify you within 10 days 2) pay you $100 for your troubles and 3) pay to provide you with full credit reports from all 3 credit bureaus for the next 3 years.
- If your credit card number pin is stolen the company must pay you $50. (I don't think the company should be storing this at all) but in theory, it's a lot easier to close down a credit card then recover your ssn.
- These conditions also apply to government agencies like schools who foolishly use a ssn as a personal identification number.
- Notify you within 10 days if they suspect your information has been breached
- If investigation determines the company has been negligent (data not encrypted or casually shipped via ups) all the conditions for #1 apply.