This article is the second in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues that corporate counsel need to consider in these areas. Click here to read the first article in the series.
The first article in this series emphasized the importance of in-house counsel being involved with and taking a lead in corporate information and data security matters. This suggestion is not rooted in finding extra work for in-house counsel or toward job security. Rather, it follows Federal Trade Commission (FTC) guidance for companies to incorporate privacy and security into their cultures. Commonly referred to as “privacy by design,” the FTC’s guidance encourages companies to build privacy and data security into all aspects of corporate decision making so that such issues are “baked” into companywide initiatives and marketing plans and remain front of mind.
Third, the FTC calls upon companies to implement reasonable data retention and disposal policies. Similar to the collection and use limitations above, the FTC suggests that companies only keep data for as long as it is useful for its intended purpose and thereafter dispose of such data in a manner that renders the information inaccessible. Again recognizing that there is no one set approach for all information, the FTC recommends that these restrictions “be tailored to the nature of the company’s business and the data at issue,” and that a company “should develop clear standards and train its employees to follow them.”