This article is the second in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues that corporate counsel need to consider in these areas. Click here to read the first article in the series.
The first article in this series emphasized the importance of in-house counsel being involved with and taking a lead in corporate information and data security matters. This suggestion is not rooted in finding extra work for in-house counsel or toward job security. Rather, it follows Federal Trade Commission (FTC) guidance for companies to incorporate privacy and security into their cultures. Commonly referred to as “privacy by design,” the FTC’s guidance encourages companies to build privacy and data security into all aspects of corporate decision making so that such issues are “baked” into companywide initiatives and marketing plans and remain front of mind.
Even more importantly, privacy is fast becoming a primary business imperative, particularly for firms with an online presence. The New York Times recently noted that “privacy is no longer just a regulatory headache. Increasingly, internet companies are pushing each other to prove to consumers that their data is safe and in their control.” So what is in-house counsel to do?
A good starting point is a privacy report the FTC issued about a year ago titled “Protecting Consumer Privacy in an Era of Rapid Change.” In this report, which had (and still has) as its stated purpose, to provide “recommendations for businesses and policymakers,” the FTC urged companies to adopt certain practices to protect consumers’ private information. Specifically, the agency articulated three primary principles: privacy by design, simplified choice for businesses and consumers, and greater transparency. Unfortunately, each of these principles merits more time and attention than permitted in this column, so I only address and discuss here the first principle: privacy by design.
It is very easy to say that companies should incorporate privacy into their regular business practices. But what does that mean in practice?
First, companies should provide reasonable security for consumer data. The report highlights many actions the FTC has brought against companies that failed to adequately protect consumer data, which in certain instances followed a reported data breach or unauthorized access to the data. In many of these cases, the FTC noted that the target companies failed to adequately protect consumer data by not having in place procedural and physical safeguards designed to limit access to the data. In such cases, the FTC found that the breaches could have been avoided if appropriate safeguards had been developed and implemented.
However, the FTC notes that there is no “one size fits all” approach to data security and that security measures should reflect the type of information maintained. For instance, confidential, nonpublic or sensitive data, such as credit card, banking or health information, warrants greater protection than information that may be generally available in a phone book. For companies subject to specific data security regulations, this is obvious and easy. However, for companies that are not subject to specific regulations, the FTC suggests that they conduct internal self-evaluations of their data collection and use practices, and once completed, look to existing laws for similar industries to determine what level of security might be appropriate.
Third, the FTC calls upon companies to implement reasonable data retention and disposal policies. Similar to the collection and use limitations above, the FTC suggests that companies only keep data for as long as it is useful for its intended purpose and thereafter dispose of such data in a manner that renders the information inaccessible. Again recognizing that there is no one set approach for all information, the FTC recommends that these restrictions “be tailored to the nature of the company’s business and the data at issue,” and that a company “should develop clear standards and train its employees to follow them.”
Finally, the FTC recommends that companies take reasonable steps to ensure the accuracy of the data they collect and maintain, “particularly if such data could cause significant harm or be used to deny consumer services.” In this regard, the FTC seeks to impose on companies that make marketing eligibility decisions based on information they collect from consumers and others an obligation to ensure the accuracy of such data so that consumers are not excluded from offers or otherwise disadvantaged based on inaccurate or old information.
So, with these concepts as background, how should in-house counsel even begin to implement these principles? The report offers a simple road map for establishing a privacy program:
- Designate personnel responsible for the privacy program
- Perform a risk assessment that, at a minimum, addresses employee training and management and product design and development
- Develop and implement controls designed to address the risks identified
- Manage appropriate oversight of service providers
- Evaluate and adjust the privacy program in light of regular testing and monitoring
- Stay current on privacy-related developments, such as legislation, industry initiatives and FTC and attorney general cases
Although following these suggestions will not entirely immunize a company from breaches or unauthorized access to its data, nor shield it from liability in the event of such occurrences, they will surely reduce the likelihood of them happening. Moreover, from a business perspective, adopting these policies will provide companies with a competitive advantage over less-compliant firms and instill confidence among its current and prospective customers.