“Data protection” is the newest catchphrase in Corporate America — and with data security breaches leading the headlines every week, that reality is not likely to change. In fact, there is a heightened push by companies to get a handle on this issue, with the Securities and Exchange Commission and state attorneys general picking up the enforcement baton and taking a close look at the data practices of companies across the board.
So where do you start in getting a handle on this risk? Your ultimate goal should be a comprehensive privacy program and data retention schedule along with a written information security program. Taking proactive steps to implement these kinds of policies and processes can help reduce the risk — and the subsequent cost — of a security breach when one occurs. However, trying to tackle the entire data protection issue in one fell swoop is likely unmanageable, regardless of the size of your company. Attempts to do so are likely to leave you in a state akin to a deer in headlights.
Taking the project in stages will help avoid the procrastination that comes with being overwhelmed as you wend your way through the often confusing and conflicting rules and regulations of data protection.
A great place to start is a privacy audit. Generally, different business units and divisions within your company are collecting different data from different sources. You need to get a handle on that data as that is a critical first step in getting a handle on your exposure profile.
The best way to think about a privacy audit is as an internal due diligence project or internal investigation. You want to gather as much data as possible about — well, about your company’s data. Interview each business unit and/or division to understand what information they are collecting, where they are collecting it from and how they are using it. Is it consumer information? Employee information? Vendor information? Are they getting data from retail locations or solely online? Are they getting data from a third-party data broker or sharing data with an affiliate or subsidiary? Where is that data stored: at an off-site third-party facility or in-house? Is there any data coming from a foreign country or from foreign employees or consumers? Is any data transmitted cross-border? Remember to consider both data that is actively collected (i.e., solicited and directly provided by an individual), like a name and address for entry into a sweepstakes, and data that is passively collected (i.e., generated solely from the transaction itself), like an IP address online or credit card data in a purchase.
A key question in this audit process is also to understand how and with whom the company is sharing data. We see many outward-facing privacy notices online that state with conviction that data is not shared with any third parties. In today’s economy, there is a slim chance that such a statement is accurate. Companies are outsourcing to hosting vendors, marketing vendors, etc., and those vendors are all third parties. In addition, it is important to understand your enterprise structure as well. Affiliates, franchisors and resellers are separate legal entities, and therefore third parties, even though they may be related. As you conduct your audit, mapping out your data flows visually can help identify where you might have information gaps. You should be able to map out all data sources, uses, transfers and storage. Your audit is not finished until you can do so.
Once you have a handle on your company’s data practices, you need to identify the regulatory framework in which your company operates. First and foremost, you can expect that the rules and regulations surrounding unfair and deceptive trade practices will apply to your company and its data practices. The Federal Trade Commission (FTC) polices unfair or deceptive trade practices under the authority of Section 5 of the Federal Trade Commission Act. Failing to disclose your data collection, use and disclosures can be seen as an unfair trade practice. Likewise, failing to comply with your stated policies on what is disclosed can be viewed as a deceptive trade practice. This is true in the context of offline data collection, online data collection and mobile app data collection. Of course, state attorneys general have similar enforcement capability under state consumer protection statutes.
For just about every company, enforcement by the FTC and state attorneys general under the umbrella of general consumer protection is a very real possibility, especially if the data that you hold is personally identifiable in any way. Unfortunately, what is “personally identifiable” can vary by state as well as by statute and industry. At least 47 states have data breach notification statutes that require certain affirmative steps if there is a data breach. While there is some similarity across statutes, the definition of what constitutes “personally identifiable information” varies by state.
There are additional federal statutes that come into play if you have “personally identifiable information” as defined by the statute. Most notably, the Children’s Online Privacy Protection Act has adopted a broader definition of “personally identifiable information” than we typically see, expressly including things like social media user names and IP addresses.
There are also statutes that restrict how certain types of data can be used, such as the CAN-SPAM Act, which regulates unsolicited marketing emails, the Telephone Consumer Protection Act, which regulates how you can use and market to telephone numbers and cell phone numbers, and the Telemarketing Sales Rule, which regulates use of data for telemarketing purposes.
Of course, if you are in a more regulated industry, or hold certain other types of data, then you likely have additional data regulatory frameworks to consider. Educational companies and organizations may need to pay attention to FERPA. Companies with any health information must consider HIPAA and HITECH and their subsequent regulations. Financial companies have the Gramm-Leach-Bliley Act and its subsequent regulations. And many states have similar statutes that also address health information and financial information.
If your privacy audit has identified international data and data sources, then you will have to add the overlay of international data protection laws as well, which can be fairly different from the framework in place within the United States.
The current regulatory landscape is continuing to develop and change — and that fact is not likely to change soon as bills are constantly being introduced on this topic. Don’t wait until the law is settled to understand your regulatory obligations. Get a handle on what you can as soon as you can and continue to monitor legislative developments.
Finally, don’t overlook any industry obligations and self-imposed obligations. Any entity that accepts credit cards needs to be aware of the Payment Card Industry Data Security Standards, which are contractually imposed on any company accepting credit cards. There are also online marketing and tracking industry standards espoused by the Digital Advertising Alliance. Depending on what you have agreed to from an industry perspective, or in your company contracts or privacy notices, you may have additional obligations above and beyond what is required under applicable laws.
Many of the above statutes may also impose data security obligations. Your next step after your privacy audit and regulatory review should be a security audit, although you could also start this process simultaneously with the first two steps. The first question to answer in a security audit is your current security status: what security controls are in place today and how they are operating. Often this will involve engaging a third-party vendor to help perform that technical assessment.
Once you understand your current state, go back to your identified regulatory framework to identify your ideal security status. Outside of particular applicable security standards, such as the PCI-DSS or Massachusetts 201 CMR 17.00, the company needs to have security standards that are at least reasonable and appropriate to the size of the company and the sensitivity of the data at issue.
You can work with your technology vendor to understand where the security gaps are between your current status and your ideal status, and then work to bring your security measures in line with where they should be.
With these three steps performed — privacy audit, regulatory review and security audit — you have organized the basic tools that you need to move towards developing and implementing your comprehensive privacy program, data retention schedule, and written information security program. By breaking the data protection task into more manageable — or at least concrete and identifiable — subtasks, you can take affirmative proactive steps to get a handle on data protection for the company.