“Data protection” is the newest catch phrase in Corporate America — and with data security breaches leading the headlines every week, that reality is not likely to change. In fact, there is a heightened push by companies to get a handle on this issue, with the Securities and Exchange Commission and states’ attorneys general picking up the enforcement baton and taking a close look at the data practices of companies across the board.
So where do you start in getting a handle on this risk? Your ultimate goal should be a comprehensive privacy program and data retention schedule, along with a written information security program. Taking proactive steps to implement these kinds of policies and processes can help reduce the risk — and the subsequent cost — of a security breach when one occurs. However, trying to tackle the entire data protection issue in one fell swoop is likely unmanageable, regardless of the size of your company. Attempts to do so are likely to leave you in a state akin to a deer in headlights.
There are additional federal statutes that come into play if you hold “personally identifiable information” as defined by the relevant statute. Most notably, the Children’s Online Privacy Protection Act has adopted a broader definition of “personally identifiable information” than we typically see, expressly including things like social media user names and IP addresses.
There are also statutes that restrict how certain types of data can be used, such as the CAN-SPAM Act, which regulates unsolicited marketing emails, the Telephone Consumer Protection Act, which regulates how you can use and market to telephone numbers and cell phone numbers, and the Telemarketing Sales Rule, which regulates use of data for telemarketing purposes.