Dykema On Demand

www.dykema.com

Featured Article

Protecting Consumer Data

High-profile breaches of consumer data security are raising red flags about privacy policies that might create unnecessary legal liability.

When a federal judge certified a class action against the Veterans Administration in November 2007, he opened the door to one of the largest data-security lawsuits ever brought in U.S. courts. The class includes more than 26 million veterans whose personal data was stored on computer equipment stolen in May 2006. With portable flash drives reaching ever-higher data-storage volumes, potential disaster looms for any company that fails to secure its sensitive information. Such a disaster can affect a company’s legal liability as well as its business reputation.

“Amazing amounts of data have made it out, and bad things have happened,” said Steve Tupper, a Dykema member and leader of the firm’s Privacy, Data Security, and E-Commerce practice, in a Dykema on Demand Podcast. “Enforcement action has happened in the wake of those bad things. To mitigate the risk, companies need to review their privacy policies and procedures.”

A One-Two Punch
In general, federal laws regulating consumer data security haven’t changed much in recent years. Except for some new industry standards and state laws (see “You’ve Been Hacked”), the statutory landscape has remained fairly consistent. But the risks have grown, as data-security lapses have caused legal consequences and bad publicity.

For example, ChoicePoint Inc. settled charges by the Federal Trade Commission (FTC) that the company released personal information about 163,000 people, resulting in at least 800 cases of identity theft. The January 2006 settlement included $15 million in penalties and consumer redress. And in 2007, customers, banks and credit-card companies filed at least 19 lawsuits against TJX Inc.—which owns national chain stores TJ Maxx and Marshall’s—alleging the company failed to protect financial data, and then dragged its feet in disclosing the loss of data for some 94 million customers. The FTC also is investigating the case for possible enforcement action.

The FTC derives its data-security enforcement authority from two statutes: the Fair Credit Reporting Act, which forbids unauthorized release of credit information; and the FTC Act, which prohibits companies from making false and misleading statements about their privacy policies. The combination of statutes gives the FTC a potent one-two punch—particularly in cases where companies fail to uphold their own policies.

An Ounce of Prevention
The most effective data-security policies focus on preventing data lapses. In today’s world of electronic transactions and identity theft, companies are defining strict policies concerning data security. But policies alone aren’t enough when ubiquitous, thumb-sized media can hold sensitive data on literally millions of customers.

“We can all have two-inch thick policy manuals, and they don’t do a bit of good if you don’t enforce them,” Tupper said. “We need GCs and line-level managers to be actively involved in enforcing the company’s policies.”

That means ensuring all affected people understand data-security policies and procedures, and making sure those policies include the restrictions necessary to protect sensitive data. In some cases, companies are disabling or eliminating external USB ports that allow easy transfer of large files to portable media. When employees must be able to carry data offsite on mass-storage devices, companies are requiring encryption and authentication technology to protect that data.

Just as importantly, companies are reviewing their policies to make sure they don’t make promises they can’t keep. FTC and state laws give companies considerable flexibility in setting privacy policies, but they require companies to adhere to the policies they set. As a result, companies should ensure their policies are flexible and broad enough to cover the realities of operating in a fast-changing technology world.

“Companies are fond of saying they will protect consumers’ data no matter what,” Tupper said. “But the FTC is liable to show up and enforce those policies on behalf of consumers. You need to think carefully about what’s in your privacy policy, and the assurances you’re giving to customers who are handing over data that thieves would love to have.”

For more information, please contact Steve Tupper at stupper@dykema.com.
