Recent technological advances and the ensuing proliferation of new products and services have, in many respects, made life more convenient, but they have also increased the likelihood that personal data will be accidentally misused or intentionally abused. While state and federal statutes are designed to help protect the privacy of personal information, continuing changes in technology often make it difficult for the law to keep abreast of the changing business and technological environment. In addition, as recent, highly publicized data security breaches illustrate, businesses that fail to respond promptly and effectively to a data security breach can suffer long-term reputational harm. In light of the foregoing, we offer the following summary of the top ten things that you need to know about data privacy:
1. A privacy policy is legally required for a business operating online. Until recently, website privacy policies were relatively common but not legally required in the United States for most websites; the exceptions were businesses operating in certain regulated industries and websites geared towards children. Recently, however, a number of states have enacted legislation requiring entities that collect information online to post privacy policies, and some states, notably California, also mandate the inclusion of specific terms and provisions. Because a business generally operates online in order to reach potential customers nationwide, it may be subject to the laws of states other than its own, and it should ensure that its policy complies with each of them.
2. A privacy policy can be considered an enforceable contract. A privacy policy can be considered an enforceable contract between the business and those whom it affects: generally its customers, but potentially anyone who visits the website and provides information through it. A privacy policy must therefore be drafted with great attention and care. Above all else, a privacy policy must accurately reflect the business's actual policies and procedures; a policy that promises protections the business does not in fact provide creates liability rather than reducing it.
3. Breaches in data security result in notification obligations. There is no such thing as perfect security, and any business can experience a data security breach. In the wake of a series of highly publicized data security breaches, a number of states have enacted laws mandating that businesses provide their customers with prompt notice of any breach of security involving the customers' data. California was the first state to enact such a measure and, as a result, many other states' laws are modeled after California's groundbreaking statute. Still, there are a number of differences among the relevant state laws, and which laws apply depends in large part on where the affected individuals reside. A breach involving individuals residing across the country, or even in a handful of states, therefore requires that a business have a detailed response plan, prepared in advance, that includes a plan for notifying customers in accordance with each applicable state law, and that the business actually follow that plan when a breach occurs.
4. Procedures for privacy policy revision should be developed and disclosed. Every business should develop and disclose a procedure for revising its privacy policy so that the policy remains up-to-date and pertinent. It may seem simple, but businesses often develop privacy policies that "sit on a shelf" and are never updated. As a general rule of thumb, every business should require that its privacy policy be reviewed annually and updated if needed. In addition, every business should require that its privacy policy be reviewed and, if necessary, revised whenever there is a change in applicable law or in its business practices.
5. Privacy issues should be addressed in contracts with service providers. All businesses should address privacy issues in their contracts with service providers who will be given access to any personal information under the control of the company. Ideally, service providers should agree in writing to comply with the business's data security protections. Such contractual provisions may help prevent "back door" breaches of data security through a provider's systems and will give the business recourse against its service providers if a data security breach occurs.
If a business must contract with a service provider without obtaining such a provision, it should obtain a copy of the service provider's privacy and/or data security policies and confirm that they are adequate in light of the risks that the arrangement poses. Even where a service provider will not agree to such a provision, a business should, at a minimum, understand the risk of a data security breach that using that provider might pose.
6. Privacy compliance requires maintenance of adequate security. Every business should adequately secure confidential, nonpublic personal information both physically and electronically. This means that even small businesses should use virus protection software and require logins and passwords in order to access their systems. Documents and files containing nonpublic personal information or other confidential information should be kept securely. Among other things, a business may wish to prohibit employees from taking certain documents home, from transmitting certain documents by email, or from using personal email accounts to conduct business. All employees, consultants, temporary workers and the like should be trained in these security measures and required to comply with them. For example, employees should be trained in the importance of securing their laptops and other electronic devices when they travel, and they should be given the means to shred or otherwise safely dispose of confidential information.
7. Cross-border data transfers entail additional regulatory requirements. Many countries have adopted data protection legislation that governs the collection, storage and use of nonpublic personal information. Local legislation may be more stringent than U.S. law for businesses that collect or use personal information, and it may reach the business that is the source of the data transfer as well as the recipient. For example, local legislation may require disclosure filings with local authorities, or may grant the subjects of the personal data rights of disclosure and correction that bind the source of the transfer. Before participating in cross-border data transfers, businesses should ensure that the recipients of the data are permitted under the laws of their own jurisdictions to use the data as intended, and should check whether any regulatory filings or other compliance steps are required.
8. Privacy compliance programs should address the potential of governmental demands for information. The government can potentially request nonpublic personal information from any business. Every business, therefore, should have policies and procedures that govern how it will respond to a governmental request for such information. As long as the government's request is made in compliance with applicable law, a business should be protected from liability for disclosing such information, because the state and federal statutes that safeguard the privacy of such information generally provide for disclosure in response to lawful governmental process. At a minimum, every business should require a subpoena or similar written request from the government, so that it is protected from liability to any persons whose nonpublic personal information is provided to the government. Businesses should have a lawyer review and respond to any subpoena or request in order to confirm its validity and to ensure that any response is appropriate. In all instances, businesses should retain all subpoenas and similar requests, as well as all responses generated to them.
9. Certain sectors and types of data will entail additional regulatory requirements. Certain industries and certain types of data entail additional regulatory requirements with respect to data security because of the sensitive nature of the information that these businesses handle. Specifically, the Gramm-Leach-Bliley Act imposes statutory requirements on financial institutions to provide certain privacy disclosures, while the Health Insurance Portability and Accountability Act of 1996 governs the use and disclosure of protected health information. In addition, in response to consumer concerns about data security, the federal bank regulatory agencies have issued interagency guidance on safeguarding nonpublic personal information and responding to data security breaches. These additional requirements mean that the affected businesses must not only develop written policies and procedures but also invest significant resources in tasks such as training relevant employees and distributing notices to customers.
10. One must consider the level of foreign data protection before engaging in offshore outsourcing. Technological advances have made it easy and economical for businesses to transfer personal information electronically and to outsource certain functions offshore. These transmission channels, however, are never 100 percent secure. In addition, because different countries offer differing levels of protection, and in some cases no legal protection at all, for the privacy of nonpublic personal information, outsourcing poses the risk that data security will be breached. At a minimum, therefore, a foreign business that provides outsourced services, whether it is the business's own subsidiary, an affiliate or a third-party provider, must be required to comply with the outsourcing business's privacy policies and procedures.
Published October 1, 2006.