While recent headlines about cybersecurity attacks, data breaches, and ransomware should give everyone reason to review the steps they take to protect their own personal information, companies should be especially vigilant to ensure they are complying with their obligations to keep personal information secure. Maintaining information privacy and cybersecurity can present difficult challenges for any company. This article is a part of a series discussing information privacy and cybersecurity, your obligations as a company, and steps that can be taken to create and improve an effective information privacy program.
What is information privacy and cybersecurity?
Understanding the scope of information privacy and cybersecurity is the first step in building an effective privacy program. Information privacy and cybersecurity (sometimes referred to as data security or information security) are distinct but related areas. Information privacy addresses being able to control and limit what information is collected about you, how that information is used, and to whom that information is disclosed. Cybersecurity addresses the policies and procedures designed to avoid the loss or unauthorized disclosure of collected information (for example, a data breach). A promise of privacy is of little value if the company does not take the necessary steps to secure and protect the information it collects. Similarly, a consumer benefits little from a very secure information technology system if the company’s privacy policies allow for broad disclosures of the personal information within or outside of that system.
Why every company should be thinking about privacy and cybersecurity.
Do you collect any information or data about your customers, your potential customers, website users, or your employees? If you answered that question “no,” you may want to take another look at your business model because most likely you collect some form of personal or non-personal information. Businesses routinely collect information from many sources. For example, when a user makes a purchase from a website, they will normally provide information directly to that company, including their name, contact information, and payment information. That website may also passively collect other data points from that user, including the user’s IP address, location, and app or internet browsing history. Companies also possess highly sensitive personal information on their own employees. As the reach of the internet expands (for example, connecting to your home security system, your television, or your mobile device), so too does the type and amount of collected information. If you collect any form of information from or about a person, you have obligations regarding maintaining the privacy and security of that collected information.
As discussed in the other articles in this series, once you have identified the need for an information privacy and cybersecurity program, you must determine the sources of your obligations and the steps you need to take to meet those obligations. It is a good idea to also seek the advice of an experienced information privacy lawyer before a data breach or other incident occurs.
Fraser Stryker Law Firm Information Privacy Attorneys
Fraser Stryker’s information privacy and cybersecurity lawyers advise clients on a wide range of issues regarding data collection, disclosures, FTC compliance, online advertising, data breach notifications, terms of service and privacy policies, intellectual property, and other e-commerce and technology-related issues.
Attorney Alexander Boyd is a Certified Information Privacy Professional for the U.S. Private Sector (CIPP/US) and can be reached at 402-978-5250.