Information Privacy and Cybersecurity: What Are The Rules and Where Do They Come From?

As the internet continues to play a growing role in our economy and personal lives, and the amount of collected personal information continues to increase, it is more important than ever for companies of all sizes and industries to review and update their information privacy and cybersecurity practices. This article is part of a series discussing information privacy and cybersecurity, your obligations as a company, and the steps that can be taken to create and improve an effective information privacy program.

When designing an information privacy and cybersecurity program, it is important to first think about the multiple sources of obligations and the stakeholders impacted by your decisions. Information privacy responsibilities and considerations come from three primary sources: (1) the law, (2) consumer expectations, and (3) business needs.

(1) The Law

Some privacy laws are generally applicable to almost all U.S.-based companies, while others apply to specific jurisdictions, types of data collection, or industries. One of the most common sources of widely applicable privacy rules is the U.S. Federal Trade Commission (the “FTC”). The FTC has broad authority to investigate and take action against “unfair or deceptive” business practices. That authority has been interpreted to include ensuring that companies comply with the representations they make about their data collection, use, and disclosure (typically contained in the company’s privacy policy), and ensuring that companies take reasonable measures to protect the sensitive personal information they collect. For example, copying a privacy policy from another website without ensuring it matches your actual data collection, use, and disclosure practices can result in allegations of deceptive practices.

A number of laws provide specific requirements for certain industries that collect and use certain kinds of personal information. If your company operates in any of these areas, then additional industry-specific requirements likely apply:

  • Health care;
  • Financial institutions;
  • Educational institutions;
  • Companies and employers using consumer and employee credit reports; or
  • Companies collecting information about children under age 13.

In addition to these federal requirements, many states also have specific privacy requirements for companies that collect information from their residents. One of the more important state-specific laws concerns companies’ obligation to report data breach incidents. Forty-eight states have data breach notification rules that describe the necessary steps a company must take if their system is breached and personal information may have been released.

International laws also govern the collection of data from other countries or transfer of personal data between countries.

(2) Consumer Expectations

While the law creates certain minimum requirements for companies’ information privacy practices, consumer expectations often play a larger role in determining how broadly or narrowly a company should collect and use its consumers’ information. The more sensitive the information collected, the more demanding consumers are that the information be kept private and secure.

If a data breach occurs, and consumers’ personal information is released, the reputational damage to the company can be very difficult to repair. Even if the company did not violate any legal requirement, consumers will nonetheless lose trust in that company if the consumers’ privacy expectations are not met. If the data breach is not the company’s fault, but rather the fault of one of their vendors, consumers still expect the company to whom they disclosed their information to take all necessary steps to ensure that information remains private. Maintaining transparent privacy policies and giving consumers choice over their information collection and use builds consumer confidence.

(3) Business Needs

A company’s information privacy program must not only comply with the law and meet consumer expectations, but it should also be designed to accommodate the business’s operational needs, growth, and changes. Consumer data can provide considerable value to a business. For example, accurate data collection can enhance a company’s ability to contact customers, serve relevant advertisements, predict purchase trends, or improve products and services. It is therefore important to ensure that the company’s privacy policies and procedures allow it to use the collected data for its intended purposes. Privacy policies also need to allow room for future changes, growth, or acquisitions. Identifying these issues and drafting appropriate policies now can avoid two kinds of uncertainty later: whether previously collected data may be used for new purposes, and whether the company’s pre-merger privacy representations allow the collected consumer data to be transferred in an acquisition or merger.

As discussed in the other articles in this series, once you have identified your information privacy obligations, you should determine the steps you need to take to meet those obligations. It is a good idea to also seek the advice of an experienced information privacy lawyer before a data breach or other incident occurs.

Fraser Stryker Law Firm Information Privacy Attorneys

Fraser Stryker’s information privacy and cybersecurity lawyers advise clients on a wide range of issues regarding data collection, disclosures, FTC compliance, online advertising, data breach notifications, terms of service and privacy policies, intellectual property, and other e-commerce and technology-related issues. For additional information, contact Troy Meyerson.