Regulatory: In-house counsel must become actively involved in privacy matters—Part 2
This article is the second in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues that corporate counsel need to consider in these areas.
March 13, 2013 at 03:16 AM
The original version of this story was published on Law.com
The first article in this series emphasized the importance of in-house counsel being involved with and taking a lead in corporate information and data security matters. This suggestion is not rooted in finding extra work for in-house counsel or toward job security. Rather, it follows Federal Trade Commission (FTC) guidance for companies to incorporate privacy and security into their cultures. Commonly referred to as “privacy by design,” the FTC's guidance encourages companies to build privacy and data security into all aspects of corporate decision making so that such issues are “baked” into companywide initiatives and marketing plans and remain front of mind.
Even more importantly, privacy is fast becoming a primary business imperative, particularly for firms with an online presence. The New York Times recently noted that “privacy is no longer just a regulatory headache. Increasingly, internet companies are pushing each other to prove to consumers that their data is safe and in their control.” So what is in-house counsel to do?
A good starting point is a privacy report the FTC issued about a year ago titled “Protecting Consumer Privacy in an Era of Rapid Change.” In this report, whose stated purpose was (and still is) to provide “recommendations for businesses and policymakers,” the FTC urged companies to adopt certain practices to protect consumers' private information. Specifically, the agency articulated three primary principles: privacy by design, simplified choice for businesses and consumers, and greater transparency. Each of these principles merits more time and attention than this column permits, so I address only the first principle here: privacy by design.
It is very easy to say that companies should incorporate privacy into their regular business practices. But what does that mean in practice?
First, companies should provide reasonable security for consumer data. The report highlights many actions the FTC has brought against companies that failed to adequately protect consumer data, which in certain instances followed a reported data breach or unauthorized access to the data. In many of these cases, the FTC noted that the target companies failed to adequately protect consumer data by not having in place procedural and physical safeguards designed to limit access to the data. In such cases, the FTC found that the breaches could have been avoided if appropriate safeguards had been developed and implemented.
However, the FTC notes that there is no “one size fits all” approach to data security and that security measures should reflect the type of information maintained. For instance, confidential, nonpublic or sensitive data, such as credit card, banking or health information, warrants greater protection than information that may be generally available in a phone book. For companies subject to specific data security regulations, this is obvious and easy. However, for companies that are not subject to specific regulations, the FTC suggests that they conduct internal self-evaluations of their data collection and use practices, and once completed, look to existing laws for similar industries to determine what level of security might be appropriate.
Second, the FTC encourages companies to collect only the types and amount of data necessary to accomplish a specific purpose, and no more. By limiting its data collection practices in this way, a company will possess only the information it needs to perform or deliver a requested service or product, and thus limits its exposure in the event of a breach. Obviously, companies should disclose these data collection practices, as well as the intended uses of such information, in a privacy policy. If a company wishes to collect more information than is necessary for the intended purpose, or to use the collected information in a manner inconsistent with the originally intended use, the FTC recommends that the company inform consumers of those practices at the time it intends to collect the additional information or implement the other use. This is commonly known as “just in time” disclosure.
Third, the FTC calls upon companies to implement reasonable data retention and disposal policies. Similar to the collection and use limitations above, the FTC suggests that companies only keep data for as long as it is useful for its intended purpose and thereafter dispose of such data in a manner that renders the information inaccessible. Again recognizing that there is no one set approach for all information, the FTC recommends that these restrictions “be tailored to the nature of the company's business and the data at issue,” and that a company “should develop clear standards and train its employees to follow them.”
Finally, the FTC recommends that companies take reasonable steps to ensure the accuracy of the data they collect and maintain, “particularly if such data could cause significant harm or be used to deny consumer services.” In this regard, the FTC seeks to impose an obligation on companies that make marketing eligibility decisions based on information collected from consumers and others: they must ensure the accuracy of such data so that consumers are not excluded from offers or otherwise disadvantaged because of inaccurate or outdated information.
So, with these concepts as background, how should in-house counsel even begin to implement these principles? The report offers a simple road map for establishing a privacy program:
- Designate personnel responsible for the privacy program
- Perform a risk assessment that, at a minimum, addresses employee training and management and product design and development
- Develop and implement controls designed to address the risks identified
- Manage appropriate oversight of service providers
- Evaluate and adjust the privacy program in light of regular testing and monitoring
- Stay current on privacy-related developments, such as legislation, industry initiatives and FTC and attorney general cases
Although following these suggestions will not entirely immunize a company from breaches or unauthorized access to its data, nor shield it from liability should such events occur, doing so will surely reduce the likelihood of them happening. Moreover, from a business perspective, adopting these policies will give companies a competitive advantage over less-compliant firms and instill confidence among their current and prospective customers.