Compliance and risk management are becoming more important concepts for businesses, especially those operating in regulated industries. Outside of technical legal concepts such as negligence per se or breach of contract, a dispute between parties over legal liability often turns on whether the conduct of one party was reasonable under the circumstances. If a business handles the non-public personal information of its clients, for example, a dispute may arise if that information is disclosed to an unauthorized third party. The disclosure may have been accidental, but as suggested above, the central question will likely be: was the conduct of the company reasonable under the circumstances?
Using the example above, one way a company may help to show the reasonableness of its conduct is by maintaining policies and procedures concerning the handling of sensitive information by its employees. Such policies or procedures may include, at a minimum, employee training on the relevant regulations concerning the type of data in question, policies restricting employees from certain conduct that increases the likelihood of an accidental disclosure, or internal procedures reflecting good controls around access to the data.
Having good policies in place is not quite enough, however. Companies must educate employees on where the relevant policies are located, periodically review and log employee training, and enforce the policies.
Depending on the type of industry and the potential risks, companies should consider reviewing whether their policies and procedures are actually being enforced, to help mitigate liability risks arising from non-compliance.