On January 28, 2009, the United States, Canada, and 27 European countries will celebrate Data Privacy Day together for the second time. One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.
The following steps will help you review your current policies and practices.
1. Know what you have. Review your operations to make sure you know the different types of personal information (of both employees and consumers) your organization collects, stores, and uses, including:
- Name and contact information (address, phone number, email address, fax number)
- Date of birth
- Social Security number ("SSN")
- Employee or Tax Identification Number
- Credit or debit card number
- Bank account number
- Any passwords or passcodes that would allow access to personal or financial information
- Biometric data.
Do you collect data from children online? If so, make sure you have the appropriate age verification and parental consent mechanisms in place.
2. Then ask the question: do we really need to be collecting all that data? Look at how you use the data you collect and see if there are ways to eliminate the collection and storage of things like SSNs, credit/debit card numbers, and other sensitive information.
3. If you determine you still need the data, think about where it goes once it's collected. Review your data flows to make sure you know where the data is going. Is it stored in electronic databases? In hardcopy? On backup servers, tapes, or other backup media? On-site or off-site?
Do you share the data with any third parties? If so, do you have contracts in place that: (a) restrict the use of the data; (b) require the third parties to properly protect the data; and (c) require the third parties to notify you if the data is somehow compromised?
Are there any cross-border data flows? If so, ensure that you have considered transborder data flow requirements and have obtained appropriate consent from data subjects, implemented the appropriate contracts, or are participating in the Safe Harbor program to ensure compliance.
4. Who has access to the data? Review your operations to make sure you know who has access to the data. Do all employees need access, or only certain subsets? Do contractors/vendors/other third parties have access to the data? Are employee and vendor logins and accesses removed when they no longer need access to the data?
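One way to make the access review in this step repeatable is to reconcile the logins exported from each system that holds personal data against the current employee and vendor roster. The script below is an added example, not part of the original checklist; the roster, the account export and the review date are constructed sample data, and the 90-day inactivity threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    name: str
    kind: str          # "employee" or "vendor"
    active: bool       # still employed, or contract still running
    needs_data: bool   # role actually requires access to personal data


@dataclass(frozen=True)
class Account:
    username: str
    system: str
    owner: str                  # person the login was issued to ("" if unknown)
    last_login: Optional[date]  # None if the account has never been used


# Constructed sample data: an HR/vendor roster and an export of logins from
# systems that store personal information.
SAMPLE_PEOPLE = [
    Person("Alice Li", "employee", active=True, needs_data=True),
    Person("Bob Ruiz", "employee", active=False, needs_data=True),   # has left the company
    Person("Carol Ng", "employee", active=True, needs_data=False),   # moved to a role without data needs
    Person("Dan Ash", "vendor", active=True, needs_data=True),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "hr-db", "Alice Li", date(2009, 1, 20)),
    Account("bob", "hr-db", "Bob Ruiz", date(2008, 11, 2)),
    Account("carol", "crm", "Carol Ng", date(2009, 1, 5)),
    Account("dan-vendor", "backup-admin", "Dan Ash", date(2008, 9, 1)),
    Account("svc_legacy", "crm", "", None),                          # nobody on the roster owns it
]
REVIEW_DATE = date(2009, 1, 28)   # constructed: the day the review is run


def find_accounts_to_remove(accounts, people, today, stale_days=90) -> List[Tuple[str, str, str]]:
    """Return (username, system, reason) for every login that should be removed
    or re-justified. Checks run in order of severity, so each account is
    reported once with the most important reason."""
    roster = {p.name: p for p in people}
    findings = []
    for acct in accounts:
        person = roster.get(acct.owner)
        if person is None:
            findings.append((acct.username, acct.system, "no owner on the roster"))
        elif not person.active:
            findings.append((acct.username, acct.system, f"{person.kind} no longer active"))
        elif not person.needs_data:
            findings.append((acct.username, acct.system, "role does not require access"))
        elif acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.username, acct.system, f"unused for more than {stale_days} days"))
    return findings


def review() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample data."""
    return find_accounts_to_remove(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE, REVIEW_DATE)


if __name__ == "__main__":
    for username, system, reason in review():
        print(f"{system}: remove or re-justify '{username}' ({reason})")
```

Orphaned accounts (no owner on the roster) are listed first because they are the ones nobody will notice are missing; in practice they are usually shared or service logins that should be tied to a named owner before the next review.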
5. How are employees and third parties trained to handle the data? Regular training and reminders are critical to ensure that everyone with access to the data knows how to properly handle and protect the data in accordance with your policies. Take out the calendar and make sure data privacy and security training are scheduled.
6. Test your website mechanisms and controls. Test all of your opt-out mechanisms, including your e-mail unsubscribe functions. Make sure that when an individual makes choices about how you can use their data, those choices are put into effect.
If you collect sensitive information through your Web site, make sure you have properly implemented encryption functions. Take care to avoid common encryption mishaps such as failure to encrypt login or password retrieval Web pages.
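A quick way to catch the mishap mentioned above is to scan each page that carries a password field and confirm both that the page itself was served over HTTPS and that the form submits to an HTTPS address. The checker below is an added example, not code from the original article; it uses only the Python standard library, and the three pages it inspects are constructed samples (the example.com URLs are placeholders).

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> on a page and note whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_form_issues(page_url: str, html: str) -> List[str]:
    """Return one message per problem: a password form on a page that was not
    served over HTTPS, or a password form whose submission target is not HTTPS."""
    scanner = _FormScanner()
    scanner.feed(html)
    issues = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in scanner.forms:
        if not form["has_password"]:
            continue   # search boxes, newsletter signups and the like are out of scope
        if page_scheme != "https":
            issues.append(f"password form on a page served without TLS: {page_url}")
        target = urljoin(page_url, form["action"])   # a relative action inherits the page's scheme
        if urlsplit(target).scheme.lower() != "https":
            issues.append(f"credentials would be submitted without TLS to: {target}")
    return issues


# Constructed sample pages (URL, HTML) exercising the three cases the check covers.
PLAIN_LOGIN = ("http://www.example.com/login", """
<form method="post" action="/login">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>""")
MIXED_LOGIN = ("https://www.example.com/login", """
<form method="post" action="http://www.example.com/auth">
  <input name="user"><input type="PASSWORD" name="pass">
</form>""")
SAFE_RESET = ("https://www.example.com/reset", """
<form method="get" action="/search"><input name="q"></form>
<form method="post">
  <input type="password" name="new_password"><input type="password" name="confirm">
</form>""")


if __name__ == "__main__":
    for url, html in (PLAIN_LOGIN, MIXED_LOGIN, SAFE_RESET):
        print(url, credential_form_issues(url, html) or ["ok"])
```

The second case is the one that slips past a visual check: the page shows the browser's lock icon, but the form posts the credentials to a plain-HTTP address. Running the scan against the fetched HTML of every login, password reset and account page gives a repeatable test to add to the website review in step 6.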
7. How is the data protected? Look at the security controls you have in place for electronic and hardcopy data. Make sure that you review and update these controls on an annual basis.
Are there mechanisms in place to alert you to suspicious activity on your systems? Do you have a current incident response plan in place so employees know what they are supposed to do if there is a suspected security incident? Review your incident response plan and make sure the contact information for employees, processors, vendors, and other necessary parties is current.
Is sensitive data encrypted when it is stored electronically? Businesses storing credit or debit card numbers are required to encrypt stored account numbers under the Payment Card Industry Data Security Standard ("PCI DSS"). Massachusetts has introduced rules requiring businesses to begin encrypting sensitive personal data stored on laptops starting in May 2009.
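Step 2 asks whether card numbers need to be stored at all, and the question above asks whether stored data is encrypted. The example below, added here and not part of the original checklist, shows the option that satisfies both: keep a keyed one-way token and the last four digits instead of the card number, so that there is no full number on disk to encrypt or lose. The HMAC key is a constructed placeholder; the assumption is that a real deployment keeps that key in a secrets store or HSM separate from the customer database.

```python
import hashlib
import hmac
from typing import Dict

# Placeholder key, constructed for this example. In a real system the key lives in
# an HSM or secrets store, apart from the token database, and never in source control.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers; rejects mistyped input before storage."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form: only the last four digits are retained."""
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize_pan(digits: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256). A returning customer's card is matched by
    recomputing the token; card numbers have little entropy, so an unkeyed hash
    would be guessable, which is why the key is held separately from the data."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan: str, key: bytes = TOKEN_KEY) -> Dict[str, str]:
    """The record written to the customer database in place of the card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return {
        "token": tokenize_pan(digits, key),
        "last4": digits[-4:],
        "masked": mask_pan(digits),
    }


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a well-known test number, not a real account.
    print(store_card("4111 1111 1111 1111"))
```

A record like this is enough to recognise a repeat card, show "ending in 1111" on a receipt, and investigate disputes. If the business needs to charge the card again later, the right place for the full number is the payment processor, whose own token can be stored alongside this record; that keeps the full number, and most of the PCI DSS encryption obligations that come with it, out of the organization's systems.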
8. Are you prepared to comply with the FTC's Red Flags Rule? The FTC's Red Flags Rule requires financial institutions and creditors to develop and implement written identity theft prevention programs to identify, detect and respond to patterns, practices, or specific activities ("red flags") that could indicate identity theft. If your organization regularly extends, renews, or continues credit (including deferred payment for any purchase), you may be covered by this Rule. The FTC has delayed enforcement of the Rule until May 1, 2009.