Data has become an essential tool and valuable asset at most companies. U.S. and international laws, and industry self-regulation, on consumer and employee data privacy and security have made it essential that companies understand what data they collect; how and where it is stored, processed and secured; who can access it, and under what circumstances; and how it is used, shared and transferred, and for what purposes. Failure to understand these practices, and institute and maintain appropriate data protection policies and procedures, can result in expensive and embarrassing lawsuits and enforcement actions. Accordingly, data protection has become a crucial part of good corporate compliance efforts.
Compliance programs should include an audit of a company’s current and planned data collection, processing, use, storage and transfer practices to ensure that its privacy and security policies are accurate and sufficient. Efforts should be made to ensure that the company’s practices, and those of its vendors, comply with those policies. Vendors and others given access to the data should be contractually held to those policies. In addition, a contingency plan needs to be in place to prepare for compliance failures and security breaches.
A growing number of companies have instituted a Chief Privacy Officer and/or a data privacy and security committee to oversee this increasingly arduous task, to help educate company employees and vendors about their obligations, to implement privacy by design, and to develop a culture that fosters concern about data privacy and security.
The general process of developing a good data privacy and security compliance program is summarized as follows:
Identify the Information Assets and Practices
Satisfying a company’s obligation to protect information begins by understanding what information the company has, the extent to which it really needs it, where it comes from, where it is located, and how it is used, processed, secured, transferred and shared. Both current and contemplated practices should be examined. It is often the case, especially at companies that do not have well-evolved data protection programs, that there are little-known data files and databases containing sensitive personal information, transaction data, R&D results and corporate financial records, not only in the company’s possession but also under the control of related third parties such as service providers. Various forensic IT vendors can conduct a data audit, produce data maps and profiles, and identify current data and related security measures. It is recommended that they be engaged through outside counsel to support a position that the findings are privileged. Data privacy and security lawyers are also needed to help develop the audit, since they know which compliance obligations attach to which types of data assets and practices. Legal counsel can further supplement the data diligence with related inquiries regarding other legal and regulatory compliance (e.g., advertising, sales, etc.) and intellectual property rights, particularly with regard to company websites and mobile applications, providing additional value.
Conduct an Assessment
Identify Responsive Measures
With regard to privacy audit results, changes to policies and procedures may be required to meet current or prospective practices that are essential or important to the business. If material changes are to be made, they should apply only to newly collected data absent consent; the policy representations in effect at the time of collection should continue to apply to previously collected data absent opt-in consent. With regard to security, based on the results of the risk assessment, a company must identify the security measures most appropriate for its business, the types of information involved, and the specific risks it faces. Such security measures should be selected and designed to manage and control the risks identified during the risk assessment. Security laws do not typically specify which security measures companies must deploy; rather, companies may use any security measures reasonably designed to achieve the objective. This focus on flexibility, however, means that determining compliance may ultimately become more difficult, as there are unlikely to be any safe harbors for security. Some data protection laws require businesses to have a written information security plan that meets certain requirements, so a written security plan is recommended for all companies.
Appoint a senior executive to be responsible for data privacy and security – a Chief Privacy Officer. It is recommended that this person have a committee of senior executives from all the departments that have an interest in or will be dealing with data, such as marketing, HR, product development, IT and legal. Each committee member should then have responsibility over their respective group and its activities. Absent such an approach, it is virtually impossible to keep tabs on what is going on with respect to data at most companies.
Implement the Measures and Monitor the Operation and Effectiveness of the Program
As with any plan or corporate policy, it is of no value if it sits on the shelf. To be effective, the privacy and security measures developed must be implemented, monitored and enforced. Merely implementing data privacy and security measures is not sufficient. A company must also ensure that such measures are properly put in place and that they are effective. This includes conducting regular testing and monitoring over time to assess whether compliance is ongoing and practices continue to meet policy and whether the chosen security measures are sufficient to control the identified risks. It also involves monitoring employee compliance with policies and procedures. Stated differently, the question here is simply: “Do we know whether our data privacy and security program is working?”
Understand your insurance policy coverage and exclusions, and those of your vendors and business partners, and consider additional cyber liability coverage.
Regularly Reassess the Program
Privacy and security are moving targets. Thus, businesses must constantly keep up with ever-changing laws, best practices, self-regulatory schemes, threats, risks, and vulnerabilities, as well as the measures available to respond to them. It is an ongoing process. As a consequence, businesses must conduct periodic internal reviews to evaluate and adjust their data privacy and security program in light of:
- Any material changes to the business;
- Changes in technology;
- Changes in business practices;
- Development of new products and services;
- Evolution of the law, self-regulation and best practices;
- Changes in internal or external threats;
- Environmental or operational changes; and
- Any other circumstances that may have a material impact.
Address Education and Training
Training and education for employees is a critical component of any compliance program. Even the very best policy statements and physical, technical, and administrative security measures are of little value if employees do not understand their roles and responsibilities. Data privacy and security education begins with communication to employees of applicable policies, procedures, standards, and guidelines. It also includes implementing a data privacy and security awareness program, periodic reminders, and developing and maintaining relevant employee training materials, such as user education concerning permitted and prohibited data collection, storage, processing, use, transfer and sharing; virus protection, password management, and other security measures; and discrepancy reporting. Applying appropriate sanctions against employees and contractors who fail to comply with data privacy and security policies and procedures also is important.
Address the Data in the Hands of Third Parties
Corporate obligations regarding data privacy and security extend not only to the data in a company’s possession, but also to a company’s data in the possession of a third-party service provider or business partner. Outsourcing information processing or storage to a third party (including “to the cloud”), or sharing data with business partners, does not relieve a company of its privacy and security obligations. For instance, businesses need to look carefully at the security measures of the outsource providers with whom they contract, and the measures in place—contractual and otherwise—to respond to breaches. Indeed, some data protection laws specifically require that certain contractual obligations be imposed on vendors with access to sensitive personal information. Thus, third-party relationships should be subject to the same risk management, security, privacy, and other protection policies that would be expected if the business were conducting the activities directly. This generally involves three basic requirements: exercising due diligence in selecting service providers and business partners; contractually requiring implementation of appropriate privacy protections and security measures; and monitoring the performance of the third parties that have access to your data.
Prepare for the Event of a Security Breach
How will a company respond if a breach does occur? To address the technical, legal and public relations issues, a company should have a well thought out and legally compliant incident response plan in place. This plan should ensure that appropriate persons within the organization are promptly notified of security breaches, and that prompt action is taken: to respond to the breach (to stop further information compromises and to work with law enforcement), to notify regulators and people who may be potentially injured, and to deal with the press. Such a plan should also address how the company will comply with the requirements of the applicable security breach notification laws.