Tips to Help In House Counsel Preserve Privacy

By Kevin Fayle on June 01, 2009 | Last updated on March 21, 2019

Virtually every company collects data about its customers.  This ensures that almost every company is subject to some privacy law or another.  Most likely, a company's activities fall under a combination of state and federal laws and regulations, which can make keeping track of legal requirements - and any changes to those requirements that may occur - a difficult job for the company's legal department.

To help alleviate this dilemma for in house counsel, Matthew Savare, Mary J. Hildebrand and Robert D. Chesler have written an article in The Metropolitan Corporate Counsel outlining the various privacy concerns most commonly faced by companies.  While the article doesn't go into every privacy law and regulation, it does give a good introductory outline of the types of things companies should watch out for.
Specifically, the authors point to the following concepts that confront almost every company:

  • Data Breaches. Nearly every state has some form of a data breach law that requires companies to notify consumers if data is lost or someone gains access to the company's databases.
  • Protection of Social Security Numbers. Some states have passed laws requiring companies to protect the social security numbers of their customers and employees.
  • Adherence to Privacy Policies.  If you publish a privacy policy for your website, you'd better abide by its terms.  Otherwise the Federal Trade Commission could come after you for committing an unfair or deceptive act or practice, just like it did to when that company tried to sell off its user data in contravention of its privacy policy.
  • Behavioral Advertising.  Many companies attempt to tailor ads to their website users based on their past browsing history.  So far, the FTC allows the advertising industry to self-regulate the practice.  The real danger might be in customer anger at the practice and not the threat of any kind of legal action, although at least one class action has arisen because of a company's behavioral advertising practices.
The article also discusses various ways that companies can protect themselves from potential liability as a result of a privacy violation.  The authors suggest that legal departments consider the following principles when creating their overall privacy strategy:

  • Companies should minimize the amount of data they collect.
  • Security - both physical and electronic - should be a priority.
  • Old records should be destroyed completely.
  • Companies should put strict policies into place concerning data breaches and follow them.
  • Outside vendors' privacy and security policies must meet the company's standards, and the company should clearly state and monitor the vendor's obligations.
  • Companies should take out a cyber-insurance policy to help offset any possible identity theft and/or data privacy claims.
See Also:
National Archives Missing a Terabyte of Sensitive Information (FindLaw's Technologist)
FTC Online Behavioral Advertising Privacy Principles Unplugged (FindLaw)
Privacy: You Don't Know What You Got Until It's Gone (FindLaw)
Copied to clipboard