Data Privacy Protection: A Serious Business for Companies

Vol. 41 No. 4

By Arti Sangar

Arti Sangar (asangar@diazreus.com) is a partner with Diaz, Reus & Targ in Dubai. She specializes in commercial dispute resolution and arbitration, as well as in transactional matters involving private equity investments, corporate restructuring, mergers and acquisitions, major real estate development projects, commercial dispute management, and employment issues. She coauthors the Emirates Business Law Blog.

Data privacy breaches are making headlines and much has been written lately about them—for all the wrong reasons. Companies are being sued in privacy-related lawsuits more frequently than ever before. It’s no wonder that this is one of the top concerns for companies worldwide. Even a well-managed company can run into trouble by taking just one wrong step as it collects, stores, transfers, or discloses data. Sometimes a minor stroke of bad luck is all it takes to create a major data security breach. A computer hacker breaks into a company’s website and steals credit card data. A disgruntled employee discloses confidential information. A laptop is stolen from an employee while traveling. The consequences of such incidents can be serious and even devastating: heavy fines, injunctions, lawsuits, government investigations, and sanctions—even criminal liability.

The advent of the Internet and evolving information technology have, for all of their remarkable attributes, further complicated the issues surrounding data protection. As a result, data protection is of greater concern today than it has ever been. The risks to companies are significant, and the amount of damages sought in lawsuits is simply jaw-dropping. More importantly, companies that run afoul of data protection standards suffer negative media attention, diminished brand reputation, and lost consumer confidence.

This article (1) explains which data are actually private and, therefore, subject to data protection statutes; (2) provides a primer on global data privacy laws; and (3) provides practical advice to companies regarding the implementation of data privacy and security protocol.

What Are Private Data?

Almost every company processes information relating to its employees, customers, suppliers, or other third parties. The starting point for discussing privacy and data security issues is understanding which information is private and consequently protected by relevant legal requirements. Examples of the types of information that are considered private include employment records, mailing lists, insurance records, medical records, school records, bank records, arrest records, data banks, privileged communications, social security numbers, and other government-provided identification numbers.

Companies may encounter privacy and data security issues in numerous circumstances. As employers, for example, companies may collect and process employees’ payroll and health benefits information. Employers may monitor communications that employees send or receive using company computers. Companies also handle personal information of vendors. Furthermore, in their role as providers of goods or services, companies may receive records containing personal information from customers. Regardless of the circumstances in which a company handles personal information, it must pay close attention to privacy and data security laws governing the collection, use, transfer, and disposal of personal information. There are federal and state privacy laws that can affect the confidentiality of the private information maintained by a company.

Data Privacy Laws

Data privacy laws vary dramatically from country to country. Some countries have enacted comprehensive laws, while others have few or no rules in place. Countries throughout the world have been increasingly active in enacting data security laws over the past two decades. In an interconnected world, the issue of privacy has indisputably become an international one. International privacy laws differ significantly from their U.S. counterparts in both scope and application. The European Union data privacy and security laws are more comprehensive, for example, than those of the United States.

In the United States, there is no single, comprehensive federal law regulating the collection and use of personal data. Instead, there exists a patchwork system of federal and state laws. Federal laws include broad consumer protection laws such as the Federal Trade Commission Act, which prohibits unfair or deceptive business acts. Sector-specific laws include the Gramm-Leach-Bliley Act, which applies to financial institutions, and the Health Insurance Portability and Accountability Act of 1996, which applies to protected health information. In addition, there are many guidelines developed by governmental agencies and industry groups that are not legally enforceable but are part of self-regulatory efforts and are considered best practices.

Turning to the European Union, it has a comprehensive data protection directive that requires compliance by all 27 member states. However, the directive allows for significant variations among the member states and enforcement has not been consistent. Similarly, several Latin American countries have recently enacted, or are drafting, comprehensive legislative frameworks to protect private information. For example, in April 2010, Mexico’s House of Deputies and its Senate passed the Bill for the Federal Law for the Protection of Personal Data in Possession of Private Persons. Of equal significance is the emergence of laws throughout the Middle East, which previously had no data protection law in place. On the other hand, China has sparse data protection law. In Africa, only a few countries such as Tunisia and Mauritius have adopted comprehensive privacy laws.

Companies seeking to transfer records containing personal information to a foreign country should be aware of and comply with the restrictions that the foreign country imposes on exporting private information. In this context, it is important for companies to not only acquaint themselves with the current privacy regulations and laws, but also be prepared for any new developments.

Managing Data Privacy

Even companies whose core businesses are not online collect, process, store, and transmit information electronically. Every business therefore needs to ensure that its policies and procedures reflect the legal framework governing this area. As a starting point, companies operating in multiple jurisdictions should familiarize themselves with the current data privacy laws of every jurisdiction in which they do business to ensure compliance with those laws. Staying abreast of all the international privacy rules can be daunting, but it is essential.

It is good company practice to adopt a privacy policy that provides the basic framework for all data protection compliance activities. It must include, among other things, guidance on the transfer of data outside the country, Internet usage, and e-commerce. A privacy policy also sends a clear signal that privacy law compliance is taken seriously, and it can help to demonstrate a company’s commitment to data protection. Federal, state, and local laws, as well as various foreign government regulations, must be taken into account when crafting an appropriate policy.

A privacy policy must be properly communicated and, where possible, supported by training to ensure that staff members, including management, are aware of the rules and understand them. Guidance and other educational materials should also be made available and easily accessible. Compliance with the relevant policies must be regularly monitored and breaches sanctioned. Contracts with third-party delegates should be reviewed to ensure that they too contain provisions regarding the protection of private data. It is also advisable that organizations undergo independent data security audits periodically. A data protection audit can be a rigorous project that involves analyzing each of the company’s policies or, if the company has none, the audit itself should lead to the adoption of a policy.

Responding to a Data Security Breach

Companies should also have a plan in place to respond to a data security breach even before a breach occurs. The plan should include, at a minimum, setting up a security breach response team and developing and implementing a written data security response plan setting out procedures to follow in the event of a data security breach. As soon as a data security breach is discovered, the company should take all necessary steps to investigate the incident promptly and limit further data loss. For example, if the breach involves data on company premises, the company should immediately secure the physical area where the data are stored and isolate all affected systems. The company should then review any relevant contracts of parties involved in the breach (for example, vendor contracts), as well as any related privacy policies to see if the company owes notification or other obligations to any third parties with respect to data breached.

It should also be borne in mind that significant legal action may follow a security breach. Therefore, a company should consider the potential for litigation that may arise, including civil lawsuits against the company instituted by affected persons and an investigation of the company by law enforcement authorities and regulatory agencies.

Conclusion

Vulnerability to data security breaches and public concern about it have brought privacy and data security issues into sharp focus. Responding to these concerns, regulatory bodies worldwide have stepped up their commitment to enforcement and have been actively promoting new legislation. In that vein, legislative and regulatory developments in privacy and data security are expected to continue through 2012 and the coming years. More than ever, it is crucial that companies protect and safeguard private information and manage their legal responsibilities in relation to processing private data in a way that is consistent with applicable data protection legislation. A well-constructed and comprehensive policy can provide a solution for these various competing interests and so represents an effective risk-management tool. More importantly, companies must keep themselves up to date on developments concerning data protection laws around the world.
