What Are Private Data?
Almost every company processes information relating to its employees, customers, suppliers, or other third parties. The starting point for discussing privacy and data security issues is understanding which information is private and consequently protected by relevant legal requirements. Examples of the types of information that are considered private include employment records, mailing lists, insurance records, medical records, school records, bank records, arrest records, data banks, privileged communications, social security numbers, and other government-provided identification numbers.
Companies may encounter privacy and data security issues in numerous circumstances. As employers, for example, companies may collect and process employees’ payroll and health benefits information. Employers may monitor communications that employees send or receive using company computers. Companies also handle personal information of vendors. Furthermore, in their role as providers of goods or services, companies may receive records containing personal information from customers. Regardless of the circumstances in which a company handles personal information, it must pay close attention to privacy and data security laws governing the collection, use, transfer, and disposal of personal information. There are federal and state privacy laws that can affect the confidentiality of the private information maintained by a company.
Data Privacy Laws
Data privacy laws vary dramatically from country to country. Some countries have enacted comprehensive laws, while others have few or no rules in place. Countries throughout the world have been increasingly active in enacting data security laws over the past two decades. In an interconnected world, the issue of privacy has indisputably become an international one. International privacy laws differ significantly from their U.S. counterparts in both scope and application. The European Union's data privacy and security laws, for example, are more comprehensive than those of the United States.
In the United States, there is no single, comprehensive federal law regulating the collection and use of personal data. Instead, there exists a patchwork system of federal and state laws. Federal laws include broad consumer protection laws such as the Federal Trade Commission Act, which prohibits unfair or deceptive business acts. Sector-specific laws include the Gramm-Leach-Bliley Act, which applies to financial institutions, and the Health Insurance Portability and Accountability Act of 1996, which applies to protected health information. In addition, there are many guidelines developed by governmental agencies and industry groups that are not legally enforceable but are part of self-regulatory efforts and are considered best practices.
The European Union, for its part, has a comprehensive data protection directive that requires compliance by all 27 member states. However, the directive allows for significant variations among the member states, and enforcement has not been consistent. Similarly, several Latin American countries have recently enacted, or are drafting, comprehensive legislative frameworks to protect private information. For example, in April 2010, Mexico's House of Deputies and its Senate passed the Bill for the Federal Law for the Protection of Personal Data in Possession of Private Persons. Of equal significance is the emergence of laws throughout the Middle East, which previously had no data protection law in place. China, by contrast, has sparse data protection law. In Africa, only a few countries such as Tunisia and Mauritius have adopted comprehensive privacy laws.
Companies seeking to transfer records containing personal information to a foreign country should be aware of and comply with the restrictions that the foreign country imposes on exporting private information. In this context, it is important for companies to not only acquaint themselves with the current privacy regulations and laws, but also be prepared for any new developments.
Managing Data Privacy
Even companies whose core businesses are not online collect, process, store, and transmit information electronically. Every business therefore needs to ensure that its policies and procedures reflect the legal framework governing this area. As a starting point, companies operating in multiple jurisdictions should familiarize themselves with the current data privacy laws of all jurisdictions in which they do business to ensure compliance with those laws. Staying abreast of all the international privacy rules can be daunting. Nonetheless, it is essential.
Responding to a Data Security Breach
Companies should also have a plan in place to respond to a data security breach before a breach occurs. The plan should include, at a minimum, setting up a security breach response team and developing and implementing a written data security response plan setting out the procedures to follow in the event of a data security breach. As soon as a data security breach is discovered, the company should take all necessary steps to investigate the incident promptly and limit further data loss. For example, if the breach involves data on company premises, the company should immediately secure the physical area where the data are stored and isolate all affected systems. The company should then review any relevant contracts of parties involved in the breach (for example, vendor contracts), as well as any related privacy policies, to determine whether the company owes notification or other obligations to any third parties with respect to the breached data.
It should also be borne in mind that significant legal action may follow a security breach. Therefore, a company should consider the potential for litigation that may arise, including civil lawsuits against the company instituted by affected persons and an investigation of the company by law enforcement authorities and regulatory agencies.
Vulnerability to data security breaches and public concern about it have brought privacy and data security issues into sharp focus. Responding to these concerns, regulatory bodies worldwide have stepped up their commitment to enforcement and have been actively promoting new legislation. In that vein, legislative and regulatory developments in privacy and data security are expected to continue through 2012 and the coming years. More than ever, it is crucial that companies protect and safeguard private information and manage their legal responsibilities in relation to processing private data in a way that is consistent with applicable data protection legislation. A well-constructed and comprehensive policy can provide a solution for these various competing interests and so represents an effective risk-management tool. More importantly, companies must keep themselves up to date on developments concerning data protection laws around the world.