In the past, privacy has not been much of a concern for in-house counsel or senior management in the United States. Today, and over the next few years, how businesses collect, use, store, share and ultimately dispose of personal information about customers and employees is a top priority for every business. This article provides a brief overview of the key privacy issues and ten steps in-house counsel should take to prepare their organization for the evolving privacy landscape.
The Five Hottest Privacy Issues Facing In-House Counsel
New Regulations and Stepped-up Enforcement. Governments around the world have responded to privacy concerns by introducing a tidal wave of privacy laws. Companies operating in multiple jurisdictions face a complex web of privacy legislation that can result in stiff penalties, including fines of up to $1.5 million and multiple decades of third-party audits. Equally important, state attorneys general, federal agencies and data protection commissioners are aggressively pursuing businesses that run afoul of privacy laws.
Big Data
Evolving Definitions and Law. Businesses are amassing unimaginable amounts of data on the promise of new insights into historical behaviors, emerging trends and increased revenue. But alongside the promise of Big Data comes a host of privacy concerns, support challenges and risks during investigation and litigation. Definitions, sources and regulations related to Big Data are evolving at a hyper pace, creating risk and uncertainty for in-house counsel.
Social Media
Hidden Danger. Social media is rapidly becoming a key component of many organizations' communication strategy. Much more than an advertising or public relations medium, social media enables teams to communicate, share ideas and solve problems quickly and effectively. But in-house counsel often does not have a good understanding of social media and how it may be used. The use of social media can expose the organization to a range of problems, from labor issues to scrutiny by regulators. In-house counsel must take the lead in understanding social media, how it is used within the organization, and in establishing clear and concise policies that govern its use.
Bring Your Own Device (BYOD)
Business Boon or Legal Nightmare. The appeal of allowing employees to use their own computing and communication devices is clear: happier employees, greater flexibility, lower costs and increased productivity, to name a few benefits. On the other hand, BYOD raises serious concerns about the security of personal data, compliance with privacy laws and, ultimately, ethical challenges for in-house counsel.
Discovery in Cross Border Litigation
Plaintiffs' New Leverage. The plaintiffs' bar has found that discovery involving the personal data of individuals outside the United States can create a number of challenges for companies involved in actions in US courts. Many foreign jurisdictions have laws that govern, and even block, the export of personal data to the US for discovery. Such restrictions can put US attorneys in a difficult position and have a dramatic impact on the management of the case. It is imperative for in-house counsel to understand the flow of personal data throughout their company.
Top Ten Steps In-house Counsel Should Take to Protect their Organizations
1. Know What Personal Information Your Organization Has.
To evaluate compliance with privacy laws, in-house counsel needs to inventory what personal data the company collects and maintains. This inventory should identify the specific elements that constitute personal information, such as first and last name, Social Security number and account number, to name a few.
2. Know Where Personal Information Exists In Your Organization.
In order to protect personal information, you must first know where that information exists. The challenge is that personal data, like all data, is extremely transient and can be found throughout the organization. Many organizations mistakenly focus solely on areas like Human Resources or Marketing and overlook other parts of the business that have access to and work with personal information. The surprising fact is that virtually every department potentially has access to personally identifiable information. Accounting, Finance, Audit, Legal, Customer Service, Distribution Centers and IT have all been responsible for compromising personally identifiable information.
3. Understand The Processes That Manage Personal Information.
Over 80% of privacy breaches are the result of a bad process rather than unauthorized access to corporate systems or networks. Lost thumb drives, stolen laptops, inadvertent emails and old-fashioned dumpster diving are the most common ways in which personal information is compromised. In-house counsel needs a detailed understanding of how business people acquire, use, save and share personal information.
4. Determine Retention Requirements.
Personally identifiable information, like all records, has a useful life, after which it becomes a liability. In-house counsel should establish retention rules for records containing personal information and ensure the rules are consistently enforced. It is not only good practice; in some jurisdictions it is the law.
5. Develop a Policy.
6. Involve Key Players.
Like all corporate governance matters, the tone at the top is critical. Senior management must understand the risks associated with data privacy and be part of the privacy discussion. Other key players are Legal, IT, Audit and Compliance. In the end, however, privacy is every employee's job.
7. Get Rid of Personal Information.
Information, including personal data, is only valuable up to a point, and then it becomes a liability. Retaining personal data only for its intended use is a guiding principle of privacy, and in many jurisdictions it is the law. Penalties for over-retaining personal data can exceed $1.5 million. Beyond fines and penalties, the average cost of a data breach exceeds six million dollars. If you don't need it, don't have it available to be compromised.
8. Train Employees.
9. Audit Policy Compliance.
Auditing the processes, policies and technologies helps ensure compliance. While the actual process varies from company to company, incorporating privacy into your organization's audit function helps ensure that employees and management remain vigilant in protecting personal information.
10. Conduct a Risk Assessment.
A privacy risk assessment is the first step in-house counsel should take to ensure the organization is complying with privacy laws and to mitigate privacy risks. The assessment should involve the business people who work directly with personal information and understand exactly how it is used within the company. Employees with specific subject matter expertise in IT infrastructure, privacy and security should also be included. The assessment can provide in-house counsel with a detailed inventory of personal information: the discrete elements of personal information, the business areas in which it exists, the media and applications that hold it, the flow of personal information into and out of the organization, and the business requirements for retaining it. The assessment results help in-house counsel establish priorities and gain executive support.
All the ingredients to make privacy the number one governance issue facing in-house counsel are in place: increased regulation, aggressive enforcement, volumes of personal information, corporate data on personal devices, a savvy plaintiffs' bar and heightened public scrutiny. Following these ten steps is a good place for counsel to start in order to successfully manage privacy challenges.