Panelists Discuss Privacy of Personal Information and Provide Tips on Defending Against Security Breaches

Posted by Peerapong Tantamjarik

This morning, I dialed in to a brown bag discussion teleconference sponsored by the American Bar Association Section of Antitrust Law's Computer & Internet Committee, Consumer Protection Committee, held in Washington D.C. The topic of the presentation concerned Information Privacy in the Digital Age. A copy of the flyer can be found here.

The teleconference involved panelists from private law firms, the FTC, and the Chief Compliance and Privacy Officer from ChoicePoint, Inc. It highlighted the ever-increasing attention paid by regulators on data security breaches of personal information and provided an opportunity for the panelists to share their thoughts on ways to improve compliance and how to respond to such breaches. From a chronology of recent privacy breaches, it is clear that victims of hackers run the gamut from private corporations to public agencies.

California currently has a state law that requires notification to certain entities and consumers when a breach of personal information is discovered. The California state agency for privacy protection has a very informative brochure on the topic and references to the applicable statutes. Many states are looking to the California statute as a model and are working to enact their own notification laws. Here is a list of the various state legislative activities.

Some good tips on building a program to protect consumer information that came out of the conference include the following:

• Create an independent office for privacy/security that reports to the Board
• Possibly hire consultants to implement the privacy and security compliance plan
• Use a law enforcement liaison to keep up to date with what the latest hackers are attempting
• Centralize credentialing of outside vendors and conduct due diligence on any contractors who will have access to consumer personal information
• Implement a policy outlining the steps to take in response to a breach, such as public relations issues and identifying which entities to notify (e.g., state regulators, businesses, and consumers), that is compliant with the applicable law or, if there is no law, with what the company would consider a best practice
• Have a comprehensive data destruction policy and consistently update it
• Address non-US internet access issues
• Conduct extensive auditing, internal and external, of the company's privacy/security program
• Do not store personal information longer than reasonably necessary (so when there is no longer a legitimate business reason to store a consumer's information, the company should dispose of it in accordance with FTC guidelines)
• Store and transmit sensitive information only in encrypted format (while obvious, the panelists noted how many entities in possession of private information do not adhere to this procedure)


Another good source is the FTC's privacy website, which includes links to FTC settlement orders that can provide an outline of good practices for maintaining data privacy and security.
