In order to comply with one’s obligations in information privacy and data security, it is essential to properly distinguish them, as they involve very different considerations and legal obligations. Both are quite important, but depending on the context, different approaches must be taken to facilitate compliance.
In the context of the Internet, privacy often refers to monitoring of one’s Internet activity, particularly web browsing, and sale or internal use of the resulting data. For example, a company may tailor a marketing “pitch” to consumers based upon their Internet click-through to the ads or sites of competitors or complementary product sellers – e.g. car company A will send solicitations (such as pop-up ads) to persons whom it knows have visited the site of car company B, as an indication that they are in the market for a vehicle. Search engine providers, website operators and others may compile and sell such data. Even large mobile phone carriers are harvesting data on their customers’ smartphone uses and selling that data as anonymous data.
In the context of the Internet, information security pertains to prevention of fraud resulting from unauthorized access – usually through third-party ‘hacking’ – to an Internet user’s personal information. Such information can include SSN, driver’s license number, credit card number, health care information or items as basic as users’ names and physical or e-mail addresses. Companies often get into trouble with “one size fits all” policies promising privacy and data security, when they are not taking real steps to deliver it. However, even absent false declarations, it is increasingly likely that a security breach will lead to regulatory claims against the company involved.
These considerations dictate technical steps to secure data, information security awareness (as well as information security training), and contractual steps to ensure that third-party vendors commit to taking such steps to the extent a company relies on their efforts, for example in hosting a transactional website. These considerations apply in both the mobile app and desktop computing arenas, but often involve different technical issues.
This post has been prepared for the general information of clients and friends of The Network and FisherBroyles. It is not intended to provide legal advice for a specific situation or create an attorney-client relationship.
Marty Robins, a partner with the national law firm FisherBroyles, practices extensively in the general corporate and corporate governance, M&A, finance, intellectual property and information technology/data security areas. As a result of his 32 years of experience in business practice, in both law firm and in-house environments, he appreciates the multifaceted nature of so many legal matters and is able to bring to bear expertise in all pertinent areas and recognize the need for complementary expertise. He has also published extensively in a number of legal journals on topics ranging from corporate governance to technology procurement to equipment leasing to intellectual property and information technology due diligence in M&A transactions. The article originally appeared in FisherBroyles’ IP Law Update in May 2013.