
Privacy & Data Security Policies and the Necessity of Good Information Security Training


In order to comply with one’s obligations in information privacy and data security, it is essential to properly distinguish them, as they involve very different considerations and legal obligations. Both are quite important, but depending on the context, different approaches must be taken to facilitate compliance.

In the context of the Internet, privacy often refers to monitoring of one’s Internet activity, particularly web browsing, and sale or internal use of the resulting data. For example, a company may tailor a marketing “pitch” to consumers based upon their Internet click-through to the ads or sites of competitors or complementary product sellers – e.g. car company A will send solicitations (such as pop-up ads) to persons whom it knows have visited the site of car company B, as an indication that they are in the market for a vehicle. Search engine providers, website operators and others may compile and sell such data. Even large mobile phone carriers are harvesting data on their customers’ smartphone uses and selling that data as anonymous data.

Such practice is not inherently unlawful or inappropriate (unless it involves tracking web usage of children), and may provide web users with an enhanced, more efficient experience. However, it must be clearly disclosed to users in a readily accessible and understandable privacy policy, reflecting the website’s specific practice to be used in each case, and frequently supported by user “opt-in” or affirmative authorization.

In the context of the Internet, information security pertains to prevention of fraud resulting from unauthorized access – usually through third-party ‘hacking’ – to an Internet user’s personal information. Such information can include SSN, driver’s license number, credit card number, health care information or items as basic as users’ names and physical or e-mail addresses. Companies often get into trouble with “one size fits all” policies promising privacy and data security, when they are not taking real steps to deliver it. However, even absent false declarations, it is increasingly likely that a security breach will lead to regulatory claims against the company involved.

These considerations dictate technical steps to secure data, information security awareness (including information security training), and contractual steps to ensure that third-party vendors commit to taking such steps to the extent a company relies on their efforts, for example in hosting a transactional website. These considerations apply in both the mobile app and desktop computing arenas, but often involve different technical issues.

Your website privacy and data security policy needs to reflect your actual and intended practices, not someone else’s! Major problems can be caused by using someone else’s privacy policy, or a generic policy found on the Internet, which fails to reflect appropriate and actual practice.

This post has been prepared for the general information of clients and friends of The Network and FisherBroyles. It is not intended to provide legal advice for a specific situation or create an attorney-client relationship.

Marty Robins, a partner with the national law firm FisherBroyles, practices extensively in the general corporate and corporate governance, M&A, finance, intellectual property and information technology/data security areas. As a result of his 32 years of experience in business practice, in both law firm and in-house environments, he appreciates the multifaceted nature of so many legal matters and is able to bring to bear expertise in all pertinent areas and recognize the need for complementary expertise. He has also published extensively in a number of legal journals on topics ranging from corporate governance to technology procurement to equipment leasing to intellectual property and information technology due diligence in M&A transactions. The article originally appeared in FisherBroyles’ IP Law Update in May 2013.
