Privacy Practice Leader Robert Belair Discusses Data Concerns Businesses Face

In the Association of Corporate Counsel’s “Chief Legal Officers 2013 Survey,” proper collection and handing of data was one of the top concerns expressed by general counsel. What is so worrisome?

There’s a lot going on. Corporate counsels are right to be worried. The standards are changing for collecting personally identifiable information (PII). We see a lot of it in best practices and self-regulatory codes. We see a lot of it in media reaction. We see some of it in changes in the law for disclosure to the individual at the time of collection.
What’s going to happen with that information? How will it be used? How long will it be kept? Who gets to see it? What rights will the individual have? What consent is required from the individual? Explicit consent? Written consent? There are more restrictions today on the use of PII. And there’s more expectation of accountability from companies; that they will audit the use of the information and respond to consumer complaints, and will have in place a compliance management system.

Some of that is due to the CFPB (the Consumer Financial Protection Bureau) and its compliance management system requirements. Some of it is the new aggressive posture by the FTC. In August 2013, for example, the FTC issued a stipulated order against check guarantee company Certegy, which, among other things, accused Certegy of overbroad and unnecessary information collection. Some of the concern is a reaction to the HITECH Act (the Health Information Technology for Economic and Clinical Health Act) and the effective expansion of HIPAA. The European Union also continues to work to strengthen the Data Privacy Directive.

Technology is a game changer in data collection and presents new risks. Explain that.

Lots of concern right now about the NSA and its surveillance of telephone and internet activity. The online world continues to be a place where individual activity gets noticed, collected, recorded. The FTC continues to push an initiative called “Do Not Track.” The industry has implemented some of that, but there has been bickering about what exactly Do Not Track means.

New technologies are changing the face of data collection. Some of it is old school, like license plate readers. At any given moment there are thousands of cars equipped with cameras that take photos of the license plates on the cars around them, then transmit that information – time, location, license registration – back to a database that compares it to license plates that are of interest to debt collectors, skip-tracing entities and law enforcement. Most of the American public does not appreciate the extent to which this is going on. It has important benefits, but it also presents privacy risks.

As to mobile devices, apps capture information about a person’s interests, hobbies and location. There is a lot of activity now trying to introduce privacy best practices into the mobile space. The FTC is involved. Part of the industry just adopted a disclosure code of conduct for mobile apps, but most of the industry is critical of that, so we’ve got a long way to go as to what mobile app consumer notices should be. What information should be collected, retained and used, and what rights should consumers have?

We are seeing an explosion of cameras everywhere today, which can provide real benefit, as seen with the Boston Marathon bombing. But how much do people know about where those cameras are, how long videos are kept, what kinds of close-ups are available? What about a camera on a street corner hooked up to facial recognition technology? Are there adequate privacy protections in place with regards to who gets to see the images, how long the images can be kept, and what can they be used for? What if somebody is in a divorce proceeding and the spouse subpoenas camera information to see who the husband or wife is with?

What initial steps should businesses be taking to protect their interests and the privacy of their customers?

First of all, they should have a comprehensive privacy policy and include security provisions and protections. A robust comprehensive policy has lots of moving parts, including notice, choice, confidentiality, data quality, archival standards, and accountability. Also, organizations that collect PII ought to do a privacy audit to understand what data they are collecting — and they only ought to collect the data they have a business need for – and whether they are in compliance with all laws. That’s an assessment we do for clients.

If a company imports PII from other places around the globe, the company needs to know if it’s in compliance with, say, the U.S.-EU Safe Harbor Privacy Program, or is using other privacy protection strategies depending on the source nation. Employees, in addition to customers, also provide PII back to the U.S. Even U.S.-based employees who travel overseas on business and submit travel reports can create privacy protection issues. Companies need to be thoughtful about what they are importing and have in place privacy policies that address transborder data controls.

What about the growing problem of data breaches?

Data breach is an issue most companies can really avoid. In addition to having good security to prevent harm from hackers, companies should encrypt PII – not just in transit but at rest – so that they will protect the PII and they will not be subject to data breach requirements even if an unauthorized third party acquires the information. Encrypting PII is becoming more commonplace. Removing or at least segregating account information such as Social Security numbers also protects the information from a breach. SSN information is the trigger for most data breach statutes. Lastly, maintaining PII on mobile devices is a terrible idea. Laptops get stolen, they get lost and that can lead to a data breach.

Please click the link below to download the entire interview.

Service Specialties