As I discussed in Part I of this series, laws protecting the privacy as well as the security of data create an industry standard. Failure to comply with an industry standard, whether established by statute, regulation or practice, forms the basis for liability. All organizations must recognize that liability for breaches of privacy creates as much risk as any negligent omission.
The industry mantra to self-regulate is now a thing of the past. Prominent associations such as the American Electronics Association have reversed themselves and come out in favor of some form of regulation of privacy rights. It is just a matter of time before personal information is given protection at the federal and state levels. The question becomes what organizations should do to prepare for, and protect themselves from, the oncoming privacy laws and regulations.
Following are six essential steps to take.
1. Begin by identifying the federal regulatory and legal privacy controls applicable to your organization, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act and the Privacy of Consumer Financial Information Act. Then look to state laws. Together, these legal requirements impose a complex, and sometimes inconsistent, legal framework that dictates how organizations may collect, use, maintain, transmit, disclose and manage personally identifiable information.
2. Develop a privacy plan. Identify the scope and nature of all protected information within the organization, the source of that information, the necessary use of that information, both within and outside the organization, and the legal or existing contractual restrictions applicable to each category of information.
3. Prepare a privacy statement. Because much of the current litigation is premised on the failure of a Web operator to follow its stated privacy statement, one of the most important things a company can do is to prepare one that meets the organization's needs and can be complied with. A privacy statement becomes, in effect, the contract between the Web operator and its user.
4. Review contracts with third parties to assess compliance with the legal requirements. Based upon this review, either modify existing contracts or draft new ones.
5. Review the organization's property, casualty and other insurance policies to determine whether they provide adequate coverage for potential liability in the event of an unauthorized or prohibited disclosure.
6. Establish a compliance program. Compliance with the new privacy requirements and minimization of risk require ongoing monitoring.
This column is intended as a guide to general business practices and should not be misconstrued or acted on as legal advice or comprehensive instruction. The documents referenced in this article can be found on Alex Brittin's Web site in either the library or model policy sections. Go to http://