Developing a privacy and data security compliance program requires a substantial investment of professional and managerial time, as well as financial resources to acquire, install and operate the technological systems that serve as the foundation for collecting, using, transferring and discarding nonpublic personal information. Privacy and data security are commonly treated as a top-level corporate governance issue that involves the board of directors and senior management, and as companies grow they are likely to recruit and appoint experienced professionals to serve as chief privacy officers with their own dedicated personnel and budget to oversee the elements of the compliance program. While there is no single template for a privacy and data security compliance program, it is important to address the following:
- Defining and identifying nonpublic personal information handled by the company and documenting how the information flows into, within and outside the organizational structure of the company;
- Establishing managerial responsibility and control over the compliance program and allocating sufficient cash and other resources to the program;
- Establishing and enforcing all necessary policies and procedures with regard to privacy and data security;
- Establishing focused programs to deal with specific privacy-related risks such as online collection of information and collection and use of information during the course of customer relationships;
- Establishing programs for educating all company employees and business partners about privacy- and data security-related requirements, including continuing education of new developments and threats for executives and managers directly responsible for the compliance program;
- Understanding and monitoring all applicable privacy- and security-related laws and regulations including emerging trends that may change the regulatory landscape in the foreseeable future;
- Establishing and administering procedures for oversight of vendors with access to nonpublic personal information for which the company is ultimately responsible;
- Establishing procedures for data retention and destruction;
- Establishing and administering privacy incident response and breach notification procedures;
- Establishing and enforcing disciplinary policies with respect to failure of employees and business partners to comply with the privacy- and data security-related policies and procedures of the company;
- Communicating the company’s privacy- and data security-related practices to relevant stakeholders including employees, customers, business partners, financial markets and regulators; and
- Providing regular reports on the efficacy of the program to the board of directors and members of the senior management group.
Responsibility for administering the privacy program should be vested in a single person, generally referred to as the chief privacy officer, who will be given authority to establish privacy policies and procedures and to oversee the personnel in each department of the company who are responsible for privacy-related issues in their functional area. The importance of having an executive-level position responsible for managing the risks and business impacts of privacy laws and policies is reinforced by the fact that most of the Fortune 100 companies now have a chief privacy officer or an equivalent position. The chief privacy officer, with the support of the chief executive officer and other members of the senior management group, should be prepared to implement privacy policies and practices for the entire company and to coordinate the compliance activities of disparate departments such as marketing, communications, customer service, information technology, human resources and legal. The privacy officer and his/her staff should begin by making an assessment of the nonpublic personal information that the company collects and how it is used and otherwise handled by the company. Once policies and procedures are in place, the privacy officer should conduct privacy impact assessments and audits of the handling of nonpublic personal information and should create training and educational programs for employees and company agents. Various resources are available for developing a privacy program, including materials that are readily available from privacy seal organizations and from privacy advocacy groups.
Achieving adequate data security and privacy protections for customers, employees and other parties requires a strategy, and like any other strategy it is important to identify relevant metrics that can be used to assess performance. Unfortunately, there is no single strategy that will be entirely successful in every instance, and even companies that have thoughtfully developed and implemented data protection regimes can suffer security breaches. When creating a data protection program, companies should be mindful of the stories they might need to tell if and when problems occur; this means being able to demonstrate that the program was based on recognized industry standards and applicable regulatory guidelines. In addition, companies should keep a record of their consultation processes that includes the names and backgrounds of the technical and legal specialists who were involved. Companies should also be able to explain how their data security framework works and when and how decisions were made among the various alternative solutions. For example, companies typically have a limited budget for their data security programs, and the record should describe how and why dollars were invested in addressing particular risks. While all of this information cannot eliminate potential liability for security breaches, it can help mitigate potential penalties and punitive damage awards.
Chapter 230 of Business Transactions Solution (§§230:1 et seq.) on WESTLAW covers the development and administration of policies and procedures to comply with laws, regulations and industry standards relating to privacy, data security and overall collection and use of nonpublic personal information. The materials include a large library of illustrative policies and related practice tools such as checklists for developing a privacy and data security compliance program (BTS §230:130), negotiating information security issues in outsourcing contracts (BTS §230:131) and privacy and data security issues in acquisition transactions (BTS §230:132). The chapter also includes valuable communications vehicles for clients including client executive summaries regarding privacy and data security laws (BTS §230:133), security requirements for nonpublic personal information (BTS §230:134) and implementation and management of privacy programs (BTS §230:135).