Information Privacy Planning
- most states now have breach-notification laws if financial information about employees or customers is improperly handled
- state and federal authorities are imposing “reasonable security” obligations for PII
- some companies have made explicit or implicit promises (e.g., on their website or in advertising) to provide a high degree of security
- other nations impose privacy-protection obligations (e.g., Canada and the EU), and
- there's competitive advantage in providing cost-effective security assurances
Protected PII includes defined classes of information about employees and customers such as credit card numbers, employee medical insurance plan claims, website browsing data, social security numbers, and other financial information. State regulators are expanding their reach, and lawsuits are threatening Boards of Directors for inadequate oversight of information management processes.
- assess the types of PII you are collecting, whether you need all of this information, and how long you hold it
- determine which laws (state, federal, and foreign) apply to the information you need to collect (including offline information not in electronic form)
- decide whether your international activities would best be served by FTC Safe Harbor elections, or by intercompany agreements, or by Binding Corporate Rules
- compare the “best-practices” followed by your competitors/peers in their privacy programs and in their privacy promises (e.g., through their website privacy assurances)
- effectively involve your IT personnel in planning and implementing your privacy program
- develop training and education modules for all employees (those managing the process, as well as those whose information is being collected), explaining your privacy program and reducing the risk of security breaches