A Quick Reminder: Cybersecurity and Privacy Policies are Not Enough—Businesses Must Keep Them Current

Hodgson Russ LLP

Many recent cybersecurity and privacy laws require that certain policies be adopted and followed by businesses to assist in the protection of personal information. Even in states where there are no such laws, some policies may nonetheless be prudent as a “best practice” to avoid a tort claim of negligence if personal information is accessed without authorization. Recent legal action serves as an excellent reminder that businesses must do more than pay lip service to these policies. Businesses should expend the necessary resources to make sure their policies are appropriate for their purposes and followed.

Earlier this year the Federal Trade Commission (“FTC”) finalized settlements with five companies for falsely claiming they were in compliance with the EU-U.S. or Swiss-U.S. Privacy Shield. When properly followed, certification under these privacy shield frameworks allows companies to transfer personal information from the EU or Switzerland to the U.S., transfers that might otherwise be inappropriate. In all five instances, the companies either had been proper participants in the privacy shield frameworks but failed to recertify, or had started the application process and never completed it. Despite these failures to follow through, all five companies maintained websites with privacy policies claiming they were properly certified and in compliance with the privacy shield frameworks.

The FTC investigated these false claims of compliance and entered into settlements with all five companies. The settlement terms included, among others, (1) a prohibition on misrepresenting participation in, or compliance with, privacy programs and (2) continued application of the privacy shield frameworks to personal information collected while a participant in the program.

Another example of a company failing to ensure compliance with its privacy policy can be found in the recent class action lawsuit filed against Zoom Video Communications, Inc. (“Zoom”). See Cullen v. Zoom Video Communications, Inc., No. 20-cv-2155 (N.D. Cal.). The plaintiffs allege that Zoom, the popular online video conferencing platform, collected personal information from its users without adequate notice or authorization and shared that information with third parties, including Facebook. The plaintiffs also allege that the collection and sharing of such information was inconsistent with the terms of Zoom’s privacy policy. Interestingly, the plaintiffs asserted a claim for relief under the California Consumer Privacy Act, which went into effect on January 1, 2020; the suit is likely one of the first lawsuits filed under the new law.

The lesson from these examples is that businesses must adopt and at all times comply with their cybersecurity and privacy policies. As people become more concerned with the loss of privacy in an electronic world, regulators and individuals will inevitably demand that companies practice what is stated in their policies, so companies must be sure to maintain accurate policies as business practices change over time.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hodgson Russ LLP | Attorney Advertising
