Yesterday, Mintz Levin attended a panel breakfast sponsored by the New York City Bar’s Committee on Women in Intellectual Property. The panel featured two practitioners, one from the public sector and one from the private sector. The panel was moderated by Karen Greenberg, Director at Fordham Law’s Center. Some takeaways that we found useful:
Implementing Best Practices, But Avoiding the “Creepy Factor” – The panelists emphasized the importance of becoming familiar with customers’ preferences and comfort levels with information-gathering tools and tracking technology. The key is to strike a balance between tools that are useful to a customer and those that merely collect information in a manner that appears to be “creepy.” When the panelists mentioned a new technology proposed by Nordstrom to track the amount of time its customers spent in each section of their stores, most of the attendees reacted by gasping or shaking their heads in disbelief. But Ms. Greenberg was quick to point out that her students’ reactions to some of these technologies were very different from the attendees’, and that her students’ reactions to different technologies often contradicted each other.
According to the panelists, when implementing new technologies and drafting data privacy policies, companies should communicate clearly with their customers about the types of information they collect and seek permission for each new technology used. Multinational companies should be aware that the approach in Europe is quite different: there, they tend to use “opt-in” programs that seek customers’ permission before employing a new information-collecting technology. In the United States, companies tend to automatically apply new technologies and require customers to “opt-out” of these new programs.
State of the Law in “Disarray” – When asked about the legal landscape and current state of the law on data privacy, one of the panelists bluntly observed: “It is in disarray.” Although 47 states have implemented data privacy laws to date, the scope of those laws differs completely from state to state and there has been no real effort to create a federal law. Even amongst privacy experts, there are major disagreements about what “privacy” means. That remark led to the “more law vs. less law” debate: whether more laws would help or hinder companies and consumers in navigating data privacy and security issues. While the panelists admitted that they could not answer this question, they all felt that the goal should be to have laws that are flexible enough to adapt to constantly changing technologies.
Handling Government Regulation – The panelists identified the biggest challenge facing publicly-traded companies as determining what type of data security incident rises to the level of a “material” breach and triggers the SEC’s disclosure requirements. Most of the companies that disclosed information about data breaches in their 10-Ks last year described the breaches in a way that made it unclear whether the data breach was “material.” Target and other companies that had well-publicized breaches of a large magnitude obviously took a different approach. When asked about data privacy policies and FTC regulation, the panelists’ message was: “Don’t promise too much to consumers in your policies; but don’t assume that promising too little clears you of any potential liability – the FTC may come after you either way.”
Snowden Game-Changer – One of the panelists mentioned that many companies had considered sharing a lot of information with the government after a data security breach to enable the government to help protect them and other companies from future data security breaches. That quickly changed once the companies learned, through the Edward Snowden incident, more about the extent to which the NSA monitored companies and individuals. In the wake of that incident, companies have become much more reticent and tend to take more time before deciding to voluntarily share information with the government.
Waiting for Wyndham – All are eagerly awaiting developments in the case before the United States District Court for the District of New Jersey, Federal Trade Commission v. Wyndham Worldwide Corporation et al., in which a judge recently denied Wyndham’s attempt to dismiss claims by the FTC that Wyndham, as a result of a data security breach, engaged in deceptive and unfair practices by “failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” Each of the panelists and many of the attendees said how important and interesting it will be to monitor the decisions in Wyndham because they will be crucial in defining the scope and extent of companies’ liability for data security breaches.