Data Breach Incidents—Especially “Ransom” Incidents, are on the Rise—One panelist observed that the New York State Attorney General’s Office received reports of approximately 900 data breach incidents during the past year alone. There has been a significant increase in reports of “ransom” incidents, in which hackers break into a company’s information systems, then threaten to damage the information system or use data they have accessed unless the company pays a sum of money to the hackers. The reports made to the New York State Attorney General’s Office are not publicly available, but it is not clear whether would be accessible through a FOIA (Freedom of Information Act) request.
Information Hoarders—Do You Really Need to Obtain and Keep All of That Personal Information about Your Customers?–In response to a comment that many of the FTC’s cases appeared to be health-care related, one panelist observed that healthcare companies are particularly exposed to data security threats because they “deal with so many types of data they may or may not need and they keep it forever.” Some companies continue to keep data “just for the sake of keeping it” without asking themselves why they need to continue to hold onto the information. Many of those companies then “become very sloppy” with their data privacy practices. For example, they keep not only a patient’s current address but all of their past addresses or fail to assess whether they really need to obtain personal information such as social security numbers. When combined with many of those organizations’ failure to implement practices and procedures to secure the personal information they obtain and retain, the organizations create precarious situations. To avoid these situations, companies should determine how long they have had the information, ask themselves how long they foresee a need for the information, and implement processes whereby they discard unnecessary information on a regular basis. To combat the poor practices that occur at many healthcare organizations, such as writing down private and personal numbers on pieces of paper and placing them in others’ plain sight, the FTC has launched many consumer and employer education programs.
Sync the New with the Old–Even in companies that maintain good data privacy and security practices, there are instances in which the remnants of old technology can hinder those practices. For example, new systems can require that certain fields of information be included in a customer’s file, and can automatically seek to fill any missing information fields with information contained in old records. That in turn could lead to many unforeseen data security issues. To avoid these types of issues, the panelists suggested reviewing “legacy” systems whenever a company implements new technologies and platforms to assess how the legacy systems are interacting with the new ones.
Avoiding Government Enforcement Activity: Are Your Data Privacy & Security Practices “Reasonable, Appropriate, Continuing, and Ongoing”?—The panelists urged companies to ensure that you are “keeping your promise to consumers” to maintain their data secure. Many companies fall into the trap of making “standard promises” in their privacy policies but fail to take the steps to verify that their actual practices and procedures are consistent with the promises contained in privacy policies. Once a company breaks the promises it made about the security of its customers’ data, the FTC may consider the company’s practices to be deceptive. Therefore, companies should track the language of their data privacy and security policies as closely as possible to their actual practices.
In response to one attendee’s question about what triggers the issuance of a ten- versus twenty-year consent order by the FTC, one of the panelists explained that unless a company could show why a ten-year consent order would be adequate to implement and monitor data security practices, companies violating federal law should expect to be subject to twenty-year consent orders. The panelist emphasized that companies should implement practices that are “reasonable, appropriate, continuing, and ongoing” and should not fear sharing information regarding data security risks with other companies, as the FTC and DOJ have recently issued an official joint statement that they would not consider sharing that information to be anti-competitive activity.
Don’t Forget to Monitor Third Party Privacy Practices—The panelists pointed out that companies often neglect to review and audit the data privacy and security procedures of third parties with whom they contract. Companies must remember not only to obtain the ability to review and audit third parties’ policies and procedures but also to preserve the ability to review those procedures on a regular basis, especially when the third party changes systems, platforms, or devices.
Federal Legislation on Data Privacy Not Likely to be Issued Anytime Soon–The attendees of the panel were eager to know the panelists’ opinions on whether federal legislation on data privacy would be forthcoming, but one panelist noted that the FTC has been asking Congress for many years, unsuccessfully, to legislate on data privacy issues and could not predict what Congress would do. Although many members of Congress seem to recognize the need for legislation, they have difficulty agreeing on the terms of potential legislation. The panelists further explained that Congress usually becomes more interested in passing legislation following major data breaches such as the ones that occurred in fall 2013. It will be interesting to see whether those events trigger a legislative response from Congress.