Many recent cybersecurity and privacy laws require businesses to adopt and follow certain policies to help protect personal information. Even in states with no such law, some policies may nonetheless be prudent as a "best practice" to reduce exposure to a negligence claim if personal information is accessed without authorization. Recent legal action is a timely reminder that businesses must do more than pay lip service to these policies: they should expend the resources needed to make sure their policies fit their actual practices and are followed.
Earlier this year the Federal Trade Commission ("FTC") finalized settlements with five companies for falsely claiming to be in compliance with the EU-U.S. or Swiss-U.S. Privacy Shield. A valid, current certification under these Privacy Shield frameworks allows a company to transfer personal information from the EU or Switzerland to the U.S., transfers that might otherwise be impermissible. In all five instances, the company had either been a proper participant in a Privacy Shield framework but failed to recertify, or had started the application process and never completed it. Despite these lapses, all five companies maintained websites with privacy policies claiming they were certified and in compliance with the Privacy Shield frameworks.
The FTC investigated these false claims of compliance and entered into settlements with all five companies. The settlement terms included, among others, (1) a prohibition on misrepresenting participation in, or compliance with, any privacy program and (2) continued application of the Privacy Shield frameworks to personal information collected while the company was a participant in the program.
The lesson from these examples is that businesses must adopt cybersecurity and privacy policies and comply with them at all times, not only when they are first written. As people become more concerned with the loss of privacy in an electronic world, regulators and individuals will inevitably demand that companies practice what their policies state. Companies should therefore review their published policies whenever business practices change, and whenever a certification or program membership lapses, so that the policies remain accurate over time.