A Quick Reminder: Cybersecurity and Privacy Policies are Not Enough—Businesses Must Keep Them Current

Hodgson Russ LLP

Many recent cybersecurity and privacy laws require that certain policies be adopted and followed by businesses to assist in the protection of personal information. Even in states where there are no such laws, some policies may nonetheless be prudent as a “best practice” to avoid a tort claim of negligence if personal information is accessed without authorization. Recent legal action serves as an excellent reminder that businesses must do more than pay lip service to these policies. Businesses should expend the necessary resources to make sure their policies are appropriate for their purposes and followed.

Earlier this year the Federal Trade Commission (“FTC”) finalized settlements with five companies for falsely claiming they were in compliance with the EU-U.S. or Swiss-U.S. Privacy Shield. When properly followed, certification under these privacy shield frameworks allows companies to transfer personal information from the EU or Switzerland to the U.S.—transfers that might otherwise be inappropriate. In all five instances, the companies were either a proper participant in the privacy shield frameworks, but failed to recertify, or started the application process and never completed it. Despite these failures to follow through, all five companies maintained websites with privacy policies claiming they were properly certified and in compliance with the privacy shield frameworks.

The FTC investigated these false claims of compliance and entered into settlements with all five companies. The settlement terms included, among others, (1) prohibition from misrepresenting participation in, or compliance with, privacy programs and (2) continued application of the privacy shield frameworks to personal information collected while a participant in the program. 

Another example of a company failing to ensure compliance with its privacy policy can be found in the recent class action lawsuit filed against Zoom Video Communications, Inc. (“Zoom”). See Cullen v. Zoom Video Communications, Inc., No. 20-cv-2155, (N.D. Cal.). The plaintiffs allege that Zoom—the popular online video conferencing platform—collected personal information from its users without adequate notice or authorization and shared that information with third parties, including Facebook. The plaintiffs also allege that the collection and sharing of such information was inconsistent with the terms of Zoom’s privacy policy. Interestingly, the plaintiffs asserted a claim for relief under the California Consumer Privacy Act, which went into effect on January 1, 2020 and is likely one of the first lawsuits filed under the new law. 

The lesson from these examples is that businesses must adopt and at all times comply with their cybersecurity and privacy policies. As people become more concerned with the loss of privacy in an electronic world, regulators and individuals will inevitably demand that companies practice what is stated in their policies, so companies must be sure to maintain accurate policies as business practices change over time.

Written by:

Hodgson Russ LLP

Hodgson Russ LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.