Protecting Your Business with Strong Operational Privacy Controls

by Davis Wright Tremaine LLP

For decades basic requirements to secure business records have been rooted in various legal silos, from corporate governance to rules of evidence to the discrete privacy rules that govern select technologies. Today, however, data security is becoming an integral part of how government authorities, the press, and the public judge how well companies protect personal privacy—and whether they can be trusted to do so without the need for even more intrusive mandatory laws and regulations. Incorporating robust operational controls over how personally identifiable information (PII) is secured, and thus how consumers’ privacy is maintained, will be key to an organization’s ability to avoid future enforcement actions, comply with looming legislative or regulatory action, and sustain consumer confidence. 

Federal and State Direction
This expanded focus on what and how information must be secured to protect privacy is evident from increased activity at both the federal and state levels.

The FTC, for example, changed the privacy debate in its 2012 white paper entitled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. Before that white paper, information was either PII or not; consumers suffered tangible harm from intrusion or they did not. After the white paper, the lines grew blurred: information purged of name and address could still be “personal,” and consumer fears could be cognizable in law, even if no tangible harm was suffered. In the more subtle new world, how a company secures and handles information may very well determine whether “personal” information has been shown enough respect to dissipate “harmful” fears and meet the rising expectations for privacy protection. 

The FTC has taken this approach on the road. In one of the few areas where it has rulemaking authority, it added security obligations to COPPA. Where it does not have rulemaking authority, it has taken enforcement action against companies of various sizes and in various industries for not delivering consumers promised or “reasonable and appropriate” security—whether or not any consumer suffered direct harm—especially when such security defenses were publicly available at low or no cost. The vast majority of these target companies—including Facebook, Google, and most recently TRENDnet—reach settlements with the FTC that include establishing comprehensive security programs with robust operational controls. Companies like Wyndham Hotels and LabMD are challenging the FTC’s authority to enforce what they call “arbitrary” security standards that have not been formally promulgated. But the fact remains that the FTC continues to bring enforcement actions; privacy issues continue to dominate discussions in the legislative, regulatory and public arenas; and those discussions increasingly call for operational controls to ensure the security of information, and thereby ensure privacy compliance. 

The Department of Health and Human Services (HHS) has also been busy bringing enforcement actions against companies that have failed to take proper measures to secure patients’ personal health information (PHI). In August, HHS published a $1.2 million settlement with a company that failed to wipe PHI from the hard drive of a leased photocopier before turning it back in to the leasing company, a precaution that would be wise for any company handling PII. 

Federal agencies are not alone. State legislatures and attorneys general have certainly not waited for the federal government to enact uniform legislation before taking on privacy and data security themselves. Many state data breach laws have built-in incentives to encrypt stored personal information. Massachusetts and Nevada have taken the direct route by imposing encryption and data security requirements, regardless of breach. Fourteen states currently require that data breach notifications be sent to the attorney general’s office. Maryland Attorney General Doug Gansler made privacy a priority of the National Association of Attorneys General and a priority for Maryland. Numerous attorneys general have followed suit by creating Internet privacy units within their offices, claiming existing authority to treat data breaches or failure to meet privacy promises as unfair and deceptive trade practices under state law, and often coordinating their privacy enforcement. Gansler and Connecticut’s Attorney General George Jepsen met Living Social’s recent breach notice with lengthy and detailed requests for additional information. Jepsen’s Privacy Task Force teamed up with California Attorney General Kamala Harris to investigate a breach of an online credit card security system and reached an Aug. 29, 2013 settlement. Harris’s Privacy Unit is aggressively pursuing privacy enforcement actions and seeking new enforcement hooks through state privacy legislation. Harris recently recommended that the state legislature require encryption for data in transit, and expand “personal information” to include online credentials such as email addresses or other usernames and the passwords that would permit access to an account. Nebraska and Pennsylvania statutes explicitly provide that it is an unfair business practice for a business to knowingly make a false or misleading statement in an online privacy policy. 

Self-Regulation and Multi-Stakeholder Collaboration
In the face of the increased willingness by federal and state authorities to regulate and enforce privacy and security promises and protocols, active self-regulation and multi-stakeholder processes have become more important to demonstrate that industry understands the importance of keeping personal information secure.

Of course, security has long been a part of Fair Information Practice Principles (FIPPs), and any company that holds itself to FIPPs standards has long had security obligations. Under the White House privacy initiative and the Commerce Department “bill of rights,” personal data (broadly defined) must be secured. But security has taken on new momentum in the many multi-stakeholder processes now underway. In the World Wide Web Consortium’s (W3C) Do-Not-Track (DNT) process, the debate shifted away from a stark black and white world in which data was either personal or anonymous and consumers were either tracked or not tracked, and moved to a more nuanced acceptance of the controlled usage of information if permitted uses are delimited and security measures protect against unpermitted uses. The same approach—embedding data security principles as part of privacy protection frameworks—is part of NTIA’s multi-stakeholder work on mobile privacy, and in NIST guidance on how to de-identify information. Various draft privacy bills echoed similar themes in prior Congresses—securing consumer information is necessary to ensure that consumers are protected in their privacy choices.

In attacking the problem of cybersecurity for critical infrastructure, NIST, with industry participation, is already paving a formal road for migrating from occasional efforts to secure data systems to systematic security built into company procedures and treating cybersecurity risk as a part of an organization’s overall risk management portfolio. The draft NIST framework, although voluntary, paints a picture of what potential litigants may claim to be the de facto reasonable standard for cybersecurity. The current environment at both the state and federal levels suggests that similar standards may be imposed on companies’ handling and securing of personal data.

All these trends point industry to adopt robust technical and organizational controls on data.

What do you do? What can you do?
In this environment, it is worth asking yourself (and your legal, IT, engineering, product development, marketing, HR and finance departments) just how well you secure data that government authorities, the press, and the public may judge to be threateningly personal. It is not enough to assume that IT is “handling it.” All departments need to partner with other groups in the organization who collect, access, store or use customer and employee information. What is “reasonable” will depend on the company’s size, business and technological capabilities as well as the nature and amount of information it collects. But you should specifically ask:

  • Who is responsible for your organization’s security program?
  • Have you identified your data assets and determined the need for protection as a result of legal requirements and business need?
  • Do you run background checks on personnel who handle protected data?
  • Do you have the paper trail of NDAs, records of access, retention policies and internal audits?
  • Do you go beyond paper policies and train personnel who handle protected data? Do you periodically refresh and reinforce that training (e.g. implementing “pop-quizzes” or internal “spear-phishing” attempts)?
  • Do you physically secure your computers and servers against unauthorized physical access?
  • Do you restrict access to protected information to need-to-know personnel?
  • Do you secure networked workstations and other devices with firewalls, password policies, and centralized patch management?
  • Do you secure your network perimeter, limit remote access and maintain intrusion detection and response systems? Do you review the logs, monitor alarms, and respond accordingly?
  • Do you protect data at rest and in transit?
  • Do you periodically conduct risk assessments and test your network against penetration?
  • Do you have policies, procedures, and teams in place to respond immediately to breach?
  • Do you have contracts in place that commit service providers, vendors and other counterparties to security, limited data uses, audit and breach response, and indemnity?

Self-policing is also part of privacy by design—a concept endorsed and enforced by the FTC. You want to design privacy into your enterprise operations and audit your products and services before the Wall Street Journal or a regulator does it for you. Ideally, your organization accounts for privacy protections when designing products and services in the same way it accounts for components and costs. This way, you do not have to hold a launch or retrofit a product after the fact—or worse, after an enforcement action is brought. You internalize privacy in your organization, giving privacy and security responsibilities to a CPO, CISO or other executive, with specific reporting, security, and accountability protocols. You prepare your executives for rapid response when they are called by reporters or summoned to the FTC or Capitol Hill. You know your FIPPs and how your technology addresses every element. You know the life of your data from birth to disposition, so that you will not be surprised when reporters come calling. When your products are created or supported by third parties, you ensure their compliance with your standards. Where possible, you tie the use of data to actual consumer benefits and you give some level of choice to consumers. When you self-regulate in a meaningful way, whether it is following third party guidelines or crafting protections appropriate to your particular company, you will not only protect personal data, you will promote and differentiate your brand as one that can be trusted, and you will protect your business.

Not long ago, C-level executives might have been skeptical about investing resources in privacy, but today, there are some pretty clear reasons for investing. 

  • First, the press or Capitol Hill can shut you down, as both did to NebuAd. Both expect privacy protections, whether or not they are “the law” or required by the opinion letter you have. The FTC is already treating conduct it deems offensive to those expectations as an unfair or deceptive act that it can punish without waiting for any new law—and state AGs are following suit. Your product needs to protect privacy, and not be seen as an affront to consumer or political expectations. At minimum, respecting privacy is insurance. 
  • Second, responsible privacy policies can create trust, and trust is valued currency in the market and before government. 
  • Third, proactively adopting security measures can help you retain your freedom to innovate and change. Sooner or later, rules are coming—whether legislative or “voluntary” reasonableness standards. Self-regulation is far more flexible than legislation. What gets fixed into law creates design constraints that cannot keep up with technology. Self-regulatory principles can respect privacy but still adjust rapidly with innovation and changing consumer expectations.

All businesses have the opportunity today to protect privacy and to protect their own businesses with practical operational privacy controls that work—before enforcement actions, intrusive mandatory regulations, or a loss of consumer confidence leads to far more intrusive requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.