An “Uber-Challenge” to Privacy? Protecting Your Company When Employees Have Access to Massive Amounts of Data

Dec 4, 2014 | Blog

The recent news stories about Uber’s “God View” may come as a shocking realization for many consumers about the type and volume of information that startups and other companies collect and retain about their customers. With God View, the company can view the location of users of the service in real time. According to The Washington Post, the company once presented a day’s information at a company party and on another occasion gave a potential employee access to records that indicated the travels of identified individuals. Managing such a large amount of data creates numerous risks for companies, both internal and external. However, there are steps that can help companies mitigate privacy and security risks as data collection increasingly becomes an integral business practice.

An initial task is to ensure that your company’s public-facing Privacy Policy and Terms of Use, usually displayed on its website, are conspicuous and tailored to the company’s business and information systems. Such policies enable a company to clearly and expressly define the terms of its relationship with the consumer and how information obtained through the website and services offered by the company is collected, stored and used. Additionally, agencies like the Federal Trade Commission (“FTC”) look to the terms of these agreements in determining compliance with federal regulations. The FTC can bring a deceptive trade practice claim against the company if the company informs consumers how it will handle their data and then fails to do so.

Organizations that collect, store and use customer data should draft employee policies and procedures that comply with pertinent laws, regulations and business practices, and should also hold training sessions and provide reminder notices in order to encourage a culture of privacy. These policies typically address topics like role-based access to company information, encryption requirements, confidentiality agreements, and device policies. Indeed, for companies in industries such as healthcare, such procedures are typically required by laws like HIPAA. Moreover, companies would be well served to train employees on company-wide policies and procedures and to document attendance at the trainings.

In sum, as news reports reveal almost daily, companies that collect data from their consumers do so at the risk of loss of sensitive information, possibly on a massive scale, or a scandal based on an employee’s access to company data. Companies may be able to mitigate these risks by drafting appropriate privacy policies, terms of use, and employee policies. Perhaps more importantly, appropriate policies and documented employee training may provide a company with defensibility should an employee act inappropriately and disclose company data or provide an entry point for cyber attackers. If you have questions on drafting your company’s policies and procedures, please contact Kenneth N. Rashbaum or Phil Mortensen.