Repercussions And Data Privacy…Your Business Is On The Hook

(I am lucky enough to be working with Sandra Hughes and Nick Vehr on a series of presentations in the area of data privacy. This is the second in a series of three articles about: “Risk. Repercussions. Reputations. Data Security & Privacy for Today’s Business Enterprise.” I wrote this article. If you missed the first article in the series, presented by Sandra Hughes, you can check it out here.)

In the world of privacy law, business owners may find the absence of regulation more problematic than thousands of pages on the topic in the Code of Federal Regulations. And since that sounds counterintuitive, at the very least, it bears some explaining.

There are federal privacy regulations that impact any number of businesses across the country. The two privacy regulatory schemes that come to mind almost immediately are HIPAA in the world of health care and the Gramm-Leach-Bliley Act in the world of banking and finance. So if you’re a hospital CEO or bank president, you know a lot about detailed regulations and you probably have compliance people either on your payroll or on your speed dial. Or both.

But what if you own a pizza company or a window business, or any operation not covered by HIPAA or GLB? You probably collect and store personally identifiable information. So are you off the hook? Short answer? No.

The Federal Trade Commission has stepped into this regulatory vacuum and has gotten very active in recent years. The FTC is able to do this, it contends, under the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices.” That language is the extent of any written regulation on the topic. But relying on that simple language, the FTC has prosecuted a number of enforcement actions involving car dealers, restaurants and market research companies. In the two instances where FTC targets have challenged the FTC’s authority to proceed, the federal courts have sided with the Commission.

Companies have allegedly engaged in “deceptive acts” when their actions haven’t matched their promises. Companies that copy a privacy policy off the Internet without ensuring the policy aligns with their actual practices are at risk. And companies that decide to make unilateral changes to existing privacy policies may land on the FTC’s radar.

Even those companies that limit their promises may not be risk free. The FTC has increasingly found that companies that don’t use state-of-the-art privacy protocols may be engaging in “unfair practices.” Companies whose procedures for encrypting or disposing of data, for example, aren’t up to par may have a problem. And that “problem” could take the form of a consent decree that requires FTC monitoring for over 20 years.

No regulation means no “safe harbors” and no clear guidance. But clearly no regulation does not mean no teeth.

(“Risk. Repercussions. Reputations. Data Security & Privacy for Today’s Business Enterprise,” presented by Sandra Hughes, Jack Greiner and Nick Vehr, can be presented to your industry or trade association. Please contact any of them to find out how.)