Headlines announcing data breaches that expose consumer personal information to identity thieves appear almost daily. Recent regulatory and consumer class actions filed on the heels of these breaches illustrate that while the risk of a cyberattack from outside the company is real, a more insidious danger may lurk within: the company's own privacy policy.

Both the Federal Trade Commission and private plaintiffs' class action attorneys have filed actions against companies that experienced data breaches, claiming that the companies' privacy policies misrepresented the adequacy of their security measures and that the defendants are liable for violating the terms of their own policies.

This tactic highlights the importance of the disclosures in the privacy policy and raises the question: "When was the last time you thought about your privacy policy?"

Many companies assemble their privacy policy in a somewhat disorderly fashion, usually in response to someone's recognition that "we need to have one." A company often copies, partially or completely, a privacy policy from another company's website (typically a competitor), and the policy may have little or nothing to do with the company's business or procedures.

As two recently filed lawsuits make clear, however, companies will be forced to live with the representations contained in their privacy policies when (not if) a data breach occurs.

In Szpyrka v. LinkedIn Corporation, in the Northern District of California, hackers allegedly compromised the company's security system, accessing the passwords of approximately 6.5 million users, and uploading them to a hacking forum.  Adding potential liability to reputational injury, the California plaintiff filed a federal class action lawsuit against the company in June seeking damages in excess of $5 million.

Among other things, the complaint alleges that LinkedIn "deceived consumers by providing in its Privacy Policy that its users would be 'protected with industry standards protocols and technology.'"  Based on these allegations, the lawsuit charges that the company violated California's Unfair Competition Law, Business & Professions Code § 17200 and Consumer Legal Remedies Act, Civil Code § 1750, and that it breached its privacy agreement with consumers.

Similarly, in Federal Trade Commission v. Wyndham Hotels, the FTC filed a civil enforcement action in Arizona federal court, charging that the hotelier violated Section 5 of the FTC Act by failing to comply with the terms of its privacy policy.  The FTC's complaint asserts that the company failed to meet its promise to "safeguard our Customers' personally identifiable information using standard industry practices" and to "take commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards" to protect consumer information.

Although both the LinkedIn and Wyndham actions included other allegations contending that the defendants' failures to protect the consumer data were separately actionable, in each case the companies' privacy policies provided the basis for the "deception" claims against the defendants.

To avoid such claims, companies should periodically review their internal and external privacy and security policies for at least two distinct purposes: first, to confirm that public-facing privacy policies accurately reflect their use, sharing and protection of data; and second, to evaluate whether internal security policies and measures comply with applicable laws and current industry standards in the event of a cyberattack.

Otherwise, privacy policies intended to describe measures taken to protect consumers may be used as weapons against the company by plaintiffs and regulators.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.