Headlines announcing data breaches that expose consumer personal
information to identity thieves now appear almost daily. Recent
regulatory and consumer class actions filed on the heels of these
breaches illustrate that while the risk of a cyberattack from
outside the company is real, a more insidious danger may lurk
within: the company's own privacy policy.
Both the Federal Trade Commission and private plaintiffs'
class action attorneys have filed actions against companies that
experienced data breaches, claiming that the companies' privacy
policies misrepresented the adequacy of their security measures and
that the defendants are liable for violating the terms of their own
policies.
This tactic highlights the importance of the disclosures in the
privacy policy and raises the question: "When was the last time
you thought about your privacy policy?"
Many companies assemble their privacy policy in a somewhat
disorderly fashion, usually in response to someone's
recognition that "we need to have one." A
company often copies, partially or completely, a privacy policy
from another company's website (typically a competitor's), and
the policy may have little or nothing to do with the company's
own business or procedures.
As two recently filed lawsuits make clear, however, companies
will be forced to live with the representations contained in their
privacy policies when (not if) a data breach occurs.
In Szpyrka v. LinkedIn Corporation, in the
Northern District of California, hackers allegedly compromised the
company's security system, accessing the passwords of
approximately 6.5 million users and uploading them to a hacking
forum. Adding potential liability to reputational injury, the
California plaintiff filed a federal class action lawsuit against
the company in June seeking damages in excess of $5 million.
Among other things, the complaint alleges that LinkedIn
"deceived consumers by providing in its Privacy Policy that
its users would be 'protected with industry standards protocols
and technology.'" Based on these allegations, the
lawsuit charges that the company violated California's Unfair
Competition Law, Business & Professions Code §
17200 and Consumer Legal Remedies Act, Civil Code §
1750, and that it breached its privacy agreement with
consumers.
Similarly, in Federal Trade Commission v. Wyndham Hotels,
the FTC filed a civil enforcement action in Arizona federal court,
charging that the hotelier violated Section 5 of the FTC Act by
failing to comply with the terms of its privacy
policy. The FTC's complaint asserts that the company
failed to meet its promise to "safeguard our Customers'
personally identifiable information using standard industry
practices" and to "take commercially reasonable efforts
to create and maintain 'fire walls' and other appropriate
safeguards" to protect consumer information.
Although both the LinkedIn and Wyndham actions
included other allegations contending that the defendants'
failures to protect the consumer data were separately actionable,
in each case the companies' privacy policies provided the basis
for the "deception" claims against the defendants.
To avoid such claims, companies should periodically review their
internal and external privacy and security policies for at least
two distinct purposes: first, to confirm that public-facing privacy
policies accurately reflect their use, sharing and protection of
data; and second, to evaluate whether internal security policies
and measures comply with applicable laws and current industry
standards in the event of a cyberattack.
Otherwise, privacy policies intended to describe measures taken
to protect consumers may be used as weapons against the company by
plaintiffs and regulators.