LEGAL
The personal information of individuals is now an extremely valuable commercial asset. It is at the heart of a multi-billion dollar industry involving nearly every traditional business as well as an entirely new type of enterprise, "data brokers." It is highly likely that your organization routinely relies on access to and use of sensitive personal information in its daily operations. In this environment it is essential that at least one individual in your organization should have management authority and decision-making responsibility for information privacy and data integrity.
Personal information is sensitive information which can be associated with a specific individual. Examples of personal information include Social Security numbers, e-mail addresses, and financial account numbers.
Personal information is often collected directly from the targeted individuals, including customers, employees, and casual contacts (e.g., users of your organization's websites, apps, and social media systems). Increasingly however, personal information is bought, sold, and otherwise transferred through data brokers, commercial companies that are in the business of collecting analyzing and sharing the personal information of many different individuals. It is likely that your organization already does business with some of these data brokers.
A diverse and rapidly growing number of laws and regulations apply to collection, sharing, use, and security of personal information. Effective compliance with these legal requirements is both essential and challenging. Certain forms of personal information, for example health and medical information and information collected from children, are subject to specific privacy and security requirements.
Additional sources of legal compliance obligations are the contractual commitments businesses and other organizations make directly with individuals. For example, the terms of service and privacy policies associated with your organization's websites, apps, and social media platforms establish contractual commitments for the collection, sharing, and use of personal information. Violations of those commitments are now commonly viewed to be contract breaches and illegal consumer practices.
A range of legal requirements are applicable in the event that there is a suspected or actual breach of personal information privacy. Specific laws in numerous jurisdictions now require notice to the individuals involved and to government authorities in the event that personal information may have been compromised.
The laws of many different jurisdictions are now commonly applied to personal information. In the United States, both federal and state laws address data security and information privacy. Many other nations (e.g., the European Union) enforce a range of data security and information privacy laws. In today's environment where "cloud computing" and other data sharing systems are widely used, personal information is frequently stored, shared, and processed in many different jurisdictions. This setting complicates the challenge of legal compliance by forcing organizations to understand the data security and information privacy laws in many different jurisdictions and to ensure full compliance with all of those legal requirements.
Failure to protect information privacy and data security effectively has dire consequences. Security breaches that compromise personal information can result in legal sanctions imposed by local, state, and national governments. Those breaches can also lead to significant damage awards in civil litigation. In addition to legal penalties and sanctions, security and privacy failures can be devastating for the relationships between a business and its customers, business partners, investors, and employees.
Note the impact of some of the highly visible data security and information privacy breaches. For instance, the security breach suffered by the major retailer, Target, resulted in severe and lasting commercial harm to that company.
The legal landscape governing data security and information privacy continues to grow more complex. Part of that additional complexity is caused by the increasing capability of information technology systems. Those systems continue to evolve, enabling them to collect, analyze, store, and share ever greater volumes of information more rapidly and more comprehensively. Another cause of the growing complexity is the increased attention governments now direct toward information privacy and data security. Governments around the world now direct substantial attention and resources toward issues of data security and personal information privacy.
One factor likely to make information management more difficult is the emerging trend of considering the total accessible personal information collectively when assessing privacy implications, Traditionally, regulatory authorities and all parties involved in the personal information ecosystem tended to view information transactions individually, focusing on the specific material transferred or shared in each transaction with each individual party. Increasingly, authorities are adopting a more expansive view of information management best practices.
When assessing privacy, authorities are beginning to consider all of the information available to a party, not merely the information made accessible in a single transaction. For example, if an organization shares a range of personal information with another party through multiple transactions involving different units within the organizations or different affiliated companies, authorities are now starting to consider all of the shared information when assessing privacy. Additionally, authorities now evaluate the extent to which shared information can be combined with information from other data sources, both publicly accessible and private data sources, to construct a more comprehensive collection of personal information.
Authorities are also beginning to consider the impact of long-term retention of data. Information collected for one purpose may be retained for a long period of time. Over time that data may be combined with other information and the terms of use associated with its original collection may be lost. In that environment, there may be future failures of compliance with regard to the original privacy commitments.
If for example your organization shares personal information with another on an anonymous basis, but that anonymity can be pierced by combining the data your organization provided with other available "data points" then your organization may face privacy law liability. It is no longer sufficient to consider information privacy on a transaction-by-transaction basis. Instead, each organization must understand how the information it collects, uses, and shares fits into the more expansive "mosaic" of personal information available from multiple sources over extended periods of time.
In order to meet all legal obligations and to extract the full commercial value from sensitive information and data, each organization must establish and effectively implement appropriate data security and information privacy strategies, policies, practices, and procedures. To successfully accomplish this task one individual or unit within each organization must be given both the responsibility and the authority for the organization's overall data security and information privacy oversight.
Creation and use of a chief privacy officer function is necessary as the challenge of legal compliance is now extremely complex. The technical capabilities associated with data collection, analysis, distribution and use continue to grow at a very rapid pace, placing extreme demands on information privacy management practices. An increasing number of different jurisdictions impose data security and information privacy requirements making effective compliance an ever more complicated challenge. Customers, employees, and other individuals are becoming increasingly aware of information privacy issues and threats, and they continue to grow more willing to assert their legal rights associated with their own information.
Use of a data security and information privacy management function is also vital as authorities now expect more sophisticated control over personal information. As more personal information becomes readily available from more different sources, authorities are beginning to require that all parties involved in the use of personal information assess on a continuing basis the ways in which the information they collect, share, and use fits into that increasingly complex and comprehensive overall mosaic of accessible personal information. Organizations are being held accountable not only for the information they share and use in individual transactions, but also for the privacy implications when that information is retained for long periods of time and is combined with other available data.
Personal information and data are highly prized and extremely valuable assets of many organizations. The full value of those assets can, however, only be realized if the assets are effectively managed and protected. The best way to ensure such effective management is through effective use of a properly authorized and trained data security and information privacy officer function within your organization.