Americans are increasingly concerned about the privacy of their personal data. For example, an ESET and Harris Interactive survey reveals an uptick in “cyber responsibility,” that can be defined as the ability of individuals to exercise certain levels of protection over their personal data. The survey reveals 4 out of 5 individuals surveyed have adjusted their privacy settings within the last 6 months.
While individuals may exercise cyber responsibility related to their social media accounts, it is more challenging for individuals, acting as consumers, to exercise protection over personal data once it is under the control of a company.
The inability of consumers to exercise greater levels of cyber responsibility may have devastating impacts on the digital economy. For example, a consumer confidence report demonstrates 89% of U.S. adults surveyed are concerned about their online privacy, 43% do not trust companies with their personal information, and 89% avoid companies who do not protect their privacy. These numbers reflect high levels of concern and mistrust as to the interaction between personal information and companies.
These heightened levels of concern linked to data privacy should motivate lawyers to ensure their clients’ companies are exercising their own cyber responsibility.
How can you help your clients exercise “cyber responsibility?”
- Advise companies to strictly adhere to a privacy policy that is easy to understand and locate. An effective policy must be meticulously tailored to the operation of a company and should include the types of information collected, how information is collected, the circumstances under which information can be disclosed, an offer of transparency and choice, offers of accessing and updating personal information, an outline of information that is shared, and an explanation of the company’s information security and enforcement.
- Instruct companies to develop a data breach response plan. Such a plan should include instructions for: analysis and documentation of the events surrounding a data breach, communication with all employees regarding the breach, communication to employees with how they should respond to media or other third parties, a thorough analysis of legal issues (including an identification of laws involved), determining whether law enforcement and credit agencies must be notified, and a plan to notify individuals whose data was compromised in the breach.
- Encourage companies to incorporate and adhere to the Consumer Privacy Bill of Rights while conducting business transactions. The impetus for the creation of the Bill of Rights was to build greater levels of trust in consumers, which in turn would assist in the growth of the digital economy. The Bill of Rights recognizes that for businesses to succeed online, consumers must feel secure. A company who voluntarily follows the Bill of Rights demonstrates their cyber responsibility to protecting consumers and enabling the Internet to act as an avenue for economic growth.
The Bill of Rights adopts 7 principles, which companies should adhere to.
- Control: Individuals should have the ability to control what personal data companies collect and how such data is used.
- Transparency: In order to provide individual control, there must be transparency. Information about a company’s privacy and security practices should be visible, prominently displayed, easily understandable, and in plain language.
- Respect of Context: When personal data is collected, companies should specify the purpose for the collection of such data; companies should not use data outside those specified purposes.
- Security: Privacy of personal data and security risks posed to that data should be assessed by companies and reasonable safeguards should be in place to protect data.
- Access and Accuracy: Companies should ensure the personal data maintained in their databases are accurate. In addition, consumers should have access to the personal data that is collected and the ability to correct inaccurate information or request the deletion of such information.
- Focused Collection: Limits should be imposed on what a company can collect and retain.
- Accountability: Companies and their employees must be held accountable to consumers for adherence to the Consumer Privacy Bill of Rights.
With these principles in mind, you can help your clients demonstrate a sense of respect for the privacy concerns of their consumers through establishing consumer awareness about what information is collected, how it is used, and what may be disclosed via customized privacy policies; setting up a data breach response plan; and voluntarily adhering to the Privacy Bill of Rights.
