See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/373798397

Privacy and Data Security

Research · September 2023

Author: Alan S. Gutterman, Older Persons' Rights Project

All content following this page was uploaded by Alan S. Gutterman on 09 September 2023.


Privacy and Data Security

Alan S. Gutterman
_______________

§1 Introduction

This Guide covers the development and administration of policies and procedures to
comply with laws, regulations and industry standards relating to privacy, data security
and overall collection and use of nonpublic personal information. Every company collects
or otherwise gains access to nonpublic personal information of customers, of other business
partners and of consumers who have yet to enter into a business relationship with the
company, and the need for the company to protect this personal information and prevent its
unauthorized use has become a major compliance issue that cannot be ignored by
senior management. Reports of privacy issues continue to increase, and many companies,
including major multinational businesses, have experienced serious security threats and
breaches that have compromised the privacy rights of their customers and resulted in
significant damage to their reputations. Laws and regulations relating to privacy and data
security have multiplied at the federal and state levels, and companies engaged in cross-
border business activities must establish procedures and systems that comply with legal
regimes in foreign countries that are often much more restrictive than those that are
applicable in the United States. The costs of complying with privacy and data security
laws are increasing, and the financial risk of failing to adapt and comply is also material.
At the same time, the range of potential cyberattackers has expanded and their tools of
the trade have become more sophisticated, a trend which has pushed companies to invest
more financial resources in data security as a basic item of business continuation.

Privacy and data security laws already have a long history in specific industries, notably
in the financial services and medical areas. For example, consumer reporting agencies, as
well as persons or entities using consumer credit reports and/or providing information for
use in such reports, must comply with strict standards with respect to ensuring the
accuracy and security of the nonpublic personal information of consumers. In addition,
businesses that are not normally engaged in credit transactions may nonetheless be
subject to constantly expanding legal regimes that are designed to protect the nonpublic
personal information of consumers. A wide array of financial institutions, as well as other
businesses that handle nonpublic personal information of consumers, must disclose their
policies with respect to use and sharing of such information and honor the preferences of
consumers with respect to how such information is disclosed to affiliates and
nonaffiliated third parties of the collector. Similar requirements have been imposed on all
businesses that operate web sites in federal and state privacy laws that are based on
emerging global privacy principles that require disclosure of collection and use policies,
choices for consumers as to how their nonpublic personal information is used and shared,
access for consumers to verify the accuracy of their nonpublic personal information, and
implementation and enforcement of data security policies and procedures to prevent theft
and unauthorized disclosure of nonpublic personal information. In addition to federal
and state laws and regulations, companies must adhere to industry-specific guidelines and
the terms of contractual agreements with business partners. For example, the Payment
Card Industry Data Security Standards are relevant for any business that wishes to accept
payments through credit or debit cards. Companies that are engaged in processing data
collected by other firms will typically be required to sign agreements that obligate them
to protect data transferred to them and that impose liabilities for failures to do so and for
security breaches that lead to leaks of the transferred data.

Obviously, privacy and data security have become a serious issue for businesses because of
the need to comply with specific laws and regulations. There are other reasons, however,
that companies are advised to create privacy and data security compliance programs.
Perhaps most important is the role that those programs can play in building and
maintaining trust and loyalty of consumers and other business partners. In addition, the
increasing use and complexity of technology has created new issues for employees and
their managers regarding the level of privacy that employees are entitled to with respect
to their personal communications utilizing email and other tools provided by their
employers. The process of creating and operating a comprehensive privacy and data
security program, and related technical infrastructure, can also pay dividends for a
company by allowing it to realize and retain the value of its data and make the transfer of
data within the organization more efficient.

§2 Federal privacy-related laws

Privacy law is a rapidly evolving area that has changed in response to technological
changes in computers, digitized networks, and the creation of new information products
as well as the need for organizations to provide their stakeholders with greater comfort
and transparency relating to their information sharing and protection practices. There is
substantial variation in the complex web of federal privacy-related laws; however, the
general theme is protection against unauthorized use of collected information and
government access to private records. A list of the most commonly encountered federal
statutes and regulations would include the following:

• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (“GLBA”)
• Fair Credit Reporting Act of 1999 (“FCRA”)
• Right to Financial Privacy Act of 1978
• Children’s Online Privacy Protection Act of 1998 (“COPPA”)
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Federal Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Video Privacy Protection Act of 1998
• Computer Fraud and Abuse Act of 1984
• Identity Theft Assumption and Deterrence Act of 1998

This is not an all-inclusive list and other federal laws and regulations may apply in
specific situations. In addition, of course, not all of the laws and regulations listed above
apply to every company and it is crucial for management and its legal advisors to identify
the rules that are specifically applicable to the operation of the business in question. For
example, hospitals, pharmacies and medical offices will need to comply with the HIPAA
requirements and implement security programs that conform to HIPAA guidelines. The
GLBA will be important for banks and other financial services companies. Public
companies must understand the guidance issued by the Securities and Exchange
Commission relating to the control and disclosure of cybersecurity and related risks.
When a specific statute does not apply, the general guidelines issued by the Federal Trade
Commission (“FTC”) mandate that companies post and comply with privacy policies,
website terms of use and end user license agreements.

Among its other responsibilities the FTC has authority under the Federal Trade
Commission Act (“FTCA”) and other statutes to take action against privacy violations
under its general mandate to enforce the prohibitions in Section of the FTCA against
“unfair or deceptive acts or practices in or affecting commerce …” The FTCA also
provides authority to investigate and prosecute actions based on violations of privacy
rights under other laws such as COPPA, the GLBA, the Telemarketing and Consumer
Fraud Abuse and Prevention Act, and the FCRA. In any event, the administrative actions
of the FTC provide companies with important guidance regarding best practices with
respect to collection, storage, use and protection of consumers’ personal information.

§3 State privacy-related laws

State laws may also come into play in the implementation of information security
measures on financial institutions and other companies that own or license personal
information. Some state laws provide protections that are very similar to those provided
under federal laws (e.g., state laws regulating wiretaps and eavesdropping); however,
many state laws are notable for their attempts to provide stricter protections for
consumers with respect to their privacy rights. State rights with respect to privacy can be
derived from a number of legal sources, including state constitutions, state privacy acts,
insurance record laws, unfair and deceptive trade practices acts, state common law
(including allegations of misrepresentation, failure to disclose, invasion of privacy and
breach of contract), state advertising laws and trespass to chattels. Obviously, companies
that are actively engaged in business activities in a number of states will need to take
affirmative steps to identify and understand the privacy-related laws and regulations in
those states that may be applicable and determine whether federal law preempts all or a
portion of those state laws. For a full explanation of the relevant state laws, contact the
attorney general’s office in the appropriate state as well as the state body with regulatory
authority over banks and other financial institutions. In many states, such as California, a
separate government office of privacy protection has been established.

§4 Security breach notification laws

Numerous and well-publicized compromises of the security of personal information of
consumers have led almost all of the states to adopt laws that require that notices be sent to
consumers when an event occurs that may cause the privacy of their personal information
to be compromised. Information on state security breach notification laws is available on
the website of the National Conference of State Legislatures. In addition, Congress has
been actively considering legislation that would create a uniform national standard with
respect to required notification to consumers in the event of a breach of data security.
California’s law was the first attempt at addressing security breach notification issues and
mandated that companies that store personal information data electronically must notify
California consumers of a security breach in the event the company knows or reasonably
believes that unencrypted information about the consumer has been subject to a security
data breach. While the California law became a model for the legislation adopted by
other states, there are variations with respect to key definitions and exceptions, and it is
thus essential for companies that store personal information of consumers from multiple
states to check the specific requirements in each state with regard to security breaches.
Examples of issues and questions that might arise include the following:

• What information is protected under the terms of the statute?
• What constitutes a security breach that would trigger the notification requirements?
• How long does the company have after learning of a security breach to comply with
the notification requirements?
• Who should receive notification of the security breach?
• How can notice be delivered to consumers?
• What information must be included in the notice?
• What additional steps to protect impacted consumers are companies required to take
beyond delivery of notice?

§5 Privacy principles

While the policies and procedures adopted by businesses relating to privacy and data
security will vary greatly in terms of scope and detail, each company should make a
conscious effort to understand and apply certain globally recognized privacy principles.
Perhaps the best guide is the Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data of the global Organization for Economic Cooperation and
Development (“OECD”), which were first adopted in 1980 and updated in 2013 and
which have become the basis for many of the privacy laws implemented around the
world. Among other things, the 2013 version of the Guidelines, which are discussed in
greater detail below, lay out the following general principles:

• There should be limits to the collection of personal data and any such data should be
obtained by lawful and fair means and, where appropriate, with the knowledge or
consent of the data subject.
• Personal data should be relevant to the purposes for which they are to be used and, to
the extent necessary for those purposes, should be accurate, complete and kept up-to-
date.
• The purposes for which personal data are collected should be specified not later than
at the time of data collection and the subsequent use limited to the fulfilment of those
purposes or such others as are not incompatible with those purposes and as are
specified on each occasion of change of purpose.
• Personal data should not be disclosed, made available or otherwise used for purposes
other than those specified above except with the consent of the data subject or by the
authority of law.
• Personal data should be protected by reasonable security safeguards against such risks
as loss or unauthorized access, destruction, use, modification or disclosure of data.
• A data controller should be accountable for complying with measures that give effect
to the principles and individuals should have the right: (a) to obtain from a data
controller, or otherwise, confirmation of whether or not the data controller has data
relating to them; (b) to have communicated to them, data relating to them (i) within a
reasonable time, (ii) at a charge, if any, that is not excessive, (iii) in a reasonable
manner; and (iv) in a form that is readily intelligible to them; (c) to be given reasons
if a request made under subparagraphs (a) and (b) is denied, and to be able to
challenge such denial; and (d) to challenge data relating to them and, if the challenge
is successful to have the data erased, rectified, completed or amended.

§6 Developing privacy and data security compliance programs

Developing a privacy and data security compliance program requires a substantial
investment of professional and managerial time and financial resources to acquire, install
and operate the necessary technological systems that serve as the foundation for
collecting, using, transferring and discarding nonpublic personal information. It is
common to refer to privacy and data security as a top-level corporate governance issue
that involves the board of directors and senior management, and as companies grow they
are likely to recruit and appoint experienced professionals to serve as chief privacy
officers with their own dedicated personnel and budget to oversee the elements of the
compliance program. While there is no single template for the privacy and data security
compliance program, it is important to address the following and the steps outlined in
Table 1:

• Defining and identifying nonpublic personal information handled by the company and
documenting how the information flows into, within and outside the organizational
structure of the company;
• Establishing managerial responsibility and control over the compliance program and
allocating sufficient cash and other resources to the program;
• Establishing and enforcing all necessary policies and procedures with regard to
privacy and data security;
• Establishing focused programs to deal with specific privacy-related risks such as
online collection of information and collection and use of information during the
course of customer relationships;
• Establishing programs for educating all company employees and business partners
about privacy- and data security-related requirements, including continuing education
of new developments and threats for executives and managers directly responsible for
the compliance program;
• Understanding and monitoring all applicable privacy- and security-related laws and
regulations including emerging trends that may change the regulatory landscape in
the foreseeable future;
• Establishing and administering procedures for oversight of vendors with access to
nonpublic personal information for which the company is ultimately responsible;
• Establishing procedures for data retention and destruction;
• Establishing and administering privacy incident response and breach notification
procedures;
• Establishing and enforcing disciplinary policies with respect to failure of employees
and business partners to comply with the privacy- and data security-related policies
and procedures of the company;
• Communicating the company’s privacy- and data security-related practices to
relevant stakeholders including employees, customers, business partners, financial
markets and regulators; and
• Providing regular reports on the efficacy of the program to the board of directors and
members of the senior management group.

Responsibility for administering the privacy program should be vested in a single person,
generally referred to as the chief privacy officer, who will be given authority to establish
privacy policies and procedures and oversee personnel in each department of the
company who will be responsible for privacy-related issues in their functional area. The
importance of having an executive-level position responsible for managing the risks and
business impacts of privacy laws and policies is reinforced by the fact that most of the
Fortune 100 companies now have a chief privacy officer or an equivalent position. The
chief privacy officer, with the support of the chief executive officer and other members of
the senior management group, should be prepared to implement privacy policies and
practices for the entire company and coordinate the compliance activities of disparate
departments such as marketing, communications, customer service, information
technology, human resources and legal. The privacy officer and his/her staff should
begin by making an assessment of the nonpublic personal information that the company
collects and how it is used and otherwise handled by the company. Once policies and
procedures are in place the privacy officer should conduct privacy impact assessments
and audits of the handling of nonpublic personal information and should create training
and educational programs for employees and company agents. Various resources are
available for developing a privacy program including the materials that are readily
available from privacy seal organizations and from privacy advocacy groups.

Achieving adequate data security and privacy protections for customers, employees and
other parties requires a strategy and like any other strategy it is important to identify
relevant metrics that can be used to assess performance. Unfortunately, there is no single
strategy that will be entirely successful in each instance and even companies that have
thoughtfully developed and implemented data protection regimes can suffer security
breaches. When creating a data protection program companies should be mindful of the
stories they might need to tell if and when problems occur and this means being able to
demonstrate that the program was based on recognized industry standards and applicable
regulatory guidelines. In addition, companies should have a record of their consultation
processes that includes the names and backgrounds of the technical and legal specialists
that were involved. Companies should also be able to explain how their data security
framework works and when and how decisions were made among various alternative
solutions. For example, companies typically have a limited budget for their data security
programs, and the record should describe how and why dollars were invested in
addressing particular risks. While all this information cannot eliminate potential liability
for security breaches, it can help mitigate potential penalties and punitive damage awards.

Table 1
Checklist for Privacy- and Data Security-Related Law Compliance Procedures
In devising procedures for compliance with applicable privacy- and data security-related laws and
regulations, the following checklist may be helpful:

1. Determine the scope of the laws and regulations applicable to the company, including whether the
business activities of the company require collection of information from consumers and/or fall within
specialized regulated areas such as financial services or health care.
2. Review the steps that should be followed in order to develop a privacy and data security
compliance program.
3. Designate a chief privacy officer and invest sufficient resources to staff a privacy compliance unit
and procure the necessary technology to implement an effective privacy and data security program.
4. Consult applicable laws and regulations to develop a definition of the nonpublic personal
information that must be covered by the company’s privacy and data security compliance program.
5. Conduct an assessment of the information previously collected by the company and the current
and projected collection activities of the company to create an inventory of where nonpublic personal
information is collected, used, stored and transferred.
6. Prepare and implement privacy-related policies and procedures, including general privacy policies
and notices and procedures for collection and use of nonpublic personal information.
7. Establish training programs on privacy-related compliance issues for employees, contractors and
other agents of the company.
8. Prepare and implement security requirements for nonpublic personal information, including
information security policies and procedures.
9. Prepare procedures and contractual documents with respect to handling of the company’s
nonpublic personal information by business partners and service providers.
10. Prepare and implement procedures for proper and effective disposal of nonpublic personal
information that is no longer needed by the company to conduct its business activities.
11. Establish procedures for investigation and notification of security breaches.
12. Establish and follow procedures for regular audits of the effectiveness of the company’s privacy
and data security compliance program.

§7 Defining and identifying nonpublic personal information

In order to design and administer an effective privacy and data security program it is
necessary to carefully define and identify the nonpublic personal information that the
company has access to and is legally obligated to protect. Personnel responsible for
establishing the program must begin the process by conducting a thorough investigation
and analysis of how nonpublic personal information comes into the company, moves
through the company, and flows out of the company. This is the best and only way to
identify the areas in which the company is most vulnerable to the risk that it will
intentionally or inadvertently breach applicable laws and expose the nonpublic personal
information in its possession to theft and unauthorized access and use.

As mentioned above, data security is an issue for all businesses, regardless of their size
and the activities in which they are engaged. Obviously, certain enterprises are already
subject to specific laws and regulations that compel the implementation of compliance
procedures; however, every company has trade secrets and other sensitive information
that must be protected in order to preserve their competitive value. As such,
implementing technology-based protections and policies and procedures is a priority item
for management, although the scope and timing of the efforts will necessarily depend on
the availability of resources and the rate at which the size of the business is scaling.
Unfortunately, invasive cyberattacks by hackers that compromise an enterprise’s
operations can occur on the very first day of operations, and the impact of such an
occurrence will vary depending upon the scope of the attack and how much the enterprise
relies on its databases to operate effectively and continuously. Beyond the risk of a cyberattack
shutting down the business altogether is the concern that an attack will lead to
misappropriation of nonpublic personal information of members of a class of persons that
have been singled out for protection under federal and/or state laws: customers/clients,
employees, benefit plans, patients, students and/or constituents. Enterprises that have
ongoing relationships with members of a protected class, such as banks and other
financial institutions, retailers, schools and health care providers, are certainly at risk and
engaging in financial transactions with consumers (i.e., accepting payments) is an activity
that should not be undertaken without appropriate safeguards.

In order to identify nonpublic personal information you need to begin with a working
definition of the term so that you know what you are looking for as you go through the
investigation process. Not surprisingly, laws and regulations provide the best source of
information and, of course, the company needs to clearly understand its specific
obligations under those laws and regulations that are specifically applicable to its
business activities. Financial institutions, for example, must be mindful of the definition
of “personally identifiable financial information” in the federal Gramm-Leach-Bliley Act,
which includes any information a consumer provides to obtain a financial product or
service; about a consumer resulting from any transaction involving a financial product or
service; or otherwise obtained about a consumer in connection with providing a financial
product or service. Examples of information that may fall within the scope of this
definition include the fact that an individual is the customer of a particular financial
institution; the name, address, social security number and account numbers of a
consumer; any information a consumer provides on an application; any information from
a “cookie” obtained in using a web site; and any information on a consumer report
obtained by a financial institution.

The obligations of financial institutions with respect to protection of consumer
information are limited to “nonpublic personal information,” which means nonpublic
personally identifiable financial information (as defined above) and any list, description,
or other grouping of consumers (and publicly available information pertaining to them)
that is derived using any personally identifiable financial information that is not publicly
available. Information will be considered to be “publicly available” if the financial
institution has a reasonable basis to believe that such information is lawfully made
available to the general public from federal, state, or local government records (e.g.,
public real estate records); widely distributed media (e.g., telephone book); or disclosures
to the general public required by federal, state, or local law.

California law regarding protection of personal information requires all businesses, not
just financial institutions, to identify and create handling procedures for any information
that identifies, describes or can be associated with an individual, and includes the
following categories: name and address; electronic mail address; age or date of birth;
names of children; electronic mail or other addresses of children; number of children; age
or gender of children; height; weight; race; religion; occupation; telephone number;
education; political party affiliation; medical condition; drugs, therapies, or medical
products or equipment used; the type of product the customer purchased, leased, or
rented; real property purchased, leased, or rented; the type of service provided; Social
Security number; bank account number; credit card number; debit card number; bank or
investment account, debit card, or credit card balance; payment history; and information
pertaining to the customer’s creditworthiness, assets, income, or liabilities. Unfortunately,
every jurisdiction has its own unique legal and regulatory definition of personal
information and the exceptions from protective obligations that might apply (e.g., what is
considered to be publicly available) and the personnel responsible for the privacy
program must continuously monitor changes in this area and be mindful of new activities
in jurisdictions where the company has not previously been operating. If the company
receives sensitive information from a business partner, reference should be made to the
specific contract with that partner to determine what is covered and the precautions that
the company is required to take in order to protect the information.

Once you have an idea of what types of information you are looking for, you need to have
a process for identifying where the information resides within the organization of the
company and how it flows through the company during the course of day-to-day business
activities and operations. All departments that might have access to nonpublic personal
information should be contacted and have their operations audited. For example,
personnel overseeing the privacy program should conduct interviews and check records
in sales, human resources, accounting, information technology, and customer service. In
addition, relationships with outside service vendors that involve processing of nonpublic
personal information will need to be reviewed and audited. In general, it is necessary to
develop a full understanding of the following issues and questions:

• What are sources of the nonpublic personal information that is received by the
company? Common providers include customers, credit card companies, financial
institutions, credit bureaus, employees and business partners.
• How does the company receive nonpublic personal information? Common methods
for receiving such information include online (via the company’s web site); by email,
regular mail or facsimile; and during the course of processing transactions (e.g., cash
registers in company stores).
• What kind of nonpublic personal information is received from each identified source?
The sales department may collect credit card and banking information while human
resources takes in other types of personal information such as social security numbers
and birth dates.
• Where is the nonpublic personal information collected from each identified source
stored by the company? A good deal of information may be stored in a centralized
computer database; however, information may also be located in file cabinets and
on diskettes and tapes. Not all information will be located at the headquarters office,
and an inventory should be maintained of information stored on individual laptops, in
home offices and in branch offices.
• Which persons—employees and agents—could have access to the nonpublic personal
information collected by the company? In addition to verifying who is authorized to
access information care should be taken to evaluate the possibility of unauthorized
access, particularly by outside service providers.

The process of locating and identifying nonpublic personal information can be difficult
and time-consuming and should always extend beyond file cabinets and computer
systems to include all computers (including laptops and home computers), flash drives,
disks, cell phones and any other type of equipment that the company may use to store
data. Given the rapid evolution of storage technology the personnel responsible for the
privacy and security program must keep up with new storage products. As noted above,
the inventory process must be extensive enough to include locations away from the
company’s headquarters and outside vendors who have authorized access to sensitive
information in order to perform services for the company. Changing storage strategies
must also be taken into account, particularly as companies rely more and more on
outsourcing their data management to vendors offering their services in “the cloud”.

Understanding the type of information that may be subject to privacy-related laws and
regulations is an essential first step in developing a privacy program and managing
the scope of the company’s compliance efforts. One guiding principle should be that if a
company does not have a legitimate business need for sensitive information about
customers or business partners it should take affirmative steps to make sure that such
information is not collected, either intentionally or accidentally. If information is
collected, procedures should be put in place to ensure that it is retained for only as long as
there is a legitimate business need and thereafter such information should be carefully
destroyed using appropriate security practices.

There are different types of security and compliance risks with each type of nonpublic
personal information. Areas of great concern are social security and credit card numbers
and other sensitive financial information that can be misappropriated and used as the
basis for fraudulent business transactions or identity theft. A number of laws have been
implemented that specifically address use of social security numbers and impose
obligations on businesses not to use such information needlessly or carelessly. Customer
credit card information should be closely watched—in workplaces where safeguards are
not in place such information can be easily found near facsimile machines on the sales
floor where orders are received or in customer files that are readily distributed among
large groups of people. In addition, unless software that reads customers’ credit card
numbers is properly configured, the reading device used in processing transactions may
permanently retain the information and broaden the scope of the company’s protective
obligations well beyond the date that the information serves any business purpose.
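The inventory work described above, locating social security and card numbers that have come to rest in exports, fax queues and order files, is easier with a discovery scan. The following Python is an added illustration, not code from the guide or its author; the patterns, the constructed sample export and the file name are assumptions.

```python
"""Discovery scan for SSN-like and payment card numbers in stored text.

Added illustration (not from the guide). Findings are reported masked so that
the scan does not itself create another copy of the sensitive values.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumed patterns: a US SSN written NNN-NN-NNNN (rejecting the never-issued
# 000, 666 and 9xx area groups) and a run of 13 to 19 digits optionally
# separated by single spaces or dashes, which is how card numbers are usually
# typed on order forms.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    source: str      # file, field or device where the value was found
    line_no: int
    kind: str        # "ssn" or "pan"
    masked: str      # all but the last four digits replaced; never the full value


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used for card numbers; weeds out invoice and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, keep_last: int = 4) -> str:
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def scan_text(source: str, text: str) -> list[Finding]:
    """Return masked findings for every SSN or Luhn-valid card number in text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(source, line_no, "ssn", mask(m.group().replace("-", ""))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, "pan", mask(digits)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, which is what the data inventory records."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: the kind of fax-order export the guide warns about.
SAMPLE_EXPORT = """order 1001 customer Jane Doe card 4111 1111 1111 1111 exp 09/27
order 1002 customer J. Roe ssn 123-45-6789 for credit application
order 1003 invoice ref 1234567890123456 (not a card number)
"""

if __name__ == "__main__":
    for f in scan_text("fax-orders.txt", SAMPLE_EXPORT):
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
    print(summarize(scan_text("fax-orders.txt", SAMPLE_EXPORT)))
```

The Luhn check filters the 16-digit invoice reference on the third line, which a bare digit pattern would have reported as a card number.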

§8 Privacy policies and procedures

Guidance regarding the development, implementation and management of privacy
policies and procedures can be obtained through careful review of the pronouncements
and positions of the Federal Trade Commission (“FTC”) in their rulemaking and
enforcement actions in the privacy area. Points to be borne in mind include the following:

• Companies should be clear and truthful regarding the policies and procedures that
they follow relating to maintenance and protection of the privacy, confidentiality,
security, or integrity of nonpublic personal information.
• Companies must be particularly vigilant to guard against disclosing nonpublic
personal information to third parties in violation of their published policies and
without obtaining the express, affirmative (“opt-in”) consent of the individual whose
information is being disclosed. A record of all disclosures and the related consents
should be carefully maintained.
• When making material changes to privacy policies and procedures, refrain from
applying those changes to nonpublic personal information that was collected prior to
the effective date of the change unless and until the individuals from whom such
information was collected have given their express opt-in consent to the changes and
the use of their information in the manner dictated by the amended policy or
procedure.
• Consumer education should be one of the primary goals and objectives of the privacy
program and companies should include a clear and conspicuous notice regarding their
privacy and security practices on all their web sites and should regularly notify
customers about such practices in other ways (e.g., periodical mailings).
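The second and third points above, disclosure only with express opt-in consent and no retroactive application of a material policy change to data collected earlier, can be encoded as a decision rule. The following Python is an added illustration, not code from the guide; the policy versions, consent records and subjects are constructed sample data.

```python
"""Consent-gated disclosure under versioned privacy policies.

Added illustration (not from the guide). A material change to the policy is
applied to previously collected data only after the individual opts in to the
amended version; disclosure to a third party then also needs an opt-in consent
recorded against the version that governs the record.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class PolicyVersion:
    version: int
    effective: date
    allows_third_party_sharing: bool


@dataclass(frozen=True)
class Consent:
    policy_version: int   # the version the individual was shown
    given_on: date
    opted_in: bool        # False records an express refusal


@dataclass
class Record:
    subject: str
    collected_on: date
    collected_under: int          # policy version in force at collection
    consents: list[Consent] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    subject: str
    purpose: str
    allowed: bool
    basis: str            # retained alongside the disclosure records


def opt_in_for(record: Record, version: int) -> Consent | None:
    return next((c for c in record.consents
                 if c.policy_version == version and c.opted_in), None)


def applicable_version(record: Record, current: PolicyVersion) -> int:
    """Amended terms reach pre-existing data only with opt-in to the amendment."""
    if record.collected_under == current.version:
        return current.version
    if opt_in_for(record, current.version) is not None:
        return current.version
    return record.collected_under


def may_disclose(record: Record, policies: dict[int, PolicyVersion],
                 current: PolicyVersion, log: list[Decision]) -> bool:
    """Decide a third-party disclosure and append the decision to the log."""
    version = applicable_version(record, current)
    policy = policies[version]
    consent = opt_in_for(record, version)
    if not policy.allows_third_party_sharing:
        allowed, basis = False, f"policy v{version} does not permit disclosure"
    elif consent is None:
        allowed, basis = False, f"no opt-in consent recorded for policy v{version}"
    else:
        allowed, basis = True, f"opt-in to policy v{version} on {consent.given_on.isoformat()}"
    log.append(Decision(record.subject, "third_party_disclosure", allowed, basis))
    return allowed


# Constructed sample data: v1 forbade sharing, v2 (a material change) permits it.
POLICIES = {
    1: PolicyVersion(1, date(2022, 1, 1), allows_third_party_sharing=False),
    2: PolicyVersion(2, date(2023, 6, 1), allows_third_party_sharing=True),
}
CURRENT = POLICIES[2]
RECORDS = {
    # collected under v1, never consented to v2: v1 still governs, no sharing
    "alice": Record("alice", date(2022, 3, 1), 1, [Consent(1, date(2022, 3, 1), True)]),
    # collected under v1, later opted in to v2: v2 governs, sharing allowed
    "bob": Record("bob", date(2022, 5, 1), 1,
                  [Consent(1, date(2022, 5, 1), True), Consent(2, date(2023, 7, 1), True)]),
    # collected under v2 but no consent on file: policy allows it, consent missing
    "carol": Record("carol", date(2023, 8, 1), 2),
    # collected under v2 and expressly refused
    "dave": Record("dave", date(2023, 9, 1), 2, [Consent(2, date(2023, 9, 1), False)]),
}

if __name__ == "__main__":
    decisions: list[Decision] = []
    for rec in RECORDS.values():
        may_disclose(rec, POLICIES, CURRENT, decisions)
    for d in decisions:
        print(f"{d.subject}: {'allowed' if d.allowed else 'denied'} ({d.basis})")
```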

As with other legal and regulatory areas, it is important to prepare appropriate
documentation and records that can be accessed to demonstrate the existence and efficacy
of the privacy program to regulatory bodies and provide a basis for prosecuting or
defending civil actions that may involve privacy-related issues. For example, companies
should maintain, for at least five years, a copy of each representation made to individuals
regarding the collection, use and security of collected nonpublic personal information; a
copy of documents seeking to obtain opt-in consent of consumers and any documents
demonstrating such consent provided by consumers; and all invoices, communications,
and records relating to the disclosure of nonpublic personal information to third parties.

It should be noted that the growing interest in privacy has spawned an explosion of
development work with respect to new privacy enhancing and privacy inhibiting
technologies. The need to alleviate the initial widespread concerns of consumers
regarding the provision of their personal information as a condition of engaging in online
review and purchase of products and services led to technological advances in encryption
and the growing use and influence of privacy seals. Consumers could also protect
themselves against unauthorized use and outright theft of their personal information with
biometrics and use of pseudonymous and anonymous systems. In turn, businesses
anxious to collect information from and about visitors to their web sites might deploy
cookies, web bugs and spyware; however, consumers have fought back with cookie
managers, bug zappers and spyware management tools. One particularly intrusive
phenomenon—spamming—has been the subject of extensive regulatory activity and
technical tools such as message filtering and pop-up blockers.

When developing and implementing privacy policies and data security procedures,
reference can and should be made to applicable guidelines and standards that may have
been published by industry groups and regulatory bodies. For example, hospitals,
pharmacies and medical care providers required to comply with the HIPAA Security Rule
should review the materials available from the Department of Health and Human
Services, which include audit standards and information on physical, technical and
administrative safeguards. Financial institutions should review information available
through the Federal Financial Institutions Examination Council on how to identify and
address threats to financial data. Companies that accept debit and credit cards for
payment should be aware of the materials available through the Payment Card Industry
Security Standards Council, which include self-assessment questionnaires and a variety of
reference guides for merchants. Finally, while few companies have the need or resources
to implement the same level of protection used by the US government, the standards
followed by the government are available through the National Institute of Standards and
Technology and can be a useful starting point for understanding data security and specific
issues such as securing wireless local area networks and protecting data as part of a
broader supply chain management program.

§9 --General privacy policies and notices

Every business, regardless of its size or line of business, should prepare, adopt,
disseminate and follow appropriate policies and procedures with respect to protecting the
privacy rights of its customers, employees and business partners. One of the cornerstones
of the privacy program is a comprehensive privacy policy or notice that is made available
to customers and other parties from whom nonpublic personal information may be
collected. At a minimum, a comprehensive policy or notice should include the following
and the elements outlined in Table 2:

• An explanation of the reasons that the company collects personal information from its
customers and other parties;
• A description of the specific types of personal information that the company regularly
collects from its customers and other parties including examples of activities and
transactions that will typically include information collection;
• A description of how the personal information collected by the company may be used
in the company’s day-to-day activities and in the course of providing products and
services to its customers;
• When applicable, a discussion of how personal information is collected and used
when customers purchase gift cards and use other online services;
• A statement that information that visitors to the company’s web site voluntarily
disclose in a public fashion is public and not subject to the protection obligations
assumed by the company;
• A description of when and how the company discloses personal information and the
steps that must be taken by customers and other parties to restrict such disclosures;
• A description of the measures taken by the company to protect personal information
collected from customers and other parties;
• A description of procedures that customers and other parties can follow to access
their personal information to verify the accuracy of such information;
• A statement regarding the suitability of web site content for children and other
information required by federal and state laws regulating online marketing of
products and services to minors;
• Instructions regarding how answers can be obtained to any further questions a
customer or other party might have regarding the company’s privacy policy.

Businesses and organizations that collect a substantial amount of sensitive personal
information will generally implement a comprehensive privacy policy. Smaller
businesses may opt for an abbreviated version of the form; however, care should be taken
to address most of the issues above in some way and, of course, comply with specifically
applicable laws and regulations.

Statutes and related regulations play a significant role in the form and content of privacy
policies and procedures and organizations must be mindful of the industry-specific
requirements to which they may be subject. For example, financial institutions publish
their privacy principles in the form of a privacy notice that must be delivered to
consumers that have a sufficient level of business contact with the institution. The form
of the privacy notice for a financial institution is determined in large part by the
requirements of the federal Gramm-Leach-Bliley Act and financial institutions, such as a
bank, will generally prepare a lengthy form of notice that includes additional information
that may be of interest to consumers regarding the protection of their private information.
Many financial institutions combine the privacy notice with an opt-out election form.

While every privacy policy or notice should address certain core issues, it is important for
an attorney preparing or reviewing a proposed policy or notice to be sure that it is
sufficiently customized to the activities of the specific business. For example, the privacy
notice prepared and delivered by a law firm should generally be quite brief given that
lawyers are prohibited from sharing personal information of clients under applicable
professional responsibility rules. Companies that provide services on a global basis
should be sure that their privacy policies anticipate possible cross-border transfer of
information that is protected under the more stringent requirements that are typically
found in data security laws outside of the United States. Health care providers and health
plans should draft their privacy notices to conform to the requirements of the federal
Health Insurance Portability and Accountability Act of 1996.

Table 2
Checklist for Drafting a Website Privacy Policy
The following checklist enumerates information which should be collected to draft or review a form of
privacy policy for a Web site. The privacy policy should be available directly through each page and
through a link included in the site’s terms and conditions.

1. Collection of Information

1.1 Describe the information that the site owner will collect from users.
1.2 Describe where information is collected on the site. Information will generally be collected when
users first register at the site and when they actually purchase products and services through the site.
1.3 Describe the procedures for a user to update or correct his or her Personally Identifiable
Information. Users should be given an opportunity to review and correct their Personally Identifiable
Information online and should also be able to send changes via regular mail.
1.4 Include a description of how the site owner uses “cookies” to collect information on the site.

2. Use of Information

2.1 Describe how the site owner intends to use information collected on the site.
2.2 Describe the site’s policies regarding sharing of information collected on the site. The site owner
will generally share information with third parties with whom the owner contracts to provide specified
services to users.
2.3 Describe the choices of the user regarding collection, use, and distribution of their information.
Where appropriate, site owners should allow users to “opt out” from distribution of their information to
third parties for marketing purposes.
2.4 Describe the security precautions adopted by the site owner to protect against loss, misuse, or
alteration of personal information.

3. Third Party Sites and Public Postings

3.1 Include a disclaimer of responsibility for privacy policies and data collection procedures at third-
party sites accessible through the site. Site users should be admonished to closely review the privacy
policies of third-party sites accessible through the original site.
3.2 Include a notice to users regarding the public nature of communications posted in chat rooms and
discussion forums.

4. Further Information

4.1 Include a procedure for contacting the site owner regarding questions relating to the privacy
policies.

§10 --Online collection and use of personal information

It is now commonplace for for-profit businesses and other organizations to seek and
collect substantial amounts of information online through their web sites. Online
collection of user information raises a number of privacy concerns. Parties wanting or
needing to collect information should take a number of steps to ensure that users are
aware that the information is being collected and that they knowingly consent to the
intended uses of the data. The most important thing that can be done is to draft and
prominently display the privacy policy for the site, which should be available from the
site home page and any other location on the site where information may be collected
from visitors. At a minimum, companies must post policies that comply with any
applicable state laws and regulations. If information is to be collected from children, the
federal Children’s Online Privacy Protection Act of 1998 and the related FTC Children’s
Online Privacy Protection Act Guidelines require that a separate policy be
prepared and posted that carefully describes the information collection practices on the
web site. In addition, web site operators will need to send a direct notice to parents
informing them of procedures for collecting personal information of children and
obtaining the consent of parents to such collection. The notice should be accompanied by
a parent consent form.

In general, a privacy policy or statement used in connection with an online business
should address the following areas of concern:

• The purpose or purposes for collecting the information (e.g., entering the user in a
contest or including the name of the user on a mailing list) should be clearly disclosed
to users.
• If users are not required to provide the information in order to purchase the product or
service or participate in any other activity provided for on the site, that fact should be
clearly disclosed to users. If users are sent subsequent communications via email,
procedures should be established which allow users to discontinue receipt of
messages. This is not only good etiquette; it is also mandated under anti-spam
legislation.
• If the site is employing passive methods for collecting information, such as
navigational tracking tools or browser files, users should be advised of these methods
and also should be notified about the type of information that is being collected.
• If the information collected on the site is subject to public posting, users should be
encouraged to use a “screen name” or some alternative means of identification other
than full names.
• If email addresses are solicited and the site is not secure, users should be
appropriately warned about the possibility that unauthorized parties might be able to
use email addresses to learn other personal information about the user.

One of the key concerns for consumers with respect to online purchasing is the privacy of
information that they provide in connection with the transaction, particularly information
as to their credit cards. Companies need to address this problem by taking steps to ensure
the security of online transactions. These procedures should also be called out to
consumers in some form of Web site notice regarding credit card purchases and
confidentiality. Users should be informed about other contemplated uses of the
information, including the possibility that data will be shared with, or sold or otherwise
distributed to, others. In fact, the adoption of specific state laws such as California’s
direct marketing disclosure statute has created additional requirements on specific types
of information sharing with third parties (i.e., direct marketers) that must be incorporated
into online privacy notices.

It is very important to ensure that any online privacy policy also complies with any
applicable laws and regulations that might be imposed on the site, including regulations
imposed in foreign countries in which the company intends to be actively engaged in
soliciting customers. In many cases, it will be necessary to create a separate web site for
each country, with each site posting its own customized version of the privacy policy.

§11 --Collection and protection of personal information

Privacy policies and notices should be supplemented by additional procedures and forms
relating to the actual collection and protection of personal information. Companies that
collect and use information outside of the online environment should obtain explicit
written consents from customers and clients for collection, use and disclosure of their
personal information. In addition, companies should implement specific management and
employee procedures for protection of personal information collected or otherwise
acquired by the company. For example, all employees should be required to execute a
confidentiality agreement that covers personal information obtained by the company and
obligates employees to protect such information and not misuse or misappropriate such
information. Companies that frequently collect social security numbers from employees
and clients should also consider having a separate social security number policy that
addresses storage of social security numbers and the manner in which they are used for
various activities conducted by the company.

Customers and clients generally are provided with rights to inspect their personal
information and make changes to such information in the event it is incorrect. The
company should create a specific form that customers and clients can use to request
access to their records and, if necessary, request changes to the information in those
records. The privacy policy or notice should include specific instructions for individuals
wishing to file a complaint alleging a violation of their privacy rights and companies
should enable that process by creating their own privacy violation complaint form. In
addition, a form should be available for use by individuals who decide to withdraw their
initial consent to collection, use and disclosure of their personal information.

§12 --Training requirements

An important part of any privacy and security program is extensive training for all
participants in the workforce on compliance requirements and the use of tools that the
company makes available to protect sensitive information that comes into its possession. In
some cases training is mandated by applicable law; for example, health care providers are
required to provide formal education and training of the work force to ensure ongoing
accountability for privacy and security of protected health information. With respect to
privacy issues, the training provided to employees, contractors and volunteers should
cover general confidentiality obligations, reporting of known and suspected breaches,
sanctions, complaints, and privacy issues that are specific to different types of
communications (e.g., email and facsimile communications). With respect to general
security issues the training program should cover relevant security policies, physical and
workstation security, password management, audit procedures, and reporting of actual or
suspected breaches. Employees, contractors and volunteers should also be educated about
applicable laws and regulations. The specific subject matter of the training program will
depend on the types of personal information that are collected and used by the company
and there are often specific regulatory conditions with respect to training that will need to
be satisfied. As for managers, they should be trained in all of the areas described above
and also in departmental privacy and security training tools, training program
evaluations, remediation procedures, monitoring procedures, and overall assessment of
the company’s privacy and security systems. Training should be an ongoing process and
the company should document all training activities. A compliance program training
database should be established and regularly updated so that managers, employees,
contractors and volunteers have constant access to information relating to the company’s
privacy and security programs.

§13 Security requirements for nonpublic personal information

While financial institutions have long been subject to federal and state law requirements
relating to protection of nonpublic personal information gathered from consumers, it is
now clear that businesses of all types will be subject to similar regulations in the future.
For example, California law requires that companies that own or license unencrypted
personal information about California residents must implement and maintain reasonable
security procedures and practices for that data. The California statute does not specify the
required level of security, other than to say that it must be “appropriate to the nature of
the information” to protect the personal information from unauthorized access,
destruction, use, modification or disclosure, including prohibitions on disclosure of such
information to unaffiliated third parties unless such parties contractually agree to
maintain reasonable security procedures. As such, more and more companies will need
advice on how to comply with personal information security requirements, including
preparation and implementation of appropriate policies and procedures. The need to
provide assistance in this area is even more acute given that consumers have become
increasingly sensitized to the risks of “identity theft” and have become more adamant in
their demands that the companies from which they procure goods and services
demonstrate that they are committed to protecting personal information they receive from
their customers.

§14 --Information security policies and procedures

When establishing appropriate compliance strategies and information security procedures
for collecting personal information, companies should:

• Establish internal guidelines and policies that assure the uninterrupted security of
nonpublic personal information.
• Create and implement employee training measures and supervision systems to ensure
that personal information is protected during day-to-day handling and use.
• Establish and continuously evaluate information security systems that include
adequate protective physical safeguards and technological measures in support of
information security policies.
• Inform all business partners and service providers that handle personal information of
their responsibility to ensure that their policies, procedures and practices maintain a
level of security consistent with the company’s own information security policies.
• Establish procedures for disposal of personal information in a secure manner and in
keeping with the approved records retention schedule and the company’s overall
policy objective of minimizing the risk of loss or unauthorized access, use or
disclosure of such information.
• Implement plans for conducting an independent assessment of the effectiveness of the
policies and procedures that have been put in place by the company for the protection
of nonpublic personal information.

The process of developing an appropriate and effective set of information security
procedures is time-consuming and requires participation and support from
various functions within the company, including sales, accounting, credit, human
resources and information technology. In order to make sure that the programs and
procedures are effective companies must designate an employee or employees to
coordinate the information security program. In addition, senior management should be
publicly committed to the initiative based on the realization that information security has
become a globally recognized element of business ethics policies and practices for
companies in a wide range of industries.

The first step to be taken is conducting a comprehensive inventory of current practices in
each of the areas listed above. This is generally accomplished through the use of an
information security assessment checklist that reviews information security policies and
practices, employee awareness and training, technological tools utilized to protect
information, and relations and communications with outside vendors that handle sensitive
information. In addition, companies should make sure that their initial assessment focuses
on the specific elements for an effective information security program set forth in the
FTC’s Final Rule on Standards for Insuring the Security, Confidentiality, Integrity and
Protection of Customer Records and Information, even if the company is not specifically
required to comply with the Rule. It is essential to identify reasonably foreseeable
internal and external risks to the security, confidentiality, and integrity of nonpublic
personal information that could result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of such information, and assess the sufficiency of any
safeguards in place to control these risks. At a minimum, such risk assessment should
include consideration of risks in each relevant area of the company’s operations
including: employee training and management; information systems, including
information processing, storage, transmission, and disposal; and prevention and response
measures for attacks, intrusions, or other systems failures. Once a company understands
its existing strengths and weaknesses with respect to information security, it can take
steps to establish and maintain a comprehensive security program reasonably designed
for the protection of its collected nonpublic personal information.

§15 ----Guidelines and policies

The cornerstone of an information security program should be detailed guidelines,
reviewed and approved by senior management and the board of directors, that set out the
procedures that must be followed with respect to identification and protection of
nonpublic personal information collected from consumers in the course of the company’s
business activities (see Table 3). The guidelines are intended to accomplish several goals
and purposes: describe the security infrastructure that is to be created within the
company, including designation of the person(s) responsible for compliance, risk
assessment procedures, implementation of security measures, supervision and oversight
of outside vendors, assessment of the security program, and training and education of
company employees; include a clear and comprehensive definition of the type of
information that must be covered by the security program; and refer to the specific
statutory obligations imposed on the company, since this can be used as evidence that the
company recognized the applicability of these requirements and took good faith steps to
comply.

With respect to financial institutions, the relevant statutory schemes are the federal
Gramm-Leach-Bliley Act and any similar state regulations. Other businesses might refer
to statutes such as California’s law regarding security procedures for personal
information of its residents. In general, these statutes call for companies to design and
implement information safeguards to control the risks identified through risk assessment,
and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls,
systems and procedures.

It is now commonplace for companies to create and distribute a data security policy that
describes the framework to be used within the company for handling, storage and
protection of confidential information. Companies should also be sure that they adopt
and disseminate specific policies relating to various aspects of the information security
issue. For example, a company’s online privacy and security policy should always
include a reference to the company’s practices with respect to disposal of personal and
confidential information. In addition, it is recommended that companies prepare specific
policies and guidelines with respect to use and disclosure of personal information,
including the requirements that must be satisfied in order for personal information to be
released to third parties (e.g., informing the recipient that the information can only be
used for specified purposes and cannot be further disclosed without obtaining applicable
consents).

Table 3
Checklist for Drafting Guidelines for an Information Security Program
The following checklist enumerates information which should be collected to draft and review guidelines
for the preparation and implementation of an information security program for businesses seeking to
comply with their legal obligations to identify and safeguard nonpublic financial information received
during the course of business relationships with customers.

1. Background and Purposes

1.1 Describe the overall purpose of the rules and procedures included in the document. In general, the
guidelines provide a framework for drafting information security programs to comply with the Federal
Trade Commission’s “Standards for Safeguarding Customer Information” Rule promulgated under the
authority of the Gramm-Leach-Bliley Act (“GLBA”). 16 C.F.R. §§ 314.3, 314.4. The Rule concerns the
safeguarding of customers’ nonpublic financial information related to financial products or service
transactions.
1.2 Identify and describe the nonpublic financial information that must be safeguarded using the
procedures described in the document. The program should cover receipt and handling of “nonpublic
financial information,” and the guidelines should include a definition of that term and examples of
information and records that might fall within the scope of the definition. In general, the program should
apply to any paper or electronic record maintained by a company business unit that contains nonpublic
financial information about an individual or a third party who has a relationship with the business unit.
1.3 Identify those departments or business units that are most likely to have access to nonpublic
financial information. The answer will vary depending on the business activities of the institution; however,
it is generally likely that such information will be made available to staff involved in information
systems/technology; accounting services; accounts receivable; sales; and human resources.
1.4 Consider including a separate section of defined terms used throughout the document in
connection with programs. Among the defined terms that might be described are “customer,” “consumer,”
“nonpublic financial information” and “service providers.”

2. Program Requirements

2.1 Outline the overall requirements of the program. The GLBA mandates that any program address
the following methods to safeguard customers’ nonpublic financial information: (i) the appointment of an
information security program coordinator; (ii) methods to conduct a risk assessment of likely security and
privacy risks; (iii) the design and implementation of information safeguards to control security risks; (iv)
methods to oversee the operations of service providers and corresponding contracts with such entities to
ensure their compliance with the GLBA; and (v) a plan to periodically evaluate and adjust the program. 16
C.F.R. § 314.4.
2.2 Provide for designation of a program coordinator who will be responsible for implementing the
program. In addition to designating the coordinator, the program should list and describe the duties of the
coordinator, including compilation of a list of business units and areas with access to nonpublic financial
information, identification of security risks, monitoring of contracts with third-party service providers,
implementation of education and training programs, and evaluation and monitoring of the effectiveness of
the security programs.
2.3 Provide that the program must identify reasonably foreseeable external and internal risks to the
security, confidentiality, and integrity of nonpublic financial information that could result in the
unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and must
assess the sufficiency of any safeguards in place to control those risks. The risk assessment should include,
at a minimum, consideration of risks relating to employee training and management; safeguards of
information systems/technology processing, storage, transmission and disposal (including network and
software design); and methods to detect, prevent, and respond to attacks, intrusions, or other system
failures.
2.4 Require the program to include information regarding the design and implementation of
information safeguards to control the risks identified through the risk assessment. The program’s
monitoring may include technology system checks, reports of access to technology systems, and audits.

3. Third-Party Service Providers

3.1 Include procedures for oversight of third-party service providers with whom the company may
share customers’ nonpublic financial information. Such activities by third-party service providers may
include collection activities, electronic transmission of documents, destruction of documents or equipment,
or other similar services.
3.2 Require that reasonable steps be taken to select and retain third-party service providers that are
capable of complying with the GLBA by maintaining appropriate safeguards for the customer information
to which they have access.

3.3 Require the program to include a reference to the business unit’s duty to require, by contract, that
all third-party service providers implement and maintain appropriate GLBA safeguards for customers’
nonpublic financial information.

4. Evaluation and Dissemination of Programs

4.1 Require the program to be subject to periodic review, evaluation and adjustment. The program
must include a plan by which it will be evaluated, on no less than an annual basis, and a method to revise
the program, as necessary, to ensure its continued effectiveness.
4.2 Include a description of the minimum requirements for distribution of information regarding the
program to employees and others that have access to nonpublic financial information. Among other things,
the materials must be made available to employees during mandatory training sessions and should also
be included in staff handbooks. Programs and related materials should also be posted on the organization’s
internet or intranet web site.

§16 ----Employee training and supervision

Any information security plan is only as good and reliable as the employees involved in
the implementation of the plan. Accordingly, it is essential for companies seeking to
protect customer information to ensure that all of their employees, not only those
involved in handling such information on a regular basis, are adequately trained and
properly supervised. At a minimum, the following steps should be taken by employers:

• Check references prior to hiring employees who will have access to customer
information.
• Ask every new employee to sign an agreement to the standards established by the
company with respect to preserving the confidentiality of proprietary information and
maintaining the security of customer information.
• Train employees on the basic principles necessary for securing and preserving
customer information, including locking rooms and file cabinets where records are
kept and observing sound practices to prevent unauthorized access to such
information on computers and the company’s data networks.
• Provide continuous instructions and reminders to employees regarding the policies,
and legal obligations, of the company with respect to securing and protecting the
confidentiality of customer information, including regular training and posted
reminders around the workplace.
• Limit access to customer information to employees who have a legitimate business
reason for seeing it.

§17 ----Information systems

The company must also ensure that its information systems, which include information
processing, storage, transmission, retrieval and disposal, are set up and maintained in a
manner that assures that customer information will be secure from the time it first enters
the system to the point at which it is disposed of. While most information is stored on
computer networks, the relevant system should be broadly defined to include traditional
paper records.

Obviously, the most important rule is making sure that records are stored in a secure area
and that access to the area is limited to authorized managers and employees. With respect
to paper records, this means storing them in a room, cabinet, or other container that is
locked when unattended and also making sure that the storage area is protected against
destruction or potential damage from physical hazards such as fire or floods. With respect
to electronic records, the sensitive information should be placed on a secure server that is
accessible only with a password and which is physically located in a secure area. The
company should always maintain backup media and keep any archived data secure by
storing it offline in a secure area.

When initially collecting customer information, or transmitting it once it has been
collected, the company should be sure to use secure data transmission, with clear
instructions and simple security tools. This generally means using a Secure Sockets Layer
(SSL) or other secure connection so that the information is encrypted in transit.
Customers and employees should be cautioned against transmitting sensitive data, like
account numbers, via email; and, if employees do transmit such data using email, access
to the messages should be limited through password protections.
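As an added example (not code from the guide's author), the following Python puts two pieces of the advice above into practice: a client TLS context that encrypts customer data in transit and verifies the server, which is how the "SSL or other secure connection" is set up today (TLS is the successor to SSL), and a pre-send check that stops an outbound e-mail carrying a payment-card-style account number from leaving in the clear and reports only a masked value. The digit-run and Luhn heuristic, the function names and the sample messages are assumptions of the example, not something the guide specifies.

```python
import re
import ssl

# Added example for this guide (not code from the author): two controls that
# put the "secure transmission" advice into practice. Assumption: the company's
# own applications open the client connections and can inspect outbound e-mail
# text before it leaves; the sample messages below are constructed.


def secure_client_context() -> ssl.SSLContext:
    """Client-side TLS context: encrypts in transit, requires a certificate
    chaining to a trusted CA, checks the hostname, and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()           # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Gate to call before customer data is written to a socket: a context
    that skips verification or allows legacy protocol versions is rejected."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


# Runs of 13-19 digits, optionally separated by spaces or dashes, not glued
# to other digits. Phone numbers (10 digits) and short IDs do not match.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers; the check cuts false
    positives, but about one random digit run in ten still passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_account_numbers(text: str) -> list:
    """Candidate card/account numbers found in free text."""
    hits = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(number: str) -> str:
    """Keep only the last four digits for the alert, never the full number."""
    return "*" * (len(number) - 4) + number[-4:]


def check_outbound_email(body: str) -> dict:
    """Pre-send check: block the message (or route it to an encrypted channel)
    when it carries an account number, and report only masked values."""
    hits = find_account_numbers(body)
    return {"allowed": not hits, "masked": [mask(h) for h in hits]}


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test number.
    print(check_outbound_email("Please charge card 4111 1111 1111 1111 for invoice 8831."))
    print(check_outbound_email("Your ticket number is 48213; call 555-123-4567."))
    print(context_is_acceptable(secure_client_context()))
```

The scanner is deliberately a coarse heuristic: a production data-loss-prevention rule would add the company's own account-number formats and tune the digit-length window, and the TLS gate belongs at the single point where the application opens connections so that no code path can fall back to a plaintext socket.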

§18 ----Business partners and service providers

The efficacy of the company’s efforts with respect to information security depends not
only on the actions of employees but also other parties who may handle the nonpublic
personal information that the company is obligated to protect, including contractors and
service providers. Outsourcing important business functions—payroll processing, web
hosting, customer call center operations or data processing—should not be implemented
until the outsourcing partner’s practices with respect to data security have been carefully
investigated. Companies should develop guidelines that specify their expectations with
respect to arrangements with third-party service providers that may have access to
nonpublic personal information collected by the company. The main issue for any
agreement with an outside service provider is ensuring that the vendor is committed to
complying with all applicable laws and regulations and establishing and maintaining a
sufficiently rigorous program for protecting personal information and other sensitive data
transferred during an outsourcing arrangement. Comprehensive agreements will go into
specific details regarding the steps that vendor will be expected to take including the
following:

• Naming a manager who will be responsible for privacy compliance and data security;
• Limiting the use of information to only what is needed to fulfill the contract;
• Only disclosing information as permitted by the company or as required by law;
• Implementing effective administrative, technological and physical safeguards in place
to stop theft, loss and unauthorized access, copying, modification, use, disclosure or
disposal of information that are at least as rigorous as those used by the company and
those offered by the vendor to its other clients;
• Limiting access to the information only to subcontractors that the company has
approved and which have entered into agreements that obligate them to provide the
same level of protection for data that the vendor is required to provide to the
company;
• Educating their employees on privacy laws and policies and taking reasonable steps to
ensure employee compliance through staff training, confidentiality agreements and
employee sanctions;
• Using reasonable efforts, including virus protection software, to avoid viruses,
worms, back doors, trap doors, time bombs and other malicious software;
• Maintaining backup security and acceptable business recovery plans (including
disaster recovery, data backup and alternate power);
• Following all applicable privacy laws and regulations, industry standards (e.g.,
Payment Card Industry data security standards in cases where the disclosed
information includes credit card data) and internal privacy policies;
• Granting access to the company to inspect their premises and security practices to
ensure compliance with the contract and applicable laws and regulations;
• Rendering regular reports on compliance activities;
• Reporting any security breaches or incidents to the company within an agreed time;
and
• Returning or destroying all information received or created in any form when the
contract ends, and where this is not possible, keeping the contract’s privacy measures in
place to protect the remaining information.

Procedures should be established for ensuring that service providers notify the company
whenever they experience a possible or actual security breach even if the incident does
not directly involve the company’s data. Companies should be prepared to adopt an
expansive approach to monitoring the activities of “service providers” that include any
person or entity that receives, maintains, processes, or otherwise is permitted access to
nonpublic personal information through its provision of services directly to the company.

Among the tools that are commonly used in dealing with third party service providers is a
special form of contract addendum to the general services agreement that deals
specifically with the duties of the service provider with respect to protection of
confidential information. If necessary, the addendum should be customized to fit the
particular type of data that the service provider will be handling for the company. In turn,
service providers should prepare their own rules and procedures for protecting third-party
information, and a copy of these materials should be exchanged during the due diligence
process. Another alternative that might be used when the third party service provider is
engaged in connection with outsourcing business processes is a separate contract that
specifically addresses data protection issues and establishes the obligations of the service
provider with respect to protection, use and transfer of sensitive data that is essential to
performance of the outsourcing arrangement.

§19 ----Disposal of personal information

When the time comes to dispose of customer information, the company must take
precautions to ensure that disposal is done in a secure manner and that a record is
maintained of the date and manner of disposal. It is recommended that companies hire or
designate a records retention manager to oversee disposal of all records containing
customer information that is personal and not otherwise available to the public and the
steps taken by the company must be reasonable and appropriate to prevent unauthorized
access to—or use of—nonpublic personal information. Such information should be
disposed of as soon as it is outdated or no longer necessary for the conduct of the
company’s business and its relationship with the customer. Customer information
recorded on paper should be shredded or recycled and stored in a secure area until it is
picked up and removed by a recycling service. In order to make it easier for employees to
comply, shredders should be made available at easily accessible locations in the
workplace, particularly next to copy machines. Customer information stored electronically
should be erased with wipe utility programs when disposing of computers, diskettes,
magnetic tapes, hard drives or any other electronic media that contain such information,
and all hardware that contained such information must be effectively destroyed. If
employees work outside of the company’s facilities, such as in their home offices, steps
should be taken to ensure that they follow the same security procedures as they would at
the company with respect to security and destruction. Disposal procedures should be
regularly reviewed to determine if they remain reasonable in light of the sensitivity of the
information, the specific legal and regulatory obligations of the company, disposal
expenses, and changes in technology.

Information about destruction of data is also available from the Federal Trade
Commission as part of its education program on compliance with its Rule Regarding
Disposal of Consumer Report Information. This Rule provides several examples of
“reasonable measures” to protect against unauthorized access, including implementing
and monitoring compliance with policies and procedures that require the burning,
pulverizing, or shredding of papers containing consumer information so that the
information cannot practicably be read or reconstructed; implementing and monitoring
compliance with policies and procedures that require the destruction or erasure of
electronic media containing consumer information so that the information cannot
practicably be read or reconstructed; and, after due diligence, entering into and
monitoring compliance with a contract with another party engaged in the business of
record destruction to dispose of material, specifically identified as consumer information,
in a manner consistent with the Rule.
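As an added example (not the author's code and not anything published by the FTC), the following Python carries out the two steps the text asks for when an electronic record is disposed of: erasing it and keeping a record of the date and manner of disposal. It assumes records are individual files on local disk and that the disposal record is a JSON-lines log whose location the caller chooses; the sample customer record and the operator name are constructed. The caveat in the code is the practitioner's reason the Rule's "cannot practicably be read or reconstructed" standard often calls for cryptographic erasure or physical destruction rather than an overwrite alone.

```python
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example for this guide (not the author's code). Assumption: records
# subject to disposal are files on local disk, and the disposal record the
# guide calls for is a JSON-lines log whose location the caller chooses.
# SAMPLE_RECORD is constructed content for the demonstration.

CHUNK = 1 << 16
SAMPLE_RECORD = b"name=Jane Example;account=ACCT-00001042;\n" * 50


def overwrite_and_delete(path: Path, passes: int = 2) -> int:
    """Overwrite the file in place (random bytes, then zeros), sync to disk,
    and unlink it; returns the number of bytes overwritten.
    Caveat: on SSDs, copy-on-write or journaling filesystems, and cloud
    volumes, overwriting does not guarantee the old blocks are gone. For those
    media use cryptographic erasure (destroying the disk-encryption key) or
    physical destruction so the data cannot practicably be read or
    reconstructed, which is the standard the FTC Disposal Rule sets."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    path.unlink()
    return size


def dispose_record(path: Path, log_path: Path, operator: str,
                   method: str = "overwrite+unlink") -> dict:
    """Dispose of one record and append the date, manner and operator to the
    disposal log. Only the path and size are logged, never the contents."""
    entry = {
        "disposed_at": datetime.now(timezone.utc).isoformat(),
        "record": str(path),
        "size_bytes": overwrite_and_delete(path),
        "method": method,
        "operator": operator,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def read_log(log_path: Path) -> list:
    """Entries of the disposal log, oldest first, for review or audit."""
    with open(log_path, encoding="utf-8") as log:
        return [json.loads(line) for line in log if line.strip()]


def demo_disposal() -> dict:
    """Create the constructed record in a scratch directory, dispose of it,
    and return what an auditor would check afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        record = base / "customer-1042.txt"
        record.write_bytes(SAMPLE_RECORD)
        log = base / "disposal.log"
        entry = dispose_record(record, log, operator="records-retention-manager")
        entries = read_log(log)
        return {
            "exists_after": record.exists(),
            "size_bytes": entry["size_bytes"],
            "log_entries": len(entries),
            "method": entries[0]["method"],
        }


if __name__ == "__main__":
    print(demo_disposal())
```

The log is append-only by construction and records who disposed of what, when and how, which is the evidence the text says the records retention manager should be able to produce; whole-device disposal (hard drives, tapes) is outside what a file overwrite can address and remains a matter for the certified destruction vendor discussed below.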

Since many, if not most, companies outsource much of their record-destruction
activities, it is important to understand the appropriate level of “due diligence” that might
be required in order to satisfy the requirements of the Rule. The Rule suggests that, in this
context, due diligence could include reviewing an independent audit of the disposal
company’s operations and/or its compliance with the Rule, obtaining information about
the disposal company from several references or other reliable sources, requiring that the
disposal company be certified by a recognized trade association or similar third party,
reviewing and evaluating the disposal company’s information security policies or
procedures, or taking other appropriate measures to determine the competency and
integrity of the potential disposal company.

§20 ----Independent assessment

While the senior management personnel responsible for the company’s security program
should regularly and continuously evaluate the efficacy of the program, regulators will
expect that companies also turn to independent third parties to evaluate and provide
recommendations for adjustment of the security program according to ongoing
assessment findings and material changes in the legal and business environment in which
the company operates. The reports prepared by the outside party should describe the
specific safeguards implemented and maintained by the company, analyze whether the
safeguards are appropriate for the size and complexity of the company and the nature and
scope of the company’s activities and the sensitivity of the nonpublic personal
information handled by the company, and certify that the company’s security program
is operating with sufficient effectiveness to provide reasonable assurances that nonpublic
personal information handled by the company is protected. In general, a company should
be prepared to evaluate, through both internal and external means, its information
security program and make adjustments in light of the results of the required testing and
monitoring, any material changes to operations or business agreements, or any other
circumstances that the company knows or has reason to know may have a material impact
on the program.

§21 --Investigation and notification of security breaches

In the decade following February 15, 2005, the date that ChoicePoint disclosed that the
personal information of approximately 145,000 people may have been misappropriated
by identity thieves, more than 4,800 companies and government agencies publicly
announced security breaches according to information compiled by the Privacy Rights
Clearinghouse and available for viewing on its website, which also contains an extensive
collection of tools relating to protection of privacy rights. ChoicePoint responded to the
problem by providing notifications to customers in California and other states; and state
legislatures, beginning with California and continuing to almost all of the other states,
adopted new security breach notification laws that now require that notices be sent to
consumers when an event occurs that may cause the privacy of their personal information
to be compromised. In addition, Congress has been actively considering legislation that
would create a uniform national standard with respect to required notification to
consumers in the event of a breach of data security. In light of these developments, it is
incumbent on companies to carefully implement formal security breach plans that cover
investigation of the event, notification of consumers and other parties as required by law
and good business practice, and ongoing review and evaluation of security measures.

In spite of all of the legislative activity, the occurrences of large data breaches at
companies, universities and governmental organizations continue to rise at an alarming
rate. For example, public reports indicate that breaches have occurred at well-known and
highly respected companies and organizations such as JP Morgan Chase, Target, Home
Depot, Lockheed Martin, the University of Hawaii, the States of Texas and South
Carolina, Cedars-Sinai Medical Center, BNY Mellon, eBay, the US military, T-Mobile
and Sony. As a result, it is not surprising that data security has become a significant issue
with senior managers of corporations. In fact, surveys indicate that data breaches, and the
costs and damages to reputation and public image that accompany them, are more
worrisome to executives than other crisis situations, including terrorism, product recalls,
corporate malfeasance and workplace violence. While the notification requirements
attempt to deal with actions taken after a breach has occurred, there are many legislators
who believe it may be necessary to begin regulating the steps that owners and custodians
of personal information must take to reduce the likelihood that a breach occurs in the first
place. Companies can anticipate more stringent regulation and plan in advance by using
an information security assessment checklist.

The best way to approach compliance in this entire area is to develop and follow a clear
and comprehensive breach notification or data management and protection policy that
identifies protected information and data; defines the duties of responsible parties within
the company with respect to the protected data and compliance with security breach laws;
describes the incident response process to be followed upon the occurrence of a security
breach; and sets out notification procedures. Overall responsibility for the policy should
be vested in a senior management official, such as the chief privacy or security officer (or
the equivalent manager within the company organization); and, when a security breach
occurs, this official should be able to quickly enlist the support of the business unit within
the company in which the breach occurred as well as legal counsel and representatives
from the company’s human resources and public relations departments. The plan should
include a draft version of the form of notification that will be sent with annotations to
remind the persons responsible for the notification of the need for possible modifications
for particular states.

In addition to the formal notification, the company should also implement a broader
communications program directed at affected consumers and others that makes additional
information available to such parties through the company web site. For example, many
companies supplement information in the notice by posting a set of “frequently asked
questions” on their web site and providing links to organizations that can assist
consumers with any concerns they might have about possible identity theft. A press
release should also be prepared and disseminated, and all inquiries to the company about
the security breach should be directed to one designated corporate representative. Even if
an incident has not occurred, companies should consider posting a notice on their web
site that briefly describes their commitment to protection of personal information and the
steps that will be taken, including notification, in the event that a security breach does
occur at some time in the future.

Obviously, one of the most important activities following a security breach is
investigation of how the breach occurred and an analysis of the steps needed to
strengthen the security systems of the company to prevent similar problems from
occurring in the future. Once the immediate threat has been addressed, the next step is to
determine whether more comprehensive remedial actions are necessary, including
changes in the configuration of data networks and modifications to physical security rules
and procedures. The chief privacy or security officer should also step back and take a
look at how the entire notification and “crisis management” process went to determine
whether additional changes should be made to the company plans and strategies in this
area. Finally, news of security breaches suffered by others should be carefully scrutinized
to see what lessons can be learned and applied to the company’s situation before trouble
hits in the future.

As noted above, almost all of the states have adopted statutes relating to security breaches
and companies should prepare, and periodically update, a chart that details the specific
requirements of each state where they have contact with consumers. Companies may
attempt to develop notification programs based on the requirements of the state with the
most onerous rules so that just one notice can be given in all jurisdictions; however, care
must be taken to ensure that an issue or disclosure item does not fall through the cracks.
Companies may also voluntarily expand the group that receives a notification to include
parties referred to in federal legislation that has been proposed from time-to-time as a
matter of good business practice and as a way to head off potential problems with law
enforcement agencies and other regulatory bodies.

§22 Effective implementation and management of privacy programs

Several distinct, yet highly related, activities must be undertaken in order to effectively
implement and manage a privacy program:

• Management must engage in strategic and business planning relating to operational
activities that are impacted by requirements imposed by privacy-related laws,
regulations and industry standards.
• An assessment must be made of the current level of company compliance with
privacy-related requirements and the risks confronting the company from
noncompliance must be identified and quantified.
• Solutions to deficiencies in the current level of company compliance should be
created and introduced into the operational activities of the company.
• Appropriate criteria and procedures for monitoring the effectiveness of the privacy
program should be developed and implemented.
• The privacy program should be regularly and continuously evaluated by both internal
and external auditors.

Each company should have its own unique and overriding vision for the long-term
direction of its business and the goals and objectives that it wishes to achieve. One
important element of this vision is the type of organizational culture that it wishes to
establish and nurture including the norms and values with respect to collection, use and
protection of personal information. The organizational culture should also include an
understanding of how the company interacts with its external environment, including
customers, and the approach that management expects its employees to take with respect
to legal, social and ethical issues that are part of the company’s business environment.
Realization of the management’s vision for the company occurs through the creation and
implementation of a strategic plan. While a strategic plan is necessarily comprehensive and
covers all areas of the company’s business, it should identify privacy compliance issues
and establish strategies and tactics for dealing with those issues. For example, the
strategic plan should address acquisition and allocation of the resources necessary to
establish and manage a privacy program including a budget for security systems,
employee training, administration, advertising, auditing and other related services.

During the process of strategic and business planning the company must carefully and
thoroughly assess the operational activities to determine their level of consistency with
the projected goals and objectives of the company with respect to privacy compliance.
The purpose of this assessment is to identify the requirements of relevant laws and
regulations and the compliance risks that the company is facing and to establish a priority
list of the steps that the company needs to take in order to create and administer effective
privacy policies and practices.

Once the assessment stage has been completed, management can turn to creating and
implementing policies, procedures and other tools to address the identified privacy
compliance risks. Implementation should be done in the context of the overall strategic
and business plan and should include a list of specific tasks and activities, clear
assignment of responsibilities for those tasks and activities, schedules and milestones,
and a set of benchmarks to monitor progress in each area. The range of solutions, and
related tasks and activities, will depend of course on the particular results of the
assessment; however, it is common for companies to focus on converting various systems
and procedures to comply with privacy law requirements, create and/or update their
forms and contracts to track those requirements, and implement education and awareness
programs regarding privacy issues for employees and outside parties that regularly deal
with the company (i.e., customers).

Once the solutions have been created and implemented management must carefully
monitor the progress of the tasks and activities in relation to the action plan to ensure that
remedial measures are being introduced on a timely basis and that the desired level of
improvement in compliance is being achieved. Monitoring can take a number of different
forms, including policies, processes and technical tools, and records should be created and
maintained of the steps taken by the company to ensure that its privacy program is being
followed and is effective in meeting legal and regulatory requirements.

Regular monitoring of the effectiveness of the privacy program should include formal
internal and external audits that provide management with independent and objective
assessments of how well the program is operating and how effective it has been in
achieving its stated goals and objectives. Audit procedures can focus on specific aspects
of the compliance program. For example, auditors can review the manner in which the
company has handled requests for personal information, the processes used to collect
such information, and the safeguards that are used when such information is disclosed
(e.g., what steps are taken to verify that the recipients of the information are entitled to
receive it and will take the necessary steps to protect such information). Internal auditors
can assist management in creating efficient internal processes for privacy compliance and
their effectiveness is enhanced by their greater familiarity with the operational activities
of the company. External auditors, on the other hand, can provide independent assurance
services that provide greater comfort to outside parties such as customers, regulators,
business partners and visitors to the company’s web site. The goal of the internal and
external audit process is to generate reports and data for management that can be used to
modify and improve the strategic and business plan (§ 230:24) underlying the privacy
program.

Best Practices for Development and Administration of Privacy Programs

An effective privacy program is one that simultaneously addresses privacy risks and business opportunities.
As time has gone by there has been an emerging consensus on what constitutes “best practices” with
respect to collection, use, retention, disclosure and destruction of personal information and companies
should incorporate these principles into the planning and administration of their privacy programs. The
following criteria included in the Generally Accepted Privacy Principles issued by the AICPA/CICA
(American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants) are
based on internationally recognized practices that have already been incorporated into a wide range of
privacy laws and regulations in the United States and around the world and into recognized guidelines
recommended by industry and trade organizations:

(1) Management: A company defines, documents, communicates, and assigns accountability for its
privacy policies and procedures.
(2) Notice: The company provides notice about its privacy policies and procedures and identifies the
purposes for which any personal information is collected, used, retained, and disclosed.
(3) Choice and Consent: The company describes the choices available to the individual whose
personal information is being collected and obtains and documents the implicit or explicit consent of the
individual with respect to the collection, use, and disclosure of personal information.
(4) Collection: The company collects personal information only for the purposes identified in the
notice regarding its privacy policies and procedures.
(5) Use and Retention: The company strictly limits the use of personal information to the purposes
identified in the notice and for which the individual has provided the implicit or explicit consent referred to
above. The company retains personal information for only as long as necessary to fulfill the stated
purposes.
(6) Access: The company provides individuals with access to their personal information for review
and update.
(7) Disclosure to Third Parties: The company limits disclosure of personal information to third parties
only for the purposes identified in the notice and with the implicit or explicit consent of the individual
referred to above.
(8) Security for Privacy: The company establishes policies and procedures for protecting personal
information against unauthorized access (both physical and logical).
(9) Quality: The company complies with the policies and procedures specified in the notice by
maintaining accurate, complete, and relevant personal information for the specific purposes identified in the
notice.
(10) Monitoring and Enforcement: The company regularly monitors compliance with its privacy
policies and procedures and implements and enforces procedures to identify and address privacy-related
complaints and disputes.

A thorough and effective privacy program includes policies, communications, procedures and controls, and
evaluation criteria. Policies include written statements developed by the company that clearly describe the
intent and goals of management with respect to privacy compliance and specific requirements,
responsibilities, and/or standards. Communications include written and oral messages delivered by the
company to the individuals whose personal information is at issue, internal personnel, and third parties
about the company’s privacy notice and its commitments therein and other relevant information.
Procedures and controls are other actions taken by the company to realize its goals and satisfy specific
requirements, responsibilities, and/or standards. Finally, evaluation criteria should be comprehensive,
relevant, clear and objective, and measurable so that management can determine the effectiveness of the
program and take appropriate actions to modify the program to cure shortcomings and integrate changes in
applicable legal and regulatory requirements. The evaluation process should include monitoring and
auditing, performance measurement and benchmarking.

There are several distinctive steps that management must take in order to establish and maintain an
effective privacy program. First, senior management should create a privacy team, headed by a chief
privacy officer, to oversee the compliance activities within the company such as creating policies and
procedures and setting up training programs. Second, the privacy team should prepare a written privacy
program for the company that addresses all key areas including the level and type of resources that would
need to be invested in collection and protection of sensitive information. Finally, management should
ensure that a program is established for monitoring compliance with privacy-related laws and regulations
and that compliance is carefully evaluated through internal and external audits.

§23 Privacy and data security issues in acquisition transactions


Privacy and data security are important issues when a company is considering the
acquisition of the business of an outside party, by merger or otherwise. Before
proceeding with the transaction the acquiring company, or “acquirer” in this discussion,
will want to undertake a due diligence investigation of the outside party, the “target” in
this discussion, to identify potential risks associated with taking on the target’s duties and
obligations with respect to nonpublic personal information that the target has collected.
The acquirer will not only be concerned about liabilities associated with the target’s
operations before the closing of the transaction but will also want to gauge how much it
may need to invest in improving the security technology and practices of the target in
order to bring them to a level similar to that which exists throughout the rest of the
acquirer’s business.

The scope of the due diligence investigation will depend on the importance of data to the
target’s operations and the value that the acquirer attaches to such data. Other factors
include the geographic scope of the target’s business and the range of laws and
regulations specifically applicable to the target. The process is necessarily complicated
by the fact that the persons whose nonpublic personal information is in question have
generally not consented to disclosure of such information. In Canada, for example,
nonpublic personal information can only be disclosed during the due diligence leading up
to a prospective business transaction without the knowledge and consent of affected
individuals if the disclosure is necessary to determine whether to proceed with the
transaction, and if the determination is made to proceed with the transaction, to complete
it. This means that due diligence in this area needs to be narrowly focused on
information that is reasonably necessary under the particular circumstances. For
example, information about particular persons should not be requested when it is clear
that aggregate statistics will provide the acquirer with enough data to make an informed
decision. In addition, nonpublic personal information cannot be exchanged unless and
until the parties have entered into an appropriate agreement that requires the acquirer to use and
disclose that information solely for purposes related to the transaction, to protect that
information by security safeguards appropriate to the sensitivity of the information, and if
the transaction does not proceed, to return that information to the target, or destroy it,
within a reasonable time.

One commentator writing about due diligence in the context of mergers and acquisitions
involving Canadian firms suggested the following list of items as being appropriate for
assessing privacy and data security practices of a target:1

• Copies of privacy and data security policies and procedures, including security breach
response plans and cybersecurity governance and risk procedures;
• Information about privacy and cybersecurity audits, including how often they are
conducted and copies of recent reports;
• Information about the target’s process for obtaining, recording and giving effect to
withdrawal of consent by consumers, including copies of standard consent forms;
• Information respecting training of employees on privacy and cybersecurity
compliance, as well as copies of any agreements with employees related to such
matters;
• Information on any significant or recent security breaches and any actual or
threatened claims, complaints, litigation or regulatory action related to such breaches;
• Information relating to selection and management of vendors and other service
providers including policies and procedures, copies of vendor privacy and data
security questionnaires and copies of all contracts governing privacy commitments,
data protection and compliance with applicable laws; and
• Copies of any cybersecurity insurance policies.

1 L. Wasser, “Privacy and Cybersecurity Issues in Canadian M&A Transactions”, Deal Points: The
Newsletter of the Mergers and Acquisitions Committee of the Business Law Section of the American Bar
Association, XXI(2) Spring 2016, 3.

As is the case with many areas during any due diligence process the acquirer will
generally supplement document and record reviews with interviews and inspections by
technology specialists who can critically assess the controls and protections that the target
has actually put in place.

The same commentator emphasized that representations and warranties from the target in
any agreement entered into if the decision is made to proceed with the acquisition should
cover compliance with applicable laws and the target’s own policies and procedures,
compliance with all privacy and data protection requirements under contracts to which the
target is a party, adequacy of employee training, sufficiency of data security and
cybersecurity controls, and disclosure of material or recent privacy or data security
breaches or threatened/pending litigation. The acquisition agreement should also cover
allocation of financial responsibility for problems that may have arisen prior to closing
but which are not discovered until after the deal is completed. In addition, of course, the
results of the due diligence investigation may impact the value that the acquirer is willing
to place on the target and its business.

§24 International laws

As e-commerce grows in the world economy, one of the concomitant issues that must be
confronted is what to do with all of the personal data that is accumulated by merchants
from electronic transactions. At the very least, a mailing address and credit card number
are required to complete an online transaction (sometimes not even the address, if the
buyer is merely paying to download software). This information alone has many potential
uses and requires serious legal protection. The Internet, however, makes the protection of
personal information all the more complicated through certain automatic data-gathering
operations which take place. Whereas most personal data is freely given by the consumer,
“cookies” and other automated information trackers also add to the identifying
information that is transmitted over the Internet. Furthermore, most Web browsers
automatically create cache and history files that are meant to speed up access to
frequently visited sites, but these may also be used to identify a particular user’s
browsing habits and interests. That information could be of great use to advertisers and
sellers, let alone the criminal element. Today, many companies, regardless of their size
or line of business activities, operate a global website and/or are engaged in cross-border
communications that will inevitably involve the collection, use and transfer of personal
information and they are now obligated to do so in accordance with United States and
foreign laws and regulations pertaining to protection of personal data.

In the U.S., online collection of user information raises a number of privacy concerns.
Parties wanting or needing to collect information should take a number of steps to ensure
that users are aware that the information is being collected and that they knowingly
consent to the intended uses. The purpose for collecting the information (e.g., entering
the user in a contest or including the name of the user on a mailing list) should be
disclosed. Users should be informed about other contemplated uses of the information,
including the possibility that data will be shared with, or sold or otherwise distributed to,
others. If users are not required to provide the information to purchase the product or
service or participate in any other activity on the site, they should be informed. If the site
is employing passive methods for collecting information, such as navigational tracking
tools or browser files, users should be advised of these methods. They should also be
notified about the type of information being collected. If the information collected on the
site is subject to public posting, users should be encouraged to use a “screen name” or
some alternative means of identification other than full names. If e-mail addresses are
solicited and the site is not secure, users should be warned about the possibility that
unauthorized parties may be able to use their e-mail addresses to learn personal
information about them. If users are sent subsequent communications via e-mail,
procedures should be established that allow users to discontinue receipt of messages.

While there is some level of convergence on the international level regarding
fundamental legal principles relating to privacy and data security, attitudes
still vary substantially around the world regarding issues in these areas; and, in general,
U.S. website operators will find that foreign laws can be quite restrictive and mandate the
implementation of costly and complex security systems and procedures. For example, the
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,
which were first adopted in 1980 and updated in 2013, have become the basis for many
of the laws implemented around the world. The 2013 version of the Guidelines lays out
the following basic principles on national application:

• There should be limits to the collection of personal data and any such data should be
obtained by lawful and fair means and, where appropriate, with the knowledge or
consent of the data subject.
• Personal data should be relevant to the purposes for which they are to be used, and, to
the extent necessary for those purposes, should be accurate, complete and kept up-to-
date.
• The purposes for which personal data are collected should be specified not later than
at the time of data collection and the subsequent use limited to the fulfilment of those
purposes or such others as are not incompatible with those purposes and as are
specified on each occasion of change of purpose.
• Personal data should not be disclosed, made available or otherwise used for purposes
other than those specified above except with the consent of the data subject or by the
authority of law.
• Personal data should be protected by reasonable security safeguards against such risks
as loss or unauthorized access, destruction, use, modification or disclosure of data.
• There should be a general policy of openness about developments, practices and
policies with respect to personal data, and means should be readily available of
establishing the existence and nature of personal data, and the main purposes of their
use, as well as the identity and usual residence of the data controller.
• Individuals should have the right: (a) to obtain from a data controller, or otherwise,
confirmation of whether or not the data controller has data relating to them; (b) to
have communicated to them, data relating to them (i) within a reasonable time, (ii) at
a charge, if any, that is not excessive, (iii) in a reasonable manner; and (iv) in a form
that is readily intelligible to them; (c) to be given reasons if a request made under
subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to
challenge data relating to them and, if the challenge is successful to have the data
erased, rectified, completed or amended.

The Guidelines state that data controllers should be accountable for complying with
measures which give effect to the principles stated above. Specifically, data controllers
should:

• Have in place a privacy management program that: (i) gives effect to the Guidelines
for all personal data under its control; (ii) is tailored to the structure, scale, volume
and sensitivity of its operations; (iii) provides for appropriate safeguards based on
privacy risk assessment; (iv) is integrated into its governance structure and establishes
internal oversight mechanisms; (v) includes plans for responding to inquiries and
incidents; and (vi) is updated in light of ongoing monitoring and periodic assessment.
• Be prepared to demonstrate its privacy management program as appropriate, in
particular at the request of a competent privacy enforcement authority or another
entity responsible for promoting adherence to a code of conduct or similar
arrangement giving binding effect to the Guidelines.
• Provide notice, as appropriate, to privacy enforcement authorities or other relevant
authorities where there has been a significant security breach affecting personal data.
Where the breach is likely to adversely affect data subjects, a data controller should
notify affected data subjects.

The Guidelines also provide that a data controller remains accountable for personal data
under its control without regard to the location of the data, and that a Member country
should refrain from restricting transborder flows of personal data between itself and
another country where (a) the other country substantially observes the Guidelines or (b)
sufficient safeguards exist, including effective enforcement mechanisms and appropriate
measures put in place by the data controller, to ensure a continuing level of protection
consistent with the Guidelines. Any restrictions to transborder flows of personal data
should be proportionate to the risks presented, taking into account the sensitivity of the
data, and the purpose and context of the processing.
Finally, the Guidelines suggest that Member countries seeking to implement the
Guidelines should (a) develop national privacy strategies that reflect a coordinated
approach across governmental bodies; (b) adopt laws protecting privacy; (c) establish and
maintain privacy enforcement authorities with the governance, resources and technical
expertise necessary to exercise their powers effectively and to make decisions on an
objective, impartial and consistent basis; (d) encourage and support self-regulation,
whether in the form of codes of conduct or otherwise; (e) provide for reasonable means
for individuals to exercise their rights; (f) provide for adequate sanctions and remedies in
case of failures to comply with laws protecting privacy; (g) consider the adoption of
complementary measures, including education and awareness raising, skills development,
and the promotion of technical measures which help to protect privacy; (h) consider the
role of actors other than data controllers, in a manner appropriate to their individual role;
and (i) ensure that there is no unfair discrimination against data subjects.

Since the late 1990s, the most comprehensive and well-known foreign regulatory scheme
in this area has been the Data Directive in the European Union, which has served as the
basis (i.e., “minimum standards”) for the national laws in the EU Member States. US
companies doing business in the EU have needed to comply with the specific national laws
in each country where sensitive information is collected and reconcile the diverse
requirements of US and EU law when it is necessary to transfer information within the
company back and forth between the US and the EU. For a number of years, such
transfers have been conducted under the umbrella of a “safe harbor agreement”
negotiated between representatives of the US and the EU; however, the original version
of that agreement was struck down by the European Court of Justice in October 2015 and
subsequent discussions led to the creation of a new framework, the so-called “EU-US
Privacy Shield”, which imposes stricter rules and standards on US companies. In
addition, US companies will need to be aware of, and comply with, new national laws
that will be adopted throughout the EU in the near future to meet the uniform
standards included in a new General Data Protection Regulation relating to the protection
of individuals with regard to the processing of personal data and on the free movement of
such data, which will replace the EU Data Directive.

In addition, other major industrial countries, such as Canada and Japan, have their own
complex networks of privacy and security laws, which makes it challenging for global
companies to establish privacy-related standards and procedures that can be uniformly
applied across their entire organizational structure. The problems are multiplied in
countries such as Canada where there are provincial, as well as federal, laws that must be
adhered to and incorporated into any compliance program. Finally, privacy rights are
emerging in other economically important countries such as China.

§25 Tax considerations

Federal and state taxing authorities are subject to specific laws and regulations relating to
taxpayer privacy rights and the protection of information provided by taxpayers in
connection with compliance with applicable tax reporting and payment requirements.
Privacy rights at the federal level are set out in the Internal Revenue Code, Privacy Act of
1974 and the Freedom of Information Act. The Internal Revenue Service, as well as state
taxing authorities, may disclose information to other tax authorities, the Multistate Tax
Commission, appropriate federal and state governmental agencies and officials, and third
parties when necessary to determine or collect tax liabilities. Governmental agencies have
also established departments that are responsible for maintenance of taxpayer records and
receiving and processing requests for information contained in those records.
____________________
About the Author

This Work was written by Alan S. Gutterman, whose prolific output of practical guidance and tools for
legal and financial professionals, managers, entrepreneurs and investors has made him one of the best-
selling individual authors in the global legal publishing marketplace. His cornerstone work, Business
Transactions Solution, is an online-only product available and featured on Thomson Reuters’ Westlaw, the
world’s largest legal content platform, which includes almost 200 book-length modules covering the entire
lifecycle of a business. Alan has also authored or edited over 100 books on sustainable entrepreneurship,
leadership and management, business law and transactions, international law and business and technology
management for a number of publishers including Thomson Reuters, Practical Law, Kluwer, Aspatore,
Oxford, Quorum, ABA Press, Aspen, Sweet & Maxwell, Euromoney, Business Expert Press, Harvard
Business Publishing, CCH and BNA. Alan has extensive experience as a partner and senior counsel with
internationally recognized law firms counseling small and large business enterprises in the areas of general
corporate and securities matters, venture capital, mergers and acquisitions, international law and
transactions, strategic business alliances, technology transfers and intellectual property, and has also held
senior management positions with several technology-based businesses including service as the chief legal
officer of a leading international distributor of IT products headquartered in Silicon Valley and as the chief
operating officer of an emerging broadband media company. He has been an adjunct faculty member at
several colleges and universities, including Berkeley Law, Golden Gate University, Hastings College of
Law, Santa Clara University and the University of San Francisco, teaching classes on corporate finance,
venture capital, corporate governance, Japanese business law and law and economic development. He has
also launched and oversees projects relating to promoting the civil and human rights of older persons and a
human rights-based approach to entrepreneurship. He received his A.B., M.B.A., and J.D. from the
University of California at Berkeley, a D.B.A. from Golden Gate University, and a Ph. D. from the
University of Cambridge. For more information about Alan and his activities, please contact him directly
at alangutterman@gmail.com, follow him on LinkedIn, subscribe to his newsletters (Older Persons’ Rights
Project and Entrepreneurship | Human Rights) and visit his personal website. Many of Alan’s research
papers and other publications are also available through SSRN and Google Scholar.

Copyright Matters, Permitted Uses, Disclaimers and Suggested Citation

Copyright © 2023 by Alan S. Gutterman. All the rights of a copyright owner in this Work are reserved and
retained by Alan S. Gutterman; however, the copyright owner grants the public the non-exclusive right to
copy, distribute, or display the Work under a Creative Commons Attribution-NonCommercial-ShareAlike
(CC BY-NC-SA) 4.0 License. The author, Alan S. Gutterman, declares that there is no conflict of interest,
and no financial support was received for the research, authorship and/or publication of this Work.

090923