This article was originally posted in the Union Leader.
NH Legal Perspective: Misrepresenting Data Security Measures Puts Businesses at Risk
By J.P. Harris
January 25, 2020
It is hard to go a week without hearing or reading in the news of a cybersecurity event of one kind or another. It is now an essential function of just about every business and not-for-profit to manage these risks.
States and the federal government continue to increase and change the regulations requiring those who possess sensitive data — which is nearly every business and not-for-profit — to keep it safe. It is also becoming more common for statutes or regulations to provide rights to citizens to know what data is collected about them and how it is used.
Business leaders should think of cyber-compliance as they think of complying with the dozens of employment laws and regulations that govern their day-to-day activities. Those who fail to analyze and deal with all aspects of cyber risk, including regulatory compliance, expose their entities to fines and costly data breaches.
There is another aspect to consider. As consumers become savvier regarding their privacy rights in this evolving digital world, businesses will continue to differentiate themselves based on the extent to which they can offer security and privacy. In that way, market forces may help push companies toward better and more robust protections of data, while regulators do the same in their way.
Companies should be mindful, however, that misrepresenting their security and privacy measures is itself against the law. The Federal Trade Commission (FTC) is one agency that monitors the veracity of companies’ statements to consumers about data privacy measures.
For example, on Jan. 16, the FTC announced it had settled complaints with five companies that allegedly misrepresented their participation in the E.U.-U.S. Privacy Shield Framework, which allows companies to transfer consumer data from European countries to the United States.
Four of the companies allegedly falsely claimed on their websites that they had received certifications under the Privacy Shield Framework. The FTC alleged that the fifth company allowed its certification to lapse and failed to verify its compliance annually, but continued to represent to consumers that it was so certified. On Jan. 9, the FTC announced it had finalized a settlement with a California company facing similar allegations. That company’s published privacy policy indicated that the company had been certified under the framework, when it allegedly lacked such a certification.
On Dec. 17, the FTC announced it had settled a complaint against another company that helped consumers unsubscribe from email lists and consolidate email subscriptions. The company allegedly falsely told consumers that it would not “touch” their personal emails in the process. In reality, the company was sharing some of the information gleaned from the email accounts with its parent company, which then aggregated data on buying habits to perform market research analytics on products it sells. Again, a central part of the FTC’s action was based on a company’s misstating what it did with consumers’ data.
These examples are not outliers. What can be learned from them? Most businesses and many not-for-profits must implement privacy and security measures, whether because laws require them, because the market makes them essential, or both. Determining what kinds of data need to be protected, where that data resides, who has access to it, and how to protect it is not an easy task, but it is essential to satisfying regulatory requirements and mitigating risk.
Once the data is known, privacy and security policies need to be specifically tailored to that data. It is not enough to copy a privacy policy from the internet, half-heartedly adopt it, and publish it to the world as "your policy." Copying a generic policy likely exposes a company to enforcement actions for misrepresenting its actual practices. At the same time, whatever policies are adopted set the standard by which companies and not-for-profits will be judged.
In short, you’d better be able to satisfy whatever promises are made in your policies.
Companies need to take a long-term view of cyber compliance. It is not enough to adopt a policy that is satisfactory on day one and then forget about it. For one thing, technology and data change. Companies' use of data also changes over time. Bad actors will continue to change the ways they attack data too. Policies therefore need to be re-evaluated regularly to ensure they still match the company's specific needs and uses.
Failing to do so increases the chance that a company misrepresents to consumers how data is kept and used, which is itself a regulatory risk. A security and privacy review, including a data impact risk assessment, will almost certainly reveal weaknesses and things that can be improved. Companies need to budget for the investments that will inevitably be required to remain compliant and to secure a competitive advantage in the marketplace.
If companies think about cyber compliance like they think about complying with wage and hour or employment laws, for example, they will be better positioned to thrive in the ever-changing digital age.