    Data Protection in a Nutshell: What You Need to Know

    July 9, 2008

The collection and use of personal data should be a primary concern for any organization conducting business in the US or abroad. State, federal and international laws impose restrictions on data storage and transfer that make data collection and use a fairly risky business. Organizations must ensure that they are processing, storing and transferring data efficiently, securely and in accordance with these laws. One improper move may place the organization in the midst of a public relations nightmare. Considering this risk and the number of people who could be affected by one mistake, it is imperative for executives to have some basic understanding of the protection of personal data.

    First, it is important to understand the type of data that is at issue. “Personal data” traditionally has been defined as any type of information that can identify an individual, such as a person’s name, place of work or email address. This definition appears to be changing, however, as networking Web sites, such as MySpace, Facebook and LinkedIn, make this type of data less personal and more public. As a result, the trend seems to be for the definition of “personal data” to include only the type of data that is not publicly available, such as your driver’s license, credit card or Social Security numbers. This trend is most apparent in a review of contemplated and recently enacted state privacy laws, which limit the definition of “personal data” to information that is more sensitive and not the type that you could find via a Google search on the Internet.

    Because there is not a consistent definition of “personal data,” organizations that are collecting any type of information from customers or consumers should define what they consider “personal data” in a privacy policy posted on their corporate Web site or in an employee handbook. 

    The definition of protectable data may also change depending on the organization at issue. For example, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability & Accountability Act (HIPAA) are federal laws that provide heightened restrictions for entities collecting certain types of information. Specifically, only financial institutions, such as companies providing credit card services, credit counseling or lending services that are collecting financial data from individuals should concern themselves with the requirements of GLBA, while the requirements of HIPAA apply only to organizations that are collecting protected health information from individuals. Because these statutes are complex and very specific in their applicability, if you believe your organization is collecting data covered by either of these laws, you should check with an attorney to ensure compliance.

It is also important to be clear on what your organization considers “personal data” so that you may describe when your organization may or may not be sharing this data with third parties. Typically, this description is provided in the privacy policy posted on your Web site or, in the case of employees, in your employment agreement. At the very least, an organization should retain the right to share data in certain pre-defined situations, such as to comply with a legal order or in the event of an asset acquisition. You also may want to explain how and when your organization may share certain data with unaffiliated third parties, and whether the individual will have the opportunity to object to this disclosure. Finally, when your organization obtains and uses data collected from a third party, you should make certain that the third party has received the appropriate permission from the affected users to share the data with your organization.

Similarly, before sharing personal data with any third party, you should consider placing restrictions on that party’s use of the data to ensure that your customers and employees are protected. For example, if an organization intends to share member data with an advertising agency, it should have an agreement in place with the agency restricting its use of the member data or, at the very least, requiring the agency to keep the data as securely as you have maintained it. Imagine how upset a member would be if you shared its membership data with a third party that subsequently had a security breach.

This final thought leads to another important concern – the security of the personal data stored by your organization. Many states have enacted or are contemplating laws that require a company to maintain a heightened level of security for more sensitive data (such as credit card or Social Security numbers). For example, Connecticut recently passed a law requiring all organizations that collect data that is not publicly available (e.g., credit card data, Social Security numbers, etc.) to both safeguard the data from misuse by third parties and destroy, erase or make unreadable any such data prior to disposal. Several other states have already enacted similar laws. Considering this, an organization should ensure that its IT department or personnel are, at the very least, encrypting data and destroying the data that is no longer needed.

    No matter how careful an organization is with the protection of its data, there is still a possibility for a breach. In the event of a breach, many states require an organization to notify all affected persons, in addition to the state attorney general, if the data was not encrypted. The notification that is required depends upon the state at issue and the type of data that has been disclosed. Considering the intricacies and potential complexities of these requirements, you should check with your attorney to ensure you are complying with the applicable law in the event of a breach.

Finally, there is one last risk for you to consider – the risk of violating an international law. In today’s global economy, many organizations are transferring data to international subsidiaries, affiliates or partners. The sharing of data in this manner can be subject to fairly strict regulation and restrictions, depending on the country into which you send the data. For example, if you share data with a German subsidiary, that German entity will not be able to transfer the data back to the United States without registering the transfer and, in some instances, obtaining consent from the affected German residents. Further, if you transfer data to a company in the Netherlands for processing and storage, you may have to obtain approval from the Netherlands authorities. Thus, it is important that you consider the privacy laws of the country in which you plan to store or process your data before outsourcing any work to that country.

    The above should provide your organization with the guidelines it needs to identify any issues related to the protection of personal data collected from both employees and customers. If you have any questions or want further information, please contact Anthony V. Lupo or Sarah Bruno.

    Anthony V. Lupo
    lupo.anthony@arentfox.com
    202.857.6353

    Sarah L. Bruno
    bruno.sarah@arentfox.com
    202.775.5760
