In my software consulting years, it was remarkably routine for clients to concede that they had never read their own procedures and documents. While it lent itself to amusing anecdotes like the database administrator who kept his notes in Klingon, the phenomenon reflects a practical problem: employees cannot fulfill obligations they do not know about. Ignorance makes compliance impossible.
In the Privacy Policy context, what you don’t know can certainly hurt you. An aged Privacy Policy is like expired cheese: it can never help you, but it definitely has the potential to injure you.
Yet many mistakes are easy fixes. Here are the top ten we deal with most often.
10. Wrong State. Different states impose different requirements. For instance, Connecticut requires specific provisions pertaining to Social Security Numbers. All too often however, policies do not address the nuances of applicable state laws. The company needs to be familiar with the applicable state law, and the Policy should reflect that.
9. Wrong Data. Systems evolve. Features are added. Bugs are discovered. And these changes invariably impact the data that is collected. Each change may be marginal on its own. Their cumulative and compounded effect however, is often gargantuan. If the Policy does not accurately reflect the data currently being collected, it is simply a powerful tool in the hands of plaintiff’s counsel.
8. Wrong Link. Many state and federal regulations require that a Privacy Policy be easily accessible. Yet companies frequently overlook this requirement, placing the Policy in the cyber equivalent of a dark, musty and locked basement. The link to the Privacy Policy should be visible, working, and regularly tested.
7. Wrong Technology. In an effort to address customer and regulator concerns, companies occasionally succumb to the temptation to swank: to list the powerful technology they use to process and protect information. This approach has two problems. First, any specific technology will likely be quickly out-moded. Second, companies evolve, and do so by degrees. They migrate to new technologies; before migration, they may run pilot projects on leased space. This is a perfectly prudent approach in the cloud computing era. But it does mean that the Privacy Policy promise of the X-J-2000 QuantumProcessor with six factor authentication is going to be inaccurate within days of the Policy being drafted. Privacy Policies should explain general data protection mechanisms and principles, but avoid committing to specific technologies.
6. Wrong Promise. Privacy Policies often promise never to sell data. But that may be an impossible promise. In an era of mergers, acquisitions and sales, such a promise can – and has – created impediments to sales of the company. After all, if the value in the company is its data, regulators, including the FTC, have taken the view that sale of the company amounts to an impermissible de facto sale of the data. Don’t paint yourself into a corner.
5. Wrong Promise Part Two. Privacy Policies often promise never to share data. This is another impossible promise. Third party contractors, vendors, security consultants, and individuals and entities outside the company will almost invariably have access to the data at some point, however fleetingly. The Privacy Policy should address this. As an added precaution, it should note that data may be shared under compulsion such as a court order or subpoena.
4. Wrong Guarantee. Privacy Policies frequently promise excellent security: “state of the art” is one term that crops up with disturbing frequency. Even assuming that this is a promise that is kept, the problem is that “state of the art”, like beauty, lies in the eye of the beholder. Stay away from promises that lend themselves to differing interpretations.
3. Wrong Version. There is an almost irresistible institutional impulse to draft a top-shelf gold plated Privacy Policy, and then carefully file it away never to be seen again. Meanwhile, the passage of time and changes in business ensure that the Policy is antiquated on its first birthday, if not before. We have seen Privacy Policies that refer to processes and products used a decade ago. The answer: ensure that the most current and accurate Policy is on display.
2. Wrong Training. Far too many employees have never read the Privacy Policy. They are busy. Indeed, a safe rule of thumb is that the more critical an employee, whether technically or organizationally, the less likely they are to have read it. Employees that have not read a Policy cannot comply with it. The simple solution: identify the employees who need to be familiar with the terms of the Policy. And make sure they are.
1. Wrong Practice. If there is one area that draws the attention of plaintiff’s attorneys and regulators alike, it is the divergence between the promises of a Privacy Policy, and the actual practices of the company. Absent an ongoing process of self-monitoring and revision, such divergence is inevitable. The simple solution: if the company’s practices and Privacy Policy promises are not identical, one or the other must be adjusted until they are.
| © Poyner Spruill LLP. All rights reserved.