- The company will need to require that third parties who will see personal information of visitors (Web hosts, for example) agree in writing to keep that personal information confidential and secure.
Managing the risk
- Identify what personal data the organization has in its possession, and where (including laptops and portable devices), and evaluate whether some of it could be deleted;
- Include in its inquiry information collected offline as well as that collected online;
- Focus on all information that can reasonably be linked to a consumer, or a computer or a device, because the traditional distinction between personally identifiable information and non-personally identifiable information has become blurred;
- Limit the information it collects (online and by other means) to what is necessary for the purpose for which it is collected, use the information collected only for that purpose, limit disclosure of the information to those with a need to use it for the purpose, retain it only as long as is necessary to fulfill the purpose and delete it when it is no longer needed;
- Identify foreseeable threats to the organization's information and its underlying information systems. Many of these threats are not exotic, but include the mishandling of passwords and thumb-drives, along with potential loss of information during document disposal, transport of personal information from one point to another, remote access and overseas travel;
- Assess its administrative, physical and technical information security controls (including record retention policies) currently in place, and improve them where necessary or desirable;
- Develop and test specific procedures for responding to a security breach;
- Address privacy at every stage in the development of its products and services, and in its overall operations;
- Review its contractual arrangements with service providers that have access to personal information (including cloud computing arrangements), and be sure such service providers have agreed in writing to protect the confidentiality, integrity and availability of that personal information;
- Designate a person to be responsible for the implementation and effectiveness of the organization's privacy efforts;
- Communicate the importance of data security throughout the organization, and train those responsible for the handling of personal information;
- Consider the use of privacy-enhancing technologies (PETs), such as encryption;
- Review and update the organization's policies and procedures annually, and also in conjunction with any change in business processes that affects the security of personal information (such as outsourcing call center functions); and
- Recognize that other countries address data security differently than the U.S. If the organization collects personal information from individuals outside the U.S., via its website, mobile or otherwise, it will need to be sure it obtains their consent or otherwise complies with applicable law.