In this environment of growing attention to the risks of data security breaches, and in the midst of an explosion of mobile applications that make data storage an increasingly far-flung proposition, many organizations assume that the first line of defense for a company with a website or a mobile app is a good privacy policy.

In its March 26, 2012, report on privacy policy guidelines, "Protecting Consumer Privacy in an Era of Rapid Change," the Federal Trade Commission (FTC) made a number of recommendations that will affect the content of privacy policies going forward. In December, the FTC followed up those recommendations with significant changes to the Children's Online Privacy Protection Rule, and in January 2013, California's attorney general issued recommendations for privacy practices for developers of mobile applications to observe. The bottom line is that posting a privacy policy is not enough. At a minimum, companies with websites or mobile apps should be aware of the following:

1. The most important thing about a privacy policy is that it accurately reflect actual practice. The FTC does not dictate the contents of a privacy policy, but it can -- and does -- bring enforcement actions where companies with websites or mobile apps do not adhere to the privacy policies they post.
2. When a privacy policy is revised, information collected under the previous policy cannot be used or disclosed pursuant to the terms of a (more liberal) revised policy, without the consent of the consumer. This means that a company with a website or mobile app must keep track of what personally identifiable information is collected under each revision of its policy. 
3. Where the user "clicks" his/her consent to a website's Terms of Use or Privacy Policy, they are more likely to be found enforceable than where no affirmative action is required. Wherever possible, a company with a website or mobile app should locate a link to its privacy policy at those points where personal information is collected and require agreement at the time that information is submitted. 
4. The company will need to require that third parties who will see personal information of visitors (Web hosts, for example) agree in writing to keep that personal information confidential and secure. 

Managing the risk

But to effectively manage the risk associated with collecting, storing and using personal information, a company with a website or a mobile app -- indeed, every organization that collects personal information -- should do much more than simply post a privacy policy. For example, the organization should take the following actions:

• Identify what personal data the organization has in its possession, and where (including laptops and portable devices), and evaluate whether some of it could be deleted;
• Include in its inquiry information collected offline as well as that collected online;
• Focus on all information that can reasonably be linked to a consumer, or a computer or a device, because the traditional distinction between personally identifiable information and non-personally identifiable information has become blurred;
• Limit the information it collects (online and by other means) to what is necessary for the purpose for which it is collected, use the information collected only for that purpose, limit disclosure of the information to those with a need to use it for the purpose, retain it only as long as is necessary to fulfill the purpose and delete it when it is no longer needed;
• Identify foreseeable threats to the organization's information and its underlying information systems. Many of these threats are not exotic, but include the mishandling of passwords and thumb-drives, along with potential loss of information during document disposal, transport of personal information from one point to another, remote access and overseas travel;
• Assess its administrative, physical and technical information security controls (including record retention policies) currently in place, and improve them where necessary or desirable;
• Develop and test specific procedures for responding to a security breach;
• Address privacy at every stage in the development of its products and services, and in its overall operations;
• Review its contractual arrangements with service providers that have access to personal information (including cloud computing arrangements), and be sure such service providers have agreed in writing to protect the confidentiality, integrity and availability of that personal information;
• Designate a person to be responsible for the implementation and effectiveness of the organization's privacy efforts;
• Communicate the importance of data security throughout the organization, and train those responsible for the handling of personal information;
• Consider the use of privacy-enhancing technologies (PETs), such as encryption;
• Review and update the organization's policies and procedures annually, and also in conjunction with any change in business processes that affects the security of personal information (such as outsourcing call center functions); and
• Recognize that other countries address data security differently than the U.S. If the organization collects personal information from individuals outside the U.S., via its website, mobile or otherwise, it will need to be sure it obtains their consent or otherwise complies with applicable law.

An organization that takes the steps outlined above will be more likely to prevent a security breach, and better prepared in the event one occurs, than one that posts a privacy policy but does no more.

16 May 2013