Online marketing. Social media. Electronic payment systems. Ubiquitous mobile devices and consumer electronics, all of which can ultimately be connected to the “Internet of Things.” Each of these is a communication channel that offers businesses wide access to personal information, allowing for convenient customization of products and services. The danger? Exposure and liability when criminal activity or internal technology failure results in lost or compromised customer and/or company data. When working with vendors there may be additional risk in the event of a data breach, and it’s imperative to show reasonable steps were taken to protect data.
The complexity of statutes and regulations that govern data collection, storage, and disposal is compounded by variances in laws when your business operates in multiple states or internationally. With no single federal standard that answers every data privacy scenario, organizations are forced to mitigate risk by continuously updating their cybersecurity processes and policies, or face potentially significant legal consequences by failing to do so.
Healthcare and financial service organizations face intense scrutiny regarding their practices for collecting, using, and securing personal health and financial information under the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA).
Other industries are not immune, as evidenced by the Federal Trade Commission’s (FTC) increasing number of enforcement actions against retailers, hotels, technology companies, and fitness centers alleged to have taken insufficient steps to protect customers’ private information.
As federal and state legislators, regulatory agencies, and industry organizations consider additional legal requirements, all businesses need to know:
- what types of information are protected
- their legal obligations in the collection, security, and disposal of such information
- their responsibilities for notifying customers, law enforcement, and regulatory agencies if there is a data security breach.
Our Privacy and Information Security practice offers a wide range of knowledge, skills, and experience in counseling clients on electronic communications, cybersecurity, privacy, and data protection issues. The group includes members who are CIPP/US certified by the International Association of Privacy Professionals (IAPP) and have substantial experience advising and representing internet service providers, retailers, utilities, and companies in the telecommunications and healthcare industries. In addition, we counsel businesses in managing risk related to data collection and security through contracts with vendors and others and in preparing and adopting privacy and business policies.
We appreciate your interest in Stoll Keenon Ogden. If you are not a current client, do not include any confidential or secret information in your email. SKO may not have a duty or legal obligation to keep confidential any information that you provide to us (in person or electronically) until you become a client of the firm.
For your own protection, please do not send any information specific to your legal needs until you obtain approval from an SKO Attorney.