Unfortunately, many businesses, particularly small- and medium-sized businesses, think that’s enough. These businesses lack well-designed internal privacy and security policies, which are a critical piece of the puzzle. While this can be due to limited resources or slow adoption by leadership, it often arises simply because the business does not realize the importance of developing these policies. In this post, we will take a look at why internal privacy and security policies are important for your organization.
How Important Is It That I Have Internal Privacy and Security Policies?
Compliance with External Privacy Policies
Evidence of Reasonableness
Implementing internal privacy and security policies that clearly outline your business’ approach to safeguarding personal information can also be important in the event of a privacy or security breach. Regulators investigating a breach will almost certainly ask whether your business has written policies relating to privacy and security and will consider the existence of such policies positive evidence that your business takes its role as a data steward seriously. Indeed, on several occasions the FTC has cited the absence of a written information security plan as evidence that a company did not act reasonably (see e.g., the FTC case against Uber).
Of course, policies by themselves will not insulate your business from reprisal; you must also faithfully practice those policies, monitor compliance with them, and regularly review them to stay abreast of evolving threats, laws, and organizational changes. But it can be helpful if, in the aftermath of a privacy or security breach, you can show that you undertook efforts to clearly outline what actions are unacceptable and to educate and train your employees accordingly.
Required by Some Statutes and Regulations
Depending on the types of data you handle, you may also be required by law or regulation to maintain written internal privacy and security policies. For example, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule, 45 C.F.R. Part 160, requires that covered entities maintain written security policies and procedures. Similarly, the Safeguards Rule, which implements Section 501(b) of the Gramm-Leach-Bliley Act (“GLB”), 15 U.S.C. § 6801(b), requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program. For purposes of GLB, financial institutions are not merely banks but any business “significantly engaged” in providing financial products or services. In May 2018, the FTC charged peer-to-peer payment provider Venmo (operated by PayPal) with violating the Safeguards Rule, in part for failing to maintain a written information security program.
What Is Involved in Developing These Policies?
If you have questions about writing or implementing internal privacy and security policies and procedures, please contact us. We can help you craft policies that align with the laws, regulations, and best practices that apply to your business.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.