Resources to assist counsel in creating, implementing and reviewing a company's privacy and data security compliance programs.
Almost every company collects and maintains the personal information (www.practicallaw.com/1-501-8805) of its employees, customers and other individuals. Companies must pay close attention to privacy and data security laws governing the collection, use, transfer and disposal of this personal information.
Failure to comply with these laws can lead to significant adverse consequences, including:
Diminished brand reputation and lost sales.
Government investigations and sanctions.
Having to defend against private lawsuits.
In the US, the patchwork of federal and state privacy and data security laws continues to evolve, creating a considerable compliance challenge for companies. Federal laws include:
Broad consumer protection laws like the Federal Trade Commission Act (www.practicallaw.com/6-383-6476), prohibiting unfair or deceptive business acts.
Sector-specific laws like the Gramm-Leach-Bliley Act (www.practicallaw.com/7-501-3428), which applies to financial institutions, and the Health Insurance Portability and Accountability Act (www.practicallaw.com/1-501-6222) (HIPAA), which applies to protected health information (www.practicallaw.com/8-501-6596).
At the same time, states continue to adopt their own laws covering the collection, use, disclosure and protection of personal information with varying requirements. Most significantly, Massachusetts' data security regulations went into effect on March 1, 2010. The law requires businesses that own, store, license or maintain personal information of Massachusetts' residents to develop written information security programs and set up specific data security safeguards.
Companies with an international presence also must comply with the data protection laws in each jurisdiction where they operate. For example, the EU Data Protection Directive (www.practicallaw.com/6-501-7455) restricts the transfer of personal data (www.practicallaw.com/8-501-8067) of EU residents to countries (including the US) that are deemed to have inadequate privacy protections unless certain additional requirements are met.
With the law in this area constantly evolving, companies need to ensure that their privacy and data security practices reflect operational realities and are continuously kept up to date.
The Privacy and Data Security Toolkit provides several resources designed to help counsel create, set up and review a company's privacy and data security compliance programs.