Developing a Holistic Legal Approach to Information Privacy & Data Security

Information privacy and data security raise distinct legal challenges for businesses in the technology and communication sectors, where commercial agreements and contracts with third-party vendors are common. Because these relationships necessarily involve sharing data, commercial agreements must often address data ownership, usage rights, liability parameters and related areas. This is especially true where PII, PHI or payment card data is involved and the business must comply with statutes such as HIPAA, GLBA and GDPR, or with industry standards such as PCI DSS.

A business’s contracts and agreements must contain highly specific language governing data collection, use and sharing. For example, binding corporate rules may be required for multinational companies that transfer personal data across corporate divisions operating in different countries. Even startups must address data processing compliance when international laws apply to the data they handle. This includes rules for handling data, as well as responsibilities and processes in the event of a breach.

Information privacy and data security require a holistic approach that addresses these issues at both the business and the individual employee level, because private data can be stolen through email exchanges, social media and mobile device communication. Everything from passwords and access credentials to technology and governance policies needs to be part of the data security framework. In the age of “bring your own device” (BYOD) and the mobile workforce, that framework should at minimum include:

  • Mobile device management
  • Multifactor authentication, and where appropriate biometrics, governed by strict access protocols and administration
  • Encryption of data in transit (and at rest)
  • Next-generation firewalls to segment and inspect traffic within the network

Companies must have formal processes for reviewing how information technology security measures are implemented wherever data and privacy are involved. This starts with firewalls, software and encryption, as well as device management, cloud security and access controls such as MFA. It continues with a solid approach to backup and disaster recovery planning, which also plays a part in data security and privacy.

Third-party Vendor Data Security Measures

While these internal company frameworks are important, it’s equally vital to ensure that the same types of frameworks are in place at third-party vendors. It’s not uncommon for contracts and agreements to require vendors to complete a data security questionnaire or to undergo an audit of their data security practices and facilities. This can include demonstrating adherence to recognized attestation and certification regimes, such as a SOC 2 report under SSAE 18 (the successor to SSAE 16), ISO/IEC 27001 certification, or other related data security standards.

An audit of third-party vendor agreements can assess each vendor’s ability to protect data and confirm that contractual provisions are in place to ensure compliance. The same due diligence and contract review should be performed for every new vendor. Companies should also document the types of information transmitted to or stored by each vendor and assess the security of that transmission and storage.

Vendor contracts must explicitly limit data collection and use to very specific purposes and parameters. As the party entrusted with that personal data, and as the owner of its own proprietary data, the business must have internal and external controls covering incident response and reporting. This includes audit rights and legal recourse provisions, such as insurance requirements and indemnification clauses, that contractually bind third-party vendors with respect to data privacy.

Developing a Comprehensive Privacy and Data Security Program

A company’s data privacy and security program must address the legal, information technology, operational, human resources and business-use requirements and processes across all internal and external touchpoints. This can begin with adherence to the recognized standards published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).

Because many technology and communication companies, from startups to large corporations, are subject to regulatory audits, they must have the systems and records in place to support such audits. This is crucial to demonstrating the legal standing of their findings to state, federal or international regulatory bodies that request them in the event of a breach.

Drafting the contracts and agreements that protect a company’s data use and privacy has to be part of a broader understanding of its overall privacy and data protection program. The support of a skilled and experienced security and privacy law firm can be crucial to protecting data in the digital age.