In spite of all its success, Uber has been in the news lately for all the wrong reasons. Recent comments by a top Uber executive about using journalists’ private information against them have thrown the company’s rather cavalier attitude towards consumer privacy into the limelight.
Apart from collecting personal data, such as the names and addresses of its customers, Uber’s “Godview” tool allows it to gather information about the physical location of its customers and vehicles in real time. In reaction to severe media backlash as well as criticism by the U.S. Senate, the company has hired a team of lawyers to review its policies on data collection and protection. These events raise an important question:
"What best practices should a company follow when gathering and storing sensitive personal data?"
If you’re a tech company or any other company that collects consumer or employee data, you likely have access to social security numbers, credit information, payment information, and criminal and health records. As useful as this data might be for improving user experience and targeting marketing operations, compromised personal information may lead to a series of damaging consequences, including fraud and identity theft.
Data leakages may occur inadvertently or be the result of intentional data trade. Either way, your company takes a hit to its reputation, can be sued for publication of private information and could possibly be targeted by law enforcement.
The Law of Data Privacy in the United States
Unfortunately, the rules regulating data protection in the U.S. are messy and confusing. As of now, there is no federal law governing the subject nor is there expected to be one. Several states have, however, enacted their own laws regulating data, often covering only specific industries (such as health), resulting in a hard-to-navigate framework. The Federal Trade Commission (FTC) has also been going after companies that are negligent with private data as detailed below.
5 Data Privacy Best Practices
With no real direction or rules to follow, companies are left to decide their own practices, often ignoring the repercussions of mishandling private data. With technology, legal framework and public opinion constantly evolving, it’s best to be conservative and set out certain best practices from inception. This post lists a few ways your organization can protect its data reserves.
1. Limit What Data You Collect
Based on how you collect private information, your data may consist of a wide variety of information. While it may seem like a great idea to keep this information “because you can,” it increases your responsibility and possibly even your security costs. A better alternative might be to keep only information that you actually need.
Since some data is more sensitive than other data, classifying data by risk factor is also useful in determining what kind of security protocol you’d use. Very sensitive or classified data should have several layers of protection, be located on limited devices, and have limited employee access, as elaborated in the next section.
2. Regulate Employee Access
Recent reports have suggested that private data was freely accessible and circulated amongst all of Uber’s employees. Naturally, the more accessible information is, the more susceptible it is to being compromised. In implementing security measures, a key aspect to consider is who has access to the data. It is best to limit access to any private data on a “need-to-know” basis or by pre-defined security clearances.
Employees also need to be sensitized to the gravity of data protection issues, both at the time of hiring and through regular programs on data protocol. An attorney can help you develop a protocol for your employees to treat all personalized information as confidential (even amongst employees), educate your employees on their legal obligations under their employment contract, and protect your organization with contractual tools like damages and indemnity in the event of a breach.
4. Set a Timeline for Storing Data
In addition to limiting the information you acquire and store in the first place, it is advisable to delete personally identifiable data when you no longer have a need for it, for example by deleting credit card information after a single transaction. The Federal Disposal Rule tells you specifically how to destroy data.
It is always a good practice to maintain logs of when each piece of data was acquired, how it was used, with whom it was shared and how it was deleted. An attorney can help you with drafting an employee manual, setting out organization-specific practices with respect to data storage including access thresholds, information recording, and procedures to follow in the event of a breach. Having an attorney-drafted data protection policy in place will go a long way in ensuring your organization stays compliant with local and federal regulations, and stays off the regulator’s radar.
5. Consider Cyber Insurance
You may have protected your servers with excellent security measures, but it is quite possible that cyber criminals utilize even more sophisticated means to bypass your security. In cases like these, your entire bank of data is vulnerable to theft. Cyber insurance may shield you from the liabilities that arise in the event of such a breach. While you probably won’t need insurance when you have only a few employees, it’s definitely worth the costs as your company grows.
Since the regulations on data privacy vary in different parts of the country, and are constantly evolving with advancing technology, looping in an attorney to stay in the clear is important for any business that collects personal data. Priori Legal has the network and the expertise to match you with the right lawyer suited to your needs.