In our last blog post, we discussed the concept and history of privacy and the legal and societal expectations in the U.S. relating to the treatment of other peoples’ information. Here, we’ll discuss in greater detail the potential fallout of information mismanagement, separately from legality, and how the concept of mismanagement might not be so straightforward. We’ll also discuss some of the measures you can take, outside of carefully constructing a privacy policy, that can provide you with an added degree of protection if anything goes wrong.
There are many ways to treat personal information in the U.S. that are surprisingly legal. Take “shoulder surfing”, for example. This practice, in which interviewers ask job applicants to log on to Facebook or other social media during an interview (or else provide the password to said account for separate review), should be avoided despite it not being strictly illegal, as it could reveal perceived negative information about the applicant that cannot legally be used as grounds for not hiring. In such a situation, this shifts the burden of proof to the employer in the event that the applicant is not hired, and proving that information was inappropriately used in a decision process can be very difficult.
There are many other examples of behaviors that, while not illegal, violate social norms and can lead to significant fallout. Uber is a prime example of a company that has struggled with these kinds of issues; for example, the amount of information that is reserved for the company in their privacy policy is so extensive that it has prompted the Electronic Privacy Information Center to file a complaint with the Federal Trade Commission. In addition, Uber has previously been accused of failing to respond appropriately to a breach that released the names and license plate numbers of 50,000 of their drivers, not to mention publicly tracking, in real time, 30 of their users during a launch party.
As this incident shows, issues could arise even when you are explicit in what information you are collecting and how you are using it. However, this doesn’t mean that you shouldn’t provide such explicit information in service agreements; indeed, not providing it could be far more problematic, and possibly illegal. Take a recent complaint filed with the Federal Trade Commission against Google, in which it was claimed that the company is collecting information from students that it is not entitled to.
Of course, these kinds of issues are not just limited to the U.S. – indeed, they become even more complicated when approaching things from a more global perspective. For example, what happens when someone asks for their information to be removed from search results, or from a publicly accessible database? This may very well depend on the country in which such a request is submitted. In particular, the EU has over time established the importance of the “right to be forgotten”, something that is not generally recognized under U.S. law. The reasons for this legal difference are not clear, but it does seem as though culture plays a role; recent European history involving totalitarian regimes and government data collection contrasts sharply in this case with the very strong American legal tradition of freedom of speech and of the press. Indeed, the potential for such cultural differences can be seen linguistically – many languages either don’t have separate words for “privacy” and “secrecy” or else borrow the word “privacy” directly from English. It’s very important to keep potential cultural differences in mind if your company is based in the U.S. but does work overseas, since certain ways of managing information that might seem appropriate to you may not be acceptable to individuals in other countries.
Given the complexity of privacy law, it should be unsurprising that the handling of data can often result in legal action and the assessment of financial damages. This is especially true in the U.S., where class-action lawsuits are a much more commonly used method of redress than in Europe. The costs incurred from such legal issues, as in many other areas of business, may be too great for a company to bear, in which case purchasing insurance to protect yourself may be reasonable. Many companies have begun to offer insurance specifically covering costs arising from privacy violations, with a great deal of flexibility in selecting particular coverages in order to best suit individual client needs. Some even specialize for particular kinds of data, like health care information. For more information on cyber insurance and other potential risk management approaches, refer to our e-book about Cyber Insurance.
Handling information is a necessary part of business, all the more so now that the internet is involved in nearly every element of our work. While the privacy concerns that come with this task are not only significant but frequently confusing and variable depending on the country you are doing business in, it’s nonetheless important to thoroughly understand the risks and take steps to safeguard your business in the event that these issues cause you trouble down the road.