A company’s privacy or security policy is a commitment to abide by the rules that are described in the document. It is a contract with the individuals whose personal data are in the company’s custody. Thus, the document must be complete and accurate.
Companies have been severely sanctioned by the Federal and State regulators for making inaccurate, unclear statements – or understatements – and misrepresenting their practices in their published policies. Other companies have been penalized by regulators for failing to abide by, or acting contrary to, the representations made in these policies. Transactions have been blocked or suspended by courts when they violated, or were inconsistent with, the related data protection policy.
Since each company has its own DNA, its policies and procedures are also unique. There is no “one size fits all” form document that applies to everyone. A company’s privacy and security policies must reflect its actual practices, not those of another company.
It would be a serious mistake to merely cut and paste another company’s policy. Just as one would not treat a heart condition by borrowing a neighbor’s drugs, it could be very damaging to adopt another entity’s policy as one’s own. The company would find itself bound by the other entity’s promises, required to have procedures that are irrelevant to its business, and would likely fail to meet the obligations that apply to its own market or circumstances.
Drafting an accurate, clear and concise privacy or security policy takes time and requires an in-depth knowledge of the applicable legal framework and the company’s own circumstances. We have considerable experience with the Fair Information Practice Principles, and the many other laws, regulations, guidelines, cases, and enforcement actions that dictate or frame the content of data privacy or security policies.
We have drafted countless data privacy and security policies for a wide variety of clients, from publicly held global companies to start-ups. We strive to create clear, practicable, compliant policies that accurately reflect the practices of our clients, and that are understandable by the individuals whose personal data are at stake.
We then conduct a thorough evaluation of the company’s legal obligations, and identify the constraints, requirements, restrictions, or obligations that apply to the types of personal data for which the policy is to be drafted.
Frequently, applicable laws require specific additions to the policy. For example, this is the case for companies that wish to apply for a Safe Harbor certification, or companies that are covered entities under HIPAA. In this case, we have to ensure that the company has in place the safeguards and processes necessary for compliance with the unique requirements of the applicable law.
It is only after having obtained a clear picture of the company’s activities and obligations that we begin drafting the applicable document. This document is then shared for comments with different departments within the company, in order to ensure that it fully and accurately describes the proposed collection, use, and processing of the personal data.
We are frequently requested to lead or participate in the drafting of data security policies, so that we can ensure that the policies accurately, fully, and concisely express the company’s commitment with respect to the protection of personal data in its custody. Most companies are required to adopt a written data security policy that addresses, at a minimum, the protection of specific types of data, such as health or financial data or social security numbers.
When working on a company’s data security policy, we begin with a thorough evaluation of the different types of personal data that the company intends to collect, and how these data are to be used, in order to identify the data security laws, regulations, guidelines and standards that regulate these activities. We also learn how the company intends to use, process, or store the data, and whether it may transmit, or give access to the data to others, outside its firewall.
Frequently, applicable laws or standards mandate certain provisions. For example, this is the case for HIPAA covered entities, companies that are subject to the Massachusetts security regulations, or companies that handle credit card information and are subject to the PCI DSS standards.
After having identified the applicable legal framework, and the company’s needs and goals, we work with the company’s CISO (or CIO, CTO) to evaluate whether and how the company can comply with the applicable laws, regulations, standards, or contracts, and whether changes or improvements are required.
We then work with the management team on shaping the best data security structure under the circumstances, taking into account the legal framework that governs the specific market in which the company operates. For example, different rules apply when processing financial or health data. There are other requirements for the handling of social security numbers or driver’s license numbers.
This draft security policy is then shared with different departments within the company for their review, in order to ensure that the proposed policy fully and accurately describes the measures and safeguards that will be applied when storing, processing, or disposing of the personal data. It is then revised according to the comments.
When the policy is ready to be launched and rolled out, we work with the company in developing the appropriate training and education for the personnel, so that the policy is applied consistently throughout the company.