The Deeper Issues Surrounding Data Privacy

What to do about protecting data privacy when there is no universal agreement on what it really is.

Mary E. Shacklett, President of Transworld Data

August 22, 2024


Data privacy means keeping customers’ information private and confidential, but third-party agreements about data sharing, data ownership, and data custody are still issues that confront chief information officers and the legal establishment.

How do you cover all those bases to ensure data privacy? 

First, What Is Data Privacy? 

One challenge is that the definitions of data privacy vary depending on whom you talk to. This makes protecting consumer information an uncertain practice.

In one case, data privacy is defined by Builtin as “the practice of protecting personal, private, or sensitive information, ensuring it’s collected with the proper consent, kept secure and used only for authorized purposes, while respecting both individual rights and existing regulations.”  

However, data privacy is also defined by IBM as: “the principle that a person should have control over their personal data, including the ability to decide how organizations collect, store and use their data.”  

In legal terms, an invasion of privacy is described by Cornell Law School as: “The infringement upon an individual’s protected right to privacy through a variety of intrusive or unwanted actions. Such invasions of privacy can range from physical encroachments onto private property to the wrongful disclosure of confidential information or images.”  


How Regulators Protect Data Privacy 

With clear definitions of data privacy being elusive, many companies have favored adoption of the data privacy protections enumerated in Europe’s General Data Protection Regulation (GDPR). The GDPR gives consumers the right to reduce the information trails they leave when they browse social media or use the internet. Individuals are also able to request the data that companies collect and hold on them, and to demand that it be deleted. In short, the assumption is that individual consumers “own” their data, and that they have the right to decide how this data is to be appropriated and used.

The GDPR is the most comprehensive guidance on data privacy to date, which is why many countries have expressed a desire to adopt it. In the US, however, opposition to regulation has stymied efforts to adopt similar stringent data protections, and this has resulted in lawsuits. 

Google’s $392 million settlement with users in 2022 is one example. In that case, a group of US attorneys general sued Google on behalf of their constituents. The lawsuit alleged that Google was tracking user locations without clearly indicating to users that location tracking was being done.


Google paid monetary damages as part of the settlement. It also had to inform users in more straightforward ways about how it was collecting their data, how users can delete it, and tell users how they can control whether they are being tracked.  

The Google case brought major ramifications with it, since many companies besides Google were providing and selling information about their users to third parties. These companies were informing users about their data sharing practices in fine-print documents that were hundreds of pages long, and that the average user could not be expected to read. Nevertheless, if the user wanted to use a certain service or application, they had to tap the “AGREE to conditions” button or be locked out.

This practice unfairly benefited companies. Under the law, a practice like this can be regarded as a “contract of adhesion,” meaning that one party to the contract has an unfair advantage over the other party because the advantaged party wrote the contract and created it in such a way that the other party could not easily read and digest it. 

A contrarian legal viewpoint is that each individual has the responsibility to read and understand every word of a contract he agrees to, even the fine-print ones.


The end result? 

The legal community is torn on data privacy rights, and Congress hasn’t made much progress, either. 

So, What’s the Best Approach to Data Privacy? 

Corporate legal departments will continue to draft voluminous agreement contracts packed with fine print provisions and disclaimers. CIOs can’t avoid this, but they can make a case to clearly present to users of websites and services how and under what conditions data is collected and shared. Many companies are doing this—and are also providing "Opt Out" mechanisms for users who are uncomfortable with the corporate data privacy policy. 

That said, taking these steps can be easier said than done. 

There are the third-party agreements that upper management makes that include provisions for data sharing, and there is also the issue of data custody. For instance, if you choose to store some of your customer data on a cloud service, so that you no longer have direct custody of your data, and the cloud provider experiences a breach that compromises your data, whose fault is it?

Once again, there are no ironclad legal or federal mandates that address this issue, but insurance companies do tackle it.

“In a cloud environment, the data owner faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider),” says Transparity Insurance Services.  

Transparity goes on to say, “State and federal data privacy laws in the US do not impose civil liabilities in the event of a cyber intrusion,” but that “Typically, liability is imposed if…An entity failed to remedy or mitigate the damage once the breach occurred.” It added that “Failure to timely notify the affected individuals under a state’s data breach notification statute, may give rise to liability for civil penalties imposed by a state attorney general or other state enforcement agency.”

This is why it’s standard data privacy practice today for companies to immediately notify users and customers of a breach, to mitigate the breach, and to provide customers with free-of-charge security and monitoring services for a period of one year. 

It should also be standard practice to obtain a cyber liability insurance policy, and to include cyber liability as a risk issue in the company’s overall risk management plan. 

This cyber liability insurance coverage can vary in nature, depending upon what a company wants to cover and pay. 

Most cyber liability insurance policies cover first- and third-party expenses, and they include customer and user notification costs, forensics to determine how a breach occurred, credit and fraud monitoring services for customers, and crisis management to mitigate damage to a company's reputation. 

In a case where a cloud provider leaks your data, you may also be liable for judgments against that provider, and you may need to pursue litigation against the provider.

“A data breach claim for a cloud vendor is really an errors and omissions (E&O) claim,” says Woodruff Sawyer Law. “The cloud vendor usually has no direct liability to the individuals whose data has been breached, but there may be a claim from their customer for failing in their performance of services (in this case, keeping the customers' data secure). For this reason, errors and omissions and cyber coverage are generally bundled together in a single policy for technology companies.”

Summary Remarks 

There is no universal agreement on what data privacy is. This makes data privacy management a challenge for companies and their CIOs. 

In this environment, it’s important for CIOs to adopt as many widely accepted data privacy practices as possible, stay in touch with management and the legal team, include data privacy as a requirement in RFPs to vendors, and require QA for data privacy in every new application.


About the Author

Mary E. Shacklett

President of Transworld Data

Mary E. Shacklett is an internationally recognized technology commentator and President of Transworld Data, a marketing and technology services firm. Prior to founding her own company, she was Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturer in the semiconductor industry.

Mary has business experience in Europe, Japan, and the Pacific Rim. She has a BS degree from the University of Wisconsin and an MA from the University of Southern California, where she taught for several years. She is listed in Who's Who Worldwide and in Who's Who in the Computer Industry.
