A Quick Reminder: Cybersecurity and Privacy Policies are Not Enough—Businesses Must Keep Them Current

Many recent cybersecurity and privacy laws require that certain policies be adopted and followed by businesses to assist in the protection of personal information. Even in states where there are no such laws, some policies may nonetheless be prudent as a “best practice” to avoid a tort claim of negligence if personal information is accessed without authorization. Recent legal action serves as an excellent reminder that businesses must do more than pay lip service to these policies. Businesses should expend the necessary resources to make sure their policies are appropriate for their purposes and followed.

Earlier this year the Federal Trade Commission (“FTC”) finalized settlements with five companies for falsely claiming they were in compliance with the EU-U.S. or Swiss-U.S. Privacy Shield. When properly followed, certification under these privacy shield frameworks allows companies to transfer personal information from the EU or Switzerland to the U.S.—transfers that might otherwise be inappropriate. In all five instances, the companies were either a proper participant in the privacy shield frameworks, but failed to recertify, or started the application process and never completed it. Despite these failures to follow through, all five companies maintained websites with privacy policies claiming they were properly certified and in compliance with the privacy shield frameworks.

The FTC investigated these false claims of compliance and entered into settlements with all five companies. The settlement terms included, among others, (1) prohibition from misrepresenting participation in, or compliance with, privacy programs and (2) continued application of the privacy shield frameworks to personal information collected while a participant in the program. 

Another example of a company failing to ensure compliance with its privacy policy can be found in the recent class action lawsuit filed against Zoom Video Communications, Inc. (“Zoom”). See Cullen v. Zoom Video Communications, Inc., No. 20-cv-2155, (N.D. Cal.). The plaintiffs allege that Zoom—the popular online video conferencing platform—collected personal information from its users without adequate notice or authorization and shared that information with third parties, including Facebook. The plaintiffs also allege that the collection and sharing of such information was inconsistent with the terms of Zoom’s privacy policy. Interestingly, the plaintiffs asserted a claim for relief under the California Consumer Privacy Act, which went into effect on January 1, 2020 and is likely one of the first lawsuits filed under the new law. 

The lesson from these examples is that businesses must adopt and at all times comply with their cybersecurity and privacy policies. As people become more concerned with the loss of privacy in an electronic world, regulators and individuals will inevitably demand that companies practice what is stated in their policies, so companies must be sure to maintain accurate policies as business practices change over time.

Contact Gary Schober (716.848.1289), Michelle Merola (518.736.2917), Patrick Fitzsimmons (716.848.1710) or any of our other Cybersecurity Practice attorneys, to discuss any concerns you have with your current cybersecurity and privacy policies, or compliance with any cybersecurity or privacy laws.

If you received this alert from a third party or from visiting our website, and would like to be added to our Cybersecurity & Privacy alert mailing list or any other mailing list, please visit us at: https://forms.hodgsonruss.net/sign-up-for-email-and-other-communications..html