sWM: How will corporations be able to maintain that their privacy is being upheld if new laws, such as the Patriot Act, may require them to turn over certain types of data?
sWM: Do most companies have privacy policies in place?
Most companies do, particularly if the company has a public face, or if they're offering products and services online. It is part of reassuring people that when they're giving information, they know how it is being used.
sWM: What are some tips to help companies protect themselves against privacy lawsuits?
sWM: What kinds of security/privacy issues wind up in court most often?
sWM: Can you elaborate on the situation of companies wanting to sell personal information?
Many companies have privacy policies that were written in different pieces, so they have broadly drafted language. In one particular case, Toysmart's policy said: "We will never sell your personal information." Unfortunately, this company went bankrupt, and in the proceedings, the FTC sought an injunction. The better privacy policies will not use such absolute language. For example, there have been actions recently involving Egghead.com. In that case, the argument from the Attorneys General was that an opt-in notice, where users would be sent an e-mail, was required. In the e-mail, it would say: "We will not transfer your data unless you click here." They were on somewhat tenuous legal grounds. There is not a lot of legal guidance on whether opt-in is required or you simply send an opt-out notice saying: "As part of sale, we are transferring business assets. If you object, click here." What the court found was that neither opt-in nor opt-out was legally required.