
Got a complete privacy policy? Think again.

Corporate privacy policies need to cover a variety of avenues in today's Internet Age. However, the government does not detail privacy in one succinct law. Instead, it is spread about in the Bill of Rights and other statutes. So, searchWindowsManageability asked an attorney who specializes in privacy issues to offer some guidelines for crafting lawful and effective privacy policies.

In the Internet age, a corporate privacy policy writer has to be a legal eagle and a strict copy editor. Writing a privacy policy that covers corporate e-mail and Internet issues without being longwinded and confusing is tough. Finding and adhering to the appropriate privacy laws is tougher, because there isn't one universal privacy law. Instead, privacy is a part of many statutes, from state laws to the Bill of Rights. Added to the jumble, said attorney Devin Gensch, are new issues and laws stemming from the Sept. 11 attacks. As a litigation, licensing and online commerce attorney for Washington, DC-based law firm Fenwick & West, LLP, Gensch works with privacy issues every day. In this searchWindowsManageability interview, he offers guidelines for crafting lawful and effective privacy policies.

sWM: How will corporations be able to maintain that their privacy is being upheld if new laws, such as the Patriot Act, may require them to turn over certain types of data?

There were reports immediately following the Sept. 11 attacks that companies were being asked for information. Out of a sense of patriotic duty, they were providing it. Only in subsequent days did they realize that giving such information might be a violation of their own privacy policies. Typically, a privacy policy will have language that says: "We only share information under the following circumstances." One of the circumstances would be pursuant to a subpoena, a warrant or a legal process. Simply turning over that information is arguably a violation of the policy. By not waiting for the formal request, the company violated that policy. Companies may wish to look at their privacy policy and make sure they know what it says and under what circumstances they can disclose. You do have two competing interests. Obviously, everyone wants to ensure national security. But a company's customers have given this information believing that it would only be disclosed in certain circumstances.

sWM: Do most companies have privacy policies in place?

Most companies do, particularly if the company has a public face, or if they're offering products and services online. It is part of reassuring people that when they're giving information, they know how it is being used.

sWM: What are some tips to help companies protect themselves against privacy lawsuits?

Actually read your privacy policy to see what it says you'll do in specific situations. If a situation arises where the policy doesn't cover a situation, then the question will become: "What was the reasonable expectation of the customer/user on entering in the transaction?" If the privacy policy implies something about that situation, the company needs to be sensitive to that. Also, when drafting or revisiting a policy, companies should anticipate situations. There are many online companies that have had short life spans. They'll get sold or merge. To prepare for these possible evolutions, write them into the policy.

sWM: What kinds of security/privacy issues wind up in court most often?

There are a few categories. The first is cases that involve violations of a privacy policy, which can be brought by the Federal Trade Commission (FTC) or state Attorneys General. Those are usually seeking either injunctive relief, or they are of several statutes that allow for damages for particular uses of information. The second category is class-action lawsuits for violations of privacy policies. Those are very common for parties seeking personal information or the contents of an electronic communication. Companies want to comply with court orders, warrants and subpoenas, but they have restrictive language in their privacy policy about when they can turn over such information. The last category is when companies want to sell personal information. Either the company is being sold or is in bankruptcy and is being sold through that means. In some cases, the FTC and the United States Attorney General have sought to enjoin some transactions when they believe that such a transfer would violate the company's privacy policy.

sWM: Can you elaborate on the situation of companies wanting to sell personal information?

Many companies have privacy policies that were written in different pieces, so they have broadly drafted language. In one particular case, Toy Smart's policy said: "We will never sell your personal information." Unfortunately, this company went bankrupt, and in the proceedings, the FTC sought an injunction. The better privacy policies will not use such absolute language. For example, there have been actions recently involving In that case, the argument from the Attorneys General was that an opt-in notice, where users would be sent an e-mail, was required. In the e-mail, it would say: "We will not transfer your data unless you click here." They were on somewhat tenuous legal grounds. There is not a lot of legal guidance on whether opt-in is required or you simply send an opt-out notice saying: "As part of a sale, we are transferring business assets. If you object, click here." What the court found was that neither opt-in nor opt-out was legally required.
