NLRB Issues Second Report Reviewing Social Media Enforcement Actions

On January 25, 2012 the National Labor Relations Board (“NLRB”) Office of the General Counsel released a report summarizing fourteen cases that were before the NLRB concerning the “protected and/or concerted nature of employees’ social media postings and the lawfulness of employers’ social media policies and rules” (“Report”). The Report followed up on an earlier report issued by the NLRB Office of the General Counsel on August 18, 2011 and reiterated two main principles set forth in that earlier report:

  • Employer policies should not be so broad such that they prohibit, discourage or chill activity that is protected by Section 7 of the National Labor Relations Act (“NLRA”) (e.g., discussion of wages or working conditions). Specifically, the Report made clear that:
    • Specific examples of the type of conduct prohibited should be included in any social media policy (i.e., do not disclose “trade secrets”, as opposed to do not post “sensitive information” about the company).
    • The policy should carefully carve out and protect employees’ specific rights under the NLRA; a general savings clause is insufficient.
    • The policy should not use vague terms like “appropriate” or “professional” without providing clear definitions for those terms.
  • Employee comments on social media networks generally are not protected if those comments are mere complaints about or general dissatisfaction with the job (e.g., “I hate my job!” or “My boss is mean!”). The comments will be protected if they are associated with an expression of shared concern, such as a dialogue about how bad the work environment is and what employees can do to fix it in response to a single employee’s wall post about the job.

Summaries of each of the cases reviewed in the Report are as follows:

1. Employee Discussion on Facebook Can Be Protected Concerted Activity

  • The terminated employee had posted on Facebook about a self-proclaimed demotion that she thought was unfair and unwarranted based upon her performance. Several co-workers with whom she was also “friends” posted their support on Facebook, including comments discussing the employer’s dishonest and unfair practices. The employee was terminated 5 days after making her post for violating the employer’s rule prohibiting “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The NLRB found that this policy was unlawful on the basis that it would “reasonably be construed to restrict Section 7 activity, such as statements that the Employer is, for example, not treating employees fairly or paying them sufficiently.” Further, the NLRB found that the employee’s initial post and the subsequent discussion that it generated fell within the definition of “concerted activity” since the discussion clearly centered on working conditions.

2. Broad Policies That Do Not Provide Examples or Clear Definitions Are Often Found Invalid by the NLRB

  • An employer implemented a social media policy “restricting the use of the employer’s confidential and/or proprietary information provided that, in external social networking situations, employees should generally avoid identifying themselves as the employer’s employees, unless there was a legitimate business need to do so or when discussing terms and conditions of employment in an appropriate manner.” The policy did not define what “appropriate” or “inappropriate” meant under the policy and therefore employees could “reasonably interpret the rule to prohibit protected activity, including criticism of employer’s labor policies, treatment of employees and terms and conditions of employment.”
  • A provision requiring “that social networking site communications be made in an honest, professional, and appropriate manner, without defamatory or inflammatory comments regarding the employer and its subsidiaries, and their shareholders, officers, employees, customers, suppliers, contractors, and patients.” Without defining broad terms like “professional” and “appropriate,” the provision could be construed to prohibit communications protected by the NLRA.

3. Policies that Subjectively Infringe on NLRA Section 7 Rights Are Invalid

  • An employer discharged an employee for violation of a company policy that stated that “insubordination or other disrespectful conduct” and “inappropriate conversation” would be subject to disciplinary action. The NLRB found that this policy “would reasonably be construed by employees to preclude Section 7 activity.”
  • An employer’s social media policy “prohibits employees from using social media to engage in unprofessional communication that could negatively impact the employer’s reputation or interfere with the employer’s mission or unprofessional/inappropriate communication regarding members of the employer’s community.” Although the rule contained some clear examples of unprotected conduct (e.g., revealing trade secrets), it also contained examples that could reasonably be read to include protected conduct and, therefore, could “be construed to chill employees in the exercise of their Section 7 rights.”

4. Social Media Policies Inhibiting Free Communication Between Employees and Between Employees and Third Parties Are Generally Invalid

The Report discussed the following overbroad provisions from a single social media policy:

  • A provision that prohibited employees from “disclosing or communicating information of a confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department” is unlawful because employees have a right to communicate such information to third parties.
  • A provision preventing use of the company’s name or service marks outside of the course of business without prior approval of the law department is unlawful because employees have a right to use their employer’s name or logo in conjunction with protected concerted activity, such as to communicate with fellow employees or the public about a labor dispute.
  • A provision prohibiting employees from publishing “any representation about the company without prior approval by senior management and the law department” is unlawful because employees have a Section 7 right to make representations about their employer that are “part of and related to an ongoing labor dispute.”
  • A provision providing “that employees needed approval to identify themselves as the employer’s employees and that those employees who had identified themselves as such on social media sites must expressly state that their comments are their personal opinions and do not necessarily reflect the employer’s opinions” is unlawful because the provision stifled employees’ ability to locate other employees, thus, inhibiting their ability to organize, a protected right under Section 7.
  • A provision “requiring employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination” is unlawful because it inhibits the ability for employees to organize to discuss working conditions.

5. Social Media Policies That Are Adequately Tailored to Uphold Workplace Confidentiality and Discrimination Rules Are Lawful

  • The policy originally prohibited discriminatory, defamatory, or harassing posts about specific employees, the work environment or work-related issues on social media sites. Broad terms like “defamatory,” especially when applied to work-related issues, could be construed to apply to protected activity. The amended policy prohibited “the use of social media to post or display comments about coworkers or supervisors or the employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.” The amended policy, on the other hand, could not reasonably be construed to apply to protected activity as it provides a “list of plainly egregious conduct.”
  • The employer’s social media policy provided that “the employer could request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws. [Further,] [i]t prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients, and it also prohibited employees from discussing in any form of social media “embargoed information,” such as launch and release dates and pending reorganizations.” In context, the prohibition applied only to communications that could impact security regulations or disclose proprietary information and, as such, was narrowly tailored and withstood scrutiny.

The Report also provides updated guidance regarding the scope of “concerted activity” under Section 7:

1. Facebook Posts Can Only Be Considered Concerted Activity Where There Is Active Participation from Facebook “Friend” Co-Workers in the Discussion

  • The terminated employee (a truck driver) posted to Facebook criticizing the way that the business was run, including that the company was ‘running off all the good drivers’. No other employees joined the discussion and the employee’s comments did not attempt to induce group action. The NLRB further noted that there was no “unlawful surveillance” since the employee had invited his supervisor to be his “friend” on Facebook.
  • The terminated employee posted criticism of a supervisor on Facebook, including use of the phrase “setting it off”. The employer deemed the phrase to be threatening and inappropriate. The post was not concerted activity because, although the posts addressed terms and conditions of employment, he did not intend to initiate or induce coworkers to engage in group action and no “friends” who were co-workers responded to his post.

2. Social Media Postings That Are a Direct Result of Concerted Activity Are Protected

  • The terminated employee, an individual in whom other employees confided about on-the-job issues, posted about those shared concerns over the terms and conditions of employment. Co-worker responses to her posts contained suggestions for action by the group to change those conditions. Her termination was found to be unlawful because it was directly related to her “involvement in her co-workers’ work-related problems, including her discussions with fellow employees about the terms and conditions of employment.”
  • The terminated employee made various online posts (e.g., on local newspaper message boards) and Facebook posts about the employer’s poor management style, which allegedly included bullying, harassment and abuse of employees that had been ongoing for at least 3 years. Several co-workers posted messages of support on the terminated employee’s Facebook page, e.g., “Thank you for speaking for us who do not dare.” Since the posts were part of an ongoing labor dispute related to treatment of employees, and the statements were a “logical outgrowth of other employees’ concerns or were made with or on the authority of other employees”, it was clear that they contained unfair labor practice charges, which are protected by Section 7. The NLRB further found that the comments were not unprotected disparagement or defamation.

3. Comments to Facebook Postings Have Equal Protection and Privilege as Original Postings

  • The terminated employee posted his frustration on Facebook that another individual was promoted over him and that the promotions were not aligned with performance. Responses to his post included suggestions that all the good employees should quit. These posts demonstrated “shared concerns about the terms and conditions of employment” and were therefore “concerted activity for mutual aid and protection” and protected activity under Section 7.
  • The terminated employee posted on a co-worker’s Facebook wall about his supervisor’s bad attitude and poor management style, and the co-worker agreed, responding that she wished she could work elsewhere. The employees had previously complained about the supervisor to a higher-up. Protest of supervisory action is protected under Section 7, and the NLRB found that the discussion constituted “concerted activity for mutual aid and protection.” The NLRB further found that the comments were not unprotected disparagement or defamation.

As we have previously noted in prior posts about the NLRB’s social media enforcement actions, employers should carefully review and adjust their social media policies and practices in light of the NLRB’s guidance and enforcement. Social media policies must be narrowly tailored so as not to infringe upon employees’ Section 7 rights.


Restrictions on Use of Consumer Reports in Hiring Process Enacted in California

On October 10, 2011, Governor Brown signed into law a bill, AB22, that restricts the use of consumer credit reports in the hiring and promotion process.

The law prohibits employers, with the exception of certain financial institutions, from obtaining a consumer credit report on the candidate or employee unless the position that the individual is seeking is:

  • A position in the California Department of Justice;
  • A managerial position, as defined in the statute;
  • That of a sworn peace officer or other law enforcement position;
  • A position for which the information contained in the report is required by law to be disclosed or obtained;
  • A position that involves regular access to certain personal information for any purpose other than the routine solicitation and processing of credit card applications in a retail establishment;
  • A position in which the individual is or would be a named signatory on the employer's bank or credit card account, or authorized to transfer money or enter into financial contracts on the employer's behalf;
  • A position that involves access to confidential or proprietary information; or
  • A position that involves regular access to $10,000 or more of cash.

The law also requires employers to provide individuals with a written notice identifying the specific exception in the statute that permits the employer to obtain a report.

Assembly member Mendoza, who sponsored the bill, stated that “a credit report is not a good indicator of a person’s trustworthiness or work ethic.” “Many Californians are still experiencing financial hardships from the economic downturn including layoffs, increasing unemployment rates, and the continuing foreclosure crisis. All of these things make it harder for people to pay their bills,” added Mendoza. The Assembly member’s statement echoes the view expressed by the Equal Employment Opportunity Commission (EEOC), which has signaled that it believes employers are denying jobs to applicants with damaged credit histories in cases where creditworthiness does not appear to be directly relevant to the job.

California follows Illinois and Oregon, which in 2010 enacted legislation that limits the use of credit reports for employment purposes. Maryland and Connecticut enacted similar legislation in April and July 2010, respectively. Similar laws are in place in Hawaii and Washington and are being considered in Illinois, Michigan, Missouri, New Jersey, New York, Ohio, Oklahoma, South Carolina, Vermont and Wisconsin. In addition, in December 2010, the EEOC filed an action accusing an employer of discriminating against minority job applicants in the hiring process by using the applicants’ credit histories. The EEOC has sought injunctive relief in its lawsuit, as well as lost wages and benefits and offers of employment for people who the EEOC alleges were not hired because of the employer’s use of job applicants’ credit history.

InfoLawGroup Takeaway

With the wind blowing at the state and federal level against the use of consumer reports for employment purposes, employers should review their HR policies to ensure that they collect consumer report information only in accordance with state and federal requirements. Employers also are well-advised to obtain consumer reports only when necessary to evaluate the fitness of a candidate or existing employee for the position the individual is seeking.

"Privacy by Design": A Key Concern for VCs and Start-Ups

(co-authored by Nicole Friess, Esq.)

The privacy landscape appears to be shifting toward a model that promotes greater consumer awareness of and control over data. Reflecting its consumer protection mission, the FTC’s report Protecting Consumer Privacy in an Era of Rapid Change, issued December 1, 2010, urges companies to adopt a “privacy by design” approach. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced their “Commercial Privacy Bill of Rights,” which adopts some of the FTC’s privacy by design principles, requiring companies to implement privacy protections when developing their products and services. The foundational principles of privacy by design, originally developed by Information and Privacy Commissioner of Canada Ann Cavoukian, address the effects of the increasing complexity of data usage. With data now ubiquitously available, as well as processed and stored on a multinational level, privacy by design is becoming internationally recognized as fundamental for the protection of privacy and data integrity.

Although privacy by design isn’t set in stone (yet), start-up companies seeking to collect and use personal information as part of their business plan may want to consider incorporating privacy by design into their everyday business practices. Similarly, as part of their due diligence process, venture capital firms scrutinizing start-ups seeking to leverage personal information would be well-advised to determine if privacy is being “baked into” the products and services being offered by such start-ups. It may be both difficult and costly for companies to implement privacy protections retroactively if privacy concerns are overlooked during the early stages of business planning. Start-ups have the advantage of building privacy protections into their business models from the outset, which can keep those companies out of trouble in the form of litigation or agency enforcement. Privacy-conscious VCs will be more inclined to fund start-ups that reduce risk by proactively addressing privacy issues and potential liability. In turn, VCs that scrutinize whether privacy is part of a start-up’s business plan will be able to better protect their investment (and their investors).

So what does privacy by design mean? How can start-up companies incorporate privacy by design principles into their business practices to attract VC funding? How should privacy and security legal risks (and solutions) be written into a start-up’s business plan? This post tries to answer these questions.

Step 1 – Understand Your Business Model.

Privacy by design advances the view that privacy assurance should be companies’ default mode of operation. To build privacy protections into a business model, organizations (particularly entrepreneurs seeking VC funding) should know their business models better than anyone else. Companies must understand how they will interact with consumers at every step of each transaction while products and services are under development. From consumer solicitation to the sale of products or services, an entrepreneur should consider evaluating whether and how his or her company collects, maintains, shares, or otherwise uses consumer data. Entrepreneurs may want to conduct an inventory of any and all data involved in their business transactions, including personal consumer data (names, addresses, credit card information, etc.) as well as any other information that can be linked to a specific consumer, computer, or other device. A keen understanding of the technology used by the start-up is also crucial, as the functionality provided by such technology (or the lack of certain functionalities) may impact privacy, including the ability of consumers to make decisions about their personal information. By understanding the data and technology involved at each step of the way, entrepreneurs will be more likely to spot potential risks their companies face. Companies that fully understand the scope of the data they collect and how that data is handled will be in a better position to address consumer concerns and respond to objections. Most importantly, they will be in a better position to address legal requirements and build privacy into their products and services from the outset.

Step 2 – Understand Your Market.

Really understanding your business model also means understanding the market - including the wants and needs of target consumers and the privacy-related activities of similarly situated companies. Consumers are increasingly wary of privacy issues triggered by their online participation. Start-ups may want to tailor their approach to privacy issues based on their target audience, as various studies show that different subsets of the population may have different privacy expectations and concerns.

For example, a Webroot study concluded that mobile device users over the age of 39 are more concerned about the possible risks associated with geolocation tools compared to 18- to 39-year-olds. Teens may be beginning to respond to privacy concerns online – TRUSTe found that about 64% of teens use privacy controls on social networks. The platform for personal information collection, storage and processing may also impact the scope of consumer concerns. A new report from the market research firm Nielsen confirms that many Americans have strong concerns about losing some privacy by using location-based mobile services. According to the report, 59 percent of women and 52 percent of men reported having privacy concerns with location-based services and check-in apps. Only 8 percent of women and 12 percent of men reported that they are not concerned with the privacy implications of location-based services and check-in apps.

Consumer outcry and regulatory pressure have forced companies such as Facebook and Google to change their practices, offering consumers privacy controls that are simpler and easier to use. However, while many studies and surveys conclude that people are worried about privacy, people continue to use social media sites, location-based apps, and check-in services despite their concerns. From a market point of view, it’s important for companies to attempt to determine the privacy protections consumers want, as well as what practices may be deemed invasive and “over the line” which could result in backlash.

Determining whether products and services are “over the line” is also valuable for attracting business deals and securing investments. According to a report by the Ponemon Institute, privacy issues have prompted marketers to use online behavioral advertising 75% less than they would otherwise. However, in a previous post we noted that, despite consumer concerns, Internet tracking companies continue to secure new investments from VC firms. Recently, a Wall Street Journal article noted that VCs in Silicon Valley are pouring money into social start-ups promoting mobile apps. If they haven’t already, VCs may begin to factor privacy concerns into their due diligence process to avoid future consumer and agency backlash that could potentially devalue their investments. As such, incorporating privacy by design – assessing privacy issues and implementing privacy protections every step of the way – may help attract funding and avoid potential liability.

Understanding the market also means understanding the competition. From start-ups to major market players, many companies are offering privacy protective products and services in response to consumer demand. Companies should conduct thorough due diligence regarding the data practices of established, similarly-situated companies. And a thorough understanding of the market isn’t only about evaluating competitors that exist today – companies would be wise to consider what potential business combinations could become competitors in the future.

Step 3 – Understand the Legal Risk Environment.

Keeping tabs on the privacy legal landscape is important for companies and investors looking to capitalize on consumer demand, particularly those interested in tapping into online markets. Additionally, agency enforcement is on the rise. As such, researching the legal and regulatory environment is a crucial part of due diligence for entrepreneurs and VCs alike.

Multiple privacy bills from both the House and the Senate have recently been introduced. In February, Representative Jackie Speier (D-CA) introduced the “Do Not Track Me Online Act of 2011,” which would give the FTC authority to establish an online do-not-track system, giving consumers the ability to prevent the collection and use of data on their online activities. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” in April, which would give the FTC significant authority to create rules as to how businesses collect, use, transfer and maintain personal information. This month, Senator Jay Rockefeller (D-WV) introduced the “Do-Not-Track Online Act of 2011,” which would create a “universal legal obligation” for companies to honor users’ opt-out requests on the Internet and mobile devices, and would give the FTC the power to take action against companies that don’t comply. Also this month, Representatives Edward J. Markey (D-MA) and Joe Barton (R-TX) introduced a draft of the “Do Not Track Kids Act of 2011,” which would prohibit companies from tracking children on the Internet without parental consent, restrict online marketing to minors and require an “Eraser Button” that would allow parents to eliminate kids’ personal information already online. An underlying policy of all of this proposed legislation is the idea that companies should be required to give consumers more notice about the information that is being collected about them, as well as the ability to control such collection.

While much attention has been given to privacy and security legislation at the federal level, there has been a renewed sense of vigor on the state level as well. The privacy legal risk environment is constantly in flux, and the state of the law may vary by jurisdiction. For example, a proposed information privacy bill in Hawaii would require breached entities to provide credit monitoring and call center services to impacted individuals. In Colorado, a proposed bill takes a new approach to incentivizing companies to implement good security.

This year has also seen an explosion of privacy-related litigation (the RockYou data breach litigation, Amazon privacy litigation, suits involving online tracking, cookies, history sniffing, etc.) as well as agency enforcement actions (Playdom, Google Buzz, Ceridian/Lookout, GunnAllen, etc.). The end results of agency enforcement and privacy-related lawsuits are bound to impact what the government and the public consider “acceptable” from a privacy point of view.

It can be difficult and time-consuming to navigate the legal and regulatory privacy environment, and companies are encouraged to seek the advice of experts to identify potential privacy legal risks. In many cases, proactively addressing privacy concerns requires careful analysis and prognostication based on the bills, laws, lawsuits and regulatory actions that are in play. Oftentimes, after careful analysis, potential trends and commonalities can be gleaned that help companies anticipate where the privacy legal environment is going. If the legal risks are identified early and companies keep up-to-date regarding their responsibilities, mechanisms can be built into products and services to allow for compliance with the current legal framework. For example, building in consumer opt-outs of data collection and honoring such requests, as well as encrypting any sensitive personal information collected, are proactive measures that give companies flexibility to adjust to changing legal requirements.

Step 4 – Integrate Privacy by Design.

It’s easier to tailor privacy and security protections to a company’s everyday business practices, products and services once the company has a comprehensive understanding of its business model, the market and legal compliance requirements. It is much easier for a start-up company to undertake this exercise at the outset of its business planning and product/service development. As part of its privacy by design framework, the FTC urges companies to systematically consider four substantive privacy protections at all stages of the design and development of their products and services:

Data Collection. One key principle of privacy by design is that companies should automatically protect any consumer data they handle by default. However a company chooses to handle consumer data, it may want to consider mechanisms that enable consumers to opt out of or opt in to data collection practices (even if those mechanisms are not implemented from the outset). Doing so early will decrease the burden of regulatory compliance if offering opt-in or opt-out consent becomes mandatory. Another key principle of privacy by design encourages companies to handle data in a way that is visible and transparent to the consumer, and that allows companies to honor any representations they make to consumers about their business practices. The FTC has increasingly enforced this principle, settling privacy enforcement actions with Twitter and Chitika for deceptive business practices and with Ceridian and Lookout Services for unfair business practices for failing to safeguard personal employee information, among others. Companies are advised to implement data security protocols and privacy policies and to address the concerns of their consumers. Companies can avoid regulatory enforcement by understanding their commitments to protect consumer privacy, being transparent about their business practices, and adhering to their policies and procedures.

The FTC also emphasizes “minimization” – under this concept, the only consumer data that a company should collect is that which is needed to accomplish legitimate business goals. If a company has internal systems and networks, it should consider whether data is routinely saved by default if there is no legitimate business need to do so. By limiting the scope and amount of consumer data collected, companies reduce potential harms that can result in the event of a breach. The information companies need to collect wholly depends on their business model and the consumer data needed to make it work.

Security for Consumer Data. Many companies that conduct internal evaluations of their data practices will conclude that they maintain consumer data in one form or another. Companies that maintain consumer data can proactively employ physical, technical, and administrative safeguards to protect that information. As the FTC notes, the level of security required depends on the sensitivity of the data a company maintains, the size and nature of a company’s business operations, and the types of risks a company faces. A number of federal and state laws require companies to actively protect the data they maintain, and the FTC is increasingly bringing enforcement actions against companies for their failure to do so.

Maintaining adequate security for consumer data helps companies avoid potential lawsuits and FTC enforcement actions in the event of a breach, and mitigates other attendant consequences such as lost productivity and service interruptions. It also helps reduce the possibility that the enormous costs of responding to a breach will be incurred. Symantec Corporation and the Ponemon Institute estimate that the average organizational cost of a data breach in 2010 was $7.2 million and cost companies an average of $214 per compromised record.

To prevent security breaches, data loss, and other headaches, companies can proactively assess their baseline security measures. Again, a company’s thorough understanding of its business model is key in identifying potential protection gaps. Entrepreneurs and established market players alike would be wise to inventory their information assets, and understand where those assets are stored and how they’re accessed. Start-up companies can attempt to forecast their need for antivirus software, firewalls, virtual private networks (VPNs), and intrusion prevention mechanisms to protect their information assets in the face of internal and external risks. The FTC advises companies to use privacy-enhancing technologies such as identity management, data tagging tools, and Transport Layer Security/Secure Sockets Layer (“TLS/SSL”) or other encryption technologies, particularly if a company is handling sensitive consumer data. Start-ups may want to consider their plans for growth and assess whether their network security measures will be able to accommodate increased network traffic or advanced applications without disrupting service.

Data Accuracy. Privacy by design emphasizes that companies should strive to collect accurate consumer data, and that companies ought to implement mechanisms so that consumers can correct the information that companies collect about them, particularly when sensitive data is involved. Kerry and McCain’s "Commercial Privacy Bill of Rights" would require companies that collect data to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution. Regardless of whether such a requirement is codified, companies – particularly start-ups – may want to anticipate and plan for data correction procedures as well as any attendant costs.

Data Retention and Disposal. Companies can retain data for increasingly long periods of time due to the dramatically decreasing cost of data storage. A concern shared by the FTC and privacy advocates is that companies that retain data for long periods of time invent new, secondary uses for the data that consumers didn’t anticipate when they provided the data in the first place. To promote transparency and consumer notice, companies are encouraged to retain consumer data for only as long as they have a specific business need to do so. Companies are also encouraged to safely dispose of data no longer being used to further a specific business need. The "Do-Not-Track Online Act of 2011" would require online companies to destroy or anonymize personal information after it's no longer needed. We have already seen the concept of limited data retention becoming a regulatory principle in the European Union.

Conclusion

As consumers express an increased demand for privacy protections, entrepreneurs should ask themselves if their products and services provide consumers with notice and choice as to how their data is collected and handled, and tailor their business practices accordingly. Companies are wise to understand their business model and the market in order to tailor their products and services accordingly.

Consumer outcry has caused companies such as Google and Facebook to retroactively change their privacy practices – a process that can be costly and bring unnecessary negative publicity. Anticipating and preventing privacy violations before they happen mitigates the risk that such invasions will occur as well as the costs of remediation. This means having a thorough understanding of the privacy legal risk environment. Doing so is difficult because the environment is in upheaval; companies would therefore be wise to seek professional advice to navigate the legal and regulatory landscape at both the state and federal level.

A start-up company has the advantage of being able to develop and implement a privacy program early, and bake privacy into the design of its products and services, thereby ensuring that these substantive privacy protections become a foundational part of its business model. Employees can be trained early regarding the need for privacy and network security, which helps foster a consumer-protective enterprise culture. Privacy by design makes privacy an essential component of the core product or service a company delivers. Spotting privacy issues and addressing concerns before launch aligns products and services with consumer expectations and can save everyone – entrepreneurs and VCs alike – from future headaches.

Senate Subcommittee Holds Hearing on Mobile Privacy

On May 10, 2011 the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing entitled Protecting Mobile Privacy: Your Smartphone, Tablets, Cell Phones and Your Privacy. The hearing focused on the privacy concerns raised by mobile devices, location-based mobile services, and check-in applications.

Senator Leahy opened the hearing, reflecting on the benefits of mobile devices, apps, and social networks, as well as the risks these new technologies pose to consumer privacy. Leahy expressed that he is “deeply concerned” that smartphones may be tracking and storing data without users’ consent, that sensitive user data may be maintained by providers in unencrypted formats, and that companies are involved in the sale of location data without consumer knowledge resulting in the receipt of unsolicited ads by third parties.

Subcommittee Chairman Al Franken’s opening remarks focused on the increasing number of entities whose business model is to collect and maintain information on consumers under consumers’ radar. Franken noted the many benefits of location-based services, making a point to emphasize that “the existence of this business model is not a bad thing.” “The answer is not ending location-based services,” Franken said, “what today is about is trying to find a balance” between the benefits of these services and the public’s right to privacy.

The first panel of testifying witnesses consisted of two government representatives from their respective agencies. Here are some highlights from their testimony:

Jessica Rich, Deputy Director, Bureau of Consumer Protection, FTC

  • The rapid growth of mobile products and services raises several concerns: mobile devices are always on and always with the consumer, mobile devices contain information that is highly personal in nature, and companies have the ability to track consumers who use mobile devices, including children and teens.
  • The FTC has called on the industry to develop simplified disclosures embedded in each mobile interaction so that consumers know when and how their data is being used, rather than rely on privacy policies that are difficult to access using a mobile device.
  • Companies should implement privacy by design principles in the development of their products and services, making it easier for consumers to understand and choose how their data is used.

Jason Weinstein, Deputy Assistant Attorney General, Criminal Division, DOJ

  • Three major threats mobile devices pose to consumers include (1) cyber criminals such as identity thieves, stalkers, and hackers who access and exploit information without authorization; (2) the collection and disclosure of location data by service providers themselves - including app providers; and (3) the use of mobile devices by criminals to facilitate their own crimes.
  • While the ECPA restricts providers from sharing location data with the government, it does not restrict them from sharing such information with other private entities.
  • Companies are not currently required to retain the data they collect, which impedes the DOJ’s ability to investigate and prosecute crimes.

The second panel consisted of five non-government witnesses – from privacy advocates to representatives from major mobile market players. Here are some highlights from their testimony:

Ashkan Soltani, Independent Researcher and Consultant

  • The most serious threat mobile devices pose today is that consumers are repeatedly surprised by the information mobile device platforms and apps are accessing.
  • Mobile devices and apps don’t only collect location data - they also transmit consumers’ phone numbers and information from their address books, text messages, contact lists, etc.

Justin Brookman, Director of the Project on Consumer Privacy, Center for Democracy and Technology

  • Only a patchwork of outdated and insufficient laws applies to mobile service providers, leaving consumers inadequately protected.
  • While companies can’t affirmatively lie about how they protect consumer data, they can decline to make any representations to consumers regarding their data privacy and security practices, thereby avoiding FTC enforcement.
  • The default rule for service providers is that they can disclose location data without notifying consumers and obtaining their consent. The only things providers can’t do are things the providers have promised they won’t do.

Guy L. "Bud" Tribble, Vice President of Software Technology, Apple Inc.

  • Apple does not track users’ locations and “has never done so,” nor do Apple devices transmit data back to Apple that is unique to any particular consumer.
  • Apple controls the apps available to consumers by contract – if apps don’t meet Apple’s privacy requirements then those apps are not made available in Apple’s app store.
  • Apple conducts “random audits” and “examines network traffic produced by applications” to ensure that available apps are properly protecting the privacy of Apple consumers.

Alan Davidson, Director of Public Policy, Americas, Google Inc.

  • Google makes location-based services opt-in only. If a consumer doesn’t opt-in, his or her mobile device will not transmit any location data back to Google.
  • Every third-party app must notify users that the app will access location data and obtain the user’s consent before the app is installed on the user’s device.
  • Google believes in providing users with highly transparent information regarding its information practices, requiring opt-in consent before location data is collected, and implementing high security standards to anonymize data once it’s collected.

Jonathan Zuck, President, Association for Competitive Technology

  • Mobile apps are made predominantly by small businesses - to protect consumer privacy without unduly burdening innovation, concerns about privacy must be dealt with holistically rather than from a technology-specific perspective.

Chairman Franken closed the hearing by noting that current laws don’t provide consumers with sufficient privacy protections - legislation and agency enforcement hasn’t kept up with the pace of technology. Franken restated his belief that consumers have a “fundamental right” to know what personal information is collected about them, and when and with whom their information is shared. Franken noted that these rights are particularly important when sensitive information – data from mobile devices – is involved.

To view the hearing on the U.S. Senate Committee on the Judiciary website, click HERE.


InfoLawGroup Profiled in Los Angeles Daily Journal: "The Social (Law Firm) Network"

InfoLawGroup was recently profiled in the Los Angeles Daily Journal.  "The Social (Law Firm) Network" is reprinted here with permission from the Daily Journal.  We wish all of our clients, friends, and readers a great weekend.

Kerry Releases Draft of "Privacy Bill of Rights"

A week after the Senate held a hearing on the state of online consumer privacy, Senator John Kerry (D-Mass) has published a draft of the "Commercial Privacy Bill of Rights Act of 2011." The Act, co-sponsored by Senator John McCain (R-Ariz.), directs the FTC to make rules requiring certain entities that handle information covered by the Act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains. The Act aims to enhance individual privacy protections “in a balanced way that establishes clear, consistent rules,” and “will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad.” In this post, we take a look at the highlights of the Act.

Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.

Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”

Some information is always considered PII of the individual to whom it pertains, including:

  • First name (or initial) and last name;
  • Residential address;
  • E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
  • Telephone or mobile device numbers other than those considered work contact numbers;
  • Social security numbers and other government-issued identification numbers;
  • Credit card numbers;
  • Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
  • Biometric data, including fingerprints and retina scans.

If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:

  • Birth date, birth or adoption certificate number, or place of birth;
  • Unique persistent identifiers (not limited to those used to identify a specific individual);
  • Precise geographic location; and
  • Any other information concerning an individual that may “reasonably be used to identify that individual.”

UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”

Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.

Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information, as well as notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:

  • The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
  • The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
  • The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.

The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.

Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.

Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.

A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.

Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:

  • To process a transaction or service requested by that individual;
  • To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
  • To prevent or detect fraud or to provide for a secure environment;
  • To investigate a possible crime or that is required by law or legal process;
  • To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
  • Necessary for the improvement of the transaction or service through research and development; or
  • Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.

Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.

Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.

Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.

With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).


Upcoming Events

The attorneys of InfoLawGroup have been very busy this summer, and August is no exception.  In addition to our regular day-to-day work, we will (somehow) find the time to attend some great events in August.  If you will be in San Francisco and/or Seattle later this month, please join us, we would love to see you:

  • Later this week, August 5 and 6, all of us will be in San Francisco for, among other things, the meetings of the Information Security Committee of the Science and Technology Law Section at this year's American Bar Association Annual Meeting.  We look forward to some great presentations, including "Breaking Down Walls: The Confluence of Security, Privacy and Law," one of our favorite subjects, moderated by our friend Peter McLaughlin of Foley & Lardner and featuring John Tomaszewski of TRUSTe and Bob West, CEO of Echelon One, LLC.
  • In a couple of weeks, InfoLawGroup will be in Seattle for the pii2010 - privacy identity innovation conference. Taking place August 17-19 during "Seattle Geek Week," pii2010 will explore how emerging technologies and business models are impacting the way data is created, shared and aggregated, and how to strike a balance between protecting sensitive information and enabling innovation. Areas of focus will include:

    • Effective approaches for building online trust with users
    • Ways in which user preferences and social norms are shifting
    • Changes in the regulatory landscape, in the U.S. and internationally
    • The role of anonymity and the future of reputation management on the Web
    • The latest developments in user-centric identity management

In addition, pii2010 will serve as the official launch pad for pii Labs, an open forum for brainstorming and collaborating, taking place at the Space Needle building on August 19. For more information and to register, visit http://pii2010.com.  Speakers will include Michelle Dennedy of Oracle, Jim Reavis of the Cloud Security Alliance, and Chris Hoofnagle of Berkeley's Center for Law & Technology and the Samuelson Law, Technology & Public Policy Clinic.  We expect this to be a great event.  I will be blogging on location at pii2010, so keep an eye out for that.

Best wishes to all for a wonderful August!

SearchSecurity.com Interview on the Data Accountability and Trust Act

For those interested, I was recently interviewed by SearchSecurity.com concerning the Data Accountability and Trust Act ("DATA") passed in the House in December 2009.  While I might not be cut out for a career in broadcasting, hopefully the information I provided is useful.  If you would like more information, the Information Law Group has written several times on DATA and similar legislation pending in the Senate.

Privacy's Trajectory

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16.  In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15.  Monday morning you can find the whitepaper here.  I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.  Where exactly is privacy going in today's environment?  What is the role of the privacy professional over the next 10 years?  And, a lot of people I know and love (you know who you are) would ask, what in the world is a privacy professional anyway?

Of late, I have found myself reiterating, and getting a lot of positive feedback for, the following proposition:  with data (massive amounts of it) as the new currency, the explosion in outsourcing to "trusted partners," and the growth of legal risks associated with an ever-expanding body of privacy and data security regulation, the role for professionals who understand privacy is becoming increasingly important.  Further, such  professionals are uniquely positioned to bring together various key stakeholders in an organization, including Information Security, Legal, IT, and various business units.  Why?  Because privacy professionals are, by virtue of what they do, multidisciplinary.  And the growing opportunities for such professionals are inextricably intertwined with that quality.  The IAPP has summed this up succinctly, and eloquently in its whitepaper, as follows:

The next 10 years will see more types of data collected from more people, and more privacy laws in more places. A deepening and broadening of data protection regulations in the industrialized world will spread to emerging markets and place a higher premium on legal and compliance acumen. In addition, an expansion of health information networks, smart grid networks and cloud computing platforms will make industry and technology expertise a more indispensable part of practicing privacy.

. . . the privacy professional’s success in the next decade will demand greater adaptability and most importantly, agility. The agile privacy professional is the next-generation privacy professional: an expert practitioner who is keenly attuned to cultural and regional distinctions as these continue to grow in an increasingly interconnected data economy; who can migrate and adapt to different roles within an organization and offer value at each; who exhibits both comfort and grasp of legal/compliance and technical disciplines; and who instills direction and leadership of privacy management within the organization.

The following analysis and discussion of the IAPP's whitepaper is completely my own.  I think that the paper raises some incredibly important points about the need for privacy professionals to lead the way for more effective information governance.  As an outside lawyer (with my own unique perspective), my key takeaway is the following -- privacy professionals must understand law AND technology, and must facilitate dialogue between those two disciplines and as between those disciplines, on the one hand, and the business side, on the other.

The importance of a "privacy professional" understanding both legal and technical disciplines cannot be overstated:

The central role of regulatory and IT drivers shaping the privacy profession almost ensures an ongoing need for privacy professionals to be conversant in not one, but both of these disciplines.

Regulation and "Reasonable Security"

I believe this is largely due to what the IAPP describes in the whitepaper as the "Second Wave of Regulation," which began in approximately 2003 with California's landmark data breach notification legislation, Civil Code section 1798.82 (for private entities), often called SB 1386.  On the heels of that came 44 additional such state laws, DC, Puerto Rico, the Virgin Islands, and now some similar European legislation, as discussed in the whitepaper.  And, with the light now shining on security risks and failures within private organizations, additional security standards and legislation began to emerge - most notably, as highlighted by the IAPP, the Payment Card Industry (PCI) Data Security Standard (DSS) and laws such as Nevada's (SB 227) that incorporate that Standard.  For more on that, see Dave's posts here, here and here. Further, as noted in the whitepaper,

A number of factors have spurred North American (and particularly American) organizations to dedicate more resources to privacy process improvement: most notably, PCI DSS enforcement, FTC enforcement, and data breach notification.

Not discussed in the IAPP whitepaper in depth, but just as important, a number of states have crafted legislation designed to require "reasonable" security or safeguards to address security risks in a more proactive fashion, as opposed to the traditional reactive breach notification approach.  Massachusetts (M.G.L. c. 93H and 201 CMR §§ 17.00-17.05) is of course the most recent, most detailed, and most well known, but many states require the same "reasonable security" (sometimes for all personal information, sometimes for just Social Security numbers), including, but not limited to, California (Civ. Code §§ 1798.81, 1798.81.5, and 1798.85), Arkansas (Code Ann. § 4-110-104(b)), Colorado (Rev. Stat. Ann. § 6-1-713), Connecticut (HB 5658), Maryland (Com. Law Code Ann. § 14-3503), Nevada, as mentioned above (Rev. Stat. § 603A.210 and SB 227), Oregon (Rev. Stat. § 646A.622), Rhode Island (Stat. § 11-49.2-2), Texas (Bus. & Com. Code Ann. §§ 48.102(a) and 521.001, .052, .151), Utah (Code Ann. § 13-44-201), and Washington (Rev. Code Ann. § 19.215.020 to .030).  There are more; I could go on.

What in the world is "reasonable security"?  A privacy professional who understands the law and traditional notions of negligence, various concepts of privacy (Fair Information Practice Principles, etc.) as embodied in different standards and legislation around the world (from EU to Australia), and the evolution of information security (as a technical matter) is ideally positioned to help assess what "reasonable security" means and determine what will be compliant, what will be legally defensible, what will be best practice, and what will be just good business.  And such a privacy professional can facilitate discussions among stakeholders that speak somewhat different languages in this regard to reach solutions that are acceptable to all involved.

From Privacy to Information Governance

As a lawyer, I am also extraordinarily pleased to see, in the IAPP's whitepaper, a reference to the new ediscovery rules that came into play in the latter half of the 2000s, most notably the amendments to the Federal Rules of Civil Procedure in 2006.  What does privacy have to do with ediscovery?  Everything.  As noted in the IAPP's whitepaper, the amended rules "increased the need for organizations to conduct data inventories and implement data-retention policies."  How do you protect sensitive data (personally identifiable information, trade secrets, IP, etc.)?  You figure out where it is first.  And thus, as the IAPP points out, we start to see the "privacy" role evolve into an information governance role.

Speaking of information governance, let's return to technology.  States the IAPP: cloud computing will set the pace for the next decade:

One of the clear directions of technology in the past 10 years as it pertains to personal data has been more—more types of data collected from more people in more ways, and shared with more entities. The emergence of cloud computing—essentially a new computing paradigm in which data is stored off-premises and by a range of third parties—sets the pace for the next decade. Short of a wholesale social movement to opt out of information technology and “go dark,” the conveniences and commercial benefits of more data collection and sharing seem to point in the direction of more. People will not 'go dark,' we estimate, because the utility of sharing information will continue to well exceed the risks of doing so.

Thus, the IAPP stresses the need for agility and identifies five strategies for action:

(1) Redefine the privacy role [information governance]; (2) Rotate through departments/business units; (3) Develop multi-cultural literacy; (4) Understand legal and technical disciplines; and, (5) Instill direction and leadership.

Bottom line?  Proactive, multidisciplinary solutions to information governance that incorporate information technology savvy and that address compliance, legal defensibility, and best practices, are now and will become increasingly crucial to any organization that handles sensitive data.  Privacy professionals are well positioned to lead those efforts.  Congratulations to the IAPP on its 10th anniversary!  I look forward to the next 10 years.

The Breach Notification Obligations in the Data Accountability and Trust Act

The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate.  In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House.  I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA.  The end result was my article entitled:  "Potential changes to the US breach notice risk landscape".

In summary, my article discusses some of the similarities and differences between the current state-created breach notice regime and the system set forth under the proposed DATA law.  DATA is interesting because it appears to create opposing breach notice incentives.  On the one hand, there are mechanisms that could lead to less breach reporting, including:

  • a "risk of harm" standard that is likely higher than many existing State laws;
  • preemption of existing state law, which eliminates the "least common denominator" approach taken with respect to existing state law; and
  • mandating call center and credit monitoring costs (these costs may be significant, and therefore encourage non-compliance, especially if enforcement is lax).

On the other hand, DATA allows for the imposition of civil penalties of up to $11,000 per violation (capped at $5 million). Each failure to send the required notification to an affected individual is treated as a separate violation.  Depending on how vigorously the law is enforced, the risk of significant civil penalties is likely to encourage compliance.

How these factors would play out is unclear and up for debate.  However, what is even more unclear is whether DATA will ever be made into law.  The Senate is working on a similar bill, and assuming it passes the Senate, it would still have to be reconciled with the House version.  Consumer advocates will likely have concerns about the higher risk of harm threshold in the law.  On the business side, I anticipate great resistance to call center and credit monitoring as mandatory costs.  Moreover, the penalties for non-compliance may be problematic, especially for small and medium-sized organizations.  As such, should DATA become law, it is likely to differ from this version.