Tips on protecting personal data.

Author: Eleftheriou, Demetrios A.
Position: Special Issue: Technology & the Practice of Law

Organizations are faced with the daunting task of managing and protecting an unceasing deluge of dynamic personal data (i.e., data that can identify an individual) that floods their networks and branches and flows to vendors and the personal mobile devices of globetrotting employees. The challenge is how to manage and protect such data in light of a growing number and complexity of privacy and data security laws in the U.S. and abroad. Although an in-depth discussion of data protection laws is beyond the scope of this article, below are some best practices that can help to reduce the risk of violating such laws:

1) Anonymization is your friend. Don't collect personal data if you don't need it. Work with anonymous or deidentified data if you can. Ensure that the data is truly "deidentified" as defined under applicable law (e.g., HIPAA) (1) or regulatory guidance.
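What "truly deidentified" looks like in practice is easier to see in code than in prose. The program below is an added example, not code from the article or its author: it applies HIPAA Safe Harbor-style generalisation to a record (direct identifiers are dropped, dates keep only the year, ages over 89 collapse into a single "90+" band and also lose the birth year, ZIP codes keep only their first three digits except in restricted low-population areas) and redacts identifier patterns from free text. The `Record` type, the sample data, the `restrictedZip3` list and the regular expressions are all constructed for this example; the real restricted-ZIP list is derived from Census data, and Safe Harbor is only one of HIPAA's two routes (the other is expert determination), so this illustrates the technique rather than certifying compliance.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Record is a constructed, simplified intake record used only for this example.
type Record struct {
	Name, Email, Phone, SSN string
	Zip                     string // five-digit US ZIP code
	BirthDate               string // YYYY-MM-DD
	Age                     int
	Diagnosis, Notes        string // Notes is free text that may contain identifiers
}

// Deidentified keeps only generalised fields; direct identifiers are never copied.
type Deidentified struct {
	Zip3      string // first three ZIP digits, or "000" for sparsely populated areas
	BirthYear string // year only, and blank when the person is 90 or older
	AgeBand   string // exact age below 90, otherwise "90+"
	Diagnosis string
	Notes     string // free text with identifier patterns redacted
}

// restrictedZip3 is a constructed placeholder. Under the HIPAA Safe Harbor method the
// real list is every three-digit ZIP prefix whose combined population is 20,000 or
// fewer per current Census data; look it up rather than hard-coding it from memory.
var restrictedZip3 = map[string]bool{"036": true, "059": true}

// Identifier patterns to redact from free text (\b is an ASCII word boundary in RE2).
var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	phoneRe = regexp.MustCompile(`\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b`)
	dateRe  = regexp.MustCompile(`\b\d{4}-\d{2}-\d{2}\b`)
)

// GeneralizeZip keeps the ZIP3 prefix unless it falls in a restricted area.
func GeneralizeZip(zip string) string {
	if len(zip) < 3 || restrictedZip3[zip[:3]] {
		return "000"
	}
	return zip[:3]
}

// GeneralizeAge collapses every age over 89 into a single "90+" band.
func GeneralizeAge(age int) string {
	if age > 89 {
		return "90+"
	}
	return fmt.Sprintf("%d", age)
}

// ScrubText replaces identifier patterns and the person's name with tags.
// SSNs go first so the broader phone pattern cannot claim them; name matching
// is a crude case-sensitive substring replace, good enough for the example.
func ScrubText(text, name string) string {
	s := emailRe.ReplaceAllString(text, "[EMAIL]")
	s = ssnRe.ReplaceAllString(s, "[SSN]")
	s = phoneRe.ReplaceAllString(s, "[PHONE]")
	s = dateRe.ReplaceAllString(s, "[DATE]")
	for _, needle := range append([]string{name}, strings.Fields(name)...) {
		if len(needle) > 1 {
			s = strings.ReplaceAll(s, needle, "[NAME]")
		}
	}
	return s
}

// Deidentify builds the reduced record: Name, Email, Phone and SSN are dropped
// outright, dates keep only the year, and people over 89 lose the year as well.
func Deidentify(r Record) Deidentified {
	d := Deidentified{
		Zip3:      GeneralizeZip(r.Zip),
		AgeBand:   GeneralizeAge(r.Age),
		Diagnosis: r.Diagnosis,
		Notes:     ScrubText(r.Notes, r.Name),
	}
	if len(r.BirthDate) >= 4 && r.Age <= 89 {
		d.BirthYear = r.BirthDate[:4]
	}
	return d
}

func main() {
	// Constructed sample record; nothing here is real data.
	r := Record{
		Name: "Jane Doe", Email: "jane.doe@example.com", Phone: "555-123-4567", SSN: "123-45-6789",
		Zip: "02139", BirthDate: "1931-06-15", Age: 93, Diagnosis: "Hypertension",
		Notes: "Jane Doe called 555-123-4567 on 2024-02-01; SSN 123-45-6789; jane.doe@example.com",
	}
	fmt.Printf("%+v\n", Deidentify(r))
}
```

The design point worth noticing is that `Deidentified` has no fields for the direct identifiers at all, so they cannot leak by accident; generalisation happens on the way in, and free text is treated as the riskiest field because it can contain anything.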

2) Collect only the data you need and disclose only what is required. If you need to collect or disclose personal data, try to minimize the collection or disclosure of sensitive personal data, such as the notice-triggering items under the security breach notification laws.

3) Encrypt sensitive personal data during transit and at rest. Stolen encrypted data is a safe harbor under the breach notification laws as long as the decryption process is not also compromised. Have a good password policy, since encryption is only as strong as your password.
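As an added example (not the author's code) of what tip 3 means for data at rest: the Go program below derives an AES-256 key from a password with PBKDF2-HMAC-SHA256, encrypts with AES-GCM so tampering is detected, and refuses to encrypt at all unless the password passes a policy check, which is the concrete form of "encryption is only as strong as your password". The password policy, its blocklist, the iteration count and the sample plaintext are assumptions made for this example; PBKDF2 is written out by hand because older Go standard libraries do not ship it, and `subtle.XORBytes` requires Go 1.20 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

const (
	saltLen, nonceLen, keyLen = 16, 12, 32 // salt, standard GCM nonce, AES-256 key
	iterations                = 100_000    // example floor; OWASP currently advises 600,000 for PBKDF2-HMAC-SHA256
)

var commonPasswords = map[string]bool{"password": true, "password1234": true, "qwertyuiop12": true} // constructed stand-in for a breached-password blocklist

// CheckPasswordPolicy is an assumed policy in the spirit of NIST SP 800-63B:
// a length floor plus a blocklist check, no composition rules.
func CheckPasswordPolicy(pw string) error {
	if len([]rune(pw)) < 12 {
		return fmt.Errorf("password shorter than 12 characters")
	}
	if commonPasswords[strings.ToLower(pw)] {
		return errors.New("password appears in the blocklist")
	}
	return nil
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U1
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func newGCM(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt refuses weak passwords, then returns salt || nonce || AES-GCM ciphertext, with the salt bound as additional data.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	if err := CheckPasswordPolicy(password); err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per blob
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := newGCM(password, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return append(hdr, gcm.Seal(nil, hdr[saltLen:], plaintext, hdr[:saltLen])...), nil
}

// Decrypt reverses Encrypt; a wrong password or any tampering fails authentication.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("decryption failed: wrong password or tampered data")
	}
	return pt, nil
}

func main() {
	pw := "correct horse battery staple 2024" // constructed example passphrase
	blob, err := Encrypt(pw, []byte("constructed sample: SSN 123-45-6789"))
	pt, err2 := Decrypt(pw, blob)
	fmt.Println(string(pt), err, err2)
}
```

Two properties matter for the safe-harbor reasoning in the tip: a fresh salt and nonce per blob means identical records do not produce identical ciphertext, and because the only way to recover the key is the password, the policy gate in `Encrypt` is what keeps a stolen blob from being trivially guessable. Raise `iterations` to current guidance for production, and remember that a lost password means lost data.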

4) Do not use or disclose personal data outside the reasonable expectation of the individual providing the information, unless permitted by applicable law. This type of secondary use or disclosure is how organizations get into trouble. Note that "reasonable expectation" is often set by privacy language provided at the point when personal data is collected, such as in an online privacy statement provided to users of a website.

5) Perfect data security is not required, so don't guarantee it. The general rule for securing personal data is to have reasonable and appropriate administrative, technical, and physical security measures in place. Also, be careful not to misrepresent your privacy or data security practices (e.g., in an online privacy statement), since such a misrepresentation could be considered a deceptive trade practice in violation of law.

6) If you collect personal data, you need to properly protect it. Failing to protect such information could be considered an unfair trade practice in violation of law.

7) You have had a data breach...
