Protecting Personal Information – A Guide for Business

Most companies keep sensitive personal information in their files – names, Social Security numbers, credit card or other account data – that identifies customers or employees. This information often is necessary to fill orders, meet payroll or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft or similar harms. Given the cost of a security breach – losing your customers’ trust and perhaps even defending yourself against a lawsuit – safeguarding personal information is just plain good business.

A sound data security plan is built on 5 key principles:

  1. Take stock. Know what personal information you have in your files and on your computers.
  2. Scale down. Keep only what you need for your business.
  3. Lock it. Protect the information that you keep.
  4. Pitch it. Properly dispose of what you no longer need.
  5. Plan ahead. Create a plan to respond to security incidents.

This topic has recently garnered much attention from the federal government. Indeed, the Federal Trade Commission (FTC) released a preliminary Staff Report on December 1 proposing a framework for business and policymakers in an effort to better protect consumer privacy. The proposed framework builds upon four areas.

  1. the “notice-and-choice” model, which encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices;
  2. the “harm-based” model, which focuses on protecting consumers from specific harms – physical security, economic injury and unwanted intrusions into their daily lives;
  3. the FTC’s law enforcement experience; and
  4. the record from a series of public roundtables the FTC held over the past several months. 

FTC Proposed Framework Overview

Privacy by Design

  • Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices and data accuracy.
  • Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.

Simplified Choice

  • Companies do not need to provide choice before collecting and using consumers’ data for commonly accepted practices, such as product fulfillment.
  • For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data (for example, a cookie-based Do Not Track mechanism).

Greater Transparency

  • Privacy notices should be clearer, shorter and more standardized, to enable better comprehension and comparison of privacy practices.
  • Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
  • Companies must provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
  • All stakeholders should work to educate consumers about commercial data privacy practices.

The FTC staff seeks comment by January 31, 2011, on each component of the proposed framework and how it might apply in the real world. Based on comments received, the Commission will issue a final report in 2011. For the full version, or to make a comment, visit the FTC web site. Should you have questions about how your business handles personal information or the proposed FTC framework or report, contact Dan Boots.

  • Partner

    Dan is a senior partner of the Intellectual Property and Technology (IP&T) group (former chair 1997-2009), concentrating his practice on counseling emerging and established businesses in all areas of intellectual property and ...


