Business journals and publications are replete with stories about businesses that collect, use, store or sell private information of employees, customers, consumers or third parties, and that end up paying substantial and possibly business-threatening damages as a result. Since there is no overall federal framework to protect personal private information (PPI), many state laws regulate PPI collectors and users. These laws often impose harsh penalties on businesses that fail to comply and allow private and class-action enforcement suits. Moreover, carriers often reject insurance loss claims, and specific insurance coverage is often difficult and expensive to acquire. Some concerns related to PPI include:
- Collection. The information provider needs to be informed that their data is being collected, stored, used, protected and potentially sold.
- Disclosures. Disclosures to data providers must be written, clear, comprehensive and understandable, and must be accepted by providers with appropriate opt-outs.
- Policies. Policies need to be published and accessible to data providers, and all changes publicized, documented and memorialized.
- Storage. Such information needs to be stored or maintained securely, both during the transaction and after it concludes, with access and use restricted to those disclosed to and accepted by providers.
- Security. A breach or other loss of PPI often results in liability and lawsuits for failure to properly protect PPI, so a fast action plan should be in place.
- Use. Only fully disclosed and authorized use is allowed, and any changes should be disclosed to and accepted in writing by the data providers.
- Sale. Sales of PPI to third parties, or third-party access to it, need to be consistent with disclosures and authorizations, and should be restricted to responsible parties only.
- Indemnity/Insurance. Any entity that acquires or uses the collected PPI should agree to indemnify your business from all losses and demonstrate adequate insurance coverage.
The business and commercial attorneys at Brooks, Tarulis & Tibble, LLC have experience in advising clients on the use and collection of PPI, as well as addressing problems that arise from its collection. Should you have any questions or problems, please contact us.