A Word from the Editor: Privacy and Data Protection Issues Are Here to Stay

Privacy has been described as “the right to be let alone,” a phrase popularized in an 1890 Harvard Law Review article by the future U.S. Supreme Court justice Louis Brandeis in which he expressed concerns about the threat posed by technology to an individual's control over his own personal information. At the close of the 19th century, the perceived technological threat to privacy was the spread of cheap photography and high-speed printing. Imagine what Justice Brandeis would think of today's camera phones, global positioning systems, employer surveillance of e-mail, and customer relationship management systems, not to mention the myriad other technological developments of the last 115 years.

Although concerns about privacy have ebbed and flowed throughout the history of the United States, such concerns are running high now and show every sign of continuing to climb for years to come. The Internet, telecommunications devices, and increasingly sophisticated computer technology have made it easy to collect, analyze, reproduce, and disseminate information about individuals. Laws at the state and federal level are continually emerging to correct perceived erosions of privacy in the United States, while legal developments in the European Union, Canada, Asia/Pacific, and Latin America remind companies that privacy obligations do not stop at the U.S. border.

Companies are beginning to realize that privacy and data protection laws govern virtually everything they do, given that personally identifiable information (such as names, addresses, and e-mail addresses) underpins the business of most companies. Such information is collected through e-mail, Web sites, B2B exchanges, and extranets. It comes in the mail, by personal courier, through call centers, and via face-to-face interaction. This information is one of the primary reasons for promotions, sweepstakes, and contests. Customer and supplier transactions, clinical trials, and marketing all depend upon it. It is collected from employees, prospective employees, intranets, employee portals, and internal corporate networks. Personal information comes from, and goes to, affiliates, trading and business partners, public sources, purchased databases, and other third parties. It crosses media, departments (virtually every part of a company's organizational chart), and jurisdictions (each with its own ' often highly divergent ' data protection laws).

Today, issues about controlling one's personal information arise in three primary contexts:

• Privacy in one's persona: name, identity, photograph, likeness, voice, etc.
• Privacy in one's communications: mail, e-mail, telephone, voice mail, etc.; and
• Privacy in one's data: medical history, employment records, spending habits, etc.

It is this final category of privacy issues, personal data, which has been at the center of many of the recent controversies and calls for new legislation in the United States. For example, it seems that every week a new corporate data security breach involving the loss or disclosure of personal data is reported in the media. This is a phenomenon that does not discriminate: It touches all businesses, whether retailers, information brokers, major financial institutions, universities, or health care companies. And thanks to a relatively recent California privacy law requiring that affected individuals be notified of the breach, the press eventually tolls the bell for all to hear. Now dozens of states are following suit, increasing corporate legal compliance obligations with each law that is passed.

Recent events demonstrate that corporate reputations can be easily cracked through privacy errors or even inaction, but not easily mended. Headlines about corporate governance and legal compliance issues fuel public relations, business, and legal nightmares for companies that have been building brand equity and trust for decades. As a result, prudent companies are now reassessing potential risks for both the corporate entity and its directors and officers. In doing so, they are discovering that privacy and data protection issues are areas where insufficient attention and action could trigger substantial liabilities, including civil and criminal penalties, in both the United States and abroad. They are also discovering that these issues constitute a constantly moving target, given rapidly changing technology, evolving corporate relationships and policies, the proliferation of new data protection laws, and the media's tendency to try corporate privacy practices in the court of public opinion.

Privacy and Data Protection is a topic that is rapidly expanding and will garner much media and legislative attention as well as corporate soul-searching and investment for years to come.

Privacy has been described as “the right to be let alone,” a phrase popularized in an 1890 Harvard Law Review article by the future U.S. Supreme Court justice Louis Brandeis in which he expressed concerns about the threat posed by technology to an individual's control over his own personal information. At the close of the 19th century, the perceived technological threat to privacy was the spread of cheap photography and high-speed printing. Imagine what Justice Brandeis would think of today's camera phones, global positioning systems, employer surveillance of e-mail, and customer relationship management systems, not to mention the myriad other technological developments of the last 115 years.

Although concerns about privacy have ebbed and flowed throughout the history of the United States, such concerns are running high now and show every sign of continuing to climb for years to come. The Internet, telecommunications devices, and increasingly sophisticated computer technology have made it easy to collect, analyze, reproduce, and disseminate information about individuals. Laws at the state and federal level are continually emerging to correct perceived erosions of privacy in the United States, while legal developments in the European Union, Canada, Asia/Pacific, and Latin America remind companies that privacy obligations do not stop at the U.S. border.

Companies are beginning to realize that privacy and data protection laws govern virtually everything they do, given that personally identifiable information (such as names, addresses, and e-mail addresses) underpins the business of most companies. Such information is collected through e-mail, Web sites, B2B exchanges, and extranets. It comes in the mail, by personal courier, through call centers, and via face-to-face interaction. This information is one of the primary reasons for promotions, sweepstakes, and contests. Customer and supplier transactions, clinical trials, and marketing all depend upon it. It is collected from employees, prospective employees, intranets, employee portals, and internal corporate networks. Personal information comes from, and goes to, affiliates, trading and business partners, public sources, purchased databases, and other third parties. It crosses media, departments (virtually every part of a company's organizational chart), and jurisdictions (each with its own ' often highly divergent ' data protection laws).

Today, issues about controlling one's personal information arise in three primary contexts:

• Privacy in one's persona: name, identity, photograph, likeness, voice, etc.
• Privacy in one's communications: mail, e-mail, telephone, voice mail, etc.; and
• Privacy in one's data: medical history, employment records, spending habits, etc.

It is this final category of privacy issues, personal data, which has been at the center of many of the recent controversies and calls for new legislation in the United States. For example, it seems that every week a new corporate data security breach involving the loss or disclosure of personal data is reported in the media. This is a phenomenon that does not discriminate: It touches all businesses, whether retailers, information brokers, major financial institutions, universities, or health care companies. And thanks to a relatively recent California privacy law requiring that affected individuals be notified of the breach, the press eventually tolls the bell for all to hear. Now dozens of states are following suit, increasing corporate legal compliance obligations with each law that is passed.

Recent events demonstrate that corporate reputations can be easily cracked through privacy errors or even inaction, but not easily mended. Headlines about corporate governance and legal compliance issues fuel public relations, business, and legal nightmares for companies that have been building brand equity and trust for decades. As a result, prudent companies are now reassessing potential risks for both the corporate entity and its directors and officers. In doing so, they are discovering that privacy and data protection issues are areas where insufficient attention and action could trigger substantial liabilities, including civil and criminal penalties, in both the United States and abroad. They are also discovering that these issues constitute a constantly moving target, given rapidly changing technology, evolving corporate relationships and policies, the proliferation of new data protection laws, and the media's tendency to try corporate privacy practices in the court of public opinion.

Privacy and Data Protection is a topic that is rapidly expanding and will garner much media and legislative attention as well as corporate soul-searching and investment for years to come.