A recent jury verdict and consumer survey indicate that privacy is a touchstone issue for a majority of consumers. Product manufacturers should heed this sentiment as a means to build and keep consumer trust.
A Case in Point
When given the chance to punish a violation of privacy, jurors responded. In July of this year, an Indiana jury found in favor of a pharmacy's customer for the privacy violations of one of its pharmacists. The pharmacist, against company policy, accessed the records of a customer. She then disclosed sensitive health-related information and medical diagnoses to her husband, who happened to be the customer's ex-boyfriend.
Since there was no dispute that the customer's privacy had been violated, the pharmacy's first line of defense as a matter of law was on the grounds that its employee “knowingly violated company policy.” Therefore, the pharmacy said, it should not be held vicariously liable for its rogue employee.
The judge denied the motion and held that the nature of the pharmacist's conduct involved training and duties that derived from her employment at the drugstore. Thus, a jury would have to decide if the pharmacist's actions were “sufficiently associated” with company-authorized activities.
The jury found the company 80% responsible for the pharmacist's privacy violation. This resulted in a $1.4 million verdict for the plaintiff. Such a result will assuredly embolden privacy plaintiffs in other matters alleging violation of privacy rights, cases that rarely progress to trial for myriad reasons.
A Bright-Line Rule
Consumer surveys on privacy and the Indiana verdict define a bright line when it comes to personal privacy as a touchstone issue. It is acceptable for a person to decide to share his/her own information when he or she sees fit. However, it is not permissible for someone to make the decision to share another's information.
Product Manufacturers and Privacy
It is within these parameters that product manufacturers must operate. And while doing so seems somewhat basic at first blush, considering precisely the intersection between privacy and personal information is perplexing, to say the least.
First, consider whose personal data a company is collecting, storing, maintaining, and processing. To name a few, this could include customers, potential customers, employees, vendors, and other contractors. Such a wide variety of constituents implicates as many different federal and state laws and other regulatory bodies.
Second, consider the type of data and where it is stored, including the residents of each state whose data you are maintaining. Depending on your answer to this question, as many as 46 different state data security laws and a multitude of federal laws may apply. If you are collecting personal information outside of the United States (and in particular, Europe), comprehensive data rules prohibit the sharing of that data across borders without a safe harbor or other government-approved procedures.
Third, what exactly is personal information? Conceivably, it can mean different things to different people with varying degrees of consequence. The legal risk is most significant when it comes to the loss of sensitive data like Social Security numbers and personal financial or medical information. Such a breach could result in an expensive notification process in terms of hiring investigators, attorneys, and public relations specialists. This is not to mention the business interruption, employee price tag to handle the situation, credit monitoring, and possible government fines and litigation. And while class actions for breach of privacy have, in large part, been relatively unsuccessful, it is indisputable that the business reputation risk is real and measurable when it comes to shoddy data protection practices.
Sensitive personal information should not be the only concern, however. For companies that collect or use information like e-mail addresses, geo-location data, and IP addresses, recent cases involving technology giants on the forefront of privacy issues teach us that there may also be some consumer expectation of privacy with respect to this information.
Some Privacy Practices Should Be Universal
While the appropriate privacy practices vary by industry, manufacturer, product, and individual business needs, there are several processes and procedures that are universal. First and foremost, when it comes to collecting, maintaining, storing, and processing any personal data (however it may be defined), the Federal Trade Commission (FTC) has clearly advised: say what you do and do what you say. In other words, post an unambiguous privacy policy and act within the confines of that policy. If not, you may risk becoming a target of the FTC, which has promised to monitor and enforce company data practices aggressively.
Moreover, while we are not aware of an enforcement action that has targeted a product manufacturer's privacy practices, such a time may not be far off. New technologies in automobiles and other vehicles and equipment, for example, are providing additional sources of data capture, and posing new and thornier issues related to privacy concerns in addition to classic product liability and evidentiary issues.
Manufacturers also face a hefty challenge in keeping tabs on their marketing arms and third-party data brokers. How marketing agencies obtain and forecast personal preferences and establish personal profiles using predictive analysis and other big data techniques could cause some unintended privacy backlash. Consumers have shown that they prefer brands that they trust, and the easiest way to compromise that trust is to appear to infringe on personal privacy.
If consumers feel their privacy has been violated as a result of specifically targeted advertising, the brand could suffer. Indeed, one retailer caught some unwanted attention for being able to ascertain, and in turn market to, its pregnant customers. Such a practice exposed a girl's pregnancy to her family who had not yet been told. Incidents such as this illustrate that companies have a platform to compete using their data practices. When these techniques reach too far, however, they could have a direct impact on the bottom line.
Lessons Learned
The jury verdict discussed above teaches companies to develop a strong compliance program and, in particular, to train all employees about the proper access, use, and disclosure of personal information. Just as important, once those processes are in place and employees have been trained, it is critical to supervise employee actions closely and audit their performance against the company privacy practices.
As data breaches have increased, so has the number of cases between insureds and their carriers that address the question of whether a commercial general liability policy would apply to a data breach or other adverse data event. The decisions have run the gamut depending on the jurisdiction, the finer points of the policy, and exactly what data was lost and in what form.
To avoid such uncertainty, comprehensive cyber-risk insurance tailored to the data a company collects, maintains, and processes is quickly becoming an important protection. Additionally, companies should consider indemnity clauses with vendors and contractors that handle the company's sensitive data.
A recent study of consumer sentiment on privacy by Forrester Research, Inc. makes three important recommendations applicable to product makers of all shapes and sizes. These recommendations include:
See Differentiate with Privacy-Led Marketing Practices, Forrester Research, Inc., July 2013, p. 13.
This is another study in a series of studies whose findings reinforce the notion that consumers are concerned about personal data, feel frustrated by marketers profiting from their data, and may offer their loyalty to companies that have a “privacy led” approach. Id., p. 2.
Indeed, these findings suggest that there is a “bona fide privacy movement afoot.” See “Privacy As the Next Green Movement?” Jeff John Roberts, July 29, 2013 (reviewing Forrester Research survey and quoting an analyst that privacy and the need for transparent data practices may be “the next green movement”). Whether privacy will gain as much importance as being “green” remains to be seen. Sensing ahead, it seems like a safe bet.
Conclusion
In the end, privacy is much more than simply a risk that needs to be managed. Instead, sound data practices combined with a strong compliance program are a means to differentiate you from your competitors.
Jacob Herstek is Counsel with Nixon Peabody's Products, Class Action, Trade and Industry Representation Group. He is also a member of the firm's Privacy and Data Security Team and a Certified Information Privacy Professional accredited by the International Association of Privacy Professionals. He can be reached at [email protected] or 716-848-8207.