Podcast: Data Do, Data Don’t

Published On August 16, 2017 | By Jake Sommer, Jon Frankel, Alexei Klestoff, Anna Hsia, Ken Dreifach, Mason Weisz, Marci Rozen and Jason Wool | Data Security, General, Practical Advice
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

Most websites and apps collect information from its users. But are you doing it in a legally-compliant way? We won’t be taking over any New Year’s countdowns, but listen to our radio-ready voices as we describe some best practices on handling user data.

Data Do

Take Stock – 3:47
Jake Sommer & Jon Frankel
It isn’t a legal requirement that you take stock of your data, but you can save yourself time and heartache later if you know what you have stored and what you collect. Jake poses a puzzle – “imagine one of your customers has hacked you and you want to know everything you have about that customer. What data have you collected about them and where is it stored?” By taking stock of your data you’ll be able to better describe your practices to others and avoid making misrepresentations.

Provide Notice and Choice – 4:27
Ken Dreifach & Mason Weisz
An increasing amount of information based on where we go, what we do, and what we browse online, is used and linked by companies to market to us in more relevant ways. Yet as these technologies grow more sophisticated, certain traditional privacy “first principles” continue to apply. Notice and Choice is a keystone principle of privacy rights – sometimes expressed in laws and sometimes as a “best practice.” Ken offers a high level view of the importance of accurately describing privacy and data collection practices and providing ways for users to opt out, while also discussing the rules of “self-regulatory” groups like the DAI and NAI.

Understand Biometric Data Laws – 2:44
Anna Hsia 

While you might never be able to throw down a slam dunk like LeBron James or Blake Griffin, some video games let you scan your face into the game, allowing you to literally be dunking with (or over) your NBA idols. But then, what data laws apply to your face scan? Finger prints, facial scans, and voice recognition are all unique physical characteristics about individuals that also can be categorized as “biometric data.” Because biometric data reflects an individual, it is more sensitive than other forms of data and particular laws govern its collection and use. Anna talks about the different laws that govern biometric data and the penalties associated with compliance violations.

Safe Disposal – 3:25
Jon Frankel & Jake Sommer

News about data breaches seem to emphasize computer hacks, which reveal  personal data such as birthdates, addresses, social security numbers, etc., but often good ol’ fashioned dumpster diving has led to troves of customer data. Whether your company retains physical data files or stores data electronically on hard drives, when it comes time to get rid of data, don’t be lazy, destroy it correctly! Jon discusses what types of data warrant more robust destruction methods, FTC cases brought against companies that fail to adequately destroy data, and best practices for such destruction.

Data Don’t

Fail to Secure the Data – 2:13
Marci Rozen & Jason Wool
Obvious right? Well, we hope so… No matter the type of data, whether it is customer data, internal financial data, or employee data, you should be securing it. Why? Regulators like the FTC and several states require businesses to implement reasonable security measures, and 48 states and 3 territories have some form of data breach notification statute. And that’s just the tip of the iceberg. Marci will discuss the range of regulators that will come knocking should your company experience a breach, and the particular challenges your company may face if its security has not been up to snuff. She also offers why encrypting data has its own set of advantages such as making your company eligible for safe harbors under state data breach statutes.

Collect More Than You Need – 1:24
Alexei Klestoff
“Collect now, find a use later!” Exercise caution with this approach. Many companies roll out products and collect unnecessary data as part of the registration process with the idea that it might come in handy later. In this episode, Alexei lays out the risks a company takes on when they decide to collect more data than what they need. As Alexei says “you can’t lose what you don’t collect.”

Provide Unnecessary Access – 2:44
Jason Wool & Marci Rozen
We might live in the “golden age of information sharing,” but that doesn’t mean your company should provide unfettered access to data around different departments. The sales team probably doesn’t need access to HR files. HR probably doesn’t need access to the sales team’s customer data. Jason and Marci offer a couple different ways companies can grant credentials for access, ensuring a log or trail that can more easily be audited.


About The Authors

Jacob Sommer's practice focuses on legal issues related to Internet-based services and social networking, with a focus on protecting client's rights in litigation or government investigations involving the Copyright Act, Lanham Act, Digital Millennium Copyright Act ("DMCA"), Electronic Communications Privacy Act (“ECPA”), the Wiretap and Communication Acts, CAN-SPAM, FISA and federal and state laws governing Internet gambling. He also helps social networks, search engines, e-mail providers, ISPs and other clients fulfill their compliance obligations pertaining to the discovery and disclosure of customer and subscriber information.

Jon Frankel has been advising clients on privacy, data security, e-commerce, intellectual property and litigation matters for more than 15 years. Jon provides practical advice to mitigate privacy and data security risks and helps clients navigate a myriad of complex data collection, use and sharing cases. Jon advises on health and children’s privacy; email, SMS and telemarketing; mobile applications; user generated content; contests, promotions, and sweepstakes, online gaming; and requests from law enforcement. Prior to joining ZwillGen, Jon was a partner in the Washington, D.C. office of Bingham McCutchen, LLP, where he co-chaired the Privacy and Security Group.

Alexei Klestoff’s practice focuses on representing clients in a variety of privacy, consumer protection, and e-commerce matters through counseling, litigation, responding to FTC and state Attorneys General investigations, and developing compliance programs. Alexei advises clients on methods to mitigate legal risks associated with new products and services, and also represents clients in complex litigation and regulatory investigations involving false advertising, unfair competition, and privacy claims.

Anna Hsia maintains a diverse practice litigating complex business disputes and counseling clients on privacy issues. With broad litigation experience in unfair competition, false advertising, class actions, and other complex litigation, Anna guides clients through disputes in federal and state courts. As a Certified Information Privacy Professional, Anna has assisted clients with product development and compliance with privacy regulations such as the TCPA, HIPAA, COPPA, state-specific privacy regulations, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.

Ken counsels clients on complex issues involving information privacy and data law, online liability, consumer regulatory and gaming law, including regulatory response, and adherence to self-regulatory guidelines for online advertising. Ken has had more than twenty years of experience in high-profile regulatory, in-house and private practice roles, including as Chief of the New York Attorney General’s Internet Bureau. He is one of the nation’s leading authorities on the relationship between emerging advertising technologies and online privacy.

Mason helps clients navigate a constantly shifting web of domestic and international laws regulating data collection, marketing, data sharing, computer crime, data security, electronic surveillance, online content, children’s privacy, financial privacy, information management, and other areas of privacy and Internet law. A former web designer, he has extensive experience with issues relating to digital media, new technology and e-commerce.

Marci counsels companies on a wide variety of issues involving privacy, cybersecurity, and information law. She routinely helps companies evaluate and develop corporate privacy and information security programs, and provides advice on matters involving cross-border data transfers, insider threat prevention and detection, cloud computing, and electronic surveillance. Marci also assist clients in responding to data breaches, including issuing breach notifications required under state and federal breach notification laws, advising on remediation efforts, and handling litigation and enforcement actions arising from data security incidents.

Jason Wool’s practice focuses on cybersecurity, including cyber risk management, incident response, and compliance with global data protection laws, regulations, and standards, including the PCI-DSS. He has advised organizations ranging from small businesses to Fortune 500 companies during complex, privileged computer crime investigations; provided ongoing advice on the development of cybersecurity programs and cybersecurity governance structures; conducted tabletop exercises and other data breach simulations; and assisted clients with large scale audits to determine compliance with complex cybersecurity standards.