The question of the privacy rights of consumers is an increasingly important topic. In the following guest post, Bill Boeck, Senior Vice President, Insurance & Claims Counsel for Lockton Financial Services, takes a look at recent actions the Federal Trade Commission has taken to protect consumers’ privacy rights and to enforce companies’ privacy policies.
I would like to thank Bill for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you are interested in submitting a guest post. Here is Bill’s post:
Companies doing business on the Internet typically have privacy policies explaining how the company will collect and use consumers’ personal information. Various state and federal laws require them. Those privacy policies often contain language to the effect that the company will not give the information to any third party without the consumer’s consent.
The FTC views violations of privacy policies as deceptive trade practices which are prohibited by the FTC Act. The FTC frequently brings enforcement actions against companies for such violations.
[T]he personally identifiable data you submit to ConnectEDU is not made available or distributed to third parties, except with your express consent and at your direction. In particular, the Company will not give, sell or provide access to your personal information to any company, individual or organization for its use in marketing or commercial solicitation or for any other purpose, except as is necessary for the operation of this site.
The policy allows information to be disclosed when the company or its assets are sold, but consumers must be given notice and an opportunity to remove their information.
The FTC states that their concerns would be diminished if ConnectEDU notified individuals that their information was being sold and gave them the opportunity to have the information removed. The FTC would also be satisfied if the information was simply destroyed. (The FTC identified a third option that would apply only in the bankruptcy context.)
The FTC isn’t the only thing companies need to worry about, though. It isn’t hard to imagine that individuals and their lawyers will bring class action suits for alleged misrepresentations in privacy policies. Such actions are being brought against companies now.
So what should companies do?
If a company faces a claim from the FTC or private plaintiffs, it should have the consolation of its insurers’ support. Such a claim should be covered under most good cyber policies. Companies should consider whether their existing policy limits and any applicable sublimits are adequate, though. Buying and selling companies should also consider Representations and Warranties Insurance policies to cover any resulting losses.
D&O policies should cover any shareholder claims for breach of fiduciary duty by a company’s directors and officers.