Privacy concerns continue to be a major challenge facing the spatial technology industry. Unfortunately, thus far there has been little legal guidance as to what steps a company should take with respect to spatial data that can be attributed to a particular individual. The Wireless Communications and Public Safety Act of 1999 restricts a telecommunication carrier’s authority to access, use or disclose certain wireless location information "without the express prior authorization of the customer." However, there is a good deal of confusion and misunderstanding concerning the exact requirements and applicability of the act. Another piece of legislation, the Location Privacy Protection Act, introduced by then-Senator John Edwards in 2001 died in committee.

Nevertheless, there are a variety of federal laws that govern companies that collect, process and distribute personal data - such as financial records, health records, social security numbers and PIN numbers. These include the Health Insurance Portability and Accountability Act, commonly known as HIPAA (medical records); Gramm-Leach-Bliley Act (GLB, financial records); Fair Credit Reporting Act (pdf) (credit information), and the Children’s Online Privacy Protection Act (information on minors collected over the Internet). In addition, a number of states have enacted legislation protecting an individual’s personal data. At this point, none of these laws relates directly to personally identifiable spatial (PIS) data, although spatial companies that use data sets with medical records or financial records, for example, may be subject to applicable laws. However, these laws serve as useful models for a spatial company on what steps it should be taking concerning its collection, usage and distribution of PIS data, as future privacy legislation concerning spatial data will almost certainly follow along similar lines.

Federal Trade Commission
In fact, spatial companies that deal directly with consumers may already be subject to regulation by the Federal Trade Commission (FTC). One of the FTC’s primary missions is consumer protection. Section 5 of the Federal Trade Commission Act grants the FTC broad enforcement authority to protect consumers from unfair trade practices. For a number of years, the FTC has used this enforcement authority to ensure that companies complied with the privacy statements they made (i.e. on their web sites) with respect to protecting a consumer’s personal data. However, more recently the FTC has expanded its enforcement actions to include companies that have lost or had stolen consumer’s personal data, even if they did not have a stated privacy policy. Enforcement actions have included fines and other civil penalties. Specifically, the FTC has found that the failure to adequately protect personal data is an unfair trade practice, irrespective of whether a company has a privacy policy. While it has not specifically stated that PIS data is personal data subject to its authority, given the FTC’s broad and expanding enforcement authority, spatial companies with PIS data should consider following its rulings and actions.

Data Security Plan
The FTC’s enforcement actions in this area have primarily focused on the failure of companies to adequately protect personal data from improper use or access once it has been collected. Through its actions and other pronouncements, the FTC has stated clearly that the failure to develop a comprehensive security plan with respect to sensitive data is an unfair trading practice. This concept of a security plan is not new; it is similar to that required under HIPAA for medical records and GLB for financial records. However, it has only recently been applied to all companies that collect personal data. According to the FTC, the plan should be comprehensive and in writing and should be based upon the size of the company and the sensitivity of the data. The FTC does not expect a security plan to prepare for all contingencies; however it should include provisions on the following.

• Risk assessments - The goal is to identify risks and determine how to mitigate those risks. The FTC has made it clear that not every risk has to be identified, only those that are reasonably foreseeable.
• Employee training on information security issues - Employees have frequently proven to be responsible for lost or stolen personal data. A plan should provide that access to PIS data is limited to those employees with a legitimate need, and those with access should be trained on proper security procedures.
• Disposal procedures for PIS data – PIS data should not be retained longer than necessary. Although PIS data, unlike financial data for instance, is typically less valuable over time, it is still important for a spatial company to have a regular system in place to delete or dispose of PIS data.
• Requirements for regular monitoring and updating of security plan - Security threats and technology change over time. According to the FTC, a comprehensive security plan should be updated periodically in anticipation of both.
• Plans to report, respond to and manage security incidents - Any data security plan should address what happens if PIS data is lost, stolen or misused. The plan should detail who should be alerted and what steps should be taken to mitigate further damage.
• Policies in hiring third parties - There have been a number of instances where third party contractors have lost or stolen personal data. A comprehensive security program should address due diligence concerning vendors and contractors and also should include required data security provisions in contracts.
• Designated employee(s) responsible for data security - The FTC has stated that designating a senior level employee as the person responsible for implementing and maintaining a plan is the best way to make sure that it is followed.