Privacy concerns continue to be a major challenge facing the spatial technology industry. Unfortunately, thus far there has been little legal guidance as to what steps a company should take with respect to spatial data that can be attributed to a particular individual. Attorney Kevin Pomfret comments.
Nevertheless, there are a variety of federal laws that govern companies that collect, process and distribute personal data - such as financial records, health records, social security numbers and PIN numbers. These include the Health Insurance Portability and Accountability Act, commonly known as HIPAA (medical records); Gramm-Leach-Bliley Act (GLB, financial records); Fair Credit Reporting Act (pdf) (credit information), and the Childrens Online Privacy Protection Act (information on minors collected over the Internet). In addition, a number of states have enacted legislation protecting an individuals personal data. At this point, none of these laws relates directly to personally identifiable spatial (PIS) data, although spatial companies that use data sets with medical records or financial records, for example, may be subject to applicable laws. However, these laws serve as useful models for a spatial company on what steps it should be taking concerning its collection, usage and distribution of PIS data, as future privacy legislation concerning spatial data will almost certainly follow along similar lines.
Federal Trade Commission
Data Security Plan
The FTCs enforcement actions in this area have primarily focused on the failure of companies to adequately protect personal data from improper use or access once it has been collected. Through its actions and other pronouncements, the FTC has stated clearly that the failure to develop a comprehensive security plan with respect to sensitive data is an unfair trading practice. This concept of a security plan is not new; it is similar to that required under HIPAA for medical records and GLB for financial records. However, it has only recently been applied to all companies that collect personal data. According to the FTC, the plan should be comprehensive and in writing and should be based upon the size of the company and the sensitivity of the data. The FTC does not expect a security plan to prepare for all contingencies; however it should include provisions on the following.
- Risk assessments - The goal is to identify risks and determine how to mitigate those risks. The FTC has made it clear that not every risk has to be identified, only those that are reasonably foreseeable.
- Employee training on information security issues - Employees have frequently proven to be responsible for lost or stolen personal data. A plan should provide that access to PIS data is limited to those employees with a legitimate need, and those with access should be trained on proper security procedures.
- Disposal procedures for PIS data PIS data should not be retained longer than necessary. Although PIS data, unlike financial data for instance, is typically less valuable over time, it is still important for a spatial company to have a regular system in place to delete or dispose of PIS data.
- Requirements for regular monitoring and updating of security plan - Security threats and technology change over time. According to the FTC, a comprehensive security plan should be updated periodically in anticipation of both.
- Plans to report, respond to and manage security incidents - Any data security plan should address what happens if PIS data is lost, stolen or misused. The plan should detail who should be alerted and what steps should be taken to mitigate further damage.
- Policies in hiring third parties - There have been a number of instances where third party contractors have lost or stolen personal data. A comprehensive security program should address due diligence concerning vendors and contractors and also should include required data security provisions in contracts.
- Designated employee(s) responsible for data
security - The FTC has stated that designating a senior level employee
as the person responsible for implementing and maintaining a plan is
the best way to make sure that it is followed.
Although there is little direct guidance as to how spatial companies should deal with PIS data, there is a great deal of precedent with other types of personal data. As a result, spatial companies that collect, process or distribute PIS data should consider keeping current on federal and state laws that concern personal data. In addition, spatial companies that deal directly with consumers should consider developing a Spatial Data Security Program along the lines set out by the FTC for other types of personal data. Such a program may not only be required by the FTC, but it is also good business practice.