Data Security

Podcast: Data Do, Data Don’t

Published: Aug. 16, 2017

Updated: Oct. 05, 2020

Most websites and apps collect information from its users. But are you doing it in a legally-compliant way? We won’t be taking over any New Year’s countdowns, but listen to our radio-ready voices as we describe some best practices on handling user data.

Data Do

Take Stock – 3:47
Jake Sommer & Jon Frankel
It isn’t a legal requirement that you take stock of your data, but you can save yourself time and heartache later if you know what you have stored and what you collect. Jake poses a puzzle – “imagine one of your customers has hacked you and you want to know everything you have about that customer. What data have you collected about them and where is it stored?” By taking stock of your data you’ll be able to better describe your practices to others and avoid making misrepresentations.

Provide Notice and Choice – 4:27
Ken Dreifach & Mason Weisz
An increasing amount of information based on where we go, what we do, and what we browse online, is used and linked by companies to market to us in more relevant ways. Yet as these technologies grow more sophisticated, certain traditional privacy “first principles” continue to apply. Notice and Choice is a keystone principle of privacy rights – sometimes expressed in laws and sometimes as a “best practice.” Ken offers a high level view of the importance of accurately describing privacy and data collection practices and providing ways for users to opt out, while also discussing the rules of “self-regulatory” groups like the DAI and NAI.

Understand Biometric Data Laws – 2:44
Anna Hsia 

While you might never be able to throw down a slam dunk like LeBron James or Blake Griffin, some video games let you scan your face into the game, allowing you to literally be dunking with (or over) your NBA idols. But then, what data laws apply to your face scan? Finger prints, facial scans, and voice recognition are all unique physical characteristics about individuals that also can be categorized as “biometric data.” Because biometric data reflects an individual, it is more sensitive than other forms of data and particular laws govern its collection and use. Anna talks about the different laws that govern biometric data and the penalties associated with compliance violations.

Safe Disposal – 3:25
Jon Frankel & Jake Sommer

News about data breaches seem to emphasize computer hacks, which reveal  personal data such as birthdates, addresses, social security numbers, etc., but often good ol’ fashioned dumpster diving has led to troves of customer data. Whether your company retains physical data files or stores data electronically on hard drives, when it comes time to get rid of data, don’t be lazy, destroy it correctly! Jon discusses what types of data warrant more robust destruction methods, FTC cases brought against companies that fail to adequately destroy data, and best practices for such destruction.

Data Don’t

Fail to Secure the Data – 2:13
Marci Rozen & Jason Wool
Obvious right? Well, we hope so… No matter the type of data, whether it is customer data, internal financial data, or employee data, you should be securing it. Why? Regulators like the FTC and several states require businesses to implement reasonable security measures, and 48 states and 3 territories have some form of data breach notification statute. And that’s just the tip of the iceberg. Marci will discuss the range of regulators that will come knocking should your company experience a breach, and the particular challenges your company may face if its security has not been up to snuff. She also offers why encrypting data has its own set of advantages such as making your company eligible for safe harbors under state data breach statutes.

Collect More Than You Need – 1:24
Alexei Klestoff
“Collect now, find a use later!” Exercise caution with this approach. Many companies roll out products and collect unnecessary data as part of the registration process with the idea that it might come in handy later. In this episode, Alexei lays out the risks a company takes on when they decide to collect more data than what they need. As Alexei says “you can’t lose what you don’t collect.”

Provide Unnecessary Access – 2:44
Jason Wool & Marci Rozen
We might live in the “golden age of information sharing,” but that doesn’t mean your company should provide unfettered access to data around different departments. The sales team probably doesn’t need access to HR files. HR probably doesn’t need access to the sales team’s customer data. Jason and Marci offer a couple different ways companies can grant credentials for access, ensuring a log or trail that can more easily be audited.