With budgets being slashed and reductions in work force the norm, a company might be tempted to reduce its security budget or lay off privacy staff. This might end up costing the company a lot more than the savings it hoped to reap from such cuts.
Companies have a legal obligation to ensure the confidentiality, integrity and availability of the personal information that they create, receive, maintain, store or transmit. Companies are responsible for the protection of personal data entrusted to them.
Companies and their officers, as custodians of the company’s assets, have a continuing duty of care and must ensure that the company’s information assets are adequately protected and handled in compliance with applicable laws.
While it may be tempting, in a down economy, to cut expenses that are essential for the protection of personal information, laying off security staff or reducing security initiatives may put the personal data in the custody of the company at risk and may also expose the company to compliance risk and public relations risk. The company may also be tempted to dispose of data in order to save physical storage space; any such disposal should be done in compliance with the data disposal regulations.
Further, companies should be careful not to let their personal data management practices make them the target of potential lawsuits, which a competitor might attempt in order to exploit the errors made and gain a competitive advantage.
Also, beware of the creativity of marketing departments, which may be tempted to come up with marketing campaigns that may violate applicable personal data laws, since exploiting and mining personal information databases may be prohibited.
Troubled companies are often an easy target for a sale or takeover. Due diligence in order to determine the value of the personal information, restrictions as to transfer and compliance with applicable laws should be undertaken to ensure the feasibility and worth of such a transaction. Keep in mind that bankruptcy laws might also come into play.
It might also be that the company’s database is being held hostage by a third-party subcontractor. Keep in mind that the company remains responsible for the data entrusted to a third party. A proper service agreement should address these issues.
Finally, and not least, laid off employees may retaliate with such actions as the theft of data, the modification or destruction of data, or even the introduction of viruses or malware in the company’s systems.
In conclusion, difficult decisions must be made and the company needs to identify priorities in light of the legal background in order to focus its activities on what will make financial sense.
Alain D. Bourassa is a lawyer and a registered patent and trademark agent with over a decade of experience drafting, prosecuting, and litigating patents and trademarks. Fluently bilingual, Alain specializes in all aspects of intellectual property law with extensive expertise in the international coordination of patent and trademark registration and prosecution. Alain is a frequent speaker and writer on intellectual property.
This article was originally published in the October edition of the Perlaw Reporter.