This year’s IAPP Global Privacy Summit was very informative on a number of fronts, including the helpful insight provided by officials at the Federal Trade Commission (FTC) on a range of topics. A good summary of some of their comments can be found here, which includes concerns they expressed about the Consumer Privacy Bill of Rights released by the White House during the last week in February. One example of good practical guidance was offered by Jessica Rich, Director, Bureau of Consumer Protection, relating to how companies go about creating written information security programs (WISPs). She said, “No checklists.”
We did not understand Ms. Rich to be suggesting businesses not use checklists as a tool in building a WISP. Of course, well-crafted checklists can be enormously helpful for companies, particularly small and mid-sized companies, to learn about best practices and to ensure they have met the applicable compliance requirements. This is true regardless of the topic of compliance or the industry. For example, when a health care provider or one of its business associates is trying to grasp the different administrative, physical and technical standards under the HIPAA Security Rule, a checklist could be very useful in helping to understand the scope of the project and for organizing an efficient compliance effort. Similarly, when creating a data breach response plan, there are a number of legal and practical steps that need to be taken, and a checklist can help to organize those steps.
We believe Ms. Rich was emphasizing that each business must understand its particular circumstances when developing a WISP, and not rely solely on a checklist. More specifically, we understood her to be calling for businesses to dig deeper and assess their particular risks, vulnerabilities, resources, needs and other circumstances in order to move toward compliance and appropriately mitigate the risks and vulnerabilities identified. That process can be aided by one or more checklists, but it has to be informed by the circumstances actually facing the company, and it has to be ongoing. That is, completing the checklist completes neither the WISP nor the work a business needs to be doing to ensure its WISP remains appropriate for its business at any given time.
Comprehensive federal privacy legislation seems to be moving more vigorously than it has in recent years. What form it will take, if any, and what role the FTC will play is unclear at this point. What is clear is that companies in all industries have to use their best efforts to maintain the privacy and security of personal and other important data. This requires a comprehensive and deep understanding of the business, its practices, its customers, its products and services, its employees, its resources, its legal and regulatory environment, and how those factors shape its overall information risk. Checklists can help gather and analyze this information and implement solutions, but they are no substitute for understanding the business’s risks and being able to address those risks now and in the future.