[BreachExchange] 12 Questions Retailers Should Ask to Avoid Ghosts of Privacy Breaches Past

Destry Winant destry at riskbasedsecurity.com
Thu Oct 18 10:57:20 EDT 2018


As retailers head into the holiday shopping season, the ghosts of
privacy breaches past may come to mind just as easily as the 12 days
of Christmas carol! From Target to Michael’s to Neiman Marcus,
retailers remember these headlines well. Given the challenges
presented by a thorny regulatory and litigation landscape and recent
privacy and data security crises, data privacy concerns have become a
board-level issue. Here are 12 key privacy questions to ask your
business teams so that the ghosts of privacy breaches past don’t
become the ghosts of privacy breaches present.

1. What jurisdictions do you do business in and what jurisdictions are
you targeting? Are you marketing globally?
2. Where are you collecting and storing your data? Specifically, are
you storing any data in the European Union (EU), APEC, Canada,
California and/or Vermont?
4. Do you use digital marketing (e.g., targeted ads)?
5. How are you managing privacy? Do you have written privacy policies
and procedures? Do you have both website and employee policies? Do you
have a chief privacy officer or privacy leader/task force?
6. Have you conducted a risk assessment and, if so, what are you doing
to mitigate risks?
7. Have you implemented a privacy and data security impact assessment
process, particularly for any new products that may implicate
privacy/security concerns?
8. Do you have sufficient data security safeguards in place, such as
an incident response plan and/or an auditing mechanism?
9. Do you have a vendor management program?
10. Do you use artificial intelligence (AI), Internet of Things (IoT)
or machine learning in your business?
11. Do you collect biometric, medical or health/wellness/fitness data?
Do you have an incident response plan and other security governance policies?
12. Have you conducted a recent tabletop exercise to prepare to
respond to an incident?

By answering these questions, you will have a better sense of your
privacy and data security risks. The next step is ensuring that you
are aware of privacy and data security legal developments as it is a
complex, fast-evolving field.

In May 2018, the General Data Protection Regulation (GDPR) went into
effect in the EU, ushering in a new, sweeping privacy and data
security law framework that affects not only businesses located in the
EU, but also companies that offer goods and services to EU residents
or monitor their behavior. Then, in June 2018, the California Consumer
Privacy Act was passed—a landmark law that, like the GDPR, will impose
far-reaching requirements on businesses to protect consumers’ personal

Other notable developments this year include Vermont passing a data
broker law in May, Chicago introducing a data protection ordinance in
June, Japan and the EU agreeing on a reciprocal finding of adequacy in
July, and China enacting its Cybersecurity Law last year. These recent
global developments have underscored the need for retailers engaging
in digital marketing, e-commerce as well as in-store promotions to
develop a topline privacy compliance strategy. To do so, you must
first determine the applicable jurisdictions and then develop privacy
and data security practices that comply with the jurisdictional
requirements. A comprehensive review of your business practices in
collecting, using and sharing personal data, as measured against the
applicable regulations, is critical in avoiding legal pitfalls and
enforcement actions.
