Your Guides to Data Protection and Compliance

The experts agree on the best practices for protecting private, personal information and achieving compliance with privacy laws. Here they are:


  • A comprehensive, written information security program (WISP);


  • A person dedicated to overseeing information security, or a Privacy Officer; and


  • Employee training and information security awareness.


Here is the proof. Take a look at the following documents (agreements, consent orders, or judgments) relating to legal enforcement of privacy and data security standards by the Federal Trade Commission. These are the final results of the FTC’s investigation and settlement of some of the largest data security incidents in the country. These are the documents that outline the mandate from the FTC on what the best practices (or required practices) are for companies that take in personal information.


You will notice that each of these FTC legal conclusions outlines the same plan for the companies. Whether the company is an internet phenom like Twitter, a self-professed information security defender such as LifeLock, retailers like the TJ Maxx entities, or even health care organizations like Rite-Aid, the clear push from the Federal Trade Commission is for the adoption of these three elements:



Life Lock:


Rite Aid:



The Comprehensive Written Information Security Program

The company shall “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards…”


The “Privacy Officer”

The program must include “the designation of an employee or employees to coordinate and be accountable for the information security program.”


Employee Information Security Awareness Training

“At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management …”


This does not mean that adoption of these three elements will guarantee complete data protection or satisfy each administration or regulator. But there is no doubt that these items are the core elements that are identified and often required by the legal enforcement entities.



Google: An example of how to use these elements

The search engine giant used these principles to avert further federal investigation. Here is how:

The FTC recently investigated Google for the unauthorized collection of information by its “Street View” application. While many citizens were outraged at the invasion of privacy, the FTC eventually decided not to pursue the matter further with Google.


Here is the letter from the FTC to the attorneys for Google. The letter confirms that the FTC is closing its investigation due in large part to the actions already taken by Google to address the data protection concerns. What were those actions? Identifying a “Privacy Officer” and providing additional employee training for information security awareness across the entire organization.



All companies can take a lesson from the FTC’s interaction with these companies. In short, the best practices for data protection and compliance are not necessarily complicated or expensive. Call or email us to find out how Redpoint can help you with compliance and data protection.