How difficult is it for a company to comply with its own data security, or privacy, policy? Evidently, it is difficult, labor intensive and time-consuming; mostly because of the problems translating the words of the policy into detailed computer instructions or code, and the vast amount of code that needs to be checked to ensure it complies with the policy.
Is there a way for a business to protect itself by ensuring that its privacy policy is properly, and consistently, carried out? There might be, and it involves something called Legalease, which actually clears things up rather than makes them more confusing.
The highest profile recent case in which the FTC has alleged that a company deceived the public by failing to live up to the promises made within its own privacy policy, is the FTC v Wyndham Worldwide Corp., et al. We previously wrote about the April 7, 2014 decision of Esther Salas, U.S.D.J., which denied the motion of one of the defendants, Wyndham Hotels and Resorts, LLC (“Hotels and Resorts”), to dismiss the complaint against it. In that decision the court describes the FTC’s deception claim this way, beginning on p.33:
Hotels and Resorts also challenges the FTC’s deception claim (HR’s Mov. Br. at 23). In this claim, the FTC cites the Defendants’ privacy policy disseminated on Hotels and Resorts’ website and alleges that, “in connection with the advertising, marketing, promotion, offering for sale, or sale of hotel services, Defendants have represented, directly or indirectly, expressly or by implication, that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access” but that “Defendants did not implement reasonable and appropriate measures to protect personal information against unauthorized access.” (Compl. paragraphs 21, 44-45). Accordingly, the FTC alleges that Defendants’ representations “are false or misleading and constitute deceptive acts or practices” under Section 5(a) of the FTC Act. (Id. paragraph 46).
Hotels and Resorts’ privacy policy seems innocuous, though it does sound suspiciously like the FTC’s “Reasonable Precautions” cybersecurity standard that Wyndham complained so loudly about in the same case. The privacy policy says the company will comply with certain amorphous standards without defining what those standards specifically require. According to the court, beginning on p. 37 of its decision:
The statement from Hotels and Resorts’ website, represents, in part, that “[w]e safeguard our Customers’ personally identifiable information using industry standard practices” and make “commercially reasonable efforts” to collect personally identifiable information “consistent with all applicable laws and regulations” and, among other things, that “[w]e take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy.” (Id.).
The way Hotels and Resorts allegedly violated its own guidelines seems straightforward. According to the court, beginning on p.37 of the decision:
The FTC also alleges that Defendants “failed to adequately inventory computers connected to Hotels and Resorts’ network so that Defendants could appropriately manage the devices on its network,” “failed to employ reasonable measures to detect and prevent unauthorized access to Defendants’ computer network or to conduct security investigations,” and “failed to follow proper incident response procedures, including failing to monitor Hotels and Resorts’ computer network for malware used in a previous intrusion.”
The problem is that the privacy policy and the allegations are written in legal language, not computer code. They are written by attorneys, who like to leave room for interpretation, yet they have to be turned by programmers into specific instructions for computers to follow, that is, into computer code.
Believe it or not, lawyers and computer programmers do not always speak the same language. What, after all, is the meaning of “using industry standard practices;” and “commercially reasonable efforts,” as used in Hotels and Resorts’ privacy policy, and how do you turn them into specific instructions for a computer to follow? Do they really require, as the FTC contends, that Hotels and Resorts must “adequately inventory computers connected to Hotels and Resorts’ network,” so that they can “appropriately manage the devices on its network…”; and “employ reasonable measures to detect and prevent unauthorized access to Defendants’ computer network or to conduct security investigations”? Even if that is what the privacy policy requires, what exactly are “reasonable measures to detect and prevent unauthorized access to Defendants’ computer network;” what is a proper “security investigation;” and what does it mean to “appropriately manage the devices on its network,” as the FTC uses the terms?
With all of the room for interpretation, between lawyers who are used to dealing with ambiguities and programmers used to dealing in specifics, someone has to ensure the computer instructions properly implement the privacy policy. Until now, most have been checked manually. This means that many violations are missed because of the potentially tens of millions of lines of code that have to be checked.
Now researchers at Carnegie Mellon University and Microsoft Research have come up with a way to more accurately translate privacy policies into computer code and to check the code to ensure it complies with the policies.
The researchers developed a new computer programming language, Legalease, written specifically for lawyers and privacy advocates. It follows the basic structure of privacy policies and laws: allow and deny, with exceptions. Since lawyers generally write in much the same way, it should be easy to express privacy policies and privacy statutes in it. The researchers tested 12 Microsoft employees: each was given a one-page document that described Legalease, studied it on average for less than 5 minutes, and was then able to encode nine privacy policy clauses from Microsoft’s search engine, Bing, with a high degree of accuracy, in an average of under 15 minutes. By combining Legalease with a data inventory tool named Grok, which checks existing programs for compliance, the researchers showed that just 5 people in a day could run a compliance check on millions of lines of code.
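To make the “allow and deny, with exceptions” structure concrete, here is an added example (not code from the article or from the Legalease paper) that models a policy as nested clauses and checks it against a constructed data inventory of the kind a tool like Grok would produce. The clause fields, the policy, the data types, purposes and code sites are all assumptions made for illustration, not Legalease syntax.

```python
# Added example (not the article's or the Legalease paper's code): a model of a
# policy as nested ALLOW/DENY clauses with exceptions, checked against a data
# inventory. Clause fields, policy and flow records are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Clause:
    effect: str                          # "ALLOW" or "DENY"
    datatypes: frozenset = frozenset()   # data covered; empty means any
    purposes: frozenset = frozenset()    # purposes covered; empty means any
    exceptions: List["Clause"] = field(default_factory=list)

    def matches(self, flow: Dict[str, str]) -> bool:
        return ((not self.datatypes or flow["datatype"] in self.datatypes)
                and (not self.purposes or flow["purpose"] in self.purposes))

    def decide(self, flow: Dict[str, str]) -> Optional[str]:
        """Innermost matching exception wins; None if the clause is silent."""
        if not self.matches(flow):
            return None
        for exc in self.exceptions:
            verdict = exc.decide(flow)
            if verdict is not None:
                return verdict
        return self.effect

def violations(policy: List[Clause], flows: List[Dict[str, str]]) -> List[str]:
    """Code sites whose flow some top-level clause denies; flows that no
    clause mentions are not violations."""
    return [f["site"] for f in flows
            if any(c.decide(f) == "DENY" for c in policy)]

# Constructed policy: personal data is only used for security work, except
# that full customer records may not even be used for fraud review.
POLICY = [Clause("DENY", frozenset({"IPAddress", "CustomerRecord"}), exceptions=[
    Clause("ALLOW", purposes=frozenset({"Security", "FraudReview"}), exceptions=[
        Clause("DENY", frozenset({"CustomerRecord"}), frozenset({"FraudReview"}))])])]

# Constructed inventory: which code site uses which data, for what purpose.
FLOWS = [
    {"site": "fw/log.py", "datatype": "IPAddress", "purpose": "Security"},
    {"site": "ads/target.py", "datatype": "IPAddress", "purpose": "Advertising"},
    {"site": "risk/review.py", "datatype": "CustomerRecord", "purpose": "FraudReview"},
    {"site": "search/rank.py", "datatype": "SearchQuery", "purpose": "Advertising"},
]
```

Running `violations(POLICY, FLOWS)` flags the advertising use of IP addresses and the fraud-review use of customer records, while the security use of IP addresses and the unmentioned search-query flow pass.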
Knowing how to accurately translate a privacy policy into computer code, and through automation, to ensure the code complies with the policy, is a good start. You still need to know what the words mean with some degree of certainty. As we’ve previously written, having a more precise definition of the “Reasonable Precautions” the FTC wants businesses to take to protect their customers’ private digital information, might be a good place to start.
Then again, maybe you should think twice before making the same promise in your privacy policy. Voluntarily mimicking an ambiguous standard makes it difficult to complain that you don’t know what the standard means because it’s ambiguous; just ask Wyndham. It’s just a thought.
Thank you
Ray Grasing