Cyber threats come from many sources, each looking to obtain personal information for benefit or exploitation. As intrusions become increasingly sophisticated, more regulatory and internal safeguards are needed in response.
Internet privacy is a subset of the larger world of data privacy that covers the collection, use, and secure storage of PI generally. Internet privacy is concerned primarily with how PI is exposed over the Web, through tracking, data collection, data sharing, and cybersecurity threats.
A Pew Research Institute study found that controlling PI online is “very important” to 74% of Americans. According to another Pew study, 86% of Americans have taken action to maintain their privacy — deleting cookies, encrypting email, and protecting their IP address.
Digital footprints are everywhere. Every time you visit a website, enter your credit or debit card information, sign up for an account, give out your email, fill out online forms, post on social media, or store images or documents in cloud storage, you are releasing personal information into cyberspace. Just who, other than the intended recipient, will receive or have access to the information you provided? Will it be shared with other parties? Your personal information may be shared in ways you don’t expect or are unaware of. Your information may be at some risk because even the best information security programs are not 100% guaranteed.
Internet Privacy Laws
The potential for breaches of online privacy has grown significantly over the years. There is no single law regulating online privacy. Instead, a patchwork of federal and state laws apply. Some key federal laws affecting online privacy include:
The Federal Trade Commission Act (FTC) – regulates unfair or deceptive commercial practices. The FTC is the primary federal regulator in the privacy area and brings enforcement actions against companies. This includes failing to comply with posted privacy policies and failing to adequately protect personal information.
Electronic Communications Privacy Act (ECPA) – protects certain wire, oral, and electronic communications from unauthorized interception, access, use, and disclosure.
Computer Fraud & Abuse Act (CFAA) – makes unlawful certain computer-related activities involving the unauthorized access of a computer to obtain certain information, defraud or obtain anything of value, transmit harmful items, or traffic in computer passwords. The law has been amended six times.
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) – governs sending unsolicited commercial email and prohibits misleading header information and deceptive subject lines. It also requires senders to disclose certain information and include a valid opt-out mechanism, and it creates civil and criminal penalties for violations.
Financial Services Modernization Act (GLBA) – regulates the collection, use, and disclosure of personal information collected or held by financial institutions and requires customer notices and a written information security program.
Fair and Accurate Credit Transactions Act (FACTA) – requires financial institutions and creditors to maintain written identity theft prevention programs.
Many states have also adopted laws affecting online privacy, for example, consumer protection statutes, laws that protect certain categories of personal information, information security laws, and data breach notification laws. In addition to complying with these laws and implementing robust information security programs, there are steps organizations can take to help mitigate cybersecurity threats. A combination of government regulations and responsible individual practices can only thwart potential cyber threats, not eliminate them. Your compliance & legal area can do its part by implementing comprehensive threat analysis and response measures.