Which Laws Require Proper Security Controls for Handling Privacy Data?

Asking which laws require proper security controls for handling privacy data is a trick question. As a general rule, you should consider that all laws in some way require controls over the handling of data. They may vary, though, in their requirements and specific obligations. Well-written policies, rather than focusing on one law, will tend to satisfy regulatory requirements by fostering sound security practices across the enterprise. You should also always remember that you have both a legal and an ethical responsibility to your customers. And you have an obligation to shareholders to protect the company. Protecting the company includes protecting customers’ personal information, even when a law doesn’t explicitly call for privacy controls.

As a practical matter, a breach of customer information could leave a company facing a long and costly lawsuit. Consequently, it’s simply good business to protect customers’ personal information. Security policies should reflect this thinking—for example, a need-to-know policy, which would limit access to data to just those employees who require the information to perform their jobs. This is a simple security principle that shows customers you protect their interest.

A good rule of thumb is that whenever your organization handles personal information, you should be sure your security policies and controls protect privacy. If the company is not currently obligated to follow a privacy law or regulation, there’s a good chance that at some point it will be, whether at a state or federal level. Over time, it’s far less expensive and easier to implement core privacy principles, such as those in Table 3-1, than to implement specific controls to keep pace with each changing law. One can also argue it’s simply the right thing to do.

The only conflict comes when an organization wants to use the information beyond the scope of these core principles. At that point, management should determine whether using the information violates current law. Another key consideration is whether the use of the data violates the trust agreement with the customer. This includes both the privacy notice given to the customer and the organization’s core values. If the law allows, and customer trust is deemed not at risk, then a determination can be made to either change the core principles or make an exception. This pushback from business to use information beyond the core principles is healthy. It results in a candid conversation with the business about current regulations and the values the organization wants to embrace. The approach results in better understanding of the law, greater awareness of core organizational values, and a stronger foundation of controls.

TIP

An organization’s privacy or compliance officer is a good source for determining what should be in security policies to meet regulatory requirements.
