EXPERT VIEWS

RFID Vendors Need a Privacy Strategy

By Kirk J. Nahra and John W. Kuzin

Learn From Mistakes
Businesses also need to follow up on mistakes. From both an enforcement standpoint and a risk-management perspective, end-user customers need to be apprised of areas where mistakes or complaints have been made—and they must make sure a plan is in place to modify behavior to address problems promptly. RFID solutions providers can also demonstrate that they learn from others' mistakes by monitoring the external privacy and security marketplace. Did a potential customer suffer a security breach? Were Social Security numbers disclosed in a situation where their use was not necessary? What precautions can be taken in order to limit the occurrence of similar problems?

It should be no surprise that the surest path to strict enforcement action and severe penalties is to know of a problem but take no responsive action (or to be the second company facing a particular problem that has an easy fix).

RFID solutions providers must be aware of these problems and demonstrate agility in addressing them. These providers also would be well served to suggest a security-breach notification plan that their end-user customers should adopt. Two important elements of such a plan (which should be in place before a breach occurs) are a mitigation procedure, and a speedy and reliable means to determine whether notification should be carried out and, if so, how.

Monitor Privacy Laws
RFID solutions providers need to keep apprised of the scope of the privacy and security laws that can affect their business. The current patchwork of statutes and regulations prescribes varying rules on the privacy of credit reports, medical data, phone records and video store rentals, to name a few. Government agencies and other end-user customers are now including privacy and security requirements in their business contracts. Moreover, the breadth and depth of topics covered (from financial records to health care to employee privacy) is expanding. Thus, RFID solutions providers looking to do business with customers subject to specific laws (such as those in the financial and medical fields) will need to adjust their privacy and security practices accordingly. Customer-specific plans may be necessary.

Privacy legislation is still a hot topic for both state and federal legislators. In certain instances, RFID solutions providers may want to influence pending legislation that could impact their business.

Given the current legal landscape, RFID providers should maintain their privacy and security compliance strategy as a "living document" that is updated in accordance with new laws and lessons learned. Such a strategy will be critical to landing that all-important first customer sale. In addition, savvy RFID providers will use timely updates to their compliance strategy as a means of maintaining ongoing contact with customers, realizing that such contacts often lead to follow-up sales. An effective compliance strategy is one that balances legal requirements with successful business approaches.

Kirk J. Nahra and John W. Kuzin are attorneys at Wiley Rein & Fielding, in Washington, D.C. Nahra is a partner and chair of the firm's privacy practice; Kuzin is a communications and privacy attorney who specializes in RFID technology.