How difficult is it for a company to comply with its own data security or privacy policy? Evidently it is difficult, labor-intensive and time-consuming, mostly because of two problems: translating the words of the policy into detailed computer instructions or code, and checking the vast amount of code that handles the data to ensure it actually complies with the policy.
The statement from Hotels and Resorts’ website represents, in part, that “[w]e safeguard our Customers’ personally identifiable information using industry standard practices” and make “commercially reasonable efforts” to collect personally identifiable information “consistent with all applicable laws and regulations” and, among other things, that “[w]e take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy.” (Id.).
The way Hotels and Resorts allegedly violated its own guidelines seems straightforward. According to the court, beginning on p. 37 of the decision:
The FTC also alleges that Defendants “failed to adequately inventory computers connected to Hotels and Resorts’ network so that Defendants could appropriately manage the devices on its network,” “failed to employ reasonable measures to detect and prevent unauthorized access to Defendants’ computer network or to conduct security investigations,” and “failed to follow proper incident response procedures, including failing to monitor Hotels and Resorts’ computer network for malware used in a previous intrusion.”
Now researchers at Carnegie Mellon University and Microsoft Research have come up with a way to translate privacy policies into computer code more accurately and to check that code to ensure it complies with the policies.
Thank you.