Companies should implement and maintain data management procedures
The FTC suggests that the procedures a company puts in place to safeguard consumers' privacy should be practiced throughout the life cycle of the product or service it sells. The draft mentions training employees on consumer privacy policies and promoting awareness of privacy best practices within the company. Risk assessment programs help organizations assess the privacy impact of specific practices, products and services while ensuring that they follow effective procedures to mitigate any risks. The size and scope of the programs should be appropriate to the amount of data, the sensitivity of the data and the related risks; different organizations therefore put different levels of resources into implementing privacy programs. Some requirements are already defined in government and privacy acts (US).
The draft illustrates this principle with an example. In a recent worldwide disclosure, US government information and other sensitive personal data were leaked through P2P (peer-to-peer) file-sharing networks. This information became available because businesses allowed employees to download and use P2P software at the workplace. No security controls were in place and no awareness programs had been run. Businesses that incorporate privacy and data security policies into their business processes mitigate these risks. Typically, once security policies are applied, P2P software is either disallowed or allowed to run on a separate machine where no personal or sensitive data is stored. A similar policy would apply not only to P2P software but to any other software or hardware that employees may install on company machines and which may expose consumers' private data.