Privacy Policies and Disclosures – What’s the Big Deal?

Dealing with privacy and cyber risks can be daunting, but it does not have to be; it’s just a matter of re-framing the conversation to reflect the fact that your web site, mobile app and digital footprint are an extension of your organization’s real estate. You would not consider entering into a real estate or branding transaction without the proper legal and insurance guidance; the same emphasis needs to be placed on the necessary and appropriate digital disclosures.

Why? Any organization that collects data or information through its website or mobile application (that is, every single company) should have an external-facing policy that describes its privacy and security practices (which should follow the law). Too many organizations fail to do this, and the negative results speak for themselves.

Start with a recent Federal Trade Commission (FTC) enforcement action brought in conjunction with the NJ Attorney General. TV maker Vizio has to pay $2.2 million for failing to disclose to users the information that the company collected. Or take membership reward service Upromise having to pay a $500,000 civil penalty to settle allegations regarding disclosures about its data collection practices.

These are not anomalies. They are the fifth and sixth FTC actions on privacy policies and secure application practices since December 1, 2016. For the NJ Attorney General, the Vizio settlement is the fourth action in the past 2 years that it has brought for failing to disclose data, privacy and security practices in violation of NJ’s Consumer Fraud Act.

Given the potential cost of a violation, small and middle-market businesses need to be concerned, as these violations and subsequent penalties generally fall outside the scope of insurance coverage.

This is so important that we have been discussing how to best express this concern. We felt this introductory post might be useful.

The easiest way to get the process of analysis and risk management started is through the examination of an organization’s website and mobile application privacy policies and security practices.

For a quick understanding of whether these issues apply to your organization, contact either of us for a complimentary initial consultation.


By Khizar A. Sheikh, Esq. and James Venezia

Khizar A. Sheikh, Esq. is a Member of Mandelbaum Salsburg, P.C., and chairs its privacy and cybersecurity law group.

James Venezia is an Insurance Professional with Phoenix Insurance Group, Inc.