On the Grid: Data and Privacy Protection Act
In a presentation by Ward and Smith attorney Angela Doughty, In-House Counsel Seminar attendees received an overview on a variety of topics relevant to privacy and data security, including current state regulations, the potential federal American Data Privacy and Protection Act, and business-oriented solutions for counseling in our uncertain U.S. privacy landscape.
Doughty is a Certified Information Privacy Professional and a North Carolina State Bar Board Specialist in Trademark Law. As the Director of Legal Innovation for Ward and Smith, she routinely counsels and assists clients with identifying, protecting, and managing their U.S. and International Intellectual Property rights.
“Most of us probably get an email about privacy every day, to the point where if you’re like me and you have to read one more data privacy blog, you’re going to throw your computer out the window,” laughed Doughty.
A possible reason behind the inundation of information pertaining to data privacy could be that the teeth of these privacy and data security regulations have only recently gained the attention of business leaders and owners. “These business folks are looking at us, as legal counsel, to craft solutions around and mitigate the problems created by these complex and uncertain regulations,” noted Doughty.
Whether federally regulated or not, American businesses have traditionally collected vast amounts of data. “This data now poses significant risks for businesses and the business teams we counsel on a day-to-day basis,” Doughty commented.
Safeguarding the data presents a substantial cost. Additionally, Doughty explained that: “The developing grid of overlapping privacy regulations poses a significant cost for businesses in terms of resources, potential penalties, technology upgrades … this touches everything, and no one appears to be exempt from dealing with these requirements.”
Currently, the states are enacting a variety of different rules, creating a patchwork of regulations. In many instances, it is difficult for a business to understand which rules to follow and how to make that happen.
“The American Data Privacy and Protection Act might have been a saving grace for both consumers to be able to manage their expectations and for businesses to be able to offer compliance and protection to those consumers,” said Doughty. “But unfortunately, it doesn’t look like we’re going that way in the short term.”
Lack of a Federal Regulatory Framework
The patchwork of regulations has brought gridlock to the privacy and data security landscape. Some of the issues associated with the lack of Federal regulations include:
Jurisdiction concerns – with employees and/or customers in different states, inadvertent jurisdictional issues arise, such as how to select the right insurance, how to perform risk assessments, or how to best address venue requirements in contracts;
Threshold chaos – states have different thresholds pertaining to revenue and data processing, as well as to the selling and sharing of data, with the legal definitions of selling and sharing also varying from state to state;
Preemption headaches – states that adopt stricter rules may supersede any proposed Federal regulation, so businesses must assess the patchwork nightmare to make a risk-based decision on which regulations apply and which to aim to comply with.
“We still have to practice law; we have to navigate this gridlock in a way that approaches these issues and provides valuable legal counsel, in a way that supports the business' operations,” advised Doughty. “We certainly don’t want to be a hindrance, so we’ve started looking at this with a more holistic view.”
This involves analyzing state, foreign, and draft U.S. federal regulations to identify patterns and common themes. “There’s simply no way you’re going to be 100 percent compliant; there are simply too many overlapping regulations, and the regulations are too often a moving target,” noted Doughty.
Data Privacy Compliance Best Practices
To work towards compliance, businesses should focus on adopting and including the following common privacy principles in their policies and processes:
Privacy Notice: A notice that informs customers about what data is being collected and how it will be used.
Use Limitations: Limit use of the data to the purpose for which it was originally collected and is set forth in the Privacy Notice.
Safeguards and Security: Safeguarding data means not only firewalls and software patches, but also employee data protection training, physical security, and access limits.
Vendor Risk Management: It is important to understand the differences between service providers and third parties and to ensure the appropriate contractual restrictions are in place.
Data Subject Rights: The collected data belongs to the individual, not the business; consumers should have certain rights over their information.
Incident Preparedness: Security incidents are inevitable, and businesses should have a written incident response plan.
Threshold considerations are another factor to consider. Many times these thresholds will determine if a certain regulation even applies. “A lot of these have to do with revenue and data processing thresholds,” commented Doughty.
After strict regulations were imposed in certain jurisdictions, many businesses decided to simply limit their operations in those locations or eliminate them completely. There is certainly an opportunity cost to such drastic actions, and Doughty added that “while we would never advocate for actions that would minimize revenue, we often counsel and make recommendations around approaches that minimize data collection and processing in order to avoid triggering heightened compliance requirements.”
A best practice is to not gather any information that does not have a business value. “Businesses should weigh the risk against the reward when it comes to data collection,” said Doughty.
Businesses should also implement reasonable safeguards when it comes to that data, but that does not necessarily mean everything must be encrypted or stored offline. It is also important to have a data retention and deletion policy in place to further minimize risk; delete once the value no longer outweighs the risk.
Evaluating service providers and their contracts could be effective for shifting and minimizing liability. “Talking to your teams and figuring out what data service providers are going to have access to, how that data will be processed, and what their privacy and data protection policies look like is essential,” explained Doughty.
Training employees on the best way to share confidential information can help to improve security. To shed light on the subject, Doughty shared the example of an overworked HR executive who started sharing confidential information in PDFs for the sake of convenience. “She did not realize that all of those documents stayed in her email. There was a hack, and it only affected her email; everything else was protected either through encryption or cloud-based locations. But the IT forensic team could see the PDFs containing social security numbers and financial accounts were removed, so we went from having an incident to a breach just by the transferring of data in an everyday business situation,” Doughty noted.
"Using the B-word" and Dealing with a Breach
Having an incident response plan, and training team members and employees on the incident response plan, is critical for risk avoidance. “It’s important that your team have someone to call immediately. Do not have team members email or text anyone, and definitely advise against using the word 'breach' as that is a legal determination,” commented Doughty.
Having a plan and a cyber-insurance policy in place can help to alleviate the negative impacts associated with a breach. “Once you choose insurance, if you have made a choice about counsel, go ahead and have them approved, so you can immediately call that person,” said Doughty. “That way, you’re covered under attorney-client privilege, and you’re off to the races without waiting for insurance panel counsel to be appointed.”
The fines and penalties resulting from a breach can be extensive. Being able to show that policies and procedures regarding the safeguarding of data were already in place can help to minimize the potential costs. “Some of these regulatory agencies assessing fines are going, ‘Wow, these fines could fund us forever,’” added Doughty. “So they are going to impose the biggest possible fine, and a business' actions before an event are a big factor when calculating these fines.”
In many cases, the fines can amount to between $1,500 and $7,500 per violation. “For whatever reason, Colorado decided that $20,000 per violation sounded like a good number, which is just insane to me,” noted Doughty. “And considering that the average breach involves thousands of data sets, it’s easy to see how small mistakes can have a significant impact. Being protective and proactive about the data you are collecting and sharing is the best thing to do.”