January 28, 2016

January 28 is Data Privacy Day: Privacy Issues are Here, There and Everywhere

by Lynn H. Wangerin, Stoll Keenon Ogden PLLC

Data Privacy Day is recognized in the United States, Canada and 47 European countries to promote privacy and data protection best practices. Privacy, security and managing cyber risks were hot topics in 2015, and 2016 is likely to be no different. Following are issues to watch for in 2016:

Regulators are watching how businesses use and protect personal information and other data. The Federal Trade Commission (FTC), US Department of Health and Human Services (HHS) and state attorneys general, most notably but not exclusively in California, have been active for years. 2016 is likely to bring expanding oversight and enforcement with these agencies as well as the Federal Communications Commission (FCC) for broadband privacy regulations, the Food and Drug Administration (FDA) regarding connected media devices, the Securities and Exchange Commission (SEC) and others. Penalties for violations can be significant.

In December 2015, LifeLock settled charges for violating a court order (which required it to secure customers’ personal information and prohibited it from deceptive advertising) and agreed to pay the FTC $100 million. In smaller actions the same day, one company agreed to pay $60,000 and another $300,000 in penalties for allowing third-party advertisers to collect personal information from children. Also in December, Comcast Cable Communications agreed to pay California $25.95 million to settle a hazardous waste disposal action that included improper disposal of personal data by discarding actual documents containing customer information without shredding.

In January, the FTC released “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues,” discussing the implications of using big data analytics to target and make decisions about customers. The report recognizes that big data can provide “numerous opportunities for improvement in society.” However, inaccuracies and biases in data may lead to detrimental effects on low-income or underserved populations, and run afoul of equal opportunity laws, the Fair Credit Reporting Act and other protections. Enforcement actions are expected to increase and penalties, as well as reputational harm, can be significant.

Amendments to Canada’s Personal Information Protection and Electronic Documents Act require most companies doing business there to notify regulators and affected Canadian consumers in the event of a security breach relating to personal data with a “real risk of significant harm.” The law also requires companies to maintain a “record of any breach of security safeguards involving personal information” which is expected to be implemented soon. These breach logs may be a boon to regulators and plaintiffs.

In the European Union, the US-EU Safe Harbor framework, under which many multi-national companies have been operating, was invalidated in October 2015. The EU issued guidelines on the transatlantic transfer of data and efforts continue toward a new safe harbor, but the landscape has changed.

In September 2015, Russia implemented a data localization law requiring any personal data collected from its citizens be maintained in the country. To determine compliance, Russia plans to conduct more than 1,000 inspections. Other countries also have enacted data location laws and more may follow.

In Kentucky, a man used a shotgun to ground a drone over his property, citing privacy rights. Is there a right to airspace privacy over your home? Where is the reasonable expectation of privacy over your home? Who regulates drones: the Federal Aviation Administration or individual states?

The Internet of Things (IoT) is the coming technology revolution. How may personal data collected by cars, refrigerators, fitness monitors and other “things” be used, and how is it protected? IoT is another focus of the FTC in 2016. How data collected by things will be managed in litigation remains to be addressed.

Going Forward
Manage your data.  All businesses collect sensitive data, even if only from employees. Conduct a data inventory – you might be surprised where data is located. Know what you are collecting and collect only what you need. Get rid of old data and data that are not used. Be sure that your privacy policy matches your practices. Have data and security policies in place and be sure to train all employees.  Require vendors to follow security and collection procedures, and reflect this requirement in vendor contracts.

Check your insurance policy to learn what is covered and if you may transfer some of the risk through additional coverage. Does the policy cover business interruption losses in the event of a breach or cyber-attack? Are breaches through your vendors covered? Are breaches through employee mobile devices covered? Does the coverage include costs of responding to regulators?

Celebrate Data Privacy Day by taking stock of the data you have and how well you are protecting it.