Published in NH Bar News 12/18/2019
Information privacy and security can seem complex and confusing. Breaches are common, impacting even sophisticated and well-financed corporate giants like Marriot, Equifax, Anthem, and Yahoo!, and leaving small and mid-size companies wondering if they stand any chance of protecting themselves. Adding to that sense of hopelessness, divergent laws emanate from foreign jurisdictions like the European Union, Great Britain, and Canada, as well as populous states like Massachusetts, California, Illinois, and New York. To make matters more difficult yet, there are relatively few experienced attorneys capable of helping clients properly address these issues.
What are businesses to do? What should we do as attorneys for our clients and our own law firms? Here is a pragmatist's solution.
Rise Above Regulatory Turmoil
Just a couple of years ago, far fewer regulations existed addressing information privacy and security, and the ones that existed typically governed niches, like HIPAA for health care and FERPA for public schools. Expansion began when a number of states — following the lead of Massachusetts — adopted laws requiring businesses to conduct risk assessments and implement safeguards to prevent the loss and theft of certain personal information. Those regulations extend extraterritorially to all businesses that possess such information about residents of those states. Adding to that growing list of security statutes, states began enacting privacy laws, which afford individuals rights with respect to specific categories of information, like biometrics, social media accounts, and information collected online.
The movement gained momentum in 2018 with the implementation of a broad privacy law in the European Union called the General Data Protection Regulation (or GDPR), and its extension into Great Britain. GDPR applies to United States businesses that have operations or employees in Europe, furnish goods or services to European residents in Europe, or sign a contract (typically at the behest of a European customer or vendor) agreeing to comply with GDPR. Not to be outdone, California recently adopted a similar privacy law that takes effect in January 2020 called the California Consumer Privacy Act (or CCPA), and comparable legislation is pending in several other states.
Unlike prior privacy regulations, GDPR and CCPA are not limited to specific categories of information, but instead encompass broad swaths of personal information, including simply an individual's name, address, email, etc. These laws again extend extra-territorially, requiring businesses that possess information about residents of those jurisdictions to provide notice and (in some situations) obtain consent from individuals when gathering and before using protected information about them.
The regulations also grant individuals certain rights with respect to such information, like the right to limit a business' use of their information, obtain a copy of it from the business, require the business to provide it to another business, and mandate that the business erase all information about them, known as the "right to be forgotten."
Privacy and security laws differ greatly with respect to the information regulated, individuals protected, and obligations imposed on businesses. It is impractical (if not impossible) for organizations to differentiate between the varied rules that apply to the different information they have about numerous individuals. Organizations simply to not retain or use information in such a rigidly categorical way. As a result, business leaders often opt for a more pragmatic approach, by applying industry accepted processes and standards to all types of confidential, sensitive, and personal information that their organizations possess.
Fortunately, accepted processes and standards exist for information security. Associations like the National Institute for Standards and Technology (or NIST) and International Standards Organization (or ISO) have promulgated detailed compliance regimes for information security. Attorneys experienced in this area employ a NIST or ISO process, and use an amalgamation of standards from the most comprehensive information security laws, to conduct a comprehensive risk assessment and bring a business into compliance with any potentially applicable security laws. The outcome is a business that not only conforms to the regulations and is less vulnerable to cyber-attack, but also one that safeguards all of its confidential, sensitive, and personal information, and is more valuable overall.
A NIST or ISO process also can be used for information privacy compliance, however, accepted privacy standards are more elusive because the area is less mature. While GDPR and CCPA are the benchmarks and enumerate detailed standards, experienced attorneys work with their clients to determine which standards the clients will implement, how they can do so, and the amount of time it should take to achieve compliance. Upon considering the growing body of legal regulations and the expectations of their constituents (customers, employees, directors, shareholders, etc.), most organizations (even small and mid-sized ones) elect to transition to the notice-and consent model required by GDPR and CCPA, and to honor some or all of the privacy rights afforded by those statutes, even if they are not necessarily subject to GDPR or CCPA. Again, such decision-making ensures not only compliance with both current and potential forthcoming privacy laws, but also tangibly improves the profile and increases the value of the business with consumers and in a competitive marketplace.
Tailor the Plan to the Organization
Comprehensive risk assessments are essential for information privacy and security. To be able to identify and remediate vulnerabilities and areas of non-compliance, businesses must first assess what information they possess, how they use it, where they store it, who has access to it, who they disclose it to, how they transport it physically and transmit it electronically, when and how they destroy it, etc. Without undertaking such a methodical analysis, organizations are unaware how they use information, what safeguards they employ to protect it, whether those protections are sufficient or other more effective safeguards are readily available, and whether their operations comply with applicable privacy and security laws. There is no shortcut for the detailed work conducted in a comprehensive risk assessment.
When performed by an experienced information privacy and security attorney, the outcome of such an assessment is a thorough report, written in plain English, that will remain privileged in the event of a regulatory or legal proceeding (e.g., following a breach). The report details the business' particular vulnerabilities and areas of non-compliance, categorizes them based on factors such as degree of risk and cost for remediation, and suggests measures to remediate the issue that are affordable and compatible with the operations and culture of the business. Quality information privacy and security planning is never a one-size-fits-all approach.
Even after completing the assessment, compliance does not occur overnight, nor is it achieved at a distinct point in time. For example, it is common for businesses engaging in this process for the first time to need several years to address the issues identified in the report. That is ok, because the basic principle of information privacy and security is not that businesses must be perfect or impenetrable, but rather better – with privacy procedures and security safeguards reasonably tailored to the resources of the organization and the magnitude of the risks. Moreover, business leaders who commit to take this seriously realize that proper compliance requires the integration of information privacy and security into the organization's everyday operations, just like sales, finance, human resources, and other business functions.
Information privacy and security seems complex and confusing now primarily because it is new to most businesses. Here is the pragmatist's approach to compliance: (1) retain an attorney who is experienced in this area to help guide the organization through the process; (2) conduct a comprehensive risk assessment to identify the vulnerabilities and areas of non-compliance, and prepare a privileged report to guide the remediation process; and (3) integrate information privacy and security into everyday business operations.
Cameron G. Shilling is a Director at McLane Middleton, P.A., where founded and chairs the firm's Information Privacy and Security Group.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.