The privacy and cybersecurity legal framework is an area under rapid development. It is becoming increasingly newsworthy as more and more businesses are suffering hacks and breaches to their networks and valuable data. It is important for every business to have a basic understanding of privacy and cybersecurity issues and their implication on operations. Below are a few areas that business executives and leaders should be aware of to keep their businesses safe:


The United States does not have a single comprehensive privacy law. Instead, the U.S. uses a a multi-level approach to privacy regulation. The U.S. follows industry-specific federal laws, including HIPAA/HITECH in the medical industry, the Gramm-Leach-Bliley Act for financial institutions/insurance companies, and FERPA for educational institutions. The Federal Trade Commission and states' attorney generals are empowered with more general enforcement oversight for unfair and deceptive trade practices relating to privacy claims. Many states are passing laws (which often include extra-jurisdictional enforcement) governing businesses that collect, control, process or possess personal information of the applicable state's residents requiring such businesses to implement commercially reasonable data security frameworks. This includes New York and California.

New York's SHIELD Act, applicable to any entity that processes personal information of a New York resident, provides some direction on what would be considered commercially reasonable. Each company is required to implement commercially reasonable administrative, technical, and physical data security practices that protect the security, confidentiality, and integrity of personal information in the company's possession. Often companies that are HIPAA- or GLBA-compliant are exempt from complying with the state laws, but this should be reviewed on a case-by-case basis as new state laws are implemented.


Every business with a website needs a customer-facing privacy policy and terms of use. On the surface, a privacy policy and terms of use for a website might appear simple, but such policies can also give rise to an unfair and deceptive trade practice claim if the business does not abide by the terms of its own policies. There are ongoing serial lawsuits targeting businesses who are in violation of their own policies. Regardless of the ultimate success of these lawsuits, the suits cause the defendant businesses significant time and expense.

The privacy policy and terms of use create a binding contract between the website owner and the user. Newly effective state laws have varying requirements of what rights users from those states have relating to their personal information and the website policies need to be tailored to satisfy those requirements. It is also important that businesses understand that, even if they are physically located in a specific state, they may still need to abide by the laws where the end user is viewing their website. It is important that all businesses review their policies on an annual basis to be viewed as reasonable by most enforcement agencies.


Many businesses use third-party vendors for their data security. The review of these agreements, including licensing arrangements, is important to protect a business. The EU-model for privacy frameworks places the burden of ensuring third-party contractors have reasonable data security practices on the initial data controller or the party obtaining the information for its business purposes. This model has been making its way into U.S. operations. It is important that, when businesses contract or negotiate with a vendor, the binding agreement is reviewed on the front-end to ensure that the business is properly protected.


Businesses should consider conducting a privacy impact assessment. This can be, in its most basic form, documenting the flow of information through data-mapping from data intake, access, storage, and deletion. Mapping allows a business to understand vulnerabilities and where potential legal exposure exists. From this assessment, a business can develop its own internal privacy policy (differing from the website policy) on how it protects, maintains, and deletes personally identifiable information. A privacy impact assessment also allows a business to have effective discussions and exercises regarding how the business would respond to a cybersecurity incident.

A risk assessment can also prevent possible issues and the potential misuse of personally identifiable information. A risk assessment looks at each user in a business and identifies who should and who should not have access to the information (personally identifiable or otherwise) necessary for that user to carry out its business purpose.


A business can invest in cyber insurance to protect the business and the data it houses. Like all insurance policies, cyber insurance policies are only as effective as their exclusions. It is important to review or have legal counsel review the cyber insurance policy to make sure that the policy properly covers a business. One increasingly popular provision excludes coverage if payments have been made on a ransom demand. It is also important to review a company's other insurance policies, as business interruption related to cyber events can, in some instances, be covered by general business interruption insurance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.