REPRINT
FINANCIERWORLDWIDE.COM
ANNUAL REVIEW: DATA PROTECTION & PRIVACY LAWS
REPRINTED FROM ONLINE CONTENT, DECEMBER 2016
2016 Financier Worldwide Limited. Permission to use this reprint has been granted by the publisher.
PREPARED ON BEHALF OF FINANCIER WORLDWIDE corporatefinanceintelligence
www.financierworldwide.com
UNITED STATES
ALAN L. FRIEL, BAKERHOSTETLER

Q: IN YOUR EXPERIENCE, DO COMPANIES IN THE US PAY ENOUGH ATTENTION TO THE RISKS ASSOCIATED WITH DATA PROTECTION? ARE THEY BEGINNING TO FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND PRIVACY IN THE DIGITAL AGE?

FRIEL: With electronic data an important and valuable asset, and data collection, exploitation and sharing becoming increasingly pervasive, organisations are becoming increasingly aware that they should review legal and self-regulatory requirements whenever they are involved in consumer or employee data collection, use, processing, storage or transfer, or in transactions where data assets or activities are involved. In addition, consumer data privacy and security issues, including many high profile security breaches, have recently spawned consumer class action and shareholder derivative lawsuits involving various tort and unfair business practices theories, the viability of which is not yet settled. The Securities and Exchange Commission and boards of directors have taken note, and oversight of information management governance and preparedness at the board and C-suite level is becoming the norm. Some of the liability risks may be covered by insurance, and the number of companies taking such coverage has increased, though as the law in this area continues to evolve, so do insurers' exclusions and specialty policies.

Q: COULD YOU OUTLINE THE LATEST LEGAL AND REGULATORY DEVELOPMENTS AFFECTING CORPORATE STORAGE, HANDLING AND TRANSFER OF DATA IN THE US?

FRIEL: The US lacks an omnibus data protection regime. Instead, data privacy and security requirements reside in a variety of different federal and state laws. Federal laws take a sectoral approach, regulating particular industries, such as healthcare, or issues including children's privacy. Some state laws are more comprehensive and frequently set a higher compliance standard.

There are also various self-regulatory programmes regarding data privacy protection that apply to various industries and practices, such as interest-based advertising. Even for companies not in highly regulated industries, like healthcare and financial services, the Federal Trade Commission (FTC), which has jurisdiction over the vast majority of commercial enterprises under Section 5 of the FTC Act, which prohibits deceptive and unfair business practices, requires accurate disclosure of material data privacy practices and encourages data subject choice. Section 5 of the FTC Act also requires companies to maintain reasonable data security safeguards.
Q: IN WHAT WAYS HAVE THE AUTHORITIES INCREASED THEIR MONITORING AND ENFORCEMENT ACTIVITIES WITH RESPECT TO DATA PROTECTION AND PRIVACY IN RECENT YEARS?

FRIEL: Of the approximately 300 data breach incidents we have seen in the last year alone, 24 percent resulted in regulatory investigations or inquiries and 6 percent resulted in litigation. The Department of Health and Human Services Office for Civil Rights (OCR) initiated an investigation of incidents involving more than 500 individuals in nearly 100 percent of the HIPAA health record related breaches we saw, but rarely for incidents involving fewer data subjects. Of more than 100 OCR investigations, only two resulted in finalised resolution agreements. Certain state attorneys general (AGs) have also been active in investigating breaches. AGs initiated investigations in 36 percent of our non-healthcare incidents and 26 percent of the healthcare incidents. Regulatory enforcement regarding lack of adequate security following a breach is also likely to continue. As for privacy, the FTC is the most active regulator, using its Section 5 deception authority to go after inaccurate privacy promises.

Q: WHAT INSIGHTS CAN WE DRAW FROM RECENT HIGH-PROFILE DATA BREACHES? WHAT IMPACT HAVE THESE SITUATIONS HAD ON THE DATA PROTECTION LANDSCAPE?

FRIEL: Based on our experience of data breaches in 2015, the industries affected were 23 percent healthcare, 18 percent financial services, 16 percent education, 12 percent retail, 9 percent restaurant and hospitality, 6 percent government, 6 percent insurance, 2 percent professional services and 8 percent others. This mix tends to reflect the sensitivity and value of the data collected and used by these respective industries. Of these, 63 percent were private, 14 percent public, 7 percent non-profit and 16 percent other, which could suggest that private companies have less secure data than public and government entities.

In terms of company size, 8 percent had revenue greater than $5bn, 32 percent between $1bn and $5bn, 9 percent from $501m to $1bn, 17 percent in the $151m to $500m range, 9 percent between $50m and $150m and 25 percent less than $50m. This shows that data incidents affect companies of all sizes.
Q: THE USE OF THIRD PARTIES, SUCH AS CONSULTANTS, AGENTS AND DISTRIBUTORS, EXPOSES FIRMS TO UNIQUE DATA PROTECTION RISKS. WHAT ARE SOME OF THESE RISKS AND WHAT STEPS CAN BE TAKEN TO MITIGATE THEM?

FRIEL: In 2015, 14 percent of the security incidents we saw were the result of vendors. Where there are specific data security legal obligations in the US, vendor data security diligence, management and compliance is required. The same is included in all government and industry guidance on what constitutes a reasonable data security programme. Privacy and data ownership and use issues are becoming of greater concern as big data uses, such as for analytics, cross-device consumer matching, market intelligence and dynamic pricing, evolve. When engaging vendors, companies need to clarify in the contract who, as between the parties, owns the data; what the vendor can use it for and under what circumstances (for example, the use of aggregate or de-identified data, not attributable to the company or its data subjects, permitted for the vendor's own use); the security and breach response responsibilities; cyber risk insurance obligations; and the application of indemnity, and liability limitations, on confidentiality, privacy and security violations.

Q: WHAT CAN COMPANIES DO TO MANAGE INTERNAL DATA PRIVACY RISKS AND THREATS, SUCH AS LIABILITIES ARISING FROM LOST DEVICES OR THE ACTIONS OF ROGUE EMPLOYEES?

FRIEL: Companies need to develop robust information management programmes which provide a framework for managing an organisation's data and which consider the protection of that data. Effective programmes need to take an enterprise-wide approach and set policies and procedures according to the business value of the information.

That value is based on business considerations as well as legal and regulatory requirements and attendant risk. Programmes are most effective when they reflect the input of all relevant stakeholders, including business units, legal, privacy, compliance, IT and IS. A sound programme should also be adaptable to regulatory changes. Programmes should be built on an operational lifecycle approach where the aim is to assess, protect, sustain and respond, with the cycle constantly repeating. Programmes should be managed in a way that there is accountability, and should establish goals and measure performance.
Q: WHAT ADVICE CAN YOU OFFER TO COMPANIES IN THE US ON MANAGING DATA RISK, INSTALLING INTERNAL COMPLIANCE PROCESSES AND MAINTAINING COMPLIANCE ON DATA PRIVACY GOING FORWARD?

FRIEL: Consistent with FTC guidance, we recommend that organisations appoint a senior level executive to specifically keep abreast of the development of the law in this area and to work to institute an information management programme that combines information governance policies and procedures and addresses data privacy and security issues as products, services, methodologies and practices are developed, rather than addressing them as an afterthought when making changes to comply with law or to minimise risk, which may be more difficult and costly. Compliance programmes should include an assessment of an organisation's data collection, processing, use, storage and transfer practices to ensure that its privacy and security policies are accurate and sufficient. The organisation's practices, and those of its vendors, should be monitored to ensure compliance with those policies. Ongoing impact assessments should also be applied to new products and practices. Finally, organisations need a contingency plan in place to prepare for near-inevitable compliance failures and security breaches.

www.bakerlaw.com
Alan L. Friel, Partner, BakerHostetler
+1 (310) 442 8860
afriel@bakerlaw.com

Alan Friel is a partner in BakerHostetler's Los Angeles office, where he coordinates the firm's advertising, retailing, and e-commerce industry initiative and is a member of its privacy and data security, and content, platforms and software teams. He is also an adjunct professor at UCLA and Loyola Marymount Law Schools, and was named one of the most influential lawyers in Digital Media and ecommerce Law by the Los Angeles Business Journal.