by Leslie G. Baird, Esq., Wright, Finlay & Zak, LLP
[T]he volume of privacy and data security laws is so extensive – and the reach so pervasive – that virtually every company in this country has material obligations related to privacy and data security.
-Privacy and Data Security is for Everyone,
Kirk J. Nahra, IAPP Whitepaper.
The United States does not have a central privacy law. Rather, there are a number of federal laws that either directly or tangentially address privacy. While not a comprehensive list of all federal legislation, the following are existing federal privacy laws:
- US Privacy Act of 1974
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act
- Children’s Online Privacy Protection Act
- Fair Credit Reporting Act
- Electronic Communications Privacy Act
- Computer Fraud and Abuse Act
- Telephone Consumer Protection Act
The Federal Trade Commission (“FTC”) is the primary federal agency that regulates privacy in the United States. In enforcement actions alleging violations of consumers’ privacy rights, significant consumer injury, or misleading consumers by failing to maintain security for sensitive consumer information, the FTC has often charged the defendants with violating Section 5 of the FTC Act. Section 5 of the FTC Act bars unfair and deceptive acts and practices in or affecting commerce. The FTC also enforces other federal laws relating to consumers’ privacy and security.
In addition to the patchwork of federal laws, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands each have at least one privacy-related law. Those laws cover a variety of areas, including but not limited to website privacy policies, consumer data privacy, minors, and data breach notifications.
In California, the California Consumer Privacy Act, the first state-level legislation of its kind, brought landmark and sweeping changes to consumer data privacy. Looking forward, many other states are taking a cue from California and are also exploring the implementation of consumer data privacy legislation. As of late February 2020, Maine and Nevada have enacted comprehensive privacy laws. Additionally, the following states have bills in various stages of the legislative process: Florida, Hawaii, Illinois, Maryland, Minnesota, Nebraska, New Hampshire, New York, South Carolina, and Washington. There are also a number of states that have created privacy task forces as a substitute for a comprehensive bill including Connecticut, Hawaii, Louisiana, North Dakota, and Texas.
Given the current privacy law environment, businesses must take appropriate steps to protect data. To be effective, businesses should understand that data protection must permeate all aspects of the business, and each business, no matter what size, should have an effective privacy program. The following, although not an exhaustive list, discusses how to develop and assess your data privacy program.
1. Leadership Buy-In
The place to start developing an effective privacy program is at the top – executive leadership must make data security a priority. Furthermore, leadership must be prepared to dedicate the resources necessary to develop a strong data security program. Leadership buy-in is also necessary to cultivate a culture of data security.
2. Where is Your Data?
As you develop or assess your data security program, you should understand where your data is stored and what types of data you store. You should also consider how accessible and sensitive your data is.
3. Monitor Your Data
You must understand where your data is going, who has access to your data, and how that data is being used. You should also consider the sensitivity of your data and evaluate how the varying levels of sensitive data are being used and/or communicated.
4. Develop and Assess Your Program
Your data privacy program should be constantly evolving as you continually develop and assess your data security needs. It is important to develop policies and procedures to address data security, regulatory compliance, and intellectual property issues. These policies should be flexible, match your business model, and address any risky behavior on the part of employees. If you are doing business in California, be sure that your program addresses each of the recommendations from the California Attorney General’s 2016 Data Breach Report.
5. Employee Training
Once you’ve developed your program, you need to train your people, train your people, and then train your people some more. Your employees must know what behaviors they should avoid every day whether they are sending emails, printing, uploading documents to the cloud, using other portable devices, etc., and they must be reminded often.
6. Address Loss Prevention
In 2019, the Verizon Data Breach Investigation Report showed that 43% of data breaches involved small business victims, with 10% of data breaches in the financial industry. The Report also showed that 34% of data breaches involved internal actors.
Your privacy program must include some kind of data loss prevention that will enable you to monitor and control the transfer of your data from desktops and laptops, even when not connected to the corporate network.
7. Consider Cybersecurity Insurance
Depending on the needs of your business, size, and risk associated with your business, consider obtaining a cybersecurity insurance policy to round out your data privacy program. If you do purchase a policy, be sure that you understand the coverage and reporting requirements.
Data privacy legislation in the United States will continue to evolve in the coming years. As we see more state legislation and potentially legislation at the federal level, businesses of all sizes must make compliance with privacy laws a top priority. The worst thing a small business can do is to ignore the various privacy laws, assuming they do not apply to it.
If you have any questions about data privacy issues, please do not hesitate to contact Leslie Baird at firstname.lastname@example.org.
Disclaimer: The above information is intended for information purposes alone and is not intended as legal advice.
Leslie Baird is an Associate Attorney at WFZ’s Utah office.