Privacy Laws and Cybersecurity Issues for Businesses

The privacy and cybersecurity legal framework is an area under rapid development. It is becoming increasingly newsworthy as more and more businesses are suffering hacks and breaches to their networks and valuable data. It is important for every business to have a basic understanding of privacy and cybersecurity issues and their implication on operations. Below are a few areas that business executives and leaders should be aware of to keep their businesses safe:

Privacy Laws

The United States does not have a single comprehensive privacy law. Instead, the U.S. uses a multi-level approach to privacy regulation. The U.S. follows industry-specific federal laws, including HIPAA/HITECH in the medical industry, the Gramm-Leach-Bliley Act for financial institutions/insurance companies, and FERPA for educational institutions. The Federal Trade Commission and states’ attorney generals are empowered with more general enforcement oversight for unfair and deceptive trade practices relating to privacy claims. Many states are passing laws (which often include extra-jurisdictional enforcement) governing businesses that collect, control, process or possess personal information of the applicable state’s residents requiring such businesses to implement commercially reasonable data security frameworks. This includes New York and California.

New York’s SHIELD Act, applicable to any entity that processes the personal information of a New York resident, provides some direction on what would be considered commercially reasonable. Each company is required to implement commercially reasonable administrative, technical, and physical data security practices that protect the security, confidentiality, and integrity of personal information in the company’s possession. Often companies that are HIPAA- or GLBA-compliant are exempt from complying with the state laws, but this should be reviewed on a case-by-case basis as new state laws are implemented.

Website Privacy Policy & Terms of Use

Every business with a website needs a customer-facing privacy policy and terms of use. On the surface, a privacy policy and terms of use for a website might appear simple, but such policies can also give rise to an unfair and deceptive trade practice claim if the business does not abide by the terms of its policies. There are ongoing serial lawsuits targeting businesses that violate their own policies. Regardless of the ultimate success of these lawsuits, the suits cost the defendant businesses significant time and expense.

The privacy policy and terms of use create a binding contract between the website owner and the user. Newly effective state laws have varying requirements of what rights users from those states have relating to their personal information and the website policies need to be tailored to satisfy those requirements. It is also important that businesses understand that, even if they are physically located in a specific state, they may still need to abide by the laws where the end user is viewing their website. All businesses must review their policies on an annual basis to be viewed as reasonable by most enforcement agencies.

Third-Party Vendors

Many businesses use third-party vendors for their data security. The review of these agreements, including licensing arrangements, is important to protect a business. The EU model for privacy frameworks places the burden on ensuring third-party contractors have reasonable data security practices on the initial data controller or the party obtaining the information for its business purposes. This model has been making its way into U.S. operations. It is important that, when businesses contract or negotiate with a vendor, the binding agreement is reviewed on the front end to ensure that the business is properly protected.

Assessments on Data

Businesses should consider conducting a privacy impact assessment. This can be, in its most basic form, documenting the flow of information through data mapping from data intake, access, storage, and deletion. Mapping allows a business to understand vulnerabilities and where potential legal exposure exists. From this assessment, a business can develop its internal privacy policy (differing from the website policy) on how it protects, maintains, and deletes personally identifiable information. A privacy impact assessment also allows a business to have effective discussions and exercises regarding how the business would respond to a cybersecurity incident.

A risk assessment can also prevent possible issues and the potential misuse of personally identifiable information. A risk assessment looks at each user in a business and identifies who should and who should not have access to the information (personally identifiable or otherwise) necessary for that user to carry out its business purpose.

Cyber Insurance

A business can invest in cyber insurance to protect the business and the data it houses. Like all insurance policies, cyber insurance policies are only as effective as their exclusions. It is important to review or have legal counsel review the cyber insurance policy to make sure that the policy properly covers a business. One increasingly popular provision excludes coverage if payments have been made on a ransom demand. It is also important to review a company’s other insurance policies, as business interruption related to cyber events can, in some instances, be covered by general business interruption insurance.

For questions about how to protect your business in the ever-changing world of technology and cyber security contact the author, Justin Molitoris, a business attorney and Certified Information Privacy Professional (US) by the International Association of Privacy Professionals, or a member of the Cybersecurity team at Barrett McNagny.