2016 will be remembered as the year that privacy became the buzzword small businesses took notice of. We saw the establishment of the first ever Federal Privacy Council this year, read about numerous data breaches (and maybe even felt the impacts personally), and the US specifically felt the repercussions of the invalidation of its data transfer framework with the EU, the Safe Harbor, and the implementation of its successor, the Privacy Shield, the latest buzzword.
As with most buzzwords, it is important to know exactly what the buzz is about and how it affects you and your business. At the rate that businesses and consumers are being impacted by hacks, breaches and disclosure requests, there is much to take stock of. Identity theft can wreak havoc in the lives of unlucky participants in the digital economy. Hacked email and social media accounts can cost people their jobs, sever relationships, and inflict grave financial losses on individuals and corporations alike.
While many countries take a comprehensive approach to privacy law, with a single statute applying throughout the economy, privacy law in the US has developed along a sectoral model, in which each law applies piecemeal to a selected market segment. The first such privacy law enacted in the U.S. was the Fair Credit Reporting Act (FCRA) of 1970, which requires that the data consumer reporting agencies collect be accurate and relevant and gives consumers the right to access and correct their information, amongst other core functions. The Gramm-Leach-Bliley Act (1999) applies to financial institutions in the U.S., and the Health Insurance Portability and Accountability Act (HIPAA, 1996) creates national standards to protect the privacy and security of personal health information. In each case, the regulations promulgated under these acts apply specifically and exclusively to data collection, storage, use and disclosure in a particular industry, or to collectors of the same type of data across different industries.
It would seem, then, that data collected outside the reach of existing industry-specific laws is subject to no oversight, and that individuals whose personally identifiable information (PII) is improperly collected, stored, used or disclosed have no recourse or remedy. The Federal Trade Commission (FTC) fills many of the gaps in the sectoral privacy protection afforded in the U.S. under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC has increasingly used this substantial authority to police information privacy and data security, bringing numerous unfair or (more often) deceptive practices actions against website operators and other online service providers that collect, use and store users' PII and fail to adhere to their own stated privacy policies and practices. However, the scope of the Commission's authority has been challenged, and although it has prevailed so far in defending its exercise of that power, it may be only a matter of time before the FTC is compelled to curb its enthusiasm.
External forces, though, may deliver the modernization of the U.S. data security and information privacy framework that businesses could benefit from. In October 2015, the Court of Justice of the European Union (CJEU) invalidated the E.U.-U.S. Safe Harbor, which had governed transfers of personal data from the E.U. to the U.S. For much of 2016, negotiators and lawmakers in the U.S. and E.U. worked on a replacement framework, the E.U.-U.S. Privacy Shield, adopted in July 2016, which provides a legal mechanism for transferring personal information from the E.U. to the U.S.
What can businesses do to avoid non-compliance?
The basic premise of the Privacy Shield is simple: a U.S. business that self-certifies under it commits to the Privacy Shield Principles for all personal data it receives from Europe, regardless of whether or not it has offices or significant operations there. Separately, the E.U. General Data Protection Regulation (GDPR), adopted in April 2016 and applying from May 25, 2018, reaches any business, wherever it is located, that offers goods or services to people in the E.U. or monitors their behaviour, so collecting PII from even a handful of European users can bring a U.S. business within its scope. What can U.S. businesses do to prepare for Privacy Shield and GDPR compliance?
- Create a Team
Regardless of size, businesses operating online should create a team of specialists to advise on and handle matters of cybersecurity, insurance, information technology and privacy regulation compliance. This may mean hiring specialists, such as dedicated privacy officers and data security experts. At the very least, businesses should engage counsel practicing in privacy law to confirm that regulatory requirements are being met, to review the coverage of any cyber insurance policy the business may hold, and to handle civil lawsuits or government audits.
- Create a Policy – and Use it!
- Review existing relationships
Businesses should also revisit their existing agreements with the third parties they work with. These include cloud storage platforms, software and software as a service (SaaS) vendors, and other processors of PII, because the new regulations may hold the party on whose behalf data is collected, stored or processed responsible for the actions of these third-party vendors in the event of a breach. Contracts should explicitly set out the privacy and data security measures (both technical and physical) the vendor is expected to maintain, a clear allocation of liability in the event of mishandling of data or improper disclosure of PII, and the appropriate representations, warranties and indemnification language as negotiated between the parties.