2016 will be remembered as the year that privacy became the buzzword small businesses took notice of. We saw the establishment of the first ever Federal Privacy Council this year, read about numerous data breaches (and maybe even felt the impacts personally), and the US
specifically felt the repercussions of the overturning of its data transfer treaty with the EU – the Safe Harbor – and the implementation of its successor, the Privacy Shield, the latest buzzword.
Like with most buzzwords, it’s important to know exactly what the buzz is about, and how it affects you and your business. At the rate that businesses and consumers are being impacted by hacks, breaches and disclosure requests there is much to take stock of. Identity theft can reap havoc in the lives of unlucky participants in the digital economy. Hacked emails and social media accounts can cause jobs to be lost, relationships to be severed, and grave financial losses to individuals and corporations alike.
While many countries use a comprehensive approach to developing privacy laws that apply throughout the economy, privacy laws in the US have been developed using a sectoral model, such that privacy laws apply piecemeal to a selected market segment. The first such privacy law to be enacted in the U.S. was the Fair Credit Reporting Act (FCRA) in 1970. This law mandates accurate and relevant data collection to give consumers the ability to access and correct their information, amongst other core functions. The Gramm-Leach-Bliley Act (1999) applies to financial institutions in the U.S., and the Health Insurance portability and Accountability Act (HIPAA, 1996) creates national standards to protect the privacy and security of personal health information. In each case, the laws promulgated under these acts apply specifically and exclusively to data collection, storage, use and disclosure in a particular industry or to collectors of the same type of data across different industries.
It would seem then, that data that is collected outside of the reach of exist
ing industry-specific laws is subject to no oversight, and the individuals whose PII is improperly collected, stored, used or disclosed have no recourse or remedy. The Federal Trade Commission (FTC) fills in many gaps in the sectoral privacy protection afforded in the U.S., under Section 5 of the FTC Act. The FTC has increasingly used its substantial authority to aggressively police within the context of information privacy and data security, investigating numerous unfair or (more often) deceptive practices against website operators and other online service providers engaged in the collection, use, and storage of users’ personally identifying data (PII) for failing to adhere to their stated privacy policies and practices. However, the scope of the Commission’s authority has been challenged, and although it has prevailed so far on its exercise of power, it is only a matter of time before the FTC is compelled to curb its enthusiasm.
However, external forces may provide the comprehensive data security and information privacy framework modernization that businesses in the U.S. could benefit from. In October 2015, the Court of Justice of the European Union (CJEU) invalidated the E.U.-U.S. Safe Harbor, which governed data transfers between the E.U. and the U.S. For much of 2016, lawyers and lawmakers in the U.S. and E.U. worked on a negotiated new framework known as the E.U.-U.S. Privacy Shield, providing a legal mechanism for transferring personal information from the E.U. to the U.S.
What can businesses do to avoid non-compliance?
The basic premise of the Privacy Shield is simple: if a U.S. business has even a single European user, and collects PII from that European user, regardless of whether or not it has offices or significant operations in Europe, the business must comply with the GDPR and the requirements under the Privacy Shield. What can U.S. businesses do to prepare for Privacy Shield compliance?
- Create a Team
Regardless of size, businesses operating online should create a team of specialists to advise on and be able to handle matters of cybersecurity, insurance, information technology and privacy regulation compliance. This may mean hiring specialists – dedicated privacy officers and data security experts. At the very least, businesses should engage with counsel practicing in privacy law, to make sure regulatory requirements are being met, to review the coverage of any cyberinsurance policy a business may have, and to deal with civil lawsuits or government audits.
- Create a Policy – and Use it!
The easiest and most effective way to responsibly collect data, and maintain compliance with federal and state privacy laws, as well as foreign requirements of U.S. companies, is for a business to develop, adopt and implement a privacy policy that is consistent with its purpose of collection and use of PII. Simply having a policy is not good enough – it must be put to use in reality, or else risk FTC action. Once a policy has been agreed to internally, companies should publicize relevant portions of the policy that concern users and their data, in a privacy statement that is easily accessible on the company website, mobile applications, software or other appropriate platforms.
A good privacy policy will outline why the company collects certain data, how it intends to protect such data (especially PII), and what it will do with the data once the stated purpose has been satisfied. Over the last decade, IBM and Ponemon Institute have conducted annual Cost of Data Breach studies: in 2015, the study showed an 11% increase in the total cost of a single data breach in the U.S., and the average cost per lost or stolen record was roughly $217.
A solid privacy policy also prepares companies to better respond to data security problems, in the event of inadvertent disclosure, or an external breach. While there may be no way to ward off the most malicious hackers, businesses need to be prepared to take rapid counteraction, and communicate openly about breaches. Such openness may help to manage shareholder and user expectations, as well as to overcome claims of negligence brought by the FTC and other federal agencies, or even foreign entities having jurisdiction to do so.
- Review existing relationships
The main relationships a business needs to focus on in the privacy and data management context are with its employees (internal), and with the vendors, partners and other third parties that it works with (external). Employees should be given comprehensive and regularly updated training and education to prevent inadvertent disclosures of sensitive company or user information. When employees at every level are engaged in the process of implementation, maintaining compliance with a stated privacy policy becomes a much less arduous undertaking.
Businesses should also revisit existing agreements with the third parties it works with. These include cloud storage platforms, software and software as a service (SaaS) vendors, and other processors of PII, as new regulations may hold the party on whose behalf data is collected, stored or processed responsible for the actions of these third party vendors in the event of breach. Contracts should explicitly include an expectation of certain privacy and data security measures (both technical and physical), clear limitations on liability in the event of mishandling of data or the improper disclosure of PII, and the appropriate representations, warranties and indemnification language as negotiated between parties.