Controlling data is akin to putting a genie back in its bottle.
With the rise of the Internet, so too came the corresponding rise of big data. If not controlled or managed properly, it can unravel quickly. In an expanding web-based world, protecting both a company's information and that of its investors, clients and employees is an increasingly high priority.
Panelists at Business Law Section's program, "Cyber, Information and Data Security: Protecting Confidential Information" examined current cyber, privacy and information security issues, including recently enacted or expanded regulations and laws (i.e. General Data Protection Regulation (GDPR), California Consumer Privacy Act, NY's SHIELD Law), their implementation and associated challenges.
Taa Grays of New York (MetLife) said, "We have more regulations that are coming from different jurisdictions. This is not a drip in the pan; this is a shift." She advised attendees to ask themselves what information do I have and why do I have it?
"Companies must understand how they use and store data," said Grays. She provided a data checklist to use including: what is your data; where does it live? For how long? Who controls and touches the data? Who are the stakeholders who should be involved?
It was General Data Protection Regulation (GDPR), the EU's data protection law, that got the ball rolling on data privacy, said Laura Jehl, global head of McDermott Will & Emery's Privacy and Cybersecurity Practice.
"Europeans view privacy as a fundamental right," said Jehl. "They were pretty disturbed by the Snowden allegations." Edward Snowden infamously revealed confidential information from the National Security Agency in 2013.
GDPR was adopted on April 14, 2016, but took effect on May 25, 2018 to give companies adequate time to prepare. Under GDPR, data breaches must be reported within 72 hours of discovery. The maximum fines under GDPR is the greater of €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year. Companies have cited outdated technology and costly upgrades as significant challenges with GDPR Compliance.
Jehl said that businesses not established in the EU are only subject if they "offer goods and services" to EU data subjects and in so doing process their personal data, or if they engage in monitoring the behavior of individuals in the EU. "GDPR draws distinct roles that businesses play with data. It effectuates the rights of data subjects to access, correct or delete data. Companies must have procedures in place to do so."
There were a number of businesses that had no idea what data they held, according to Jehl. "It gets unmanageable really quickly, but you have to find all of it. It's really hard." She recommended that companies not keep data just to have it and only keep what you need for as long as you need it. Attorneys should tell clients what data they have and its intended purpose.
Upon visiting a website, you have likely noticed a pop-up window asking you to accept cookies on the site. This is the direct result of GDPR and the California Consumer Privacy Act (CCPA), that became effective on January 1, 2020.
Emma Maconick of Menlo Park, CA (Shearman & Sterling) detailed the new law, which differs slightly from GDPR. Under CCPA, consumers have certain rights regarding their personal information. Businesses may not discriminate against consumers who exercise their rights. They also must implement "reasonable" data security. The law is intended to protect California "consumers."
Consumers have the right to obtain their data in a portable format, opt out of the sale of their information, and request deletion of their information. The CCPA does not give the right to correct data, unlike GDPR. Fines under CCPA are $7,500 per violation.
New York SHIELD Act
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) expands New York State's existing data breach notification laws and imposes prescriptive data security program requirements. It applies to all business that possess the private information of New York State residents, regardless of whether the businesses have any physical presence within New York.
Michael Riela of New York (Tannenbaum Helpern Syracuse & Hirschtritt) discussed the administrative, technical and physical safeguards that must be implemented by March 21, 2020. For example, companies must designate one or more employees to coordinate the data security program; regularly test and monitor the effectiveness of systems; and dispose of private information after it is no longer needed.
The SHIELD Act provides a limited "small business" modification to these rules for businesses with fewer than 50 employees; less than $3 million in gross annual revenue in each of the last three fiscal years; or less than $5 million in year-end total assets.