Data protection issues corporate counsel should understand
August 2015 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
Data is becoming an increasingly valuable asset for most companies and, as demonstrated by regular headline-making news, data privacy and security incidents can have serious economic and brand tarnishment implications for companies that fail to properly maintain data. This article will discuss 10 things, based primarily on United States laws, that in-house and outside corporate counsel should be addressing with their business clients. Additional considerations apply outside the US. Developing an understanding of the fundamentals of these 10 data protection issues will enable corporate counsel to identify and address potential data-related issues that are lurking in the background of day-to-day corporate transactions and business counselling.
Reasonable data security and privacy compliance are US obligations
Myriad US state and federal laws have established a duty to data subjects (e.g., consumers and employees) of reasonable care of data maintained by a company. The US Federal Trade Commission (FTC) takes the position that failure to reasonably secure consumer data is an unfair business practice under Section 5 of the FTC Act. A number of state statutes impose a general duty to protect personal information without specifying particular safeguards or practices. For instance, California requires entities to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect personal information (broadly defined) from unauthorised access, destruction, use, modification, or disclosure”, and to contractually require non-affiliated third parties that receive such data from them to do likewise.
Businesses must take “all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by: (i) shredding; (ii) erasing; or (iii) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means”.
Massachusetts goes even further in protecting a more narrow scope of personal information (name plus one of several types of information like account or ID numbers), by requiring companies that use or store the personal information of Massachusetts residents to adopt a comprehensive written information security programme (WISP) that satisfies the specific requirements of the Massachusetts regulation, including certain encryption requirements, and requirements relating to the engagement of third party service providers that will have access to such personal information. Most states have data security breach notification laws, with differing definitions of covered data and differing obligations in the event of an incident.
Privacy law in the US is not omnibus and there are a patchwork of state and federal laws that mandate privacy obligations for particular industries and types of information, particularly financial, healthcare, educational, children’s, communications, cable and video viewing, and employment data. California requires websites and online services to post a statement of their privacy practices, and the FTC and most states treat false or deceptive privacy notices as false advertising. California’s ‘Shine the Light’ Act requires that businesses that share consumer personal information with third parties (including in some cases affiliates) for third parties’ direct marketing purposes either give consumers the ability to limit that sharing or institute a particular method for consumer to obtain certain information regarding that sharing.
It is important to note that companies are responsible for their vendors that handle their data. IT service providers, and other vendors with access to company data, need to be required not only to maintain it as confidential, but to also reasonably secure it and to notify the company of suspected compromises and agreements with them should specify their obligations, and provide the company with adequate remedies.
Sectorial and international issues may create heightened responsibilities
Heightened data protection obligations may apply in connection with financial services companies, healthcare entities (including employer self-insured health plans), credit or background checks and reporting, children under 13, electronic communications and cable and video viewing and human resource issues. In addition, the EU, Canada and much of the rest of the world have far more restrictive data protection laws than the US, and the EU and others prohibit transfer of certain personal information to the US, or access to it from the US, absent certain safeguard commitments such as participation in the US Department of Commerce EU Safe Harbor programme. Thus, companies with protected data under sectorial laws, or that engage in cross-board data access or transfer, need to ensure their data practices meet these higher standards and comply with restrictions that do not apply to ordinary personal information in the US.
Oversight of information governance and data protection is a duty of the board
The boards of directors of Target, Heartland Payment Systems and TJX have all been sued for allegedly breaching their fiduciary duties of care and loyalty following data security breaches of those companies. The claims are based on either a failure of duty of care in connection with data protection measures or a failure to act reasonably in implementing and overseeing data protection measures. While Courts, especially in Delaware where many US companies are incorporated, give considerable deference to business judgment and are loath to hold board members personally liable absent ‘red flag’ knowledge of material problems, boards do need to task management to ensure that data protection is being reasonably addressed and take reasonable efforts to monitor the company’s efforts to act on reasonably foreseeable and addressable data protection risks.
Material cyber and data risks are disclosable
In October 2011, the US Securities and Exchange Commission (SEC) issued guidance that identifies cyber risks and incidents as potential material information to be disclosed under existing securities law disclosure requirements and accounting standards. While the guidance is not a rule or regulation, it was drafted to assist companies preparing disclosures required under US federal securities laws (such as registration statements under the Securities Act of 1933 and periodic reports under the Securities Exchange Act of 1934) designed to protect investors. A broad range of factors are identified for consideration, including prior cyber incidents, business operations and outsourced functions that have material cyber risks and potential costs and consequences, and relevant insurance coverage purchased by the company to address its exposures. This blueprint for assessing and evaluating cyber risk exposures, and for determining reporting obligations as to material exposures, is relevant not only for public companies but can also guide the development of risk factors in private placements and other financings.
Insurance is available to mitigate risks
Companies should consider various cyber liability, advertising injury, errors and omissions and business interruption insurance policies to help mitigate the costs of potential issues. Counsel should understand the company’s policy coverage and exclusions, and those of its vendors and business partners, and consider additional coverage. Coverage counsel and risk management professionals can help to prepare for and complete an application and to negotiate terms and exclusions. Be prepared to demonstrate that you have an appropriate data privacy and security protection compliance programme when applying for insurance or seeking additional coverage to better address data risks. It is recommended that companies have their lawyers of choice (and their rates) pre-approved by the carrier as part of coverage negotiation.
Privacy and security incident preparedness is part of a business continuity plan
Data protection programmes need to be designed to respond to requests (including by litigants, the government and data subjects), inquiries (including regulatory investigations), complaints (including by whistleblowers and consumers), compliance failures, security breaches, and disasters and other business interruption. There should be preparedness plans and systems in place for all, which should include vendor risk management. Data protection incident response preparedness is similar in many respects to a good business continuity and disaster response plan, and indeed is a component of such planning. Key to the ability to respond is preparation, which is not only having well-conceived plans and procedures, but practical exercise to build the experience necessary to respond effectively when the time comes. This can be done through table top exercises putting response team members through likely scenarios, including litigation, public controversy, internal and external breaches and natural and man-made disasters. Furthermore, US state laws and federal and state healthcare information laws may require data security incidents to be reported to regulators, data subjects and the public. These laws are far from consistent and may result in different obligations from state to state under identical facts. Having the ability to expeditiously address those requirements in the event of an incident, typically through outside legal counsel, is part of appropriate response preparedness.
Data due diligence may be appropriate for many transactions
Data ownership, use and protection need to be addressed in IT services and other vendor agreements
Organisational obligations regarding data privacy and security extend not only to the data in a company’s possession, but also to its data in the possession of a third-party service provider or business partner. Firstly, the ownership and permissible uses of the data should be established in the vendor agreement. For instance, a vendor may be permitted to use de-identified, aggregate analytical data not attributable to the company, but no other company data. This is a common request by vendors who seek to build big data analytics offerings based on their clients’ data. The FTC has recommended de-identification standards, and more exacting de-identification standards are required for protected health information under the US federal HIPAA (medical privacy) law that governs certain covered entities (which includes not only healthcare providers and insurers, but also companies’ self-insured medical insurance plans) and their vendors. In addition, third-party relationships should be subject to the same risk management, security, privacy and other protection policies that would be expected if a business were conducting the activities directly. This generally involves exercising due diligence in selecting service providers and business partners, contractually requiring implementation of appropriate privacy protections and security measures, monitoring the performance of the third parties that have access to your data, and providing for adequate remedies for non-compliance.
Advertising, marketing, promotion and CRM raise complex privacy issues
The company’s marketing department is likely amassing personal information for marketing purposes. Collection and use needs to be consistent with privacy policies and statements and marketing communications need to comply with applicable laws, such as regulation of email and text marketing. Retailers need to take care when collecting consumer data as part of or in connection with credit card transactions, which is restricted in several states. Consumer tracking and targeting, online and in connection with mobile devices, is subject to industry self-regulatory rules and has spawned many lawsuits under a variety of legal theories. Privacy impact assessments should be conducted on marketing campaigns that involve the collection or use of consumer data.
Information governance minimises risks and protects assets
An information governance plan that includes identifying a company’s data and accessing and addressing data privacy and security risks on an ongoing basis, articulating policies and procedures, educating employees and contractors and providing for reporting, enforcement and accountability, will go a long way to mitigate risks and protect assets. Corporate counsel should keep an eye out for how data is collected, used, stored, processed and transferred in connection with operations and transactions they deal with. Internal legal counsel should work with information security, risk management, compliance and other appropriate stakeholders to develop an appropriate information governance and data privacy and security programme that meets the company’s obligations under the law and to its shareholders.
Alan L. Friel is a partner at BakerHostetler. He can be contacted on +1 (310) 442 8860 or by email: firstname.lastname@example.org.
© Financier Worldwide
Alan L. Friel