Data Privacy Day 2020—What Actions Businesses Can Take
January 28 was Data Privacy Day. This is a day to raise awareness, foster dialogue, and empower companies to act to ensure proper privacy (and security) of all types of data and information.
Data privacy, as a concept, deals with how information is used, as well as whether an organization has the legal right or proper permissions to use the information it obtains. Data security is an extension of privacy, and it relates to the protection of data, once collected, from unauthorized access or disclosure.
Data is everywhere, and it is valuable. Governments, businesses, and individuals maintain, retain, and share vast quantities of data. When individuals provide information about themselves, the recipients of that information have a responsibility to protect it—either entirely or to a specified degree. Unfortunately, not all businesses fully appreciate this responsibility. Further, many companies are oblivious, often unwittingly, to the extent of information they are collecting.
For example, when a consumer downloads a company’s app on their smartphone or device and agrees to the privacy policy and terms-of-service agreement that goes along with the download, that app is gathering information—such as geolocations, browser data, stored contacts, microphone audio, photographs, etc.—from the consumer’s device. Much of this information may be unwanted or unnecessary for the company’s purposes; however, it is still being collected by the company via the app, often without the company even realizing that the app is collecting it. This happens because app developers build apps to collect all sorts of information simply because it is possible, without having asked or been told what information the company actually wants or needs to track.
Unfortunately, there remains no comprehensive federal-level data protection authority or privacy legislation that regulates the overall collection and use of personal data in the United States. Instead, while various sector-specific data protections exist on a federal level, the majority of data privacy and security regulations exist at the state level. And state-level requirements are multiplying rapidly. Following the California Consumer Privacy Act (CCPA), which went into effect on January 1, multiple states have enacted or proposed similar bills to protect consumers through comprehensive privacy and security legislation. With this piecemeal onslaught of new laws coming into effect so quickly, too many businesses fail to realize that, while they may not have any specific operations in California (or in the other states that have enacted similar legislation), the laws still apply to and impact them.
Companies bear the brunt of navigating this system of highly complex variations of laws related to data privacy and security. Doing so comes with a hefty price tag as well as a heavy administrative burden.
But don’t be dismayed: There are things companies can do to ensure that they are on the right track with respect to protecting their data! Actionable steps for businesses include:
- Review your company’s privacy policies and terms-of-service agreements. Make sure they meet the legal requirements that are applicable to your company and industry. Verify that users or customers can easily understand what data is being collected and what is being done with it, and make sure that clear opt-in or opt-out processes are provided.
- Critically assess the data that your company collects and retains. If your company is collecting unnecessary or unwanted information, update the processes of collection to appropriately limit the information that is obtained and retained.
- Map the data that your company collects. You need to be able to track and manage the information that is being collected at all points in the process, including where it may end up in the future.
- Consider appointing a data officer who will be responsible for your company’s legal compliance with privacy and related issues. This person should keep up to date with legal developments, news, and trends related to your company’s and industry’s specific data privacy needs, or work with competent counsel to help with this.
- Adopt a proactive mindset of responsibility when it comes to handling data. Build for the future with privacy in mind, instead of having to backtrack to implement policies and protections as reactionary measures.
- Require multifactor authentication—one of the best current defensive tactics to avoid a cyber incident.
- Add levels of encryption for data and devices. Enact and enforce policies that will help to avoid data breaches on a systemwide level.
- Obtain sufficient cybersecurity insurance protection. If you don’t have cybersecurity insurance, get it now. If you have coverage, make sure that your coverage is sufficient for your business needs. In addition, don’t forget how cybersecurity coverage might intersect with other policies and coverage, such as business interruption and crime policies.
Alisa Chestler, a shareholder in the Washington, D.C. office of Baker Donelson, concentrates her practice in privacy, security and records management issues; health care and insurance regulatory compliance; and corporate transactions matters. Contact her at achestler@bakerdonelson.com.
Leslie Isaacman Yohey is of counsel in the firm’s Memphis office and is a member of the firm’s health care litigation group. She focuses her practice primarily on medical malpractice litigation and other types of professional liability matters. Contact her at lyohey@bakerdonelson.com.
From: Corporate Counsel