How Complex is the Data Privacy and Protection Regulatory Environment?
Our economy is becoming increasingly digital, and businesses are benefiting from more sophisticated data analytics tools. As more personal information is collected from consumers, there is growing concern about what information is being collected and how it is being stored and used. Consumers are demanding better privacy measures and disclosures from businesses.
At the same time, legislators and regulators are stepping up their efforts to address the concerns of consumers and provide them with the data protections they need. Stronger scrutiny is being placed on how and what consumer information is collected, stored, processed, and used. In the data privacy world, a distinction is drawn between controllers, who collect the information and want to use it, and processors, who process the information on behalf of controllers. A third party may also be involved in the process. For example, if telephone numbers are collected for telemarketing purposes, then to comply with telemarketing regulations, a controller may send the file of phone numbers to a third party to scrub the numbers against national and state do-not-call lists. This sharing of information needs to be considered when assessing data privacy and protection issues.
Data privacy and protection law is evolving in the United States and elsewhere. Until recently – except in specific areas, like HIPAA for healthcare – there was no comprehensive privacy law in the United States at the federal or state level. But that has changed as regulators, concerned with the historical lack of data privacy regulation, are augmenting efforts to fill the void. Numerous states have imposed their own stringent privacy laws in recent years, and the federal government is making strides as well.
Data privacy and protection rules are often confusing. But they apply throughout the whole lifecycle of data, and therefore a program needs to be put in place to handle these issues. Businesses need clear, actionable recommendations from counsel so they can use and manage data effectively.
Solid Data Privacy Practices are a Competitive Advantage
There is also increasing pressure from the market. One factor that consumers are weighing more significantly in selecting sellers is whether their data is being treated appropriately. Businesses should expect that going forward, good data privacy and protection practices will become more of a competitive advantage.
Consider the following:
- A 2020 report from Cisco suggests that for every $1 invested in privacy, companies saw a $2.70 return. Additional studies point to improved customer loyalty, improved ROI, and less reliance on outsourced data.
- Salesforce found that 76% of consumers will remain loyal to organizations that provide data security.
- A study published by the Cyber and Privacy Innovation Institute asserts that 64% of Americans would fault the company they trusted with their information before blaming the hacker in the instance of a breach.
- Gartner predicts that by 2024, 40% of consumers will intentionally devalue personal data collected about them, by using VPNs or by opting out of data collection altogether.
To stand out competitively, businesses across all industries must proactively embrace privacy and data security across functions and departments, not just as a defensive position but as a key driver of sales and retention as well.
Let’s talk about how we can help your business manage data privacy effectively.
How Much Harm Could a Data Breach Cause to Your Business?
For most business executives, the prospect of a data breach represents their worst nightmare. A major breach can be catastrophic not only to the bottom line, but to your business’s operations, its customer trust, and even its survival. Types of harm could include:
- Legal liability and substantial financial penalties
- Damage to brand reputation
- Clients switching to competitors
- Distraction of employees from important work
- Loss of intellectual property
Even a small data breach can trigger significant time and related costs for those who work at the company. Breaches impose obligations to, among many other things, remedy the underlying vulnerability, address future threats, communicate with customers, and mitigate the harm caused to them. Ordinary business is interrupted, distracting employees from revenue-generating work.
Valuable intellectual property that the firm could lose includes competitively advantageous trade secrets. Loss of confidence can occur not only among customers but with investors and vendors. This reputational damage may extend not only to firm leadership but also to the brand itself.
There is also the risk of legal liability, as a data breach can lead to follow-on lawsuits that cause further distraction and cost money to resolve. Potential lawsuits could come not only from private citizens but from regulators, too. Experienced counsel can work with your information security team to identify and mitigate potential risks, and in the event of a data breach, guide you through a comprehensive response strategy that mitigates the legal, operational, consumer, and public relations impacts of the breach while preserving brand reputation.
Let’s talk about how to prevent data breaches from happening in the first place.
How Should Businesses Prevent and Respond to Data Breaches?
Businesses have data security obligations to prevent and respond to data breaches. The legal frameworks vary depending on the jurisdiction.
But there is a set of best practices that our privacy and data security attorneys recommend. A business can choose to implement different standards based on the framework in each jurisdiction where it operates, or apply the strictest standard across the board.
How to Prevent Data Breaches
Businesses should establish security measures that adequately protect data. It’s important to work with experienced privacy counsel who can direct comprehensive compliance audits to assess the risk exposure of an existing program. A typical audit might include the following components:
- Analysis of documentation including existing privacy policies, information security program, data breach response plan, and business continuity plan
- Interviews with key personnel and vendors
- Assessment of vendor contracts and due diligence reports
- Review of information security reports, including penetration test and SOC 2 reports
Audits should occur regularly. Based on audit results, a remediation plan may be put in place to remedy compliance gaps. You may be surprised at how simple some fixes can be. For example, have someone check that employee login credentials are difficult to guess, not just easy for the authorized person to remember.
Updating compliance programs involves designing and implementing actionable steps that keep the business moving forward while satisfying legal obligations. Written policies and training sessions are important, as well as scenario planning and quality assurance measures.
Any data you acquire from a third party, or provide to a third party, should be accompanied by due diligence on how that party handles data. You need a reasonable basis to believe that its data privacy and security practices are also compliant with applicable laws.
How to Respond to Data Breaches
When it comes to a data breach, preparation is key. You cannot wait for an incident to occur to begin developing your response plan. You will need to act quickly, so having an established plan in place will facilitate your investigation and containment of the breach, notification of affected parties, and other responsibilities.
Your response plan should cover the entire lifecycle of a data breach event, not just the immediate aftermath. It should ensure that, if followed, the business will be compliant with all applicable data breach response obligations. Your plan should also have an identified list of the key resources and vendors that will be necessary to respond to the breach, including their contact information. This could include a public relations consultant, forensic IT firm, insurance company providing your cyber liability coverage, contact center or customer relations resource to field consumer questions, and of course, your privacy legal counsel.
Want to learn more about developing a data breach response plan? We can help.