Ten Things: Data Privacy – The Essentials

As in-house counsel, you have probably been asked the following question by a panicked (or at least pretty stressed-out) CEO or CFO: “What are we doing about data privacy? Are we okay?”  You likely have a good answer, or at least the start of one.  Still, your answer may be as open-ended as the question and you can feel overwhelmed by the sheer amount of information on the topic.  I know that you want to read another article about data privacy about as much as you’d like to have a safe dropped on your head.  But, don’t stop reading.  This will not be an overly-detailed discussion about all of the nuances of the issue or a list of regulations and laws of multiple countries (though those discussions are valuable). This edition of “Ten Things” will set out the essential things you need to know about data privacy — key points that you can focus on as you work through or oversee data issues for your company.

I have worked on data privacy issues since the mid-1990s, before there even was an EU Privacy Directive (or as my daughters say, before I “fell off my dinosaur”).   One thing I have learned is that data privacy is actually pretty straightforward, common sense stuff.  I’ll go into some specific areas below but the key thing to keep in mind is this: Tell people what you are doing with their personal data, and then do only what you told them you would do.  If you and your company do this, you will likely solve 90% of any serious data privacy issues.

Below are some areas of data privacy law that will help you stay on top of the issues and be able to add intelligently to the conversation where you work:

  1. Take a data inventory.   The first thing to do is to take a data inventory: a) what types of personal data your company collects, b) from whom, c) how it is collected, d) where and how it is stored and secured, e) how it is used (including potential future uses), and f) when and how it will be discarded.  Since a data inventory is the linchpin of data privacy, take your time to get it right — meaning ask lots of questions of lots of people across the business and always cross-check the answers to be sure everything lines up.  As you go along, build a “data map” based on the answers and be sure to update it regularly, at least once or twice a year.  Don’t forget that the data you collect about your own employees counts as well.
  2. Special data requires special protection.  If you are collecting personal data that is sensitive (e.g., health information, information from children, political affiliation, sexual orientation, viewing and reading habits, etc.) you need to take special precautions to protect the data and to obtain the correct permissions from the individual about how you may use such data, if at all.  Treat sensitive data of your customers or website users the same way you would want sensitive data about yourself treated.  One way companies are starting to take risk out of a potential data breach is to encrypt the data.  If encrypted data is lost or stolen (and the key is not taken too) most data breach notification statutes do not require any notice as the encrypted data is otherwise considered safe.  Depending on your company’s business, this option is worth exploring with your IT team.
  3. Figure out which laws/rules apply.  Next, you need to know which data privacy laws apply to your collection and use of the data.  Typically, it’s a function of three things: a) where the personal data is collected, b) where that data is sent, and c) how that data is used.  In the U.S. you have a mix of state and federal law.  State laws are usually enforced by the state attorneys general and typically deal with things like notification requirements in the event of a data breach.  Federal laws tend to be sector-specific, e.g., Gramm-Leach-Bliley (financial companies), HIPAA (health information), COPPA (protection for children), Fair Credit Reporting Act (credit agencies, employers), etc.  The FTC is the main, but not the only, federal-level privacy regulator and has wide powers under Section 5 of the FTC Act (prohibiting unfair or deceptive trade practices).  Outside the U.S., privacy laws tend to be comprehensive, applying broadly across all business and data uses, and are enforced by a central agency usually called a “Data Privacy Authority.”   In the EU, for example, there is a minimum level of data privacy protection under the EU Data Privacy Directive that each member state must implement.  Each member state, however, is free to pass more restrictive laws.  The EU is currently overhauling the Privacy Directive, so watch for those developments, as the revisions will likely change things significantly when finalized.
  4. Create good/accurate privacy policies and notices.  A privacy “policy” is a policy internal to your company, i.e., what the company tells its employees about the collection and use of personal data.  A privacy “notice” is the policy the company shares with the outside world (usually via a small link at the bottom of the website marked “Privacy Policy”).   Regardless of what you call it, the policy and the notice need to line up.  You cannot tell consumers one thing and do something different internally.  Your internal privacy policy should be a comprehensive set of rules your employees can follow and that tells them how they can collect and use personal data.  You need to keep the policy current (e.g., catch any new uses for the data), which will entail several meetings every year with the employees in charge of or dealing with data.  You also need a training program to educate all your employees about the policy. Inadvertent or deliberate data breaches by employees have constituted a large portion of data breaches over the past several years.  On the other hand, a privacy notice is required any place you are gathering personal data from the public (website, mobile phones, etc.) and needs to set out five core things: a) what data is collected, b) how it is used and secured, c) with whom it is shared, d) whom to contact if there is an issue, and e) information about the use of tracking software and “cookies.”  It is critical that you live up to all promises made in your privacy notice.  If there are changes around the use of data, be sure to update your privacy policy and privacy notice as soon as possible.  Remember that changes to the notice will not apply retroactively, i.e., you’ll need to treat data collected in the past under the terms of the privacy notice in place at the time of collection.  As to “tracking” and “cookies,” just remember this: fully disclose what you are tracking and how, and give users a way to turn off “cookies” if they want to.  Finally, be sure to have a working “opt-out” link on your website and as part of every email sent in a marketing campaign.  If the consumer can simply tell you to “stop sending me stuff” and you respect that request, you will have many fewer problems.
  5. Stay on top of vendors.  Your company may be a model of best practices with respect to data collection and data privacy.  But, if you use vendors to process any of the data (e.g., the cloud, call centers, outsourcing, etc.) you are still responsible, and your company will be the one left holding the bag in the event of problems.  Accordingly, your vendor contracts should require several things: a) that vendors follow the same data privacy practices you do with respect to the data you provide them, b) that vendors give you the right to audit around data issues, c) that vendors notify you immediately in the event of a data incident, and d) that vendors indemnify your company for problems they cause.  Try to stick with well-known and responsible vendors if possible.  Several companies, e.g., BitSight Technologies and SecurityScorecard, rank vendor “security” by producing ratings based on how “securely” the vendors operate.
  6. Get cyber-risk insurance.  A data breach can explode very quickly and the costs to your company can be very high (anywhere from $10 to $200 per record lost).  If your company deals with personal data in a significant manner, you should look into whether your current insurance policies (e.g., CGL or E&O) cover a data breach and, if not, into obtaining a specific data breach policy.  Your insurance department or insurance broker can be helpful here.  One thing you’ll need to figure out is how much insurance you need.  You have probably seen recent data breach settlements and related costs of tens, if not hundreds, of millions of dollars (e.g., Target, Home Depot).  Things you need to think about include how much personal data the company processes, what the harm of a data breach to the company’s reputation would be, what a reasonable cost per record lost is, what happens if the business is materially interrupted in the event of a breach, what consumers will expect the company to do in the event of a breach (e.g., credit monitoring), and so on.  Your insurance company may also be able to help you understand and implement best practices regarding data security, so do not leave that resource untapped.
  7. Make sure you can transfer the data.   The question here is whether or not you can legally transfer personal data from one country to another.  For example, under the EU Privacy Directive, you can freely transfer personal data within the EU, but you cannot transfer the data of an EU citizen (including that of your own employees) outside of the EU unless it is being transferred to a country with an adequate level of data privacy laws.  According to the EU, the United States does not have adequate laws. This has caused some real problems for American businesses.  There are several exceptions to the restriction (e.g., binding corporate rules, use of model clauses, explicit consent, the transfer is necessary to perform the contract), but you need to be sure to fall safely within one of the exceptions, which DPAs have narrowly construed.  In the U.S., companies can avail themselves of the Safe Harbor agreement to ensure the ability to transfer data out of the EU to the U.S.  As part of your transfer analysis, don’t forget to consider “onward transfer,” i.e., transfer of the data by you to a third party (e.g., a processing vendor).  Compliance with regulations/Safe Harbor will require that any party you transfer the data to must follow the same compliant data privacy practices you do.
  8. Create a data breach response plan and practice it.  If you’ve heard from a law firm lately about data privacy issues, odds are good that it is about creating a data breach response plan.  If you happen to have a killer response plan already prepared, you’re in good shape.  If you’re like most companies, your plan probably needs some work, meaning it may be a good idea to take up one of the law firm offers to help you with a plan.  A few important things to think about as you develop or update your plan:
    1. Someone needs to be in charge of data privacy.  If you’re serious about data privacy, then you need to have someone in charge of the issue – a data honcho.  They can come from legal or from the business.  But it needs to be someone senior enough to command respect and resources in the event of a crisis.
    2. Know the difference between a “data incident” and “data breach.”  Just because the problem involves data does not mean there is a “breach.”  It’s important not to prematurely label what has happened as a “breach.”  If you declare a data breach, you have a lot of obligations to fulfill and you are probably headed toward litigation. Start with calling it an “incident” until you are sure.  Be sure that the appropriate people in the legal department and the business understand the distinction, especially at the beginning of an incident when the emails and the documents are flying fast and furious and you will have to live with whatever people write down.
    3. Identify your core team.  Set out in advance who will be sitting around the table if there is an incident.  Some key people will be the head of data privacy, legal, human resources, corporate communications, system security/CIO, outside counsel, outside communications team, forensic team, applicable vendors, and insurance.
    4. Engage legal counsel at the beginning.  If there is a data breach you will want to make sure the investigation is conducted at the direction of counsel (in-house or external) so that any appropriate legal privileges will apply.
    5. Prepare for the notice process.  If there is a data breach, you will likely need to notify the impacted persons.  Your outside law firm or insurance company should be helpful here.  Your insurance company may even have a turnkey vendor who can handle the notice issues and processing.  I recommend you download a copy of the Weil Gotshal security breach notification survey.  It is a comprehensive look at notification requirements by state in the U.S.
  9. Read these core four documents.  There is an incredible number of articles and books about data privacy and data breaches.  It is an overwhelming amount of information for any in-house lawyer to try to digest.  I have read a lot of privacy-related material and if I could have only a handful of documents to read and keep nearby, this would be my list:
    1. The EU Data Privacy Directive & “Cookie” Directive.  If you can read and follow the requirements of the EU Privacy Directive and the companion “Cookie” Directive then odds are high that you are in compliance with most any general data privacy protection law in the world.
    2. The National Institute of Standards and Technology – Framework for Cyber Security.  This is quickly becoming the de facto standard for implementing data security.  While data privacy and data security are two separate things, you cannot have appropriate data privacy without solid data security practices.
    3. The 2015 Verizon Data Breach Investigations Report.  This is a free resource full of great information and data about data breach issues.
    4. A Sample Data Privacy Notice.  A great example of a “state of the art” privacy notice is that of Microsoft.  The Microsoft privacy notice covers multiple Microsoft businesses in one clean, user-friendly document.  I would keep this on hand as a model to emulate and monitor it for changes as those changes are likely changes I would need to consider making to my own notice.
  10. Keep public disclosures current and complete.  Given the growing importance of data and the material harm a breach can cause, you need to be aware of any obligations to discuss or disclose risks relating to data privacy and data security.  If you work for a publicly-traded company in the U.S., risks around a data breach need to be appropriately disclosed in your quarterly and annual reports.  The SEC has issued guidance on such disclosures and its interest in the topic is growing.  Failure to make appropriate disclosures can also lead to shareholder litigation/class actions.  Likewise, in the event of a data breach, you may need to file a Form 8-K describing the event.

Is there more?  Definitely, yes.  A lot more.  For now, just know that the legal issues surrounding data privacy are here to stay and are getting more risky and complex.  Data privacy is the new black and it is well worth the time of all in-house lawyers to have a basic understanding of the law in this area.  Your job is not necessarily to master every detail of data privacy but to be sure you understand when you need to “herd the cats” and get people into the proper positions and armed with the proper tools so that if (when) there is a data breach your company will be ready.  This is how you can best add value to the company.

Sterling Miller

April 30, 2015

(If you find this blog useful, please pass it along to colleagues or friends and/or “Tweet” it. “Ten Things” is not legal advice or legal opinion.  It is intended to provide practical tips and references to the busy in-house practitioner and other readers. You can find this blog and all past posts at http://www.TenThings.net or www.sterlingmiller2014.wordpress.com. Follow me on Twitter: @10ThingsLegal)