May 3, 2024
Joel Schroeder
In today's digital age, where customer data is the lifeblood of businesses both big and small, the importance of data privacy protocols cannot be overstated. As technology continues to evolve and society’s reliance on digital platforms grows, companies face an ever-increasing responsibility to safeguard the personal information of their customers and employees. Additionally, data breaches have become commonplace, resulting in financial loss, reputational damage, and significant legal repercussions.
This article explores what data privacy means, the importance of instituting data privacy protocols, the legal obligations associated with data collection, and why it is important for companies to speak with IT and legal professionals about data liability.
Readers of this article should contact their attorney to obtain advice concerning any particular legal matter. This article does not and is not intended to constitute or replace legal advice, nor is any kind of attorney-client relationship created by reading this article. However, if you have any questions about the legal impact of data privacy or any other business law questions, please feel free to contact us at Alecozay Law Firm, PLLC, or call us during office hours at (210) 774-2741. We are always happy to help by offering business law solutions with heart.
What Is Data Privacy?
Data Privacy is a branch of cybersecurity that focuses on the protection of data from unauthorized access, theft, or loss. It's also known as information privacy. The type of data commonly subject to data privacy protocols is information that identifies, relates to, or could reasonably be linked with consumers (and employees) or their households, also known as personal information. The information can range from low priority (such as an individual’s name and age) to high priority (such as social security numbers or patient health records).
When the personal information of an individual is leaked, it can have serious and far-reaching consequences for both the individual and the organization responsible for the data breach, including identity theft, financial loss, emotional distress, legal consequences, operational disruption, and reputational damage. Therefore, having a data management protocol is crucial for business operations. No matter the size of the business, having adequate cybersecurity defenses and knowledge is crucial to prevent serious harm.
What are the Relevant Authorities on Cybersecurity?
As technology has grown to become the dominant method for data storage and collection, cybersecurity standards have been developed by various organizations and agencies in response. Some of the entities involved include:
• The National Institute of Standards and Technology (the “NIST”): Founded in 1901 and now part of the U.S. Department of Commerce. The NIST developed the NIST Cybersecurity Framework (the “CSF”), whose current version, CSF 2.0, was released in 2024. The CSF is a voluntary framework for cybersecurity and risk management that provides guidance to both government agencies and industry members.
• The Computer Security Act of 1987 (the “CSA”): Directed the National Bureau of Standards (now the NIST) to develop standards of minimum acceptable practices. It was an early attempt by the U.S. Federal Government to ensure that federal agencies implemented security and privacy protections for their information systems. The CSA was a precursor to the Federal Information Security Modernization Act (“FISMA”) (most recently amended in 2014), which now mandates federal responsibilities and oversight of cybersecurity issues.
• The International Organization for Standardization (the “ISO”): A global “counterpart” of the NIST, the ISO establishes voluntary international standards without being tied to any specific government. The ISO focuses on various industry standards, including but not limited to data privacy and information security, AI, and technical infrastructure.
What Laws Enforce Data Protection and Rights in the U.S.?
Surprisingly, there is no federal law that directly enforces consumer data privacy rights in the U.S. Historically, the U.S. has permitted the collection of personal information without the consumer’s express consent. However, in recent years, an increasing number of states (including California, Utah, Colorado, Connecticut, and Virginia) have enacted state privacy laws for their residents, largely based on the legal framework of the GDPR (the EU’s data privacy regime, which notably set the standard for empowering users to make their own decisions about their own data). California led the way in 2018 with the CCPA, which established numerous consumer protections that companies are required to follow; it has since been amended by the CPRA to expand its initial requirements.
Multiple states have now passed data privacy laws to empower consumers to choose how and when their data is collected. You can keep track of whether your state has passed data privacy laws at the following link: IAPP State Privacy Legislation Tracker. These state laws often include the right to know what personal data an entity is collecting about the consumer, the rights to access, correct, or delete (be forgotten) that data, and opt-out procedures that help consumers control their data.
An example of state data privacy laws is the Colorado Privacy Act (the “CPA”), enacted in 2023. Colorado’s approach is considered less “business friendly” than some of its more conservative counterparts, but not as stringent as California's CCPA. The CPA applies to a wider array of entities compared to other state privacy laws in part because there is no revenue threshold, and non-profits must also comply.
The main determiner of whether a business in Colorado must comply with the CPA is the number of consumers whose data the business has access to, which can be as simple as IP addresses and browsing behavior or as sensitive as social security numbers or phone numbers. If the business collects the data of 100,000 or more consumers, OR if the business collects and generates revenue from the sale of the data of 25,000 or more consumers, then the CPA applies.
In addition to common requirements of allowing consumers opt-out/consent options and giving privacy notices, the CPA requires businesses to actively practice data minimization, limiting data collection to data that is “reasonably necessary for the purposes of processing” AND to regularly review and delete collected data at least once a year. Failure to comply with the CPA can lead to an investigation by the Colorado Attorney General and/or local district attorneys, civil fines of up to $5,000 per violation, and the possibility of individuals filing civil suits against alleged violators.
An alternative, more conservative example of recently passed data privacy legislation is from our law firm's home state, Texas. The Texas Data Privacy and Security Act (the “TDPSA”) (slated to take effect on July 1, 2024) is considered to be a more “business-friendly” data privacy act. The TDPSA applies to persons that 1) conduct business in Texas, 2) are not “small businesses” under the SBA definition, and 3) process or engage in the sale of personal data. The TDPSA allows certain small businesses that meet the SBA definition of “small businesses” to avoid many of the regulations of the TDPSA. However, small businesses must still provide consumers with notice and obtain consent if they engage in the sale of personal information. This notice of sale requirement applies to all businesses in the state.
Texas’ TDPSA also requires many of the common data security requirements seen in other state data privacy acts, such as allowing opt-outs for consumers, requiring consent for information sale, giving privacy notices, and the requirement to maintain “reasonable” data privacy safeguards. However, if there is a violation, the TDPSA allows for a 30-day cure period. This 30-day cure period commences upon proper notice from the Texas Attorney General, and if the violation is cured within that timeframe, no enforcement action shall occur. However, if the violation is not corrected, business entities may incur civil penalties of $7,500 per violation, but there is no private cause of action for individuals to sue businesses under the TDPSA.
Despite the lack of federal regulations on consumer data privacy, there are certain federal acts and agencies that regulate the collection, disclosure, and overall use of specific types of data, such as student records (Family Educational Rights and Privacy Act), private health information (Health Insurance Portability and Accountability Act of 1996), and financial information stored by financial institutions that “engage in an activity that is financial in nature” (Gramm-Leach-Bliley Act). Also of note, although the FTC does not directly address consumer data privacy rights, if companies operate in a manner that is considered unfair or deceptive under Section 5 of the FTC Act, and the activity happens to involve consumer data, the FTC will respond.
Examples of Section 5 violations that pertain to consumer data include companies that fail to follow their own data privacy policies and companies whose data handling causes consumers substantial injury that they cannot reasonably avoid. Recent cases of these examples include Equifax and Cambridge Analytica, which the FTC pursued for Section 5 violations, suing them for hundreds of millions of dollars.
Finally, companies that execute internal agreements with their employees or external agreements with customers (including website privacy policies), third-party contractors, and other entities will be bound by any data-related provisions contained within them. These provisions are treated in the same manner as any other provision of an agreement, and a failure to comply may lead to a breach of contract action. For example, should a company enter into an agreement with a third-party vendor for services, and that vendor fails to follow the provisions of the agreement articulating the company’s data management policies, that vendor may be liable for breach of contract, leading to monetary damages or even an unfavorable termination of the contract.
When contemplating the inclusion of data policies in your contracts, compliance with such policies, or concerns about enforcement, please consult your attorney or contact us at Alecozay Law Firm, PLLC.
What are Some Basic Data Management Protocols?
Implementing data management protocols promotes organizational efficiency and security, ensuring that business operations are streamlined while safeguarding sensitive consumer and business information. The following processes are some basic steps you can take to begin the data management process:
1. Inventory: An inventory of data held should be conducted on a regularly scheduled basis and during any major changes within the company. This inventory should include all data records, including client and employee data, and the exact location of the data.
2. Categorize: Once all data held by the company has been identified and inventoried, the data should be categorized into different data types and sensitivity levels. The data types and sensitivity levels should dictate who in the company has access and the method of storage/protection required. This should be determined according to internal agreements and state/federal regulations. High-sensitivity information, such as medical records and social security numbers, requires high protection and limited access. Meanwhile, low-sensitivity information, such as publicly available records, may require less stringent forms of protection and can be accessed by a broader range of parties within the company.
3. Data Flows: Finally, after all the data has been properly inventoried and categorized, it should be determined where such data flows to and from, both inside and outside of the business. Data flows should be categorized by their various storage destinations. For example, if a consumer goes into a car dealership to buy a car, the salesperson will likely collect information from the consumer. Moments later, that data may be transferred to a sales database or the finance department by an in-person delivery of paperwork or via email. If it’s through email, other departments and individual parties may be included in the message, which creates additional travel paths. The consumer data initially captured by the salesperson may now be in the hands of various individuals, departments, and perhaps outside entities (like potential lenders, warranty servicers, insurance companies, etc.). Therefore, data flows should be documented based on a company’s specific activities and communications with other entities.
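To make the three steps concrete, here is an added example in Python (not code from the article or the law firm) that models a small inventory for the car-dealership scenario: each record is classified by its most sensitive element, data flows are a directed graph between storage locations, and a search over that graph surfaces high-sensitivity records whose data can reach an outside entity such as a lender or warranty servicer. It also flags records whose scheduled review is overdue. Every system name, data element, record id, date and classification rule is an assumption made for illustration.

```python
"""Added example (not from the article): a small data-inventory model for the
three steps above (inventory, categorize, data flows) on a constructed
car-dealership scenario. All names, data elements, ids, dates and
classification rules below are assumptions for illustration."""
from collections import deque
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1     # e.g. name, age, publicly available records
    MEDIUM = 2  # e.g. IP address, browsing behaviour, phone number
    HIGH = 3    # e.g. social security number, health record, bank account


# Step 2: element-level classification rules (assumed labels).
CLASSIFICATION = {
    "name": Sensitivity.LOW, "age": Sensitivity.LOW,
    "phone": Sensitivity.MEDIUM, "ip_address": Sensitivity.MEDIUM,
    "browsing": Sensitivity.MEDIUM, "ssn": Sensitivity.HIGH,
    "bank_account": Sensitivity.HIGH, "health_record": Sensitivity.HIGH,
}

def classify_elements(elements):
    """A record is as sensitive as its most sensitive element. An element the
    table does not know is an inventory gap and is reported, never assumed LOW."""
    unknown = set(elements) - set(CLASSIFICATION)
    if unknown:
        raise ValueError(f"unclassified elements: {sorted(unknown)}")
    return max(CLASSIFICATION[e] for e in elements)


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str           # "customer" or "employee"
    elements: frozenset    # data elements held, e.g. {"name", "ssn"}
    location: str          # system or department where the record is stored
    last_reviewed: date    # Step 1 is repeated on a schedule

    def sensitivity(self):
        return classify_elements(self.elements)


# Step 1: the inventory itself (constructed sample records).
SAMPLE_RECORDS = [
    Record("deal-1001", "customer", frozenset({"name", "phone", "ssn", "bank_account"}),
           "sales_desk", date(2024, 3, 1)),
    Record("emp-42", "employee", frozenset({"name", "ssn"}), "hr_system", date(2022, 11, 15)),
    Record("web-7", "customer", frozenset({"ip_address", "browsing"}),
           "web_analytics", date(2024, 1, 10)),
]
# Step 3: data flows as directed edges between locations, plus the set of
# destinations outside the company. The sales_db -> sales_desk edge (paperwork
# coming back to the desk) forms a cycle the search must tolerate.
SAMPLE_FLOWS = [
    ("sales_desk", "sales_db"), ("sales_db", "sales_desk"),
    ("sales_desk", "finance_email"), ("finance_email", "lender_acme"),
    ("finance_email", "warranty_vendor"), ("hr_system", "payroll_provider"),
    ("web_analytics", "marketing"),
]
EXTERNAL = {"lender_acme", "warranty_vendor", "payroll_provider"}
REVIEW_DATE = date(2024, 5, 3)  # the day the inventory is being re-run


def classify_inventory(records):
    """Step 2 applied to the whole inventory: record id -> sensitivity."""
    return {r.record_id: r.sensitivity() for r in records}


def reachable(start, flows):
    """Every location data can travel to from `start` (breadth-first search)."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def external_exposure(records, flows, external, min_level=Sensitivity.HIGH):
    """Records at or above `min_level` whose data can reach an outside entity,
    mapped to the sorted list of those entities."""
    result = {}
    for r in records:
        if r.sensitivity() >= min_level:
            outside = sorted(reachable(r.location, flows) & external)
            if outside:
                result[r.record_id] = outside
    return result


def overdue_reviews(records, today=REVIEW_DATE, max_age_days=365):
    """Record ids not reviewed within `max_age_days` of `today`, sorted."""
    return sorted(r.record_id for r in records
                  if (today - r.last_reviewed).days > max_age_days)
```

On the sample data, `external_exposure(SAMPLE_RECORDS, SAMPLE_FLOWS, EXTERNAL)` reports the deal record reaching the lender and the warranty vendor and the employee record reaching the payroll provider, while the web-analytics record never leaves the company; `overdue_reviews(SAMPLE_RECORDS)` reports only the employee record, last reviewed in 2022. Refusing to classify an unknown element (rather than defaulting it to low sensitivity) is deliberate: a gap in the classification table should surface during the inventory, not disappear into it.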
Following the above steps (and repeating them on a regular basis) can reduce cybersecurity risks, encourage data awareness, and reduce response times should an incident occur. Additionally, each phase should be documented. However, please note that the foregoing data management steps are simply foundational and should be supplemented with more detailed activities depending on the nature of each business.
What Else Can Be Done to Better Protect My Business?
Each business requires a tailored approach to data management. This may require the professional assistance of a forensic IT specialist and an attorney familiar with data privacy laws to help craft a data privacy plan. However, there are some general activities and steps that all business entities should consider implementing, regardless of business type or size:
1. Website Opt-Outs: Numerous states require businesses to offer consumers an option to opt out of having their data collected, whether for storage or for sale. Even in states where this is not required, it is wise for businesses to offer opt-outs to minimize potential liability. This can be in the form of a button or link that allows the user to simply “opt out” from having their information collected. Ideally, it should be displayed on the main page of the company’s website or under a conspicuous subpage heading. Additionally, it should be accessible within user profile settings, with an opt-out or opt-in option. This opt-in/opt-out option raises a public policy question as to whether businesses can or should offer users an incentive to allow the collection of personal data. Currently, there are no real prohibitions against incentivizing user consent to data collection, most often in the form of a discount or coupon, but this may change in the future.
2. Privacy Policies: Seeing the words “privacy policy” on a website often draws out a disinterested sigh from most users, but these policies remain important to protect online business activities and consumer data. They set expectations with website users by informing them of the types of data being collected and how it is used. Even those who choose not to read the legalese of a privacy policy may trust a business more for simply having it. Studies show that data privacy is a growing concern amongst consumers, both American and foreign, and the existence of a privacy policy can boost a business’s credibility with consumers and search engines. From a legal standpoint, having a privacy policy can also protect companies from civil penalties, like those discussed above.
3. Appointing a Data Privacy Officer and Giving Them Duties: Appointing a data privacy officer ("DPO") is largely mandatory in the EU under the GDPR, but that is not the case in the U.S., with the exception of entities that must comply with HIPAA. Even so, appointing a DPO can have major benefits. DPOs can be made responsible for monitoring data-related laws that affect the business and its obligations, as well as serving as the point of contact for applicable regulatory authorities if necessary. DPOs can also monitor internal compliance with data management/privacy protocols. Finally, having an active DPO can increase credibility with third parties and good standing with the community. For smaller businesses, the duties of a DPO can simply be added to the job description or title of a current employee (although giving said employee a minor pay bump would be encouraged in such instances).
4. Train Staff to be Data Conscious: While reading this article (and making your employees do so too) may be helpful, more should be done to train your staff to be data conscious. Employee errors are the most common source of data leaks, and employees who violate data privacy regulations can cause liability for their employers, just as if they had injured a customer while on the job. To prevent employee negligence and ignorance, it is wise to have employees (including and especially executives) complete a data privacy seminar on an annual basis (like this one from EasyLlama).
5. Create an Incident Response Plan: An Incident Response Plan (an "IRP") is not unlike a fire response plan, in that it is important to discuss what to do in the unlikely event of an incident. An IRP is a written document that lays out the plan for how a company will react to and contain a cybersecurity incident, should one occur. It also designates an IRP team to facilitate the plan. Team members will often include IT employees or outside computer forensics consultants, legal counsel, accountants, and other parties who may have access to critical data or knowledge of applicable laws and regulations. Numerous IRP software options exist to help craft a plan, and all business entities should invest in creating an IRP. Additionally, annual training should occur using the IRP. A common IRP training tool is the use of a "tabletop" exercise. A tabletop exercise simulates a cybersecurity incident that the IRP team must respond to and neutralize.
6. Obtain Cyber Insurance: Depending on company size and potential liability, cyber liability insurance may be beneficial to help cover losses in the event of an attack. As the selection of software and insurance depends on your company’s budget and needs, we will refrain from making any specific recommendations, but in the recent past, cyber insurance rates have stabilized, and such insurance offerings are expansive in coverage type to meet different levels of need.
Conclusion
As you can see, there are numerous considerations and concerns regarding data privacy and evolving regulations. Therefore, every company, regardless of size, should implement proper data management protocols and protections. Furthermore, receiving professional guidance from parties such as IT specialists and attorneys familiar with data privacy law can mean the difference between a healthy business and a financial catastrophe.
If you believe your company could benefit from our guidance, please feel free to contact us to schedule a free consultation! You can schedule an appointment via email at sam.a@alecozaylaw.com or by phone at 210-774-2741 during standard office hours. We look forward to hearing from you!