Top 10 Trends Executives and General Counsel Should Follow
Companies around the globe increasingly are collecting ever-greater volumes of sensitive personal information from their customers for business and competitive purposes. If improperly stored, used, stolen, or shared, this information can have devastating reputational and financial consequences. This makes privacy, cybersecurity, and data management critical issues for senior management, board members, and general counsel to understand in order to effectively manage risk.
Following are our lawyers’ perspectives on the top 10 critical trends to follow in the year ahead:
1. Understanding the FTC’s Preeminent Role
The Federal Trade Commission continues to occupy a preeminent role in regulation of data privacy and cybersecurity. As the default regulator in industries not subject to specific privacy regulations, the FTC will continue to play an outsized role in developing U.S. guideposts for what is viewed as “unfair” or “deceptive.”
In the area of data privacy, the FTC faces a challenge this year implementing the new “Privacy Shield” arrangement with the European Union. One of the components of the Privacy Shield is enhanced enforcement of its requirements. Commissioner Julie Brill already has emphasized the agency’s interest in vigorously discharging that responsibility. The agency also continues to grapple with how best to address issues such as mobile location analytics, the questions presented by the Internet of Things, and other newly emerging data uses.
The Commission also remains keenly focused on cybersecurity and on ensuring that companies provide “reasonable” levels of security for consumer data. The agency suffered a setback when an administrative law judge ruled last year that it exceeded its authority in pursuing security concerns against a small medical testing company, LabMD. The agency is appealing that determination to the full Commission – and likely from there to the courts – but in the meantime, expect it to continue to pursue perceived security deficiencies against other companies.
2. Facing New Litigation Risks
Lawsuits arising from cybersecurity and data privacy claims represent a burgeoning industry for the plaintiffs’ bar. With the rise of the Internet of Things and an increase in data breaches expected in key industries, such as healthcare, the trend toward more litigation will continue.
A number of legal issues face companies in the aftermath of a data breach. The issue garnering the most attention in the courtroom, however, remains Article III standing. Plaintiffs continue to struggle to demonstrate cognizable injury arising from data breaches (the vast majority of which lead to no identity theft or other adverse impact), although an increasing number of courts have found that the mere threat of identity theft satisfies the Article III standing requirement. Although the law is far from settled, companies should expect that plaintiffs will more frequently get past standing challenges and be ready to move the cognizable injury debate to the merits determination. Moreover, the recent certification of a class of issuing banks alleging claims arising out of the Target breach signals a potential new trend in payment card breach litigation – corporate plaintiffs who have suffered actual injury. Faced with the possibility of more sophisticated plaintiffs with sizeable claims, companies will need to rethink their data breach litigation strategies.
The ubiquity of data collection introduced by the Internet of Things further presents a number of new litigation risks for companies. In addition to the litigation risks that extensive data collection presents resulting from the exposure of personal data through hacking or other data breaches, companies should expect increased claims by consumers alleging that they were not adequately warned of the scope of data being collected nor informed of its intended (or possible) uses. The collection of consumer data via the Internet of Things has also caught the attention of regulators such as the FTC. The prevalence of enforcement actions for unfair and deceptive practices stemming from companies’ failure to adequately secure consumer data or disclose its collection and use will likely increase over the coming year.
3. The Zen of Privacy Shield/Data Transfers
Privacy Shield Is a Time for Reflection, Not Hyperventilation! While the EU-U.S. Safe Harbor Framework was invalidated in October 2015, from the ashes will rise Privacy Shield, the new EU-U.S. data transfer compliance mechanism negotiated by the EU Commission and the U.S. Department of Commerce. This development is significant for global companies. While more than [3,000] of the largest global companies certified under the EU-U.S. Safe Harbor Accord and will have to consider making changes and enhancements to qualify under the Privacy Shield program (expected to be a big undertaking), the number of companies actually impacted is exponentially greater when you consider the number of companies that relied on vendors who transferred their data under a Safe Harbor certification.
Don’t Be “Data Transfer Compliance Fatigued!” Going forward, there are two camps. On one side, there will be a number of companies in the U.S. and the world (both Safe Harbor-certified and non-certified) that will be considering how to migrate to Privacy Shield. On the other side, many companies may be “data transfer compliance fatigued” and decide at this point just to rely on the Model Contracts that were sent around in a flurry before the EU compliance deadline January 31, 2016. Yet, this second group will miss the opportunity to design an approach (not just contract-to-contract) that may save their organization time and money in the long-term. In fact, a primary reason Safe Harbor was created was to avoid the delay, effort, and expense required to update the data uses and vendor service offerings descriptions in model contracts.
2016 Will Be a Time for Reflection and Action. We have already started seeing global companies beginning to re-architect their global privacy approaches in light of the new EU-U.S. Privacy Shield Framework. 2016 will be a year of reflection and action where leading companies will:
Do Not Just Fix U.S.-EU Data Transfers. Use the advent of Privacy Shield as an opportunity to reassess their global data transfer strategies and uses of Privacy Shield in combination with Model Contracts, Binding Corporate Rules, APEC DMPR Safe Harbor to save money and time; and
Develop a Global Privacy Program Framework. Develop or update an integrated global framework to manage privacy regulatory compliance combining key principles under Privacy Shield, the new GDPR, the APEC Framework, and key U.S. and other global laws. Operating under a global, integrated privacy framework will enable a company to quickly, flexibly, and cost-effectively adhere to new laws (like the GDPR) and avoid inefficiently managing privacy compliance in silos from jurisdiction to jurisdiction.
4. Unlocking the Potential of Customer Data
Companies in nearly every sector of the economy will continue to explore new forms of Big Data analytics as a means of unlocking the potential value in existing – and growing – sets of customer data. These efforts to monetize data assets are likely to have implications for day-to-day operations as well as longer-term corporate strategy. At the operational level, companies will find it beneficial to take a holistic approach for complying with the complex patchwork of state and federal privacy and security laws. This means, for example, that in addition to deploying physical and network security, companies will need to ensure that contracts with vendors, suppliers, and customers provide appropriate protections for increasingly valuable data sets. In terms of longer-term corporate strategy, the enhanced value of data assets may cause parties engaging in M&A processes to devote more attention to privacy and cybersecurity topics, both as a diligence issue and in negotiating substantive contractual rights and remedies.
On the regulatory front, internet service providers (ISPs) will have the opportunity to engage with the Federal Communications Commission (FCC) as it drafts new privacy and cybersecurity regulations. Last year, as part of its Open Internet decision, the FCC changed the regulatory classification of ISPs in order to implement network neutrality rules. As a side effect, the FCC’s reclassification also subjected ISPs to the consumer privacy and security provisions of the Communications Act. Yet, the FCC’s existing privacy and security regulations do not mesh well with ISP-specific issues, as the existing regulations were specifically drafted to regulate telephone carriers. Given the need for, and potential impact of, new FCC privacy and cybersecurity regulations, ISPs and other stakeholders are likely to focus significant attention on this FCC proceeding in 2016.
5. Finalizing the Data Protection Regulation
Just when you thought that European data protection law could not get any more exciting, we are expecting the absolute final form of the General Data Protection Regulation (GDPR) in Q1. The GDPR is likely to go live in April 2018, which does not give companies long to get into compliance. As usual with data protection compliance, it is much easier to get into compliance in respect of any new data that a company might receive or obtain than it is to get legacy databases and processes into compliance. For those companies with very large data sets, the challenge is considerable. For some companies, getting into compliance early will help reduce the size of the task in hand as any natural churn will reduce the quantity of legacy data that needs to be dealt with by April 2018.
In addition to requiring companies to update and translate privacy notices, create audit trails of any data protection consents that may be received, and update internal processes to deal with new data subject rights – such as the right to be forgotten – the new rules are going to have a dramatic effect not just on multinationals with operations in Europe: for the first time, the GDPR will have extra-territorial effect and will seek to regulate any company that seeks to sell products or services to, or to monitor or profile, consumers in Europe. The rules that you will need to comply with are more onerous than even the ones in Safe Harbor/Privacy Shield. Finally, even if you are not planning to start your GDPR compliance until later this year, we do recommend that in any long-term contracts that you sign from today onwards, you give thought in the negotiation as to who will bear the cost of the changes required to get that contract into compliance in 2018. Should you or your supplier/customer pay for this? We think that you should settle that question now before the contract is signed.
6. Running Afoul of Employee Privacy Rights
As technological innovations continue to develop at breakneck pace, companies’ use of workforce data and technologies, in particular, may implicate potentially serious privacy concerns. For example, more and more companies are using human resources-based analytics tools to better understand and develop their workforces as a means to achieve competitive advantages and drive strategic business decisions. Employers are using big data workforce analytics to shape their healthcare benefits strategies, including biometric screening results (such as the number of employees who have high cholesterol or who are at risk for heart disease or diabetes). Companies also are using such aggregated workforce analytics to recruit and hire the best employees, find and predict top performers, identify skills gaps and develop talent, and succession plan their organizations, among other things. Employers seeking to obtain the richest possible analytic results ― with the hope or belief that such results then can be used to help them make competitive gains ― sometimes include within their big data studies sensitive demographic data (e.g., age, disability, race/ethnicity, gender).
While employers’ use of big data to accomplish business objectives may be well-intentioned, this use also can run afoul of employee privacy rights. Privacy concerns, including the potential for breaches to happen, are growing as employers increasingly use HR-data analytics spanning a wide spectrum of databases (e.g., core human resource information systems (HRIS), enterprise benefits and healthcare systems, applicant tracking and talent management systems, to name just a few). As but one potential concern, consider the fact that two pieces of seemingly unconnected information ― when used together ― can result in the unintended disclosure of an employee’s own personal, private information (or that of his or her family member). As a result, employers should take steps to ensure that their HR personnel are well-coordinated with legal and IT personnel before workforce data mining solutions are used, such that the aggregate data is both useful for analytics and designed to safeguard individual privacy rights.
7. Facing Increased Regulation in Financial Technology
The big issue roiling the FinTech world, and, we would argue, the financial services world more broadly, is whether financial institutions can claim an exclusive right to decide with whom and on what terms information about the accounts that they hold for their users will be shared with others. Consumers and businesses have, of course, been sharing their key financial information – i.e., transaction records, bank statements, etc. – with trusted third parties like accountants, lawyers, and financial advisors for as long as banks, accountants, and lawyers have existed. Advances in technology have made it easier for customers of banks and insurance companies to share information with others. Rather than gathering key documents in shoe boxes and file folders, consumers and small businesses can simply pass along their online and mobile banking credentials. Financial institutions, principally banks and insurance companies, claim with some justification that the widespread practice of allowing others access to sensitive account information creates risks for the financial institution and its customers, and they have periodically taken steps to prevent their users from delegating access to third parties.
But there is another side to this story – namely individual autonomy and competition. Consumers and businesses, after all, need to have access to their account information, and they need to share it with the people and, increasingly, software programs that enable them to file their taxes, keep track of their books, and manage their finances. Although the security and privacy concerns that banks raise about how consumers currently provide others with access to their information are real (i.e., people really should be careful about sharing their mobile banking credentials), technology can solve them. It is possible to provide third parties with safe, secure, and efficient access to account level information. And the objections raised by financial institutions to delegated access, although partly altruistic, are also driven by the recognition that delegated access to account level data creates the potential for competition in certain lines of business that have been effectively protected by regulatory moats and high barriers to entry.
We expect to see interest in this subject across a range of industries including banking, wealth management, and insurance. It will likely spawn regulatory developments, litigation, and possibly civil enforcement actions.
8. Recognizing Opportunities and Challenges Created by the Internet of Things
One important trend for companies to watch will be increased regulatory attention to the so-called
This area already has the attention of regulators. In January 2015, the FTC issued a staff report that urged companies to adopt practices in response to privacy and security concerns raised by the Internet of Things. Its recommendations include building security into the devices; training employees; data minimization; and notice-and-choice to consumers.
What Companies Need to Do to Build a Competitive Advantage (or at Least Keep Up).
IoT technologies have great promise for allowing certain functions to be triggered by passive monitoring criteria. One of the biggest challenges for the successful development and roll-out of Internet of Things technologies is balancing convenience with privacy and security. It is therefore imperative to design a compliant system from the onset of development to avoid potentially problematic situations down the road. For companies that want to build a competitive advantage in this space (or at least keep up), 2016 will be the year where many companies start planning and employing new approaches to privacy and security to enable the future adoption, growth, and promise of IoT, including:
Notice and Choice Model for Range of IoT Decision Making. Industry is developing new models for notice and choice to explain the range of foreseeable actions and decisions and information sharing an IoT application/technology can take;
Agency of Permissions for Networks and Platforms. A new consent model allowing for agency of permissions to curated networks of trusted merchants, services, and platforms that align with a person’s specific preferences and comfort of IoT decision making and machine learning;
New Privacy Impact Assessment Approaches. Old approaches to privacy impact assessment will have to be overhauled to apply to IoT given the potential for constant monitoring, unintended consequences and uses of IoT information, and the vast number of third parties that will be needed to support an IoT advanced network;
Better Cybersecurity Vigilance. Enhanced cybersecurity by all players will be paramount as the privacy and safety of IoT users will depend on the safeguards of the weakest player as the backdoor into the IoT network.
Due to the critical importance of this area, Paul Hastings has started a new practice group devoted to Internet-connected devices. Through this practice group, we will be watching new developments closely and tracking legal and policy requirements.
9. Privacy Penalties – The Velvet Hammer Has Arrived
With agreement reached on the General Data Protection Regulation (GDPR), the European Union’s (EU) data protection reform agreement, and other developments such as South Korea’s addition of punitive and statutory damages to its data breach statute, this promises to be the year when people stop questioning the severity of the potential consequences of a privacy mishap.
The GDPR, which will directly bind all EU Member States, will impose fines of up to four percent of a company’s global revenue for GDPR infractions. In practice, the amount of the fine imposed will vary based on the nature of the violation.
For many privacy infractions, such as inadequate recordkeeping or insufficient contractual safeguards in a data controller’s contracts with its data processors, noncompliance could result in a maximum penalty of €10M or two percent of the company’s annual turnover.
Direct violations of data subjects’ rights would be subject to a maximum fine of €20M or four percent of the company’s annual turnover.
In addition to potential penalties, the costs of compliance may also be substantial, as companies implement mechanisms to enhance users’ control over their data, such as the right to have their information corrected or deleted.
Although the GDPR is not expected to take effect until the Spring of 2018, proactive companies – including U.S. businesses with an EU presence – should begin taking steps to comply with its heightened restrictions on the use and flow of data as soon as the regulation is formally adopted in the coming months.
South Korea’s Personal Information Protection Act
Through an amendment that will take effect in July 2016, South Korea expanded its Personal Information Protection Act (PIPA) to enable Korean courts to impose punitive damages of up to three times the actual damages caused by the “loss, theft, leakage, forgery, alteration, or impairment of personal information” stemming from “a deliberate act or a serious error.” Consumers will also be able to seek statutory damages of up to three million Korean won (approximately US$2,455). Companies operating in South Korea – a country known as a leader in Asia for the continuing expansiveness of its privacy obligations – should take steps to ensure the adequacy of their data protection mechanisms.
10. Cyber Tsunami – What Regulators and Congress Have to Say in Response
Cybercrime and Espionage Growth at Epidemic Proportions. Companies are under electronic siege. Over 50% of Fortune 500 companies had a breach last year. New cyber and knowledgeable insider threats are increasing incidents of IP and ID theft, insider trading, and other improper access to “crown jewels.” McAfee estimates the annual cost of cybercrime and espionage to be between US$400-$575B. This cost includes the cost of personal information stolen globally, impacting last year more than 40 million people in the U.S., 54 million in Turkey, 20 million in Korea, 16 million in Germany, and more than 20 million in China. One estimate puts the total at more than 1 billion individual records compromised. Yet, it has been estimated that 55+% of individuals who had their information compromised were from vendor breaches.
NIST and Other Frameworks Used by Companies and Boards. Moreover, while boards of directors increasingly have been using the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity since its inception on February 12, 2014, as a starting point to ask questions and review cyber safeguards in place, importantly, there also has been guidance from the New York Stock Exchange, The U.S. Securities and Exchange Commission Office of Compliance Inspections and Examinations (for broker-dealers and investment advisors), and The U.S. Food and Drug Administration (for medical devices), and other regulators.
Congress Passes the Cybersecurity Act of 2015 - The Cyber Double-Edged Sword. At the end of 2015, the Cybersecurity Act of 2015 (the Act) was passed – the most important cyber legislation enacted to date. The Act establishes a mechanism to promote real-time sharing of cyber threat indicators and defensive measures with, and receive such information from, both federal entities and others within industry. Since the passage of the Act, companies are starting to create guidelines on when and how to share cyber-attack information with government entities or others within industry without running afoul of antitrust or destroying legal privilege. While privacy concerns have been raised related to the information sharing under the Act, if resolved, the Act may be the first step in an early warning network and potential coordinated defense from cyber-attacks.