Changing Consumer Data and Protection Regulations for Companies and Their Counsel
November 27, 2019 at 01:56 PM
Last year, I wrote an article that discussed the implications of the European Union's (EU) General Data Protection Regulation (commonly referred to as GDPR), which came into effect last May. GDPR's goal was to create and to ensure the rights of European Union and European economic area citizens to protect their personal data. In the wake of numerous data breaches and many companies' morally gray handling of their customers' personal data, the implementation of the GDPR gives people the chance to better understand and control the dissemination and use of their personal data. The regulation also insists upon a high level of care from any data handler so that personal information is better protected.
Although a European regulation, the GDPR has affected American companies and, as it appears, has also begun to shape American law and policy. GDPR's strict regulations and rules do not simply apply within the EU and the European economic area—it affects anyone who does business with a person living in those countries or anyone who otherwise monitors the behavior or data of these residents. Consequently, many companies, both large and small, have had to employ data protection officers to comply with GDPR, as violations of the regulation can result in costly penalties.
Recently, American states have started to enact similar consumer privacy laws and regulations. Some of them have already gone into effect or will be very soon. The hallmark so far appears to be the California Consumer Privacy Act (CCPA), which was unanimously passed in June 2018 and was amended in September 2018 as well as last month. This bill is set to become effective Jan. 1, 2020.
The implications of California's implementing CCPA are momentous. Similar to GDPR's wide-spanning reach, CCPA is not limited to California itself—the regulations must be followed by any company that serves California residents. Considering that California is also home to Silicon Valley, these new regulations will have a direct impact on the policies of major international companies such as Apple and their employees, who handle massive quantities of consumer data constantly.
The CCPA and GDPR are not identical, however. GDPR is much broader in what it considers to be protected personal data, broader in who must comply, and tends to be stricter about protection. The CCPA, for example, regulates for-profit entities that either have a gross revenue greater than $25 million, handle the personal information of more than 50,000 consumers, or derive at least half of their annual revenues from selling personal information. Meanwhile, GDPR's "data controllers" and "data processors" implicate a broader swathe of companies and organizations, no matter their size or revenue. A handy chart comparing major aspects of CCPA and GDPR can be found here.
The most interesting implications come from the resulting interactions between GDPR and the CCPA and how companies will—and need to—react. Companies must tailor their internal policies to handle consumers' personal data under the guidelines most applicable to them.
Yet this whole data security issue becomes even more complicated when one considers the growing number of state-specific consumer protection guidelines being set into place. This is especially true for us here in Pennsylvania, where House Bill 1049 was introduced earlier this year. Although the bill is still pending before the Committee on Consumer Affairs, it could be implemented sometime in the near future. Neighboring states such as Maryland, New York and New Jersey are also in the process of updating their laws to further protect consumers' personal data. These types of bills are extremely popular and receive strong bipartisan support; both sides of the aisle can agree on how problematic unregulated dissemination of personal data can be to people's lives and for their security.
Even though the precise definition of "personal data" varies (American pieces of legislation have tended to tie it to information that can be linked to a consumer or household, whereas GDPR appears more inclusive in protecting any personal information), most regulations passed so far are, in practice, mostly similar. The types of information protected include anything from names, mailing addresses and Social Security numbers to biometric information and consumers' personal preferences: all information that can be reasonably tied back to individuals and potentially used to build a profile on them.
These policies and their varying scopes do pose a real conundrum for companies and their counsel. Security breaches are not necessarily what we imagine them to be; they are not always hackers or other nefarious persons trying to steal sensitive information. Very often, security breaches occur when employees leave their former place of work and take certain information with them. Sometimes the intent is innocuous; the employee may take documents that contain specific formatting information they think will be useful to them as a reference point in the future. Other times, the employee takes information about clients so that they might try to contact them in their new job.
The latter is more problematic in intent than the former. In either situation, however, the employee may have in their possession clients' personal data, and thus a security breach may have occurred. Even if the employee took a document with client information for relatively innocuous purposes, the sensitive information has left the authorized hands of the company that was given the right to the information. Companies must be diligent in tracking this information, as once it leaves the company it could be nearly impossible to keep track of what happens to it next. The former employee could easily lose a USB drive with the files in question, or their email could be compromised.
Fortunately, there are ways for companies to keep track of what files are being circulated and to where. Almost all of the tactics used to take company information (which often contains this sensitive client information) can be traced. Emails sent to oneself, for example, are readily traceable even if they are deleted (from both the sent folder and the deleted items folder) on the user's end. Other methods, such as downloading files to USB drives or even printing, can be traced by forensic specialists. Because of this, companies should have trusted digital forensic experts they can turn to who can determine whether employees took a share of company files before their last day at work.
If information has been taken, then companies need to act immediately to avoid punishment under the regulations applicable to them, whether that is a state statute such as the CCPA or GDPR. Under GDPR, for example, companies must report these breaches within 72 hours of becoming aware of them. If not, they can face severe penalties (up to 20 million euros or 4% of the preceding year's annual financial turnover, whichever is greater). Yet reporting data breaches is also not a straightforward process. Each state requires different information to be reported to its attorney general, and each report must specifically describe the state's citizens who were affected by the breach. For smaller companies, following through on all of these reports correctly, which is essential to avoiding penalties or other reprimands, would most likely entail hiring a third party.
It is essential that companies and their counsel work together to formulate policies that conform with the regulations set out by GDPR, the CCPA, or any incoming state regulations. Although it may seem daunting, it is much easier to work preventively and have a system set in place for handling consumers' personal data and avoiding security breaches than to be left scrambling in the aftermath of one.
For companies that handle consumers' personal data, it is important that employees are made aware of what information is protected under these regulations. Consequently, policies should be explicit in detailing what company information or intellectual property cannot be taken and why. Fostering discussion with employees about the potentially sensitive nature of consumer information will help them understand why certain information should stay within the company. The consequences for both the company and the employees themselves should be explained, as both parties may end up in court over various claims that could be made in relation to the unauthorized taking of information (breach of fiduciary duty, tortious interference, and so on). Of course, it is also key that companies have strong security systems in place to protect against the loss of information to begin with.
When a company learns that its employee left the employ of the company with its confidential information that contains personal data, the company should take immediate remedial measures, including filing a lawsuit and seeking injunctive relief. Under various state trade secret statutes and the federal counterpart, the Defend Trade Secrets Act, the company could get immediate injunctive relief and expedited discovery, which will likely be necessary to assess the extent of the data breach. Given that, according to cybersecurity experts, data breaches are a matter of when, not if, companies and their counsel should have both a preventative plan and contingency plan relating to data breaches, especially ones involving former employees.
Edward T. Kang is the managing member of Kang, Haggerty & Fetbroyt. He devotes the majority of his practice to business litigation and other litigation involving business entities. Contact him at [email protected].