
Present and Future Data Privacy Outlook

MODERATOR/PANELIST: WENDELL J. BARTNICK, PANELISTS: SHENNA BRADSHAW, ALEXANDRA CHUGHTAIHARVEY, MARY ISENSEE

I. Introduction


The General Data Protection Regulation (GDPR) is now in effect and could apply to companies around the world. U.S. companies are just starting to recognize the issue—data privacy is not something that can be ignored or relegated to a low priority compliance issue because the risks are simply too great.

The GDPR became enforceable on May 25, 2018[1] and concerns the processing of personal data.[2] The GDPR has had a dramatic effect on privacy law and has caused many international companies to expend significant resources in their compliance departments. Subsequent laws in other countries are very similar to the GDPR, for example laws in South America and California's California Consumer Privacy Act (CCPA).[3] Clearly, privacy law is headed towards some sort of comprehensive body of law, whether federal or state in the United States, and across the globe. The landscape is changing, and businesses are faced with higher risk, requiring firms to address how their data is handled internally and externally.

Current data privacy rules constitute a patchwork of laws, due to the influence of European Union (EU) law and to the new changes to California law, the Health Insurance Portability and Accountability Act (HIPAA),[4] the Gramm-Leach-Bliley Act (GLBA),[5] and various state laws.[6] One of the most burdensome challenges is resolving how to go about building a privacy compliance program when various, sometimes conflicting, standards apply. Understandably, companies struggle to navigate this legal quagmire.[7] Information technology outpaces the myriad of changing laws, data uses change (and expand), and frequently, data volume increases tremendously. These changes are the root cause of the compliance confusion for companies because it is difficult to manage risk with all this change occurring. Understanding that the privacy field is a complex, ever-changing behemoth is fundamental to any approach taken in developing a privacy compliance program.

Additionally, the ambiguity of the laws further complicates privacy law compliance. The GDPR, for example, has ninety-nine articles and more than two hundred recitals that try to describe how a comprehensive privacy legal regime should look.[8] The CCPA, effective January 1, 2020,[9] contains far less verbiage while attempting to cover almost all the same subject matter that the GDPR covers. Clearly, there is tremendous ambiguity as to what companies are supposed to do to comply with the law. The combination of a patchwork of law, the ever-changing nature of technology and data, and the seeming inability of regulators and lawmakers to articulate what compliance should look like, all contribute to the difficulty in both understanding and complying with privacy law.

One key aspect of privacy is connected to an understanding of the information in scope, the use of that information, and where it is going. Any company that has offices, employees, or clients in Europe, or clients outside Europe that market to customers in Europe, will be subject to the GDPR.[10] Even businesses not subject to the GDPR are pressured to comply because of its enhanced protection measures and the possibility they will fail to retain clients if the business is not GDPR compliant.

Becoming GDPR compliant may require a year’s worth of work, depending on the company’s resources. Such may be the case, for example, where only one attorney is coordinating among the entire company rather than a legal team across which the work of building a compliance program can be distributed. With a single attorney coordinating the HR department, the marketing department, and the product team, essentially the whole company must get involved. With a single attorney coordinating the checklist, and every department throughout the company having at least one person responsible, GDPR compliance may take a year to complete. Mainly, this is due to the data mapping process: understanding whose data is involved; the data’s categorization; the data’s use; and where it goes. This process is fundamental in becoming GDPR compliant.

If that foundational work is not done, compliance is challenging because the law requires answering specific questions. For example, when a company interviews a candidate for a job, often the candidate brings a résumé. If hired, that candidate’s résumé and ID are photocopied and stored into a file. If the photocopier is networked, however, where do the ID and résumé go, and where does that server sit? These questions must be addressed, and the business team must know that these kinds of internal data transactions are taking place.

II. Features of the General Data Protection Regulation

The GDPR has requirements for notice and consent,[11] which are similar to privacy policies in the U.S.[12] However, there are five major aspects to the GDPR that differ from existing privacy law in the United States. The first is performing a data inventory, or data mapping.[13] The GDPR requires companies to document how all personal data is used, managed, processed, and shared.[14] The first thing that a regulator will request in the event of a massive data breach is the processing records produced by the inventory process, in order to prove the company is doing what it is supposed to do. Compiling this inventory involves a significant amount of work and can take months to complete. Outside of the law and irrespective of the privacy regime, whether in Mexico, Canada, or the EU, companies have to know how to perform a data inventory in order to make later efforts to comply with the law an easier task. A fundamental piece of any privacy program, which any company could begin to develop on their own without hands-on legal support, is gaining an understanding that these processes do take a long time to implement and require finding the necessary internal resources.

The GDPR added a second requirement—granting rights to individuals.[15] In the United States, there are certain opt-out rights, such as opting out of email marketing or telemarketing.[16] Beyond that, individuals in the U.S. generally do not have the legal right to ask companies to amend the data collected or created about the individuals, to delete the data, or to provide more information on data that a company might have.

By contrast, the GDPR gave every individual the right to learn more about what data a company possesses.[17] Companies must provide individuals with all information, not limited to name, address, and telephone number, but rather all information actually possessed and relating to that individual.[18] One such purpose for this includes the individual's right to amend that data if it is wrong[19] and the right to delete that data if the individual does not want the company to have it.[20] This is another internal process change that companies need to implement in order to comply with the GDPR and, soon, with California law. Companies now have to figure out ways to handle these requests from individuals, whether it is consumers, employees, or whomever.

A third item that is important is third-party or vendor management, particularly with respect to security. Vendor management is becoming more and more important as many data breaches occur through vendors or at vendors.[21] This creates a huge area of risk with respect to personal data. Companies should improve their diligence processes, increase vendor monitoring, and have stronger contracts. It is not just a legal requirement under the GDPR; it is good practice. This manner of compliance is a fairly significant undertaking for many companies, who had to change every single customer contract or every single vendor contract in order to comply.

A fourth item that is important is something called privacy by design, or privacy by default,[22] now required under the law.[23] A business runs into privacy issues anytime that it develops new products, changes business processes, or does something new or different with personal data. Companies must determine whether there are ways to minimize the personal data they are using, whether they have secured their personal data properly, and whether they have transferred data only to legitimate vendors. Even after the GDPR, many companies are not yet to that point. Building a culture of privacy in a company is a difficult task and is a future goal at many companies.

Finally, under the GDPR, a company must identify specific individuals to be responsible for privacy at that company. In some respects, an effort to raise privacy should really begin with the C-suite. The law requires a data protection officer (DPO),[24] a role filled internally to take on an independent functional role. Europe has laws that make it difficult to terminate a DPO, who is an employee protected under the GDPR,[25] much like whistleblowing immunity.[26] Essentially, the company needs to treat the DPO's guidance as an important consideration, not to be dismissed lightly, requiring a good reason for non-compliance with what the DPO says that the company is supposed to do. The DPO is expected to have a lot of clout within a company that needs to comply with the GDPR. This adds another layer of difficulty that companies will have in grappling with the new law.

These are the five major aspects of the GDPR that are foreign to the United States; however, other minor aspects of the GDPR, like required employee training, may come as familiar.[27]

III. Changes to California Law

Many of these aspects of the GDPR are influencing other privacy law regimes around the world. There are at least twelve U.S. states with bills pending on privacy laws that look like the GDPR.[28] California passed the California Consumer Privacy Act (CCPA), which took effect January 1, 2020.[29] There are many aspects to the CCPA that follow the GDPR, and companies doing business in the U.S. must prepare for this change.

A. Preparing for the GDPR in the U.S.

Companies with a very light touch in Europe may perhaps have assumed that the GDPR was inapplicable. However, companies must still perform due diligence with foreign companies. Companies that ask for personal information are still at risk, whether that information typically stays with the company or whether that information is of such a nature, for example a passport, that it is regulated personal data.[30] Furthermore, where the company stores its information, what uses are made of that information, and how long the information is stored, are all reasonable questions to ask.

For companies not heavily involved in Europe, compliance requires determining how far the company goes towards GDPR compliance. Now that the California law is in effect, new privacy laws will sweep across the nation. These changes are also coming to Texas.[31]

There is another aspect of being in the oil and gas industry, and for those companies in the retail gas station business, choices are made about whether to own and operate those stations or whether to find partners to operate those stations. There is a lot of credit card information that is passed through those stations every day. It is just one of the considerations that goes into how businesses choose to operate and whether to choose to take on that liability with data security.

Service Corporation International (SCI), for example, takes a lot of credit card information, social security number information, and other information that is highly sensitive that belongs to purchasers and decedents.[32] SCI did not necessarily face compliance issues with the GDPR, but it does business in California and now faces the pressure of this new law.

There is a major effort for companies in positions like SCI to try to map and inventory all of the collected personal information and the specific data elements, primarily determining what the data elements are and with whom those elements are shared. The law is still in the process of being amended, has ambiguous language, and features a broad definition of personal information, including more than internet browsing history, demographic information, and biometric information.[33] Companies struggle to get a handle on this and how far to take compliance efforts in the face of anticipated law that is still being invented. The California Attorney General is still working on issuing regulations intended to interpret the law.[34]

For now, companies should focus on the basics, such as updating policies, training employees, and satisfying certain definite requirements. For example, the CCPA requires a dedicated 1-800 number where consumers can make consumer rights requests.[35]

The CCPA is similar to the GDPR but it is not exactly the same. There is a lot of gray area and compliance programs struggle. There is not a 100% perfect requirement for a compliance program.

B. Enforcement under the CCPA

Under the CCPA, there is an aspect of the regulation contemplating data privacy, specifically a consumer private right of action, permitting statutory damages if a data breach[36] occurs involving “nonencrypted or nonredacted personal information.”[37] Any data breach that happens in California now or affects people in California could result in class action litigation where plaintiffs can get between $100 and $750 per person, without proving up any damages.[38] This is pretty atypical. In Illinois, a similar private right of action under its biometric law[39] has actually created a cottage industry of private class actions for this reason: any technical breach of biometric data collection practices results in statutory damages.[40] By comparison, the CCPA goes further, contemplating the breadth of personal information, not limited to biometric information, thus carrying potentially drastic consequences.

The California Attorney General pushed for an amendment to make the private right of action, plus the statutory damages, also apply to any sort of violation of the privacy aspect of the CCPA.[41] The amendment allows consumers a cause of action to sue for $500 for any technical violations, including the failure to respond to a consumer’s access request within thirty or forty-five days, again without separately provable damages.[42]

C. CCPA v. GDPR

At present, not much enforcement of the GDPR is taking place within the EU. Stricter enforcement is likely around the bend. The EU may intentionally be a little slow in their enforcement practices, knowing that companies are still trying to comply. Additionally, the EU does not grant a private right of action like the CCPA.[43] So, there will be a different manner of enforcement of the law once the California changes are implemented.

It is possible to raise this issue internally as to the resources a company needs for compliance when dealing with either the EU or California. These changes also mean encrypting personal information. The easiest way to prevent any damages from a big class action is to just encrypt the personal information.

One potential issue the CCPA presents is its application to California residents who browse out-of-state companies' websites, if such a state lacks similar data privacy laws. What do these companies do with their data? It is difficult to say and has sparked a national debate about federal privacy law.[44] Both houses of Congress, the House and Senate, have had committee meetings to talk about a federal privacy law.[45] If all states have their own privacy laws on par with the GDPR and the CCPA, then the question is one of a conflict of laws.[46] This may very well be a field of law that is preempted by future federal regulation by virtue of the Commerce Clause,[47] as is patent and copyright law. However, supporters of the California law want any federal privacy law implemented to be as strict as California law.[48]

One unique aspect of the California law (different from the GDPR) is the concept known as “sale” of personal information. Prevailing thought might suggest that selling data only relates to marketing and advertising companies, those reputed for buying data. However, the CCPA has defined “sale”[49] to seemingly include almost any transmission of personal information to a third party other than to a service provider that will only use the data for the purpose of providing the service. This construction is slightly convoluted, but essentially, if a business gives out personal information to anyone except a service provider, that transaction could be characterized as the sale of data.[50]

Companies that “sell” data, as defined, should contemplate several actions they will be required to undertake to be in compliance. First, a company’s home page must have a clickable link for individuals to opt out of any data sales.[51] The company’s privacy policy needs to inform readers that the company sells personal information and provide instructions as to how individuals can stop their personal information from being sold.[52] The new law has several notice requirements that must be met before data can be sold.[53]

One of the key aspects to achieving CCPA compliance is determining the character of data transmissions to others: who is the data going to and for what purpose? Second, is this transaction a “sale” under California law, and if it is, how can the company present itself in such a way or notify others that it takes privacy seriously? Future practices will be informed by subsequent clarifications by the California Attorney General in addition to future amendments. Finally, as with doing business in the EU, companies cannot meet compliance obligations without doing a data inventory, as previously described, a now-fundamental function to operating the business.

Consumer rights requests[54] are becoming a territory rife with phishing-esque attempts to improperly acquire others’ data through access requests.[55] Additionally, consumers may begin asking companies to delete their personal information.[56] However, it is still uncertain whether the law requires a hard delete versus a soft delete—a technical question. One concept worth contemplating is termed referential integrity,[57] in which companies take a certain database down while still allowing another company database reliant on residual data[58] to continue running. Such questions illustrate the lack of clarity companies face in determining how far to go in deletion of data.

D. Vendor Contracts

Another key aspect of the CCPA involves vendors, vendor management, and data transfers that provide access to another party. Managing transfers of data boils down to the terms of the contract entered with the third party, specifically those that concern personal information. The CCPA involves personal information in a broad sense of the word–data related to people–not merely sensitive personally identifiable information.[59]

Third-party due diligence is required when negotiating these types of contracts. Parties must consider the types of information to be shared and how the data will be handled, stored, and processed. Next, parties should consider what law governs such data. Transferring data to third parties involves a certain degree of risk and many greenlit decisions are based on the size of the deal threshold; certain contracts are reviewed based on the dollar threshold. However, a deal’s value does not necessarily correlate with the risk associated with the data involved.

Unsurprisingly, companies struggle to operationalize attorney inclusion in every sort of contract. Companies either do not retain a sufficient number of attorneys or do not know with whom to talk before signing a particular deal. One solution is the incorporation of strict requirements into all contracts. Good practice entails putting the requirements and procurement departments on notice that, regardless of the dollar amount, the contract must get legal approval if it involves anything IT-related.

Further, it is not uncommon for a corporation to respond by developing a set of screening questions that the business team or sponsor of the contract answers. The questions screen for personally identifiable information and systems or network access. If any of the answers indicate the third party will have access to data or systems, the business team will understand to move further in the protocol, perhaps providing the vendor with a data privacy or cybersecurity addendum. If the vendor objects to any of the terms, then a data privacy attorney may be brought into the mix to further negotiate. It is imperative to ensure that companies utilize effective screening procedures for vendor contracts and to determine if those vendors have access to personally identifiable information, per the broader definition under California law. Moreover, companies should ensure that vendors protect data according to the terms of any provided addendums. Such is a key piece of any privacy compliance program. It is company data at the end of the day. The company is ultimately responsible, regardless of the fact that perhaps an HR vendor houses all of the company’s employee information; that information still belongs to the company. Therefore, while vendors will seek to limit risk in any negotiation, sharing risk is vital for this reason.

Similarly, vendors utilize checklists and train employees to carry them out. Vendor contracts vary considerably, dependent on who the customer is, where they are located, and so on. Thus, it follows that a freight company may be less attuned to data protection and privacy than, say, an airline company–typically handling massive volumes of personal data in its day-to-day operations–may be in handling that data responsibly. Handling data poses a serious risk and vendors cannot be expected to be poised as insurance providers or accept exposure to uncapped liability. Any company that accepts uncapped liability, an operationally unfeasible undertaking, is one soon going out of business.

With that in mind, it follows that vendors generally are open to negotiating liability caps. Understanding what the vendor’s security policies are and how data will be protected beforehand allows companies to more smoothly come to an agreement. It is important to note that the risk will usually be shared; no one party should assume all the risk. Thorough security addendums with lists of performance expectations help in this regard.

However, requests to a vendor to comply with the other party’s security policies are not possible if the business is built to be a global business and perform work for many customers. Customization detracts from such business model. Sometimes getting to “yes” in a negotiation just takes a conversation; it may be as simple as getting both parties’ security teams on the phone to review security policies and find common ground. Inevitably though, other contractual provisions, such as indemnification, limitation of liability, the obligation to respond in case of a breach, and the extent of measures taken in response to breach, may be more heavily negotiated over.

Vendors frequently push back on the term “audit rights”—that is, the ability to go on-site to perform an audit on the vendor. Limitations on consequential damages are similarly negotiated heavily, as well as termination provisions, specifically those allowing one party to terminate a contract without a penalty. If there is a questionable report or there has been a security event and a vendor has given notice, it is difficult to make the case that another party’s resulting insecurity justifies a clean break absent any penalty. A party that anticipates such may desire to include insecurity as grounds for unilateral termination, but likely invites quarrel in doing so.

Technology companies typically desire to employ customer data in improving and developing new products and services. Increasingly, permitting companies to use this data in this way must be limited. Companies may decide to compromise, authorizing use to the extent data is used internally, for the improvement of products and the like, but beyond that restricting usage so as to limit risk. Additionally, the CCPA may demand this approach if companies wish to avoid the transaction’s classification as a “sale” of personal information. Companies may undertake solutions such as the anonymization of data[60]—that is, unlinking the data from the identity of any particular individual—deemed a sufficient restriction under the law. Technology companies utilizing anonymized data may desire to share the same with sister companies in taking products to market. Sharing in this manner is acceptable to consumers, but only to the extent the best benefit from the product is obtained or the best pricing for that product is allowed.

Owing to the private right of action[61] granted by the CCPA—a new legal cure for harm caused by the occurrence of a data breach—vendor agreements concerning data exchanges are being reevaluated. Contracts are now reviewed to ensure adequate privacy protections are present in preparation for the event of a potential breach implicating a California resident’s data. Similarly, companies that utilize addendums to supplement contracts are obliged to update them or draft new versions consistent with current law.

Another discrete piece of protection the CCPA contemplates requires companies to abide by California consumers’ deletion requests and, to the extent such data was previously shared with a service provider, to instruct the service provider to also comply with the deletion request.[62] Companies to which this rule applies may consider amending vendor agreements to contractually obligate vendors to comply with received deletion requests.

IV. Confidential Data Security

Beyond personal data security concerns, other sorts of data—such as confidential or proprietary—command a level of significant concern for many companies, often utilizing confidentiality agreements to achieve the security desired. Such companies should focus on the specific data security requirements set forth to protect confidential or non-personal information. For example, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard[63] applies specifically to companies in the electrical sector. NERC CIP expects organizations in that industry to comply with a host of data security requirements[64] and, further, to push such requirements down to their respective suppliers.[65] Vendors must comply with this comprehensive scheme of obligations in order to safeguard data that otherwise would not have commanded such a robust level of security.

V. Data Breach Response

There are fifty data breach notice laws in the United States,[66] updated regularly, with approximately fifteen of such laws updated in the past year alone.[67] In order to appropriately respond in the event of a data breach, companies should be apprised of the patchwork of governing law in advance. Resources that summarize jurisdictional differences are a useful starting place.

Best practice for any compliance program includes signing up for listservs and bulletins, as well as maintaining an incident response plan with a team in place. Further, teams may find it helpful to know: who receives the information in the event of an incident; whether or not the recipient is a certain department, such as IT, legal, or cyber; who will disseminate that initial information; how discreet the group of specified recipients is; and lastly, each individual’s role in the event of an incident. One document to develop at the outset is a template notice for consumers.

Additionally, practical steps, such as pre-arranging for breach counsel, a credit monitoring vendor, or a mailing vendor and maintaining cyber insurance with preapproved vendors, are advantageous to take in advance. Quarterly table talks, a chance to run through a mock incident response scenario, are a helpful exercise for companies to undertake, particularly if well attended by all the key stakeholders.

Much like the first day back at the gym, commencing a table talk may prove arduous, yet worthwhile; continuous practice improves performance and serves to familiarize teams with their respective roles. Instructive in this respect is the annual Pew Report which sets forth the costs of data breaches over the past year.[68] Their research has shown that written incident response plans are the most potent method of reducing the cost of a given data breach. Further, incident response plans are required under the GDPR.[69] Thus, for multiple reasons, it is a helpful tool to be equipped with, and there are even companies that specialize in assisting with preparing such a plan.[70] Diagnosing the problem in a particular scenario is the key: be prepared to know which phone number to call, whether to reach out to the FBI and forensic teams, and when to contact the cyber insurance professionals.

In terms of policy coverage, cyber insurance is all over the board. As a new industry, insurers may utilize various coverage limits and exclusions. Consequently, it is crucial to carefully understand insurance policies as often times the coverage actually provided is non-intuitive to conventional expectations. On one hand, policies typically include carve-outs for violations of law–notable since nearly all data breaches, for instance a HIPAA data breach, can be characterized as violations of law. Alternatively, policies are not apt to insure other sorts of losses, such as those where an existing contract already covers such losses, including subcontractor agreements. In sum, navigating these policies requires caution, an awareness of the risk inherent in the business, and an understanding of the particular concerns of the business, such as maintenance of a comprehensive cyber policy inclusive of subcontracting, a practicality for those businesses whose data is kept by subcontractors.

VI. Conclusion

Both the GDPR and the CCPA diagnose data privacy concerns as a serious problem, particularly for consumers. Each law seeks to address these concerns, utilizing alternative approaches. In the near future, new laws to further address such concerns will be introduced and given effect, as lawmakers strive to continuously update existing law. Although enforcement of data privacy laws is currently less than exacting, prudent companies should begin efforts to develop compliance regimes before, rather than after, the eventual uptick in enforcement is set into motion. Such a regime should account for the ways in which different sorts of data require different sorts of protection, a variety of practical measures to appropriately protect such data, and ways to mitigate risk in the event of a breach.

1. Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119) 87 [hereinafter Regulation 2016/679].
2. Id. at 32.
3. 2018 Cal. Stat. 1807 (2017–2018 Regular Session) § 1798.120 (to be codified at Cal. Civ. Proc. § 1798.100–1798.198, eff. Jan. 1, 2020) [hereinafter CCPA].
4. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 221, 110 Stat. 1936 (1996); see also Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111-5, § 123 Stat. 226 (amending and expanding certain HIPAA privacy protections).
5. Gramm-Leach-Bliley Financial Modernization Act, Pub. L. No. 106-102, § 132, 113 Stat. 1338 (1999).
6. See Mitchell Noordyke, U.S. State Comprehensive Privacy Law Comparison, IAPP.org (last visited January 21, 2020), https://iapp.org/news/a/us-statecomprehensive-privacy-lawcomparison/ [https://perma.cc/Z2LN-E45Q].
7. See, e.g., FTC, Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach, https://www.ftc.gov/news-events/pressreleases/2019/07/equifax-pay575-million-part-settlement-ftccfpb-states-related.
8. See generally Regulation 2016/679, supra note 1.
9. CCPA, supra note 3, § 1798.198(a).
10. Regulation 2016/679, supra note 1, at 32–33.
11. Regulation 2016/679, supra note 1, at 37–38, 52.
12. Compare Regulation 2016/679, supra note 1, at 50–52 (where notification of a personal data breach must be made within seventy-two hours after learning of it), with Rachel Fefer, Cong. Research Serv., R45584, Data Flows, Online Privacy, and Trade Policy 18 (2019) (discussing the stakeholder perspectives where common themes of emphasis are present in privacy legislation for Congress, such as data breach notifications, which are similar to GDPR provisions), and Steven Chabinsky & F. Paul Pittman, USA: Data Protection 2019, ICLG (Mar. 7, 2019), https://iclg.com/practice-areas/dataprotection-laws-and-regulations/usa (explaining that breach notification requirements are required under HIPAA at the federal level, and at the state level, notifications are required for data breaches within thirty to sixty days after learning of it in accordance with the specific statute).
13. Regulation 2016/679, supra note 1, at 50–1.
14. Regulation 2016/679, supra note 1, at 50–1.
15. Regulation 2016/679, supra note 1, at 39–46.
16. 15 U.S.C. § 7704 (2018).
17. Regulation 2016/679, supra note 1, at 50–1.
18. Regulation 2016/679, supra note 1, at 50–1.
19. Regulation 2016/679, supra note 1, at 43.
20. Regulation 2016/679, supra note 1, at 43–4.
21. See Adeola Adele et al., More Vendors, More Problems, Willis Towers Watson (Winter 2016), at 6, https://www.willis.com/documents/publications/Industries/Financial_istitutions/16527%20BROCHURE_Cyber%20Claims%20Winter%202016.pdf (“The reliance on third-party vendors, whether directly or indirectly, has increased dramatically . . . several studies have reported that loss or compromise of data in the hands of such third-party vendors accounts for a significant percentage of all data breaches or cyberattacks.”) [https://perma.cc/FPX9-GDHJ].
22. Privacy by design pertains to protecting data by designing technological measures for ensuring privacy. European Data Protection Supervisor, Preliminary Opinion on Privacy by Design 5 (2018), https://edps.europa.eu/sites/edp/files/ublication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf [https://perma.cc/BVC4-6247].
23. Regulation 2016/679, supra note 1, at 48.
24. Regulation 2016/679, supra note 1, at 55–56.
25. Regulation 2016/679, supra note 1, at 55–56; see also Press Release, European Parliament, Protecting whistle-blowers: new EU-wide rules approved (Apr. 16, 2019), https://www.europarl.europa.eu/news/en/press20190410IPR37529/protectingwhistle-blowers-new-eu-widerules-approved [https://perma.cc/7QPV-C5LQ] [hereinafter Press Release].
26. Compare Press Release, supra note 25 (providing for DPO immunity in this regard), with 5 U.S.C. § 2302(b)(8)–(9) (2019) (allowing identical protection for employees against retaliation and also providing safe reporting channels).
27. Regulation 2016/679, supra note 1, at 56–78.
28. Noordyke, supra note 6.
29. CCPA, supra note 3, § 1798.198(a).
30. GDPR, supra note 1.
31. Act of June 14, 2019, 86th Leg., R.S., ch. 1326 (to be codified at Tex. Bus. & Com. Code § 521.053, eff. Jan. 1, 2020).
32. About SCI, Service Corporation International (Oct. 17, 2019, 5:50 PM), http://www.sci-corp.com/en-us/about-sci/index.page.
33. See CCPA, supra note 3, §§ 1798.105, 1798.140(o)(1).
34.
CCPA Regulations: Coming Soon from the California Attorney

General, CLARIP, https://www. clarip.com/data-privacy/ccparegulations/ (last visited January 23, 2020); see also State of California Department of Justice, California Consumer Privacy Act (CCPA), https://www.oag. ca.gov/privacy/ccpa. 35. CCPA, supra note 3, § 1798.130. 36. CCPA, supra note 3, § 1798.150(b) (1). 37. CCPA, supra note 3, § 1798.150 (a)(1). 38. CCPA, supra note 3, § 1798.150(a) (1). 39. 740 Ill. Comp. Stat. 14/20 (2008). 40. Id. 41. CCPA, supra note 3, §1798.150. 42. CCPA, supra note 3, §1798.150. 43. Regulation 2016/679, supra note 1, at 37, 80–83. 44. Rachel Fefer, Cong. Research Serv., R45584, Data Flows, Online Privacy, and Trade Policy 18 (2019); see Jill Cowan,

The Fight Over a Landmark

Digital Privacy Law, N.Y. Times, May 22, 2019, https://www. nytimes.com/2019/05/22/us/ digital-privacy-hannah-bethjackson-ccpa.html; see Daisuke Wakabayashi, California Passes

Sweeping Law to Protect Online

Privacy, N.Y. Times, June 28, 2019, https://www.nytimes. com/2018/06/28/technology/ california-online-privacy-law. html. 45. Rachel Fefer, supra note 4, at 18; see Stephen P. Mulligan, Wilson C. Freeman & Chris D. Linebaugh, Cong. Research Serv., R45631, Data Protection law: An Overview 7 (2019). 46. Erie R.R. v. Tompkins, 304 U.S. 64 (1938); Donald Earl Childress III, International Conflict of Laws and New Conflicts Restatement, 27 Duke L. J. 361 (2017); William L. Reynolds and William M. Richman, American Bar Association,

Multi-Jurisdiction Practice and the

Conflict of Laws (2000), https:// www.americanbar.org/groups/ professional_responsibility/committees_commissions/commission_on_multijurisditional_practice/mjp_wreynolds/. 47. U.S. Const. art. 1, § 8; see Paul M. Schwartz, Preemption and Privacy, 118 Yale L.J. 902, 928–29 (2009) (explaining that under a federal privacy law, several regulated entities would bear the cost of compliance as it applies to their activities; FTC privacy principles are not going to be enough to help regulate a future privacy law; federal privacy law might be difficult to amend; further, “[w]ithout strong preemptive language built around regulatory ceilings, an omnibus privacy bill would face considerable hurdles to enactment . . . . Legislation without preemption would make the current situation possibly worse, not better, by creating additional uncertainty and compliance burdens . . .”); but see Patricia L. Bellia, Federalization in

Information Privacy Law, 118 Yale L.J. 868, 879–80 (2009) (providing that “the Commerce Clause permits Congress to reinforce a judicial decision that . . . adequately protects privacy or to overcome a decision that . . . does not . . . .” For example, Katz v. United States, rendered the government’s use of wiretapping and eavesdropping techniques illegal unless Fourth Amendment requirements were satisfied. Congress then set out a statute to help authorize these judicial hurdles. For possible future privacy statutes, there are going to be some judicial rulings to help set out permissible official conduct. It will be up to the federal government to impose those standards

end notes

properly for American business. The need for federal leadership in information privacy problems with the adoption of the CCPA coming into play, creating an opportunity for state regulation. Because the Commerce Clause allows Congress to step into a rulemaking role with respect to interstate trade of personal data within states, state privacy regulation is going to need guidance. CCPA has some holes in its provisions, and it will be up to the federal government to intervene in state regulation for federal privacy regulation); see also Cynthia J. Cole and Neil Coulson, Patchwork of U.S. Data Privacy Laws: A Complicated and Preemptive Local Landscape, Baker Botts LLP (2018), https://www. bakerbotts.com/insights/publications/2018/09/patchwork-of-usdata-privacy-laws (explaining that leaving data privacy regulation up to state and local legislation is problematic; first, by “creating a patchwork of [rules] across the U.S. makes compliance both confusing and burdensome for U.S. companies.” If the U.S. continues to allow state laws to regulate personal data laws, many technology companies would have to tailor their interest presence differently for each state; second, “the risk of preemption: strict local laws may conflict with federal principles.” Under the Commerce Clause, there are limits on state action in order to prevent the states from interfering with interstate commerce. This principal is known as the Dormant Commerce Clause, and the CCPA is suspect depending on the extent to which it interferes with interstate trade and commerce); see Cameron F. Kerry, A Federal Privacy Law Could Do Better Than California’s, Brookings Institute (2019), https://www.brookings.edu/blog/ techtank/2019/04/29/a-federal-privacy-law-could-do-betterthan-californias/ (providing that the right federal law could just what is needed to provide broader and stronger protection than the CCPA regulation. 
“Central to the CCPA are a “right to know” what information businesses collect about you and whether it is shared or sold, and a “right to opt out” from the sale of personal information.” These elements do increase individual control over personal data; however, the exclusive right of control is focused mostly on legacy laws and regulations that rest on faith in the consumer to want to protect their individual privacy interests. This is a good concept to focus on the individual, but many private experts are looking for a law to shift the burden away from individuals to a more business focus mindset. With a federal privacy law, it would do a much better job than the CCPA “by requiring that businesses collect, use, and share personal information in ways that protect the interests of the individuals affected.” Several amendments would help fill the gaps left out of the CCPA with its individual focused mindset, but federal law could improve on the CCPA. “Only Congress has the power to regulate interstate commerce and apply these protections, as well as those in the CCPA, to people and businesses across the country.” Ultimately, a federal privacy law could give “Americans a basis to trust all personal information will be handled in ways consistent with their interests . . .”). 48. Lauren Jehl and Alan Friel, CCPA and GDPR Comparison Chart, Bakerholstetler LLP (2018), https://www.bakerlaw.com/ webfiles/Privacy/2018/Articles/ CCPA-GDPR-Chart.pdf. 49. CCPA, supra, note 3, § 1798.140(t) (1). 50. CCPA, supra, note 3, § 1798.120(b-d). 51. CCPA, supra, note 3, § 1798.120(b). 52. CCPA, supra, note 3, § 1798.120(b). 53. CCPA, supra, note 3, §§ 1798.100(b), 1798.115(d), 1798.120(b), 1798.130(a)(2), 1798.150(b). 54. Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. 
(L 119) 43; see CCPA, supra, note 3, § 1798.145(g). 55. Ron Hurtibise, Citrix Hack Exposed Employees to ID Theft &

Fraud, Sun Sentinel, (June 4, 2019), https://www.sun-sentinel. com/business/fl-bz-citrix-databreach-lawsuit-20190604-umb365n6ordchhpqbghejvvzyi-story. html; see Stephen Singer, Patient

Sues UConn Health In Federal Court Over February Data

Breach, Hartford Courant, (Mar. 26, 2019), https://www. courant.com/business/hc-bizuconn-health-data-breach-lawsuit20190326-mbab6zl755fe7f2mvkczsibcfu-story.html. 56. Regulation 2016/679, supra note 1, at 49; CCPA, supra note 3 §§ 1798.105(b), (d)(6), 1798.125(b) (1). 57. Jed Liu & Andrew C. Myers,

Defining and Enforcing Referential

Security, Cornell Univ., Jan. 17, 2014, at 1–2. 58. Zubulake v. UBS Warburg LLC, 217 F.R.D. 309, 324 n. 19 (2003). 59. See CCPA, supra note 3, §§ 1798.140(o)(1), 1798.100. 60. See Regulation 2016/679, supra note 1, at 33, 48. 61. See CCPA, supra note 3, § 1798.150(a)-(b). 62. CCPA, supra note 3, § 1798.105(c). 63. See generally Joseph Abrenio et al,

Cyber Security and the Grid: We’ll

Leave the Lights on for You (If We

Can), 33 Syracuse J. Sci. & Tech. L. 3, 19–24 (2017) (discussing the general framework of the NERC CIP standards). 64. See id. at 20–22. 65. See id. at 15; Mauricio Paez, Kerianne Tobitsch, The Industrial

Internet of Things: Risks, Liabilities, and Emerging Legal Issues, 62 N.Y.L. Sch. L. Rev. 217, 225–26 (2018). 66. See, e.g., Jennifer J. Hennessy et al,

State Data Breach Notification Laws

Chart, Foley & Lardner LLP (2019), https://www.foley.com/ en/insights/publications/2019/01/ state-data-breach-notificationlaws; State Data Breach Notification

Statute Summaries, Davis Wright Tremaine LLP (last updated July 29, 2019) https://www.dwt.com/-/ media/files/dwt-data-breach-notice-summaries-20191007.pdf?la =en&hash=25142B1473042997 9365422D90D82938. 67. See Caleb Skeath & Brooke Kahn,

State Data Breach Notification laws: 2018 in Review, Covington & Burling LLP (2018), https:// www.insideprivacy.com/datasecurity/data-breaches/state-databreach-notification-laws-2018-inreview/; New Data Breach Notification Laws Spring 2018: What

You Need to Know, Perkins Coie (2018), https://www.perkinscoie. com/en/news-insights/new-databreach-notification-laws-spring2018-what-you-need-to.html. 68. Kenneth Olmstead & Aaron Smith, Pew Research Ctr., Americans and Cybersecurity (2017), https://www.pewinternet.org/wp-content/uploads/ sites/9/2017/01/Americans-andCyber-Security-final.pdf; Jacob Poushter & Janell Fetterolf, Pew Research Ctr., International Publics Brace for Cyberattacks on Elections, Infrastructure, National Security (2019), https://www. pewresearch.org/global/wp-content/uploads/sites/2/2019/01/ Pew-Research-Center_Cybersecurity-Report_2019-01-09_Updated-2019.04.30.pdf. 69. See Regulation 2016/679, supra note 1, at 9, 51–52. 70. See, e.g., Kamil Janton, Incident Response and General Data

Protection Regulation, Cisco: Cisco Blog (Apr. 26, 2018), https://blogs.cisco.com/security/ incident-response-and-generaldata-protection-regulation; IBM, https://www.ibm.com/us-en/ (follow “Marketplace: Security: Stop Threats” hyperlink; then follow “Orchestrate incident response” hyperlink).
