Fractured Privacy Laws Increase Business Risk
Increasingly, legal counsel, chief privacy officers, and risk managers are struggling to meet a patchwork of privacy requirements in the jurisdictions where they do business.
There has been a lot of focus on privacy laws since the passage of the California Consumer Privacy Act (CCPA), which became effective Jan. 1, 2020.
It jump-started a range of actions in other state legislatures and attorney general offices. The International Association of Privacy Professionals has been monitoring state privacy legislation action across the United States. Its national privacy map indicates that 16 states have privacy legislation in committee and Nevada and Maine have already enacted new privacy laws.
The flurry of activity at the state level has renewed discussions regarding whether the time may finally be right for a federal privacy law. Numerous privacy laws have been proposed over the years in both the House of Representatives and the Senate, but none has been successful. In large part, this is due to the wide gap between business groups and consumer advocates regarding what a federal law should require.
In the meantime, state legislatures took on the role of protecting their citizens from identity theft and other risks flowing from data breaches of personal identifiable information (PII). All 50 states plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands now have breach notification laws. They include various reporting and notification requirements to victims, regulators, consumer protection agencies, and law enforcement.
The CCPA moved beyond breach notification and established basic privacy rights for all California residents. California broadened the definition of PII, specified data rights for all residents, required certain information in privacy policies, forbade discrimination against consumers who did not comply with all data requests, required companies to train their personnel on CCPA privacy rights, and placed requirements on an organization’s response to data subject requests. It also afforded victims a private right of action with statutory penalties for certain privacy violations. The law started a trend that has not lost momentum.
Although there are significant differences between the CCPA and the European Union’s General Data Protection Regulation (GDPR), the California law had some similarities to the GDPR. Consumer advocates got a new burst of energy for privacy legislation, but businesses, many of which had just labored to comply with the GDPR, shuddered.
The term ‘reasonable security procedures and practices’ is not defined, but companies would be wise to align their cyber-security programs with best practices and standards, such as the Center for Internet Security’s Top 20 Controls, ISO standards, and NIST guidance for cyber-security programs.
There is certainly no agreement in Washington, or around the country for that matter, that federal privacy legislation finally has a chance, but businesses are starting to feel the impact of a fractured global legal framework of privacy compliance requirements. Increasingly, legal counsel, chief privacy officers, and risk managers are struggling to meet a patchwork of privacy requirements in the jurisdictions where they do business.
Two of the biggest obstacles for any federal legislation will be federal preemption of state laws and private right of action provisions. State attorneys general are bound to argue that they can best protect the interests of their residents, and businesses are certain to howl over private rights of action.
Whatever is proposed at the federal level is almost certain to include a provision that mirrors the CCPA’s Section 1798.81.5 requirement that all companies implement “reasonable security procedures and practices appropriate to the nature of the information…” The term “reasonable security procedures and practices” is not defined, but companies would be wise to align their cyber-security programs with best practices and standards, such as the Center for Internet Security’s Top 20 Controls, ISO standards, and NIST guidance for cyber-security programs. This is consistent with the GDPR requirement that companies implement technical and organizational measures to ensure a level of security for personal data appropriate to the risk.
As a signal that the United States may be on the edge of a breakthrough, new approaches are being suggested to traditional privacy approaches. For example, Kaitlin Asrow authored a report for the Federal Reserve Bank of San Francisco titled The Role of Individuals in the Data Ecosystem: Current debates and considerations for individual data protection and data rights in the U.S. The report examines whether the United States should shift from the concept of “data ownership” to “data rights” and whether the notion that a person’s consent to use his data should be replaced with the requirement that a business must have a “legitimate purpose” to process it (the processing is necessary for the product or service but not harmful to the individual).
While not everyone may agree with these concepts, the point is that they introduce fresh thinking into the conversation. The United States is not exactly in a position to lead a global privacy debate: current U.S. privacy laws have been rejected by the EU as inadequate, and the two privacy frameworks negotiated by the U.S. Commerce Department (Safe Harbor and Privacy Shield) have been invalidated by the Court of Justice for the European Union. If U.S. businesses hope to reach any sort of globally harmonized privacy framework, the needle is going to have to move in the United States, which means consumers and businesses are going to have to come together and embrace some new concepts.
The EU has dominated the privacy stage since it enacted its Data Protection Directive in 1995 and declared its extraterritorial application to EU data that was transferred outside its borders. Today, the GDPR applies to the 27 EU member states, and 12 additional countries have laws so similar they have been declared adequate jurisdictions by the EU. The GDPR has influenced numerous other countries when drafting their national privacy laws. Brazil, the largest country in South America, recently passed the General Law for the Protection of Privacy, which is similar to the GDPR. As U.S. companies continue to implement CCPA requirements (enforcement began July 1, 2020) and ponder how to manage cross-border data flows without the Privacy Shield program, they should be simultaneously examining their risk strategies and conferring with their brokers and agents on whether fines and legal fees are insurable. In addition to lawsuits brought under the CCPA’s private right of action, companies can expect an increasing number of enforcement actions for failure to implement reasonable cyber-security procedures and practices to protect personal data. With a global framework of inconsistent privacy laws, a trigger-happy plaintiffs bar, and consumers fed up with bearing the burden of privacy breaches, it has never been more important to ensure insurance coverage keeps pace with privacy and cyber-security risks.
