Data Security and Privacy in the New Year
January 16, 2019 | Shari Claire Lewis
January is the traditional time to take stock of the year that passed and plan for the year ahead. The same is true of data security and privacy practices.
In 2018, cyber regulation dominated the news. The trend is likely to continue in 2019 as existing and new cyber regulations will impact an ever-expanding array of business.
For example, in 2018, the insurance, banking and finance industries were tasked with complying with New York’s Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). Notably, the Cybersecurity Requirements impact both New York entities and entities located outside New York that provide financial services in New York.
Two important deadlines are quickly approaching under this regulation. First, by February 15, 2019, all regulated entities and licensed persons are required to file their annual Certification of Compliance for 2018. Also, all 2017 or 2018 exemptions expired as of January 2019. Accordingly, any entity that is entitled to an exemption must file an “Initial Notice of Exemption” prior to the February 15, 2019 due date for annual compliance.
Similarly, the California Consumer Privacy Act (CCPA), although targeting entities located inside California, will likely impact all entities that collect the data of California residents regardless of where those entities are located. Although the CCPA was passed in 2018 and does not take effect until 2020, entities that may be subject to it must comply in 2019 with its requirements, including in many cases, altering their business practices and their data collection processes.
California and New York are hardly alone in seeking regulation to address the challenges of data security and privacy. In 2018, Colorado enacted privacy legislation that is deemed to be similar but not identical to the CCPA. As an alternative approach, Ohio’s 2018 law is intended to incentivize voluntary corporate responsibility. It provides companies with an affirmative defense in litigation resulting from a data breach when the company can demonstrate that it complied with one of several industry-created security frameworks listed in Ohio’s law. Accordingly, companies should explore which security framework best suits their needs and how to put its directives into effect.
Many other states have proposed cybersecurity and privacy initiatives, which may be adopted in 2019. The inconsistencies among the proposals, and the confusion that multiple state laws will cause for business, have led many technology insiders and companies with national or international business to propose that federal legislation be enacted to pre-empt not just state legislation but the patchwork of federal laws that govern cybersecurity and privacy on an industry-by-industry basis. It is far from clear that such an omnibus provision is likely to pass in 2019, given the political climate and competing business and consumer interests, which favor the imposition of different technical standards. There is, however, general agreement that something should be done to provide businesses with a unified and consistent standard to follow throughout the U.S.
Finally, the multinational nature of business in the 21st century raises the possibility that compliance with extraterritorial cyber-regulation may be required. The most frequently discussed regulation in 2018 was the European Union’s General Data Protection Regulation (GDPR). However, the laws of other nations with significant business ties to the U.S., such as Canada, Australia and China, may also need to be considered.
Whatever the regulatory future holds, there are certain steps that entities should consider now to minimize their cyber risk.
First, know which laws will likely apply to your company’s privacy and data security practices.
A variety of factors may need to be considered. In the United States, we have created a patchwork of state laws and regulations that apply to certain industries or economic segments. The physical location of the business, its clients and customers and even where data is stored may impact which laws need to be followed. The nature of the data and its purpose may also be an important factor.
Once you determine which laws may apply, take note of important deadlines and filing requirements. A deadline to certify compliance with a technological standard, for example, often needs substantial pre-certification work to achieve. Note, too, that cyber law and regulations are constantly evolving; you should periodically check on potential shifts in the law to make sure your compliance efforts do not become outdated.
Second, assess your current data and privacy practices.
In order to properly address cybersecurity and privacy risk in the future, a company must first understand its present data practices. For example, it is not unusual for a company’s data practices to have evolved over time, so that the company is no longer in compliance with its own published privacy statement that it drafted years ago, or, conversely, it continues to collect and maintain personal data from customers that it no longer needs.
Third, remind your employees of the company’s data security and privacy practices, and the requirement that they be followed.
It is often suggested that data security and privacy practices are “aspirational” and are most often honored in the breach. It is also said that data security is only as strong as the weakest link in the chain. Regular reminders of the need to follow good “cyber hygiene,” and training as to what that entails, are important if cyber and privacy practices are to be followed.
Finally, make sure you have assembled the right cyber/privacy team to take the protective steps and respond in the event of a problem.
It makes good business sense to invest, not just in technology, but in the right people. Cybersecurity and privacy require a team approach that includes qualified information technologists as well as participation by executives, human resources, vendors and legal counsel whether in-house or outside. Having the right people on the team is essential to proactively controlling cyber risk. Companies should reconsider the nature and extent of available cyber-coverage before insurance is renewed for 2019, in light of the knowledge obtained from the assessments discussed above.
Having a team in place to carry out the company’s rapid-response plan if and when a cyber event occurs will reduce the cost and shorten the life-cycle of the cyber event.