“There are only two types of companies: those that have been hacked, and those that will be.” When former FBI Director Robert Mueller spoke those words in 2012, he sounded hyperbolic. Almost a decade later, it seems prophetic.
Most businesses rely on the internet. The internet runs on data. So data collection is at the heart of cybersecurity. Businesses that do not appreciate their data collection laws pay a dear price. This price may range from stiff fines to embarrassing regulatory hearings to the loss of key executives as with Target.
Data collection practices must conform to at least one of four broad areas, depending on the business.
The first area is federal law. The United States has no comprehensive federal data protection law. But it does have sector specific laws. The best-known sector is health. HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) and their implementing regulations contain stringent requirements for data collection and processing. A fundamental premise is data minimization. As I explain to my clients, collect only the data you need. Keep it only as long as needed. And dispose of it properly. The temptation to collect data is almost primeval. It must be resisted. The greater the data, the greater the exposure.
Other sectors have analogous requirements. The Family Educational Rights and Privacy Act (FERPA) governs education; the Gramm-Leech-Bliley Act (GLBA) controls data collection in higher education.
A second, related area is state law. Many federal statutes, such as HIPAA, do not preempt state law. So federal law sets the floor, but not the ceiling for protecting health data. In recent years, courts have been willing to consider class actions for data breach victims premised on violations of state law. In effect, this leaves businesses vulnerable to class actions for HIPAA violations, even though HIPAA itself contains no such provision.
States have become increasingly assertive on the data protection front in the wake of a series of high profile data breaches. For example, the New York Department of Financial Services (NYDFS) regulates a significant portion of the financial sector. New York has enacted stringent data protection regulations for any entity holding a NYDFS license.
Other states have gone even further. The most prominent is California’s comprehensive data protection law, the California Consumer Protection Act (CCPA). The CCPA requires consent or another lawful basis to collect the personal data of any California resident. Use of the data is limited to the purpose for which it was ostensibly collected. The business must delete the data on consumer request. Failure to comply carries stringent penalties.
The CCPA will affect businesses far removed from California. One issue is that it is technically difficult for businesses to handle multiple data collection and processing procedures depending on the residence of the subject. That makes California, the largest domestic market, the de facto national standard. A second issue is that other states are increasingly looking to copy the California model.
A third area is foreign law. The most famous of these is the European Union’s General Data Protection Regulation (GDPR). In theory, the GDPR applies to businesses present in, or providing services to residents of, the European Union. But that does not communicate GDPR’s full impact. For one thing, analogous to California, businesses find it easier to comply with one regulatory regime than many. Since the GDPR is the most stringent, it becomes the de facto global standard. For another, GDPR requires that EU data be transferred only to countries that the EU has determined provide “adequate” data protection. Adequacy is determined by close adherence to GDPR requirements. Alternatively, the non-EU processor can contractually bind themselves to requirements that parallel GDPR strictures.
The GDPR is the most prominent foreign data protection law. But it is not the only one. Most countries have a data protection act. For example, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA). It governs the processing of data that businesses have acquired.
Finally, there is the Administrative state. President Kennedy reputedly told a caller, “I agree with you, but I do not know if the government will.” A large alphabet soup of agencies weigh in on data protection. For instance, the SEC has made cybersecurity a top priority for enforcement. Every publicly traded company undergoing an SEC examination can expect to have its data collection and protection processes subjected to rigorous scrutiny.
Likewise, the Federal Trade Commission (FTC) has aggressively pursued companies whose data collection or protection practices have raised flags. It considers such processes to violate Section 5 of the Federal Trade Commission Act. Section 5 prohibits “unfair or deceptive trade practices” in commerce. FTC action typically ends with a large fine, remedial program, and imposition of a monitor.
The four reasons above are not the only reasons a business should carefully reevaluate its data processing practices. Good security hygiene is also good business. For example, Yahoo! lost hundreds of millions in its acquisition price because of a high profile data leak. A stiff price to pay for data loss.