- Top 10 for 2016 on Data Privacy
- February 9, 2016 | Authors: Jason C. Gavejian; Joseph J. Lazzarotti
- Law Firm: Jackson Lewis P.C. - Morristown Office
- In honor of Data Privacy Day, we offer the following “Top 10 for 2016,” a list of critical areas in data privacy that businesses should know about. These are intended to help inform businesses about data privacy and security and the steps they can take to protect the information they maintain.
EU/U.S. Data Transfer (Safe Harbor)
The Court of Justice of the European Union (CJEU) has ruled in Schrems v. Data Protection Commissioner (Case C-362/14) that the voluntary Safe Harbor Program, used extensively by organizations that needed to transfer data from the EU to the U.S., did not provide adequate protection to the personal data of EU citizens. Since the October 6, 2015, decision, U.S. companies have been unclear how they may transfer data out of the EU in a compliant manner. The resolution of this issue is one of the most worrisome privacy topics for 2016.
People Analytics, including Employee Tracking/Wearables
The Federal Trade Commission’s January 2016 report on “big data” should alert businesses to the issues raised by data analytics, both for consumer data and in the application of big data tools in the workplace. People analytics, generally a data-driven approach to managing an organization’s human capital, likely will be a significant trend for employers. Some of the data used to perform the analysis is collected through devices employees use and wear. For example, as GPS- and RFID-enabled devices become ubiquitous, employers must balance the workplace risks against their ability to obtain information about an employee’s whereabouts, information that can substantially increase productivity. Privacy and discrimination risks surface where, to gain substantial benefits and help control healthcare costs through analytics, wellness programs seek to incentivize employees (including household members) to live “healthier” lives and wearable technology, such as FitBit, collects data.
Risk Assessment/Written Information Security Program
Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’s critical information assets must be the first, and perhaps the most important, step in tackling information risk. Adequate safeguards cannot be erected for something of which one is unaware. Moreover, businesses may be subject to federal or state penalties for failing to conduct a risk assessment. Even if adopting a written information security program (WISP) to protect personal information is not a legal mandate in your state (some states, including California, Connecticut, Florida, Maryland, Massachusetts, and Oregon, have such a mandate), having one is critical to limiting information risk. An organization’s WISP also should account for company data outside of the company’s control, such as data or information provided to vendors who provide services to an organization. Not only will a WISP better position a company to defend claims related to a data breach, it will aid in managing and safeguarding critical company information. It may even help avoid a breach from occurring in the first place.
Telephone Consumer Protection Act (TCPA)
According to data compiled by WebRecon LLC, 3,710 TCPA lawsuits were filed in 2015, a 45 percent increase over 2014, marking the eighth year in a row of increasing TCPA suits. Moreover, 23.6 percent of suits (877) were filed as putative class actions. With the recent U.S. Supreme Court decision making defense of class actions under the TCPA more difficult, the number of such suits likely will continue its upward trajectory in 2016. Many of these suits are aimed not just at large companies, but often at small businesses that may violate the TCPA unknowingly. With statutory damages ranging from $500 to $1,500 per violation (e.g., per fax/text sent or call made), these suits can result in potential damages in the hundreds of thousands, if not millions, of dollars. See our FAQs for the TCPA to take the first step in complying with the TCPA.
Whether they are regulated by the U.S. Food and Drug Administration (FDA) or the U.S. Commodity Futures Trading Commission (CFTC), organizations must ensure industry-specific rules or guidance on cybersecurity and the safeguarding of the information they maintain are followed.
Recognizing the risks of allowing employees to use their own electronic devices in the workplace, many businesses are turning to Bring Your Own Device (“BYOD”) programs, but without considering all of the risks and other related issues. Some organizations are sticking with Corporate Owned Personally Enabled (“COPE”) programs. Review our comprehensive BYOD issues outline and determine whether BYOD or COPE is the better option for your organization.
Social Media Investigations
Social media use continues to grow on a global scale. The content available from a user’s profile or account often can be sought in connection with litigation or employment decisions. While publicly available content generally may be viewed without issue, employers improperly accessing content available only privately can find themselves facing serious repercussions. Moreover, the list of state laws protecting social media privacy continues to grow.
Federal Trade Commission (FTC), Federal Communications Commission (FCC) Enforcement
Both the FTC and FCC continued enforcement actions in 2015 for companies’ alleged failure to properly safeguard data. FCC actions resulted in consent decrees that included penalties in the hundreds of thousands of dollars and mirrored previous consent decrees entered into by the FTC. However, last year’s decisions in cases stemming from the FTC’s actions found the FTC may have difficulty proving that a company’s alleged unreasonable data security practices caused substantial consumer injury or that a consumer whose personal information was maintained by a company suffered any harm as a result of the alleged conduct. Just how far the FCC and FTC will go in 2016 is unclear. Nevertheless, organizations must be conscious of the statements or promises they make about their data security practices and implement appropriate safeguards to protect the personal information they maintain.
The Department of Health and Human Services’ Office for Civil Rights (OCR) stated that it will launch Phase 2 of its audit program in early 2016 to measure compliance with HIPAA’s privacy, security, and breach notification requirements by covered entities and business associates. Having the right documents can go a long way toward helping an organization survive an OCR HIPAA audit. It is clear that these audits are coming and covered entities and business associates should invest the time now to identify and close any HIPAA compliance gaps before an OCR investigator comes knocking. The largest HIPAA settlements have been less about harm, and more focused on compliance.
Plan for Breach Notification
All state and federal data breach notification requirements mandate that notice be provided as soon as possible (with some setting specific time periods). Failing to respond appropriately could result in significant liability. The leading cause of data breaches is employee error. Developing a breach response plan is not only prudent, but also may be required under federal or state law. A proactive approach is often the simplest and cheapest way to avoid liability.
Managing data and ensuring its privacy, security, and integrity is critical for businesses and individuals. These activities have become the subject of broad, complex regulation. Companies must address state legislation and industry guidance. Organizations, therefore, must be vigilant to remain compliant and competitive.