The position of a General Counsel (GC) has evolved dramatically in today’s hyper-connected and data-driven society. Previously limited to managing legal concerns within a business, the modern general counsel now finds himself at the vanguard of an essential and ever-expanding domain: privacy.
While privacy compliance isn’t only a legal problem that should involve the entire organization, it’s something GCs are frequently expected to lead on, ensuring processes are in line with any applicable laws and assisting in anticipating and mitigating any harm when or if a data breach happens. And, with a recent poll finding that more than half of firms had a data breach in the previous 24 months, the chances of a breach occurring under your supervision are decreasing.
Taking on your first position as general counsel may be exciting, inspiring, and terrifying. For individuals starting as first-time general counsel, the complexities of privacy law and practice may appear to be a maze. This essay is intended to act as a guide, providing light on the main parts of what a first-time GC needs to know about privacy.
A Prelude
There was a time when privacy was the realm of the information technology department and security specialists. Few businesses had designated privacy officers. Lawyers who specialized in privacy concerns were concentrated in specific industries such as finance, health care, and e-commerce.
However, for various reasons, privacy concerns have surfaced as a top priority for corporate America. First and foremost, privacy is personal, and it is at the core of a consumer’s (or employee’s) relationship with a corporation. Second, because of the intricate patchwork of federal, state, and international regulations, it is straightforward to commit mistakes. Finally, as businesses amass vast amounts of personal and sensitive data, privacy and security regulatory enforcement and litigation are rising. Protecting this information has become not only a legal requirement but also a critical component of safeguarding an organization’s reputation, trustworthiness, and sustainability.
According to the Association of Corporate Counsel (ACC) 2023 Chief Legal Officers Survey, which polled almost 900 chief legal officers (CLOs) from 35 countries, the three most pressing challenges confronting CLOs today are cybersecurity, regulation and compliance, and data privacy. More than two-thirds anticipate an increase in privacy-related regulatory enforcement in 2023.
While privacy compliance isn’t only a legal problem that should involve the entire organization, it’s something GCs are frequently expected to lead on, ensuring processes are in line with any applicable laws and assisting in anticipating and mitigating any harm when or if a data breach happens. And, with a recent poll finding that more than half of firms had a data breach in the previous 24 months, the chances of a breach occurring under your supervision are decreasing.
Guidelines That a General Counsel Should Follow
As a general counsel, you understand how demanding your work is, with various demands competing for your time and money. Inside those questions, however, it is possible to stay on top of privacy and develop a culture of continuing compliance inside your firm.
Assessing The Security and Privacy Risks
An organization should perform a complete privacy and security assessment to understand its privacy and security environment fully. This will entail a study and evaluation of existing third-party supplier arrangements (including any subcontractors) and vendor selection, contracting, and monitoring procedures. Most data privacy and security rules apply to the information’s owner or controller. A third-party review involving corporate data is critical since a firm cannot outsource its responsibility for data breaches.
Adopting a Formal, Written Data Security Compliance Program
Despite the unequal, patchwork approach to privacy and security laws in the United States, more businesses are now required to use ”reasonable” data security safeguards. Among the laws requiring some form of ”reasonable security” are:
- The HIPAA security regulations apply to the healthcare industry.
- The Gramm-Leach-Bliley Act (GLB Act) ”safeguards” regulations for financial institutions.
- State insurance law analogs the GLB Act Safeguards Rule applicable to insurance companies.
- State laws govern businesses that maintain the personal information of residents of Massachusetts, Nevada, California, Connecticut, Rhode Island, Oregon, Maryland, Arkansas, Texas, and Utah.
Since 2005, the FTC has used the ”unfairness doctrine” to assert that failing to employ reasonable and appropriate security measures may constitute unfair and deceptive practices that harm consumers, even if a company makes no specific representations about its security practices. Wyndham Worldwide Corp. and LabMD Inc. have challenged the FTC’s jurisdiction to use the unfairness concept to enforce data security requirements under Section 5(a) of the FTC Act in highly watched proceedings. The FTC was granted permission to proceed in both enforcement proceedings in 2014, implying that the FTC’s application of the unfairness concept will be sustained.
However, the court in the FTC v. Wyndham Worldwide Corp. case cautioned that this ”does not give the FTC a blank check to bring an action against every hacked corporation.” To further complicate matters, the Federal Communications Commission claimed its power to regulate security for the first time in October 2014, with enforcement actions against TerraCom Inc. and YourTel America Inc. The FTC has routinely demanded robust information security procedures lasting up to 20 years, followed by independent third-party audits, in its enforcement proceedings, typically provoked by security breaches. Companies would benefit from proactively developing a formal, documented data security compliance policy or upgrading an existing program regularly. It may not be enough to implement reasonable security practices in the aftermath of a high-profile security breach; it is also critical to thoroughly document those practices through policies, procedures, and processes to effectively defend against regulatory enforcement actions and class action lawsuits.
Implementing a Breach Response Plan
According to a recent poll by Experian Data Breach Resolution and the Ponemon Institute LLC, data breaches are ”among the top three incidents that harm a company’s reputation.” However, according to a recent FTI Consulting Inc. poll, 27% of directors claimed their organization needed a documented security breach response strategy, and 31% needed clarification. These findings show that, while security breaches can constitute a significant danger to a firm, they are frequently not effectively addressed. A breach response plan is part of a company’s official security compliance program. Still, it deserves special attention since it is much more than a technical, systems-oriented document, unlike other security policies. A breach response plan involves all aspects of a company, as evidenced by the incident response team formed under the program, which should include representatives from compliance, legal, human resources, public relations, investor relations (for public corporations), and information technology. A corporation must have an engaged and active incident response team ready to respond to a significant breach to ensure its security breach response strategy is adequate.
Addressing Privacy and Security in Other Transactions
Outside of outsourcing, activities such as joint ventures and mergers and acquisitions can raise privacy and security concerns. A target firm may breach privacy or data protection rules, and a prospective acquirer may be required to bear any liabilities resulting from the target’s noncompliance. To mitigate these risks, a corporation must conduct thorough due diligence, which includes investigating how the target handles data, assessing compliance with applicable laws, and checking the target’s information security strategy and privacy procedures.
Conclusion
Data is quickly becoming a business’s most important asset. This trend is being accelerated by advancements in data analytics, artificial intelligence programs that leverage data, and other technology. Unfortunately, bad actors who want to get access to or attack your data and systems are also innovating. Personal data breaches may result in lawsuits, investigations, fines, penalties, and reputational loss. While no organization can altogether avoid these dangers, there are specific steps you may take to secure data in the hands of general counsel.
