(updated 1/28/2021)
Businesses face a multiplicity of laws governing information privacy and security, and the regulatory landscape expands continuously. Addressing each applicable law and responding to each emerging regulation is not operationally feasible or cost effective. We need a strategy that gets us and keeps us ahead of the regulatory curve.
Cyber regulations have expanded in two ways: (1) the scope of information covered; and (2) the types of obligations imposed. Early widespread cyber laws covered limited information, known as personally identifiable information (PII). PII consisted of an individual’s name in combination with social security, financial account or governmental identification number. Most such laws imposed only an obligation to notify regulators and affected individuals of a breach.
Initial regulatory expansion imposed obligations on businesses to affirmatively identify their cyber vulnerabilities, implement measures appropriate to the business to mitigate or eliminate the risks, adopt an information security policy, and train employees. Massachusetts and California led with such laws, which impacted New Hampshire and other states, since the regulations apply to any business that has covered information about residents of Massachusetts and California. At the same time, federal regulations expanded to encompass many businesses that handle protected health information (PHI) for HIPAA covered entities.
Recent regulatory expansion has dramatically increased the scope of covered information. At first, such laws encompassed additional categories, like genetics, biometrics, geolocation, and social media information. However, now, regulations have grown to cover all information that is identifiable to an individual, including information as basic as name, address, and email, which is simply called personal information (PI). One example of such a law is New York’s artfully named Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act.
Recent regulations also dramatically expanded the obligations imposed on businesses with respect to the privacy of PI. Such laws require a business to notify individuals about what PI it collects about them and how it uses the PI, obtain consent from individuals before using certain sensitive PI, and honor rights that individuals have with respect to their PI, such as requiring the business to correct inaccurate PI, give a copy of their PI to individuals and other businesses in a usable format, restrict use of their PI, and delete all PI that the business has about them.
These broad privacy regulations initially emanated from the European Union General Data Privacy Regulation (GDPR) and Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, California has adopted similar laws called the California Consumer Privacy Act (CCPA) and California Privacy Rights Act, and many other states (including New Hampshire and Massachusetts) have had such privacy bills pending in their legislatures. These laws apply extra-territorially to businesses that have PI about residents of those jurisdictions, and engage in business either with those individuals or in those jurisdictions.
Getting ahead of the regulatory curve requires businesses to address both security and privacy for all PI. Doing so means, first, conducting a comprehensive assessment to identify what information the business has, how it is used, and what risks exist to the confidentiality, integrity, and availability of it. Given the complexity of regulations and the lack of experience most businesses have in this area, it is critical to retain a knowledgeable professional to guide you through the process and select an appropriate compliance regime.
Based on that assessment, a business must then implement measures that remediate the risks, adopt policies that comprehensively address current and forward-looking privacy and security issues (including existing and likely forthcoming laws), and train employees about information privacy and security. While this can seem daunting, businesses that commit to the process can and do achieve compliance with information privacy and security regulations.