Top Takeaways from IAPP
The world of privacy grows every day as more data goes through the cloud. The new trends and weekly data breaches make conferences like the Global Privacy Summit all the more relevant. Earlier this month we went to IAPP’s annual event and networked with many professionals in the privacy sphere. Here were some of our key takeaways:
1. Connect with your FBI field office
Every FBI field office has a Counterintelligence Strategic Partnership Coordinator (SPC) – an agent assigned to serve as the primary contact with local businesses. Your SPC can help you identify potential threats to your data, such as an employee accessing your information technology resources at odd hours and exfiltration data through unsecured systems or maliciously or unwittingly installed malware. These agents also provide counterintelligence briefings on topics such as economic espionage, insider threats, and foreign workforce. Consider developing a relationship with your local FBI SPC to stay updated on the latest counterintelligence threats and vulnerabilities.
2. HIPAA audits are now underway
If you are a HIPAA covered entity or business associate, now is the time to start assessing your audit readiness. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) expects to start auditing covered entities in May and business associates in June. Although most audits will be focused desk audits, OCR does plan to conduct a small number of onsite audits by the end of the year. Read more about the Phase 2 Audits, including areas of likely focus, the updated audit protocol, and other audit readiness tools and tips here.
3. Government officials seek outside counsel
When working through a breach incident with a regulator or law enforcement, government officials have gone on record that they want to be speaking with a lawyer. While regulators and law enforcement officials don’t take as strong a stance on precisely what role within the breach response a lawyer takes, they want to see that a general counsel and/or outside counsel has been involved before and during an incident. Importantly, when conversations occur and information is flowing between the government and the entity experiencing the incident, regulators and law enforcement officials want a lawyer on the phone to streamline the process, as lawyers better understand what the government actually wants and needs from a legal perspective, and what the entity is able to provide in response to those requests.
4. Student privacy is on the rise
Schools, school districts, and educational technology vendors need to keep an eye on developing laws in the student privacy space. In addition to the FTC’s enforcement of COPPA (for example, bringing action for failure to get appropriate consent before collecting children’s data) and the FTC Act (for example, seeking enforcement where a company signing then failing to live up to the obligations of the Student Privacy Pledge), and the Department of Education’s enforcement of FERPA, among other federal regulations, state legislatures have been busy considering state-specific statutes. Recently, these proposed bills (which have numbered in the hundreds per year) have focused on such topics as the use of student data by third parties, but the conversation is broadening and new bills proposed in 2016 have been increasingly considering the impact of social media and the use of devices in schools.
5. Get ready for the GDPR
Although the General Data Protection Regulation (GDPR) will not go into effect until summer 2018, now is the time to start planning how your organization will come into compliance. More U.S.-based companies will be subject to EU privacy rules due to the expanded jurisdictional scope of the GDPR, which also gives more rights to individuals and increases fines substantially (up to several percent of revenue). U.S. providers of services to EU customers will have many more responsibilities as “data processors” than before, which will require a re-look at liability caps and indemnities in customer contracts. For the first time the GDPR also will require that agreements with data processors include certain provisions and give customers stronger approval rights. Given the level of changes, bringing customer contracts into compliance with the GDPR will take some time so it will be important to get an early start. Contracts being signed now should not be subject to renegotiation because they have to be amended to comply with new EU privacy rules in the next 24 months!
6. Risk assessments are considered privileged
Attorney-Client privilege can protect your company in the event of a data breach. Consider seeking outside counsel to conduct table-top exercises, risk assessments, pre-litigation counseling, and other pre-breach responses to protect your ability to have candid and confidential communications regarding your company’s cybersecurity risks.
7. FTC to continue its role as enforcer
The FTC is embracing its role in safeguarding consumer privacy and information security by bringing enforcement actions against companies for consumer data breaches through its authority to regulate deceptive and unfair trade practices under Section 5 of the FTC Act. In doing so, however, the FTC has still not given concrete guidance on exactly what constitutes “reasonable” security or what level of injury to consumers arises to the level of “substantial harm.” Take the time to review your company’s cybersecurity practices and the promises you make to consumers in your privacy policies to make sure they are proportional to the sensitivity of the information and comport with industry practices.
8. FCC regulated privacy protections for Internet services
The FCC adopted a Notice of Proposed Rulemaking (NPRM) on April 1, 2016, that applies the privacy protections in Section 222 of the Communications Act to Broadband Internet Access Service providers. In that NPRM, the FCC confirmed its commitment that these new privacy rules would not include Edge providers. The FCC is seeking comments on a broad array of questions, including: (1) What should requirements regarding consumer choice look like? (2) What type of information should be considered “Customer Proprietary Network Information,” “Customer Proprietary Information” and “PII”? (3) What level of harm should trigger breach notification? (4) How long should firms have to notify regulators in the event of a breach? Stakeholders should not miss this opportunity to have their voices heard in the process of shaping the telecom privacy landscape. Initial comments are due May 27.
Clearly, the sessions at IAPP were extremely relevant. Let us know what you learned and found most interesting. We’ll continue to keep you up-to-date as developments occur.