Twelve Cyber Data Hygiene Habits for 2015
January 28 is International Data Privacy Day. How are you celebrating? We are kicking off a year-long series on data privacy and security, featuring twelve security and privacy habits to review and put into place in your enterprise in 2015. To kick off the series: know what legal framework applies to your business.
Most US businesses are unregulated on the data security front. A few highly regulated types of data must be kept secure and/or private in certain sectors; but outside of financial services, healthcare and children's marketing, there are very few affirmative requirements of data security or privacy for civilian commercial enterprises. If you operate a business in any of these regulated sectors, you should be aware of the privacy and security requirements applicable to your consumer data: with whom it may be shared, for what purposes it may be used, and whether consumers have any rights of access to or control over the data you collect and keep about them. These rules can be tricky, and may apply differently to different businesses depending on the role each plays in a particular transaction. If you fall under one of these regulated types of entities, it is prudent to have on call an expert in the applicable legal obligations and exemptions whenever you do common things such as the following:
- Design Web sites and privacy policies.
- Sign an agreement with an IT vendor.
- Offer games or apps for download by the public.
- Disclose consumer information to affiliates or to third parties for marketing or research purposes.
- Conduct online marketing, sweepstakes, or advertising.
This is not an exhaustive list, but it does give some idea of the breadth of activities that could trip data protection or security requirements within these few regulated industries.
For most other businesses, the real legal issue is not what to protect, but what to do if you suffer a breach of private data. Responding to a breach may be complicated; there are forty-seven state laws governing breach response, each enacted to protect citizens of that state. Some states pride themselves on their pro-consumer laws and may impose complex and arduous notice rules on companies that suffer a breach. In some cases, depending on the circumstances of the breach, you may have no duty to notify consumers at all. In others, you may have to notify both consumers and state law enforcement (such as the State Attorney General). In any breach that involves residents of more than one state, you will have to assess the requirements in each affected state and decide on the best way to proceed in each state and overall.
Whether your data habits are regulated in the ordinary course, or you are simply subject to breach notice laws after an event, understanding the general obligations for your business is invaluable. If you ever do suffer a data incident, knowing in advance what you must do and why can save you valuable time and may lessen the scope of any data loss.
Next month: Know What Data You Collect, Keep and Use (and Why).