It seems that California opened the floodgates on privacy concerns when it passed a law with strict requirements on businesses that collect, use and sell data about people. Privacy and related laws have become hot talking points for politicians, business leaders, attorneys like me who do privacy and data security work for clients, and ordinary people sitting in a cafe.
Little wonder it is big news. Every day, there seems to be another story reporting either a breach or a revelation that companies collecting information for one supposed purpose are selling it to third parties for an entirely different reason without anyone’s knowledge or informed consent.
For instance, The Wall Street Journal reported on February 22, 2019, that app developers, especially in the health field, are collecting vast troves of information about users and then passing that data to Facebook. In a year of embarrassing revelations about how Facebook misuses people’s data, this may be the most irritating to the most people.
While a recent survey found that 70 percent of Americans are willing to reveal data about themselves in exchange for added online convenience, they are at the same time deeply concerned about how some businesses use that information. Although financial institutions are trusted by most respondents, companies selling consumer goods and social media platforms are held in much lower regard.
Perfect Storm
Partly for political reasons but also because of genuine concern, there now are a number of proposals bubbling up through Congress. Privacy has become a perfect storm melding voter demands with political expediency and buffeted by the reluctance of tech companies to address the issue. There are a number of developments blowing in the wind generated by the storm:
- Even before California’s tough privacy law takes effect in January, the state is looking at broadening its scope and reach.
- House Democrats are looking at new laws to provide greater oversight and regulation of tech companies and social media platforms.
- The Illinois Supreme Court held that a violation of the state’s biometric privacy law is itself an actionable harm; a plaintiff need not show any further injury.
- The head of the Government Accountability Office (GAO) told Congress that the U.S. needs national privacy legislation.
- Google revamped its public policy operation to gear up for what it expects will be major legislation that could affect its business model.
- Facebook and Apple also are preparing strategies to fight privacy legislation.
Some consumers are taking privacy in their own hands.
A business acquaintance is so concerned about his privacy that he has gone to great lengths to protect it. He removed all data from his phone, runs searches only through an engine that won’t track users and browses only with a browser that doesn’t either. He has a VPN and cookie scrubber on his computers, does no online shopping or buying, refuses to have a debit or credit card, and pays cash for everything.
“I don’t need my ISP, telecom provider, device manufacturer, bank and places where I buy things selling information about everything I do to anyone with a checkbook,” he told me.
While he may be an outlier and an extreme example, clearly there are growing concerns by politicians and ordinary people alike about privacy. Smart companies recognize this and try to stay ahead of the curve.
Business Considerations
As a privacy and data security attorney, I am being asked by a growing number of clients about the legal ramifications of the heightened interest in both areas.
Inquiries started when the European Union’s GDPR rules were coming into force nearly one year ago. In particular, clients in my practice that run ERP software systems store vast amounts of identifiable consumer data and wanted to understand the law to ensure they were complying, so they didn’t risk facing gargantuan fines.
But in recent months, savvy executives have become attuned to the reality that both commercial and individual customers or clients are getting nervous about how their information is stored and used. The first thing I tell them is to make sure there are adequate safeguards in place to reduce the likelihood of having data stolen or misused.
Part of this is having a tough privacy policy in place. But part of it is limiting the number of employees who have access to data, following the “need to know” approach of national security agencies: each person gets access only to the data their job actually requires. For instance, keep the number of employees who can access or download identifiable data onto personal devices to an absolute minimum, and review that list regularly.
It’s also important to react quickly to maintain public trust if there is a problem. A transparent, proactive and public response is essential, along with having a plan in place to deal honestly with the breach. One reason Equifax was battered so hard is that it sat on its breach for weeks before telling anyone who was affected.
Privacy and data security have become too important for the C-suite to leave them to midlevel managers in the IT department. Any company that collects and stores information about customers or clients should talk with a security consultant about conducting an audit, and with a privacy lawyer about drafting written policies governing both access to and use of the data, as well as how the business will react in the event of a breach.
UPDATE: One day after this blog was written came news of another major data breach. Rush University Medical Center in Chicago told 45,000 patients their information may have been compromised back in May 2018. Apparently, it happened when a third-party vendor improperly disclosed a file containing patient information to an unauthorized party. It’s becoming difficult to keep track of all of the privacy breaches, but this one speaks to one of the points in the blog: organizations need to audit their data security procedures, including those of their vendors, and have a policy and process in place to react quickly.