Keeping pace with the state of data privacy and data privacy regulations is becoming a pressing responsibility for businesses in the digital age. Data privacy legislation is on the rise, with jurisdictions adopting stricter protective measures on a national and global front. If you are an organization that handles customer information, it is essential that you have a comprehensive understanding of data privacy to avoid costly consequences and damages to brand reputation.
This guide will cover what data privacy is, what consumer information is protected, regulatory measures of data privacy, and considerations to prevent a data breach within your organization.
What is Data Privacy?
Put simply, data privacy is the right of an individual to control the flow of and access to their personal information. What constitutes personal information that is protected by privacy laws is often defined broadly.
How does Data Privacy differ from Data Security?
While data privacy focuses on the rights to protect personal information, data security is a technical term that refers to the measures taken to protect such data from unauthorized access, use, or destruction.
What Type of Information is Protected by Data Privacy Regulations?
It is important to note that protected personal information covered by data privacy legislation varies from jurisdiction to jurisdiction, but is generally defined similarly to cover any information relating to an identified or identifiable natural person whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
Names, Addresses, Social Security Numbers, Date of birth, Email Addresses, Medical Information, IP address, Geolocation, Financial Information.
What are Common Threats to Data Privacy?
Data privacy can fall at risk to various malicious attacks and non-malicious actions.
Common threats to data can include, but are not limited to:
- Cyber-attacks: hacking, data theft, viruses, ransomware;
- Unauthorized access: employees accessing data they should not have access to;
- Employee misconduct: employees leaking data or selling it to third parties;
- Human error: accidental loss, sharing of, or deletion of data;
- Mobile devices and Applications: collecting information;
- Third-parties: data collected, stored, or used by vendors or business software;
- Outdated Policies: security and data privacy policies;
- Regulations: New and proposed regulations.
What Regulations Protect Data?
In the U.S., data privacy regulations break down into a variety of jurisdictions. At present, the U.S. does not have a comprehensive federal data privacy regulation. Rather, federal measures protect industry-specific data while more comprehensive data protection falls to a state level.
The U.S. States with Data Privacy Laws
Many states are proposing comprehensive data privacy regulations in response to the increasing number of data breaches and cyber-attacks.
State-level proposals have continued to increase in activity over recent years. California was the first state to pass comprehensive data protection laws starting with the California Consumer Privacy Act of 2018 (CCPA) and later the California Privacy Rights Act of 2020 amending the CCPA. For 2021, 23 states introduced comprehensive privacy bills. Of those 23, 15 bills did not advance to full legislative vote, 6 bills remain active but are still in committee, and only 2 bills (Colorado and Virginia) were signed into law.
A great resource to keep tabs on state-specific proposals is the International Association of Privacy Professionals (IAPP). IAPP provides regular updates on various state legislations, like the U.S. State Privacy Legislation Tracker below:
How Do State-specific data privacy regulations affect businesses?
Provided data privacy is regulated on a state-by-state level, businesses need to know which jurisdictions they offer or advertise their services and products to, or collect and utilize consumer data from. While your business may be based outside of California, if you have clients in California or marketing targeting California residents or companies, you may be responsible for adhering to California data privacy regulations.
To ensure that your company is complying with current legislation, it is imperative to review your data retention policies with a specialized data privacy attorney to comply with all applicable state data privacy laws.
U.S. Industry-specific Regulations
Within the U.S., there are a variety of industry-specific regulations that cover data protection. In particular, there are protections for the finance industry, retail industry, healthcare industry, consumer data industry, defense industry, and energy industry.
Federal data protection regulations include:
Global Data Privacy Regulations (GDPR)
Outside of the U.S., data privacy regulation varies also from country to country. In Europe, for example, there is a comprehensive data protection law called the General Data Protection Regulation (GDPR). This regulation applies to companies that process or store data belonging to individuals in the European Union. The GDPR replaces an earlier data protection directive from 1995, updated as consumer data use and accessibility evolved.
The GDPR protects the following data of individuals within the E.U.:
- Name, address, and I.D. numbers.
- Their physical or mental health data.
- Data about criminal offenses.
- Financial data including bank account details or credit card information.
- Personal data relating to their racial origin, sexual orientation, political opinions, and religious beliefs.
The law also requires that individuals have access to the data companies hold on them and why the data is being processed, where the data will be stored, and who the data might be shared with.
The GDPR does not apply to data collected in the U.S, and however, it still applies if your business targets or does business with European residents. It is essential for companies engaging in international data transactions to carefully review their data privacy policies and contracts to ensure that they are compliant with E.U. data privacy regulations- both during the initial setup of these relationships and on an ongoing basis.
Learn more about the impact of GDPR here.
Other Countries with Data Privacy Regulations
While the U.S. and E.U. have predominantly taken the limelight in the rise of data privacy and protection regulations, more and more technology-centric countries are following suit, including, notably, Japan and China.
In 2020, Japan’s Ministry of Economy, Trade, and Industry enacted the Act on the Protection of Personal Information (APPI). The law set to take effect in 2022 would require organizations to obtain consent from consumers regarding the collection of sensitive data and disclose the purposes of personal information in data collection, among other requirements.
On November 21, 2021, just two months after its passage into law, the China Personal Information Protection Law became effective. The PIPL shares many similarities with the GDPR, including its extraterritorial reach, restrictions on data transfer, compliance obligations and sanctions for non-compliance, amongst others. After a very short period from passage into law to its effective date, the PIPL still has gaps that must be addressed through guidance from the Cyberspace Administration of China so companies are able to comply with the letter and spirit of this new law. Companies operating in China should pay close attention to regulations, guidance documents and enforcement actions related to the PIPL.
While the momentum for data regulation continues to increase globally, so does the volume of costly data breaches. A data breach can occur when an unauthorized person or entity accesses, uses, or discloses confidential information, which may include personal data. Data breaches are commonly associated with cyber-attacks but can also result from inadequate cybersecurity policies and practices within organizations. These breaches often result in costly consequences and even impact an organization’s trust amongst clients, peers, and vendors. Furthermore, current data suggests that these breaches are not slowing down or lessening in their financial impact.
Recent Data Breach Trends
- Cyberattacks are increasing. The Identity Theft Resource Center reported more data compromises in the first three quarters of 2021 than the entirety of 2020, noting cyberattacks, particularly Phishing and Ransomware, as the most prevalent forms of attacks.
- The cost of data breaches is increasing. According to IBM‘s Cost of Data Breach Report, 2021 encountered the highest average data breach cost, rising from $3.86 million to $4.24 million.
- Remote work plays a role in higher data breach costs. Additionally, IBM reports that the average cost of a data breach was $1.07 million higher when remote work was a factor.
- Credentials are being compromised. Additionally, IBM says that compromised credentials account for 20% of data breaches.
Best Practices to Prevent and Identify Data Breaches
Businesses of all sizes must understand the importance of data privacy and implement necessary safeguards to protect their customers’ personal information. Organizations can take several preventative measures to help mitigate the risk of data breaches early on. We recommend consulting with a Cybersecurity or Data Privacy Attorney to navigate regulatory and contractual measures. In addition, companies should consider the following:
- Implement comprehensive cybersecurity policies and practices. These practices and procedures should include data loss prevention (DLP) measures, such as strong password requirements and data encryption, employee training on cybersecurity best practices, and regular vulnerability scans.
- Restrict access to data. Only allow employees who need access to specific data sets and use strong authentication measures, such as two-factor authentication.
- Use data loss prevention technologies. Technologies such as data encryption and tokenization can help protect data from being accessed or used if compromised or stolen.
- Run cybersecurity audits. Test your employees’ knowledge of cybersecurity policies and practices, and run penetration tests to identify potential vulnerabilities in an organization’s systems.
- Run data privacy audits—review data handling procedures and identify areas where personal data may be unnecessarily collected or stored.
- Seek legal assistance with your website Privacy Policies. Generic Privacy Policies are available across the web. However, if your organization collects, stores, utilizes, shares, or sells consumer data, a specialized data privacy attorney can ensure that your business complies with all applicable regulations.
- Implement data breach response policies and protocols. These should include data breach notification procedures that comply with state laws.
- Ensure data privacy measures are included in contracts. When working with third-party vendors, data-sharing agreements, or any other contract that involves handling consumer data, make sure to include specific data privacy clauses.
- Implement a Data Classification Process. Efficient and effective data classification can help to ensure that data is appropriately categorized and protected according to its sensitivity level.
Data Privacy is an essential component of our digital economy and should not be overlooked by businesses of any stage or size. By understanding the importance of data privacy, implementing the above-mentioned best practices, and staying on top of new data protection regulations, your organization can help protect your customers’ data and avoid costly data breaches.
Contact us today to learn more about data privacy legal solutions for your business.
Stan Sater is a corporate and technology attorney at Founders Legal. Stan advises clients on corporate transactions, data privacy, contract drafting, regulatory analysis, intellectual property licensing, terms of service, and outside general counsel assistance.
Founders Legal (Bekiares Eliezer LLP) is a boutique Corporate & Intellectual Property Law Firm based in Atlanta, Georgia USA, and trusted by thousands of companies nationwide. Founders Legal focuses exclusively on complex matters in the areas of Intellectual Property, Corporate, Transactional, and Securities law.