
Understanding data privacy: A compliance strategy can mitigate cyber threats

Data privacy compliance in the legal world requires more than just following government regulations.

Organizations must develop solid data security policies and practices to help prevent serious incidents, including information breaches involving customers and employees. Robust data privacy policies and practices also help avoid potential lawsuits and regulatory investigations involving data security. Avoiding incidents like these also provides significant reputational benefits.

As the threat environment intensifies, your legal team must know your obligations to protect the personal data of customers and employees. You must understand the risk of breaching those obligations and the security measures needed to remedy any deficiencies.

Challenges of privacy compliance in today's legal arena

In 2023, there were 3,205 total data breaches in the U.S. — with over 350,000,000 victims — according to the Identity Theft Resource Center. That’s an increase of 72% from 2021. The total costs to a company are staggering, with potential regulatory fines added to the dollar losses caused by a breach.

Companies also need to create and continuously update data breach response plans. Information from the Ponemon Institute finds that only 56% of organizations have a business continuity plan in the event of a data breach, and 64% have no set time for reviewing and updating these plans.

Deciphering U.S. and international privacy laws can be bewildering, primarily because they often cover different data sets. Here's a deeper look at some of the key regulations:

  • General Data Protection Regulation (GDPR). The EU's comprehensive law protects the personal data of its residents. Noncompliance can result in fines of millions of euros.
  • Health Insurance Portability and Accountability Act (HIPAA). This act protects health information in the U.S. Violations can result in civil and criminal penalties, including fines and potential jail time.
  • California Consumer Privacy Act (CCPA). This landmark privacy law grants California residents rights over their personal data. The California Privacy Rights Act (CPRA) expands on the CCPA.
  • Federal Information Security Modernization Act (FISMA). This act governs the security of federal government data and systems. Enforcement varies by agency but can include disciplinary actions and fines.
  • Sarbanes-Oxley Act (SOX). This act focuses on financial reporting but includes data security provisions protecting the financial information of publicly traded companies.
  • Payment Card Industry Data Security Standard (PCI DSS). This security standard comprises a set of requirements for organizations handling credit card information. Noncompliance can result in fines, penalties, and loss of the ability to process payments.

Unfortunately, many U.S. legal and compliance departments are unfamiliar with the intricacies of data privacy laws and how to comply with them. Moreover, as laws become more numerous and expansive, the risks of penalties for noncompliance increase dramatically.

An international effort

Europe has taken the lead in data protection and privacy. The overarching GDPR imposes stiff fines on companies for noncompliance, such as unlawful processing and disclosure of personal data. Australia's Privacy Act, Argentina's Personal Data Protection Law, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) are examples of countries setting comprehensive data protection laws.

In the United States, a patchwork of privacy laws exists at the federal and state levels based on industry and data types. However, 15 states — including Delaware, Florida, Texas, and Tennessee — now have comprehensive data privacy laws going into effect in 2024 and 2025. More than a dozen additional states have consumer privacy bills in legislative cycles.

Adding to the compliance landscape, the Federal Trade Commission (FTC) has signaled an aggressive approach to enforcement with data privacy and cybersecurity matters. Companies can expect the FTC to take a more active approach to pursuing violations under its authority to enforce existing consumer privacy laws and regulations.

Legal and compliance departments must determine which laws and regulations apply at the state, national, and international levels. Where do you begin?

Set up a systematic compliance effort for your organization or firm

A good framework that guarantees data privacy for your clients and employees will include the following components.

Creating an overall compliance strategy

Many organizations lack a comprehensive, integrated, measurable, and centralized strategy for achieving data compliance. Developing a high-level set of principles and documentation, known as a data protection compliance program, outlines the measures the organization will take concerning personal data (as defined by applicable laws) and thereby improves data security. All vital stakeholders and areas of the organization must be represented in the program.

Having compliance subject matter experts (SMEs)

No one person can be an expert in the myriad regulations governing data sharing, security, and management. One option is assigning and training SMEs to specialize in specific regulations, such as HIPAA or GDPR. This strategy provides a single source of expertise for developing legally compliant policies and practices. Dedicated SMEs can drive data protection compliance standards in their assigned areas.

Inventorying and assessing personally identifiable information (PII) or sensitive personal information (SPI)

Companies must identify and tag personal data when it is collected, and they need a method to track it thereafter. This process helps you locate and appropriately protect personal data in accordance with applicable state privacy laws and other recommended standards.

Establishing data protection policies and procedures

A privacy-compliant organization provides solid administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of data. This protection includes effective detection and prevention of unauthorized or inappropriate access to data, and of other cybersecurity risks. The organization must continually assess, monitor, and update its information security to meet new threats. Data sharing must also be governed by a strict set of controls and policies.

Developing a response strategy and plan

No system is perfect, despite full adherence to compliance policies. Cyberattacks and data breaches continue to outsmart some of the best systems. An effective data breach response plan and escalation process can mitigate the impact of an intrusion. The organization should train employees responsible for breach response on these plans and escalation channels. The corrective actions in the response plan must be implemented and documented as proactive preventive measures against a repeat incident.

Keeping proper compliance documentation

It's critical to document compliance plans and processes correctly. Content management systems such as Microsoft SharePoint, OneDrive for Business, and others can house and track all documents, reports, and records related to your data protection compliance program. Assigning an employee dedicated to managing document security and compliance is ideal.

Guaranteeing proof of compliance

It's not sufficient to know you are data privacy compliant. You must be ready to present your conformance for internal inquiries or external audits. Compliance should be clearly verifiable and readily accessible through reports and documentation. Your organization should have a process for reporting noncompliance and a clearly defined evaluation path. Appropriate monitoring, auditing, and use of controls can help ensure compliance with confidentiality principles.

Fast-forward data privacy compliance concerns

Whole new dimensions of the technology and business landscape are emerging that will compound the issues in protecting personal data. Big data and its vast datasets will pose problems for controls and management. International data transfers have increased exponentially and require new security measures in networks and Internet infrastructure. On the legal and regulatory horizon, tighter consent requirements are emerging. Individuals are gaining increased control over the use of their personal data and how it’s handled.

Protections and challenges related to the use of private information will only increase in 2024 and beyond. Use Practical Law resources to fully understand the legal landscape affecting personal data and adopt a comprehensive compliance system to conform to it so that your legal team knows it's meeting its data privacy obligations.
