Data breaches are the nightmare scenario for any organization in the 21st Century. No matter how tech-savvy the company, there is no airtight way to protect a network and the wide array of sensitive client and customer data that resides in it. A single determined hacker can erode confidence, expose secrets and damage the reputation of even the largest corporate entity.
But just as worrisome for a company’s top lawyers may be the increasingly complicated legal ramifications of nascent laws meant to protect consumers in the information age. As legislation bubbles up from American state houses and European capitals, it heaps new worries and additional responsibilities onto the plates of corporate general counsels worldwide and close to home.
“If something goes wrong, the technical people may know about it first, but you can guarantee that the whole stinking mess is going to end up on the general counsel’s desk sooner or later,” said Daniel C. Nelson, a partner and co-chair of Armstrong Teasdale’s privacy and data security group in St. Louis.
Like many others, Nelson points primarily to two emerging regulatory initiatives: the European Union’s General Data Protection Regulation, which took effect in May 2018, and California’s Consumer Privacy Act, which is soon to be enforced.
Both have been roiling the waters of the legal world well beyond the confines of their own borders because jurisdiction is driven not by the location of the company holding the information but by the residency of the affected individual.
“California has taken the position with all of its privacy laws and will take the position with this one that if you are in possession of the personal data of a California resident, you are subject to the law even if you are in Missouri,” Nelson said. “And California is not alone in that.”
Indeed, Europe’s GDPR is driven by a similar philosophy. So are revamped state laws which are sharpening legal requirements for data-holding companies from coast to coast.
“What I always tell clients is that you should look to the most restrictive state, and what you do for one, you do for all,” said Jena Valdetero, a partner in the Chicago office of Bryan Cave Leighton Paisner.
Valdetero noted that requirements to notify both regulators and affected parties of a breach vary from state to state, with some giving firm deadlines and others with more vague language that simply indicates that notification should take place as soon as possible.
The kind of exposure that triggers a legally required breach notification also varies. In many states, “personal information” means a name in combination with data such as a Social Security, driver’s-license or financial-account number. Others have expanded that definition to include any exposure of a user name and password that would grant access to an online account.
All of that is dwarfed by California’s new law. Set to go into effect in 2020, it treats as personal information virtually any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly,” with a person. That includes everything from browsing history to geolocation data. One somewhat head-scratching clause even covers “visual, thermal, olfactory or similar information.”
“It is possibly the most broad definition of personal information in the world,” said Colman McCarthy, a Kansas City associate at Shook, Hardy & Bacon who focuses on privacy and data-security issues.
New Mexico and Massachusetts are considering laws inspired by the California measure, while Illinois and Texas have passed laws relating to the protection of biometric information, McCarthy said. Washington State falls into both categories.
McCarthy called the California privacy act “a game-changer” for U.S. data law which expands the concept of personal information to almost anything not already accessible to the public.
“I think the spirit behind these definitions of personal information is not just that you have information you could look up in the White Pages but that you have enough information that an attacker could do some kind of damage with it,” he said.
Valdetero said that one of the biggest changes being ushered in by the California law will be the ability of any resident to seek statutory damages without showing that they’ve been hurt by the results of a hack. The penalty may reflect how well the company handled the breach.
“Data-breach lawsuits have historically been a little hard to get off the ground because it is hard to show that you have been harmed,” she said, noting that California would allow statutory awards of $100 to $750 per consumer per incident. “What you need to be thinking is, ‘Do I have everything in place so that if we have a data breach, we can help minimize it and respond quickly so if somebody is seeking statutory damages we’re going to be hit on the low end of that range?’”
James Shreve, a partner in the Chicago office of Thompson Coburn and head of its cybersecurity practice, said CCPA was drafted rather quickly as part of an effort to avert a larger ballot initiative — and it may yet change.
“I think there will be significant efforts to amend the requirements of the law from industry and consumer advocates because it doesn’t all hang together well,” he said. “That’s something general counsels need to keep an eye on in the coming year.”
It isn’t just states whose regulations should draw concern.
Federal data-privacy rules are sparser and usually centered on sectors such as health care via the Health Insurance Portability and Accountability Act or finance via the Gramm-Leach-Bliley Act, but they still can present an avenue for possible liability, Shreve said.
“Even beyond the usual regulated entities, we’ve seen the [Federal Trade Commission] pursue actions against companies, [as in] the Wyndham case where they went after a hotel chain saying it was an unfair or deceptive act or practice under Section Five of the FTC Act to fail to reasonably secure personal information,” said Shreve. He referred to a 2008-2009 hack which, according to the Harvard Law Review, compromised more than 600,000 accounts and caused more than $10.6 million in fraud losses.
Meanwhile, Nelson called California’s new law “the tip of the spear” when it comes to more U.S. privacy regulations that could mirror Europe’s GDPR. He noted that companies are increasingly focused on examining the data-related liabilities they could acquire through mergers and acquisitions.
“We’re starting to see some general counsels make it a point to include in their due-diligence process a look at what kind of potential exposures might exist on the privacy and/or security front in terms of companies they are acquiring or otherwise doing business with,” he said.
Contractors need to be put under a microscope as well.
“There is an awful lot of potential personal data traveling back and forth between a company and vendors,” Nelson said. “I think some of the more forward-thinking general counsels are spending a lot of time trying to see how we legally by contract provide more protection for our client dealing with all these other parties out there we may be giving data to or receiving data from.”
Jill Rhodes, part of the American Bar Association’s Cybersecurity Task Force as well as its standing committee on law and national security, said that general counsels often can serve as catalysts for spreading information in their organizations on how best to avoid falling victim to a hack.
“The majority of these data breaches happen because smart people are doing silly things,” she said. “Often, it is someone in the company who clicks on a phishing email or becomes victim to social engineering attacks. That’s how the bad guys get in.”
Lucie F. Huger, a shareholder in the data privacy and security group at Greensfelder, Hemker & Gale in St. Louis, agreed.
“Another thing that’s important — and we always emphasize this — is educating your workforce,” she said. “Everybody in your company with access to personally identifiable information has a responsibility to keep that information secure.”
Shreve said he believes that lawyers can be central points of contact who help different areas of the organization to understand each other.
“Quite often there can be a communication issue between the board and information-security people. They are often speaking entirely different languages,” he said. “The general counsel can help translate between those two sides.”
Benjamin Shantz, an associate at Spencer Fane in Springfield, said that whatever happens to the statute, the future won’t be the same for in-house lawyers, who will need to think not just in terms of compliance but in terms of best practices that mitigate the risk of private, personal or privileged information being exposed.
“Until now most U.S. general counsels have only had to worry about things in their sandbox. Now California is changing the paradigm potentially in response, or at least in consideration of what Europe has done with the GDPR,” he said.