Page 20 - November 2019 BarJournal

FEATURE
CYBERSECURITY, DATA PRIVACY & EMERGING TECHNOLOGIES

DATA PRIVACY & CYBERSECURITY
WHAT’S A BUSINESS TO DO?!

BY DANIEL J. MCMULLEN

The explosive growth over the past two decades of online activity of all sorts, from e-commerce to social media platforms to digital exchanges of many types, has seen a corresponding explosion in the amount of information — i.e., data — exchanged by individuals and organizations via the Internet. The advent and future growth of the Internet of Things will, of course, only multiply such data volumes.

Similarly, recent years have seen growing numbers of incidents of data being wrongfully accessed, taken and/or appropriated in widely publicized data breach incidents that have brought great embarrassment and considerable costs to the proprietors of those data repositories and heightened public consciousness of such risks. As a consequence, public sensibilities and attitudes about data rights and privacy, particularly regarding our personal information, have evolved significantly from the early days of the Internet. In its early years, the Internet grew rapidly and organically, subject to relatively little meaningful regulatory oversight, particularly here in the United States. As models for commercialization of the Internet emerged, one significant form found online users gratefully adopting powerful, “free” online services (e.g., for search, email, image- and video-sharing, etc.) that required little more in exchange from them than “registration” — i.e., submission of various (seemingly innocuous) items of information about themselves. In recent years, some of the trade-offs in swapping personal information for “free” services have become more apparent, particularly in the aftermath of data breach incidents. As public attitudes have evolved, they, in turn, have precipitated corresponding action from governments, in the form of enforcement activities, regulation and even legislation.

In many respects, these factors have combined to create the proverbial “perfect storm” of growing risks regarding data privacy and security. Many individuals are starting to make more discerning judgments about when and under what circumstances they disclose various items of information. Giant global corporations have devoted considerable resources in recent years addressing needs and interests associated with protecting and securing data repositories in their custody. There remains, however, a very significant challenge for many small to mid-market companies that want to continue to derive value from the data streams they generate, collect, aggregate, analyze and commercialize, but do so in a way that properly addresses a much more challenging risk environment than in the past. Thus, in the present technical, social and legal context, one may ask: What is a business (particularly in the smaller to mid-market strata) to do about data privacy and cybersecurity?

THE LEGAL RISK LANDSCAPE

In broad terms, one may characterize risks associated with the challenges of cybersecurity and data privacy in both technical/operational and legal terms. It is beyond the purview of this article to address the numerous technical and operational risks that the present environment presents. However, along with those technical and operational risks, it is also important for companies to recognize risks present in the current and rapidly evolving legal landscape (a particular challenge for smaller to mid-market companies that may not have substantial in-house legal resources monitoring such matters).

As noted, the growth of the Internet and online commercial enterprise has occurred, particularly in the United States, under a prevailing laissez faire legal regime. In exchange for providing numerous online services that many Internet users and consumers value, service-providers have been able to collect and use data from such users with relatively little government intrusion, involvement or oversight.

Industry Specific Laws

Exceptions to this laissez faire treatment can be found in specific industry verticals, where data sensitivity is particularly acute. Thus, for instance, federal legislation in the health care arena has produced HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act),¹ authorizing establishment of privacy and security rules to protect individuals’ personal health information² and imposing obligations on the parties collecting and handling such data and their business associates with which they share such information. Similarly, in the financial services sector, the Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999) imposes specific duties on banks and other financial institutions regarding the collection and disclosure of private financial information (i.e., the data they collect, receive, process, store and disseminate from their customers) and also stipulates that such financial institutions must implement security programs to protect such information.³ Other special purpose online privacy considerations have been manifest in the arena of protecting minors through federal legislation like COPPA (the Children’s Online Privacy Protection Act of 1998),⁴ which required the Federal Trade Commission (FTC) to promulgate rules imposing requirements on operators of websites or online services directed to children under 13 years of age.⁵

Somewhat more broadly, the FTC has exercised a regulatory role regarding online businesses’ treatment of consumer information that is collected, particularly in view of their published privacy policies. The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce, including for failing to adhere to their own stated privacy policies.⁶

State Laws

In parallel with such federal legislation, going back a number of years, states began

20 | CLEVELAND METROPOLITAN BAR JOURNAL | CLEMETROBAR.ORG