Page 22 - November 2019 BarJournal

FEATURE
CYBERSECURITY, DATA PRIVACY & EMERGING TECHNOLOGIES

to undertake compliance efforts to satisfy the requirements of GDPR. In the United States, businesses with operations, customers or consumers in California are (or should be!) similarly engaged in preparation for the CCPA taking effect. But particularly for smaller to mid-market companies that have not (yet) been directly touched by these laws or fully appreciated their implications and, thus, have not devoted significant resources to addressing data privacy and cybersecurity to date: What should they be doing?!

TAKING DATA PRIVACY & CYBERSECURITY SERIOUSLY
The integration of information systems in virtually all facets of business enterprise means that addressing data privacy and cybersecurity seriously requires a comprehensive approach, with input from across an organization, involving multiple disciplines. Generally, that means business managers and sponsors who are responsible for collecting and using such information (prominently including deciding what information is collected and used); software, IT and other technical personnel who maintain the systems and technology that enable the collection, storage and distribution of such information; and risk management and legal personnel who can help to identify the risks that are most relevant to the enterprise. Particularly for smaller to mid-market enterprises, securing appropriate input across these disciplines may involve contributions from external advisors and counselors, as well as from employees.

Developing a plan for appropriately addressing cybersecurity and data privacy starts with understanding what data an enterprise receives, collects, holds, analyzes and distributes. Thus, an inventory of data repositories and data streams (inbound and outbound), identifying where within an organization data is collected, kept and used and what types of data are received and stored, is a critical component of any thoughtful approach to cybersecurity and data privacy. Reviewing business processes and practices regarding data handling and storage, including access rights (internal and external) and channels of distribution, both within and outside the organization, is equally critical.

Another, often overlooked, arena that is critical to developing a coherent plan is assessing the contracts that an enterprise may have regarding the collection, processing and dissemination of data. The complexity of the technology, the demands of commercial environments and the changing architecture of information processing mean that most smaller to mid-market companies, in particular, no longer attempt to provide or perform all relevant IT services in-house. Rather, they contract with various vendors for hosting, application development, maintenance and support, sometimes even outsourcing the IT function entirely. In light of such practices, it can be critical to address cybersecurity and data privacy considerations not only within an organization but also with its third party vendors, typically through the vehicle of the licenses, subscriptions and services agreements that govern the provision of such services. Most IT vendors, of course, have their own form contracts, which customers frequently execute as presented, without full appreciation of the terms to which they are agreeing. Any effective approach to data privacy and cybersecurity for businesses that rely on third party vendors will necessarily entail a proper assessment of such contracts.

From such assessments of data inventories, business processes and contractual arrangements, data privacy and cybersecurity teams can start to develop a comprehensive policy for the enterprise that subsumes and reflects all of those areas. In that sense, such a policy is both broader and deeper than simply the privacy policy or statement which many enterprises publish on their websites. Those are commonly developed based principally (only?) on activities and interactions on the website itself, and often do not represent a comprehensive articulation of appropriate data handling practices and privacy commitments across the entire enterprise — i.e., beyond the scope of the website proper.

A robust data privacy and cybersecurity policy is also likely to include a data breach incident and/or recovery plan that addresses specific roles and responsibilities within the organization in the event a data breach or security incident occurs. (For online enterprises, these may be characterized as business continuity or recovery plans.) Further, in order to be effective, such a plan should be more than a document saved in a directory or printed in hard copy and placed on a shelf. Best practice guidance in this arena prescribes more than simply developing a plan; it includes testing or practicing it — e.g., through so-called "tabletop" exercises. Organizations which do so are far better prepared to deal with breach incidents and critical recovery activities should they occur. More aspirationally, the data privacy and cybersecurity policy should become an organic part of the organization and its operations, subject to regular, ongoing (annual?) review and update — i.e., in the parlance of GDPR, 'data protection by design.'14

CONCLUSION
As the prevalence and notoriety of data breach incidents rise, privacy and cybersecurity are growing in importance within almost every organization. The rapidly changing legal landscape is elevating the risks to organizations which fail to address this subject effectively. A comprehensive, multi-disciplinary approach can help a business to develop a data privacy and cybersecurity plan which, if practiced and actively maintained, can not only enable it to reduce the risks of a data security incident and be better prepared to address same effectively — with minimum harm to the company and its reputation — should one occur, but also contribute qualitatively to data management practices within the organization.

1 Codified at 42 U.S.C. § 300gg; 29 U.S.C. § 1181 et seq.; and 42 U.S.C. § 1320d et seq.
2 See 45 CFR § 164 for Security and Privacy Regulations.
3 See 12 U.S.C. §§ 78, 377; 15 U.S.C. § 80. The Gramm-Leach-Bliley Act also repealed the Glass-Steagall Act, a decades-old law that had historically separated commercial and investment banks and banking activities.
4 See 15 U.S.C. §§ 6501–6505.
5 See 16 CFR Part 312. These also apply to operators of websites or online services that know that they are collecting personal information online from a child under 13 years of age. Id.
6 See, e.g., https://www.ftc.gov/news-events/press-releases/2018/02/paypal-settles-ftc-charges-venmo-failed-disclose-information (visited 10/10/2019) regarding settlement of an FTC complaint charging that the online payment service Venmo misled consumers about the extent to which they could control the privacy of their transactions.
7 See O.R.C. § 1349.19.
8 Id.
9 See https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN (visited 9/16/2019). GDPR has received the greatest attention in the U.S., but privacy and cybersecurity laws and initiatives are in place and/or ongoing in many countries, including, e.g., Australia, Brazil, Canada, China and Japan, among others.
10 See GDPR Portal: Site Overview, https://www.eugdpr.org/ (visited 9/16/2019).
11 This so-called 'right to be forgotten,' see GDPR Art. 17, has engendered considerable public interest and commentary.
12 See Cal. Civ. Code §§ 1798.100 to 1798.198, which provisions were added by Cal. Stats. 2018 ch. 55 § 3 (AB 375).
13 Id.
14 See GD

Dan McMullen is a Partner with Calfee, Halter & Griswold, where he practices intellectual property law, leads the firm's Information Technology Practice, and focuses on computer software and Internet application development and licensing, cloud hosting subscriptions, data rights, cybersecurity, blockchain, IoT and other IT-related transactions and dispute resolution. He has been a CMBA member since 1986 and is a CMBF Fellow. He can be reached at (216) 622-8656 or dmcmullen@calfee.com.

22 | CLEVELAND METROPOLITAN BAR JOURNAL | CLEMETROBAR.ORG