In the November 27, 2019 edition of The Legal Intelligencer, Edward T. Kang, managing member of Kang Haggerty, wrote “Changing Consumer Data and Protection Regulations for Companies and Their Counsel.”
Last year, I wrote an article that discussed the implications of the European Union’s (EU) General Data Protection Regulation (commonly referred to as GDPR), which came into effect in May 2018. GDPR’s goal was to create and ensure the right of individuals in the European Union and the European Economic Area to control their personal data. In the wake of numerous data breaches and many companies’ morally gray handling of their customers’ personal data, the GDPR gives people a better chance to understand and control the dissemination and use of their personal data. The regulation also demands a high level of care from any data handler so that personal information is better protected.
Although a European regulation, the GDPR has affected American companies and, as it appears, has also begun to shape American law and policy. GDPR’s strict rules do not simply apply within the EU and the European Economic Area; they reach anyone who offers goods or services to people living in those countries or who otherwise monitors the behavior of those residents. Consequently, many companies, both large and small, have had to appoint data protection officers to comply with GDPR, as violations of the regulation can result in costly penalties.
Recently, American states have started to enact similar consumer privacy laws and regulations. Some have already taken effect or will very soon. The hallmark so far is the California Consumer Privacy Act (CCPA), which was passed unanimously in June 2018 and amended in September 2018 and again last month. The act takes effect Jan. 1, 2020.
The implications of California’s implementing CCPA are momentous. Similar to GDPR’s wide-spanning reach, CCPA is not limited to California itself—the regulations must be followed by any company that serves California residents. Considering that California is also home to Silicon Valley, these new regulations will have a direct impact on the policies of major international companies such as Apple and their employees, who handle massive quantities of consumer data constantly.
The CCPA and GDPR are not identical, however. GDPR is much broader in what it considers to be protected personal data, broader in who must comply, and tends to be stricter about protection. The CCPA, for example, regulates for-profit entities that meet any one of three thresholds: annual gross revenue greater than $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving at least half of annual revenue from selling personal information. Meanwhile, GDPR’s “data controllers” and “data processors” implicate a broader swath of companies and organizations, regardless of their size or revenue. A handy chart comparing major aspects of CCPA and GDPR can be found here.
The most interesting implications come from the resulting interactions between GDPR and the CCPA and how companies will—and need to—react. Companies must tailor their internal policies to handle consumers’ personal data under the guidelines most applicable to them.
Yet the data security picture becomes even more complicated when one considers the growing number of state-specific consumer protection laws being put into place. This is especially true for us here in Pennsylvania, where House Bill 1049 was introduced earlier this year. Although the bill is still pending before the Committee on Consumer Affairs, it could be enacted sometime in the near future. Neighboring states such as Maryland, New York and New Jersey are also in the process of updating their laws to further protect consumers’ personal data. These types of bills are extremely popular and receive strong bipartisan support; both sides of the aisle can agree on how damaging the unregulated dissemination of personal data can be to people’s lives and security.
Even though the precise definition of “personal data” varies (American legislation has tended to tie it to information that can be linked to a consumer or household, whereas GDPR is more inclusive, covering any information relating to an identified or identifiable person), most regulations passed so far are, in practice, largely similar. The types of information protected range from names, mailing addresses and Social Security numbers to biometric information and consumers’ personal preferences: all information that can reasonably be tied back to an individual and potentially used to build a profile of them.
These laws and their varying scope pose a real conundrum for companies and their counsel. Security breaches are not always what we imagine them to be; they are not always hackers or other nefarious persons trying to steal sensitive information. Very often, a breach occurs when an employee leaves their place of work and takes certain information with them. Sometimes the intent is innocuous; the employee may take documents that contain formatting they think will be useful as a reference in the future. Other times, the employee takes information about clients so that they might contact them from their new job.
The latter is more problematic in intent than the former. In either situation, however, the employee may have clients’ personal data in their possession, and thus a security breach may have occurred. Even if the employee took a document with client information for relatively innocuous purposes, the sensitive information has left the authorized hands of the company that was entrusted with it. Companies must be diligent in tracking this information, because once it leaves the company it can be nearly impossible to know what happens to it next. The former employee could easily lose a USB drive holding the files, or their personal email account could be compromised.
Fortunately, there are ways for companies to keep track of what files are being circulated and where. Almost all of the tactics used to take company information (which often contains sensitive client information) leave traces. Emails sent to oneself, for example, are readily traceable from mail server logs and journaling even if the user deletes them (from both the sent and deleted folders) on their own end. Other methods, such as copying files to USB drives or even printing, can likewise be traced by forensic specialists through operating system records of attached devices and print spooler logs. The caveat is that these traces exist only if the relevant logging was enabled and retained before the employee left; they cannot be reconstructed afterward. Because of this, companies should have trusted digital forensic experts they can turn to who can determine whether a departing employee took company files before their last day at work.
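The kind of triage that such a review entails, shown as an added example that is not part of the original article and not any particular vendor’s tool: a small script that reads centrally collected mail gateway, removable-storage and print logs and flags the three patterns the paragraph describes (attachments emailed to an external mailbox, USB mounts, and bulk print jobs) in the weeks before a departing employee’s last day. The log format, the field names, the corp.example domain, the user jdoe, the 30-day lookback and the 20-page print threshold are all assumptions, and every log line is constructed for illustration.

```python
"""Flag data-exfiltration indicators in the window before an employee's departure.

Added example, not from the article: a minimal triage script of the sort a forensic
reviewer might run over centrally collected logs. The log format, field names,
corp.example domain, user jdoe, lookback window and print threshold are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines (assumed format): "<ISO timestamp> <source> key=value ..."
SAMPLE_LOG = """\
2019-10-02T09:14:03 mail user=jdoe to=jdoe@corp.example attachments=1 bytes=120000
2019-10-20T18:41:10 mail user=jdoe to=jane.doe@gmail.com attachments=3 bytes=8400000
2019-10-22T19:05:44 usb user=jdoe action=mount serial=4C530001 label=KINGSTON
2019-10-23T08:10:00 print user=jdoe doc=client_list_2019.xlsx pages=42
2019-10-23T11:30:00 mail user=asmith to=asmith@gmail.com attachments=1 bytes=2000
2019-09-01T12:00:00 usb user=jdoe action=mount serial=4C530001 label=KINGSTON
"""

CORP_DOMAIN = "corp.example"      # assumed internal mail domain
LOOKBACK = timedelta(days=30)     # assumed review window before the last day
LARGE_PRINT_PAGES = 20            # assumed threshold for a "bulk" print job


@dataclass(frozen=True)
class Finding:
    when: datetime
    source: str
    reason: str
    detail: str


def parse_line(line: str) -> tuple[datetime, str, dict[str, str]]:
    """Split one constructed log line into timestamp, source and key=value fields."""
    ts, source, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), source, fields


def review_departure(log_text: str, user: str, last_day: str) -> list[Finding]:
    """Return indicators for `user` within LOOKBACK of `last_day` (ISO date, inclusive)."""
    end = datetime.fromisoformat(last_day) + timedelta(days=1)
    start = end - LOOKBACK
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, source, f = parse_line(line)
        if f.get("user") != user or not (start <= when < end):
            continue
        if source == "mail":
            recipient = f["to"]
            domain = recipient.rsplit("@", 1)[-1].lower()
            # Attachments sent to an external mailbox is the classic "email it to
            # myself" pattern; the gateway record survives even if the user purges
            # the sent and deleted folders in their own mailbox.
            if domain != CORP_DOMAIN and int(f.get("attachments", "0")) > 0:
                findings.append(Finding(when, source, "external attachment email", recipient))
        elif source == "usb" and f.get("action") == "mount":
            # A removable-storage mount in the exit window is not proof of copying,
            # but it is the event to correlate with file-access records.
            findings.append(Finding(when, source, "removable storage mounted", f.get("serial", "?")))
        elif source == "print" and int(f.get("pages", "0")) >= LARGE_PRINT_PAGES:
            findings.append(Finding(when, source, "bulk print job", f.get("doc", "?")))
    return sorted(findings, key=lambda x: x.when)


if __name__ == "__main__":
    for hit in review_departure(SAMPLE_LOG, user="jdoe", last_day="2019-10-25"):
        print(f"{hit.when:%Y-%m-%d %H:%M} {hit.source:5} {hit.reason}: {hit.detail}")
```

Run against the constructed log for jdoe with a last day of Oct. 25, the script reports the Gmail attachment, the USB mount and the 42-page print job, and ignores both the internal self-addressed mail and the USB mount from September that falls outside the window. The point of the window and the thresholds is to keep the reviewer focused on the departure period rather than on every routine event in an employee’s history.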
If information has been taken, then the company must act immediately to avoid penalties under the regulations that apply to it, whether a state statute such as the CCPA or the GDPR. Under GDPR, for example, a company must notify the supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Failing to do so is itself subject to a fine of up to 10 million euros or 2% of the preceding year’s worldwide annual turnover, whichever is greater, and the most serious GDPR violations carry fines of up to 20 million euros or 4%. Yet reporting data breaches is also not a straightforward process. Each state requires different information to be reported, often to its attorney general, and each report must specifically describe the residents of that state who were affected by the breach. For smaller companies, completing all of these reports correctly, which is essential to avoiding penalties or other reprimands, will most likely require hiring a third party.
It is essential that companies and their counsel work together to formulate policies that conform with the regulations set out by GDPR, the CCPA, or any incoming state regulations. Although it may seem daunting, it is much easier to work preventively and have a system set in place for handling consumers’ personal data and avoiding security breaches than to be left scrambling in the aftermath of one.
For companies that handle consumers’ personal data, it is important that employees are made aware of what information is protected under these regulations. Consequently, policies should be explicit in detailing what company information or intellectual property cannot be taken and why. Fostering discussion with employees about the potentially sensitive nature of consumer information will help them understand why certain information must stay within the company. The consequences for both the company and the employees themselves should be explained, as both parties may end up in court over the various claims that can arise from the unauthorized taking of information (breach of fiduciary duty, tortious interference, and so on). Of course, it is also key that companies have strong security systems in place to prevent the loss of information in the first place.
When a company learns that a former employee left with confidential information that contains personal data, the company should take immediate remedial measures, including filing a lawsuit and seeking injunctive relief. Under various state trade secret statutes and their federal counterpart, the Defend Trade Secrets Act, the company may obtain immediate injunctive relief and expedited discovery, which will likely be necessary to assess the extent of the data breach. Given that, according to cybersecurity experts, data breaches are a matter of when, not if, companies and their counsel should have both a preventive plan and a contingency plan for data breaches, especially ones involving former employees.
Edward T. Kang is the managing member of Kang Haggerty & Fetbroyt. He devotes the majority of his practice to business litigation and other litigation involving business entities. Contact him at firstname.lastname@example.org.
Reprinted with permission from the November 27, 2019 edition of “The Legal Intelligencer” © 2019 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or email@example.com.