This article was originally published in the Union Leader and can be found here.
NH Legal Perspective: Data Privacy, Security Laws Closing in from all Directions
By: Doug Verge
March 7, 2020
Until recently, many businesses took a lax view of privacy and security controls. Some businesses did not see the need for a privacy policy. And even where privacy and security laws were applicable, businesses were willing to run the risk of noncompliance.
However, every year more and more data privacy and security laws are being enacted, some carrying stiff penalties for noncompliance. Although our neighbor, Canada, has a central privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), the United States does not have a general data privacy and security law. There are, however, many specific laws such as the Health Insurance Portability and Accountability Act (HIPAA, covering the privacy of protected health information), the Family Educational Rights and Privacy Act (FERPA, covering the privacy of certain student education records) and the Gramm-Leach-Bliley Act (requiring financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data).
All states have now enacted some form of data breach notification law. However, California was the first state to enact a comprehensive and wide-reaching personal information data privacy and security law (California Consumer Privacy Act of 2018 or CCPA). Other states are following suit. In fact, New Hampshire has a similar comprehensive law, HB 1680, currently pending in the Legislature. Massachusetts also has comprehensive privacy legislation pending (S. No. 120).
If these laws are enacted, they grant various rights to individuals (such as the right to have their personal information deleted) and will impose substantial obligations upon businesses collecting personal information of New Hampshire and Massachusetts residents.
The European Union first drew the attention of businesses with its far-reaching General Data Protection Regulation (GDPR), protecting the personal information of individuals located in (but not necessarily residents of) the European Union. That law subsequently was extended to the European Economic Area. The GDPR instilled fear into the hearts of businesses with its upper-end penalties reaching the greater of 20 million euros ($22,356,500 U.S.) or 4% of a company’s annual revenues.
The GDPR, like the California law and the pending New Hampshire and Massachusetts legislation, calls for a number of notices to be given to individuals whose personal information is collected and processed by businesses, and also gives individuals the right to make certain requests of businesses with regard to their personal information (including in some instances the right to have their personal information deleted). While the GDPR penalties are the most severe, all of these laws impose penalties for noncompliance, and in some cases allow for private rights of action by individuals.
One of the key activities that the new data privacy laws are focused on is buying and selling personal information of individuals for business purposes. While the laws noted above address this issue within the context of the consumer protection aspect, some states are beginning to address it from a regulatory perspective akin to securities broker regulation.
For example, Vermont recently enacted a data broker registration law, applicable to persons selling the personal information of Vermont residents. California also has passed a data broker registration law. Interestingly, “sale” under these laws has a much broader meaning than the traditional view of exchanging ownership of personal information for money, and includes licensing personal information and other exchanges of personal information for consideration.
In order to comply with the various data privacy and security laws, companies must put in place appropriate administrative/organizational, physical, and technical measures, and provide training as to the same. Administrative/organizational measures include appropriate policies, programs and procedures (e.g., privacy policy, disaster recovery plan). Physical measures include securing the physical facility and assets from unauthorized intrusion or access. Technical measures include having appropriate information technology protections in place such as firewalls, antivirus software, and the like.
Under Massachusetts law, every person who owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive written information security program (WISP) addressing administrative, technical, and physical safeguards to protect personal information. In many respects the WISP merely codifies best practices that a company should already be implementing.
Of course businesses must be aware of the various privacy laws in order to comply with them. A review of what laws apply is necessarily tied to where companies do business and from where they collect/process personal information. Companies need to undertake data mapping, that is, charting what personal data they collect, why they collect it, who they collect it from, what they do with that data (including who they share it with), and how long they retain the data.
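As an added illustration (not part of the original article), the following Python sketch shows what a data map of the kind just described can look like once it is written down as records rather than as a narrative, and two checks a privacy review would run over it: which categories lack a stated purpose or retention period, which categories still hold records older than their retention period, and which third parties receive what. The inventory entries, dates and vendor names are constructed for the example; the field names are assumptions, not any statute's terminology.

```python
"""Added example: a minimal personal-data inventory (the 'data map' the
article describes) with the checks a privacy review runs over it.
All entries, dates and vendor names below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class DataMapEntry:
    """One row of the data map: what is collected, why, from whom,
    who it is shared with, and how long it is kept."""
    category: str                 # e.g. "customer email address"
    purpose: str                  # why it is collected; "" = undocumented
    source: str                   # whom it is collected from
    shared_with: List[str]        # third parties receiving it ([] = not shared)
    retention_days: Optional[int]  # None = no retention period defined
    oldest_record: date           # date of the oldest record still held


# Constructed sample inventory for a hypothetical retailer.
SAMPLE_DATA_MAP = [
    DataMapEntry("customer email address", "order confirmations", "customers",
                 ["email delivery vendor"], 730, date(2019, 1, 15)),
    DataMapEntry("payment card last four digits", "fraud review", "customers",
                 [], 365, date(2018, 6, 1)),
    DataMapEntry("web analytics identifiers", "", "site visitors",
                 ["analytics provider"], None, date(2017, 3, 9)),
    DataMapEntry("employee home address", "payroll", "employees",
                 ["payroll processor"], 2555, date(2016, 2, 2)),
]


def undocumented_entries(data_map):
    """Categories with no stated purpose or no defined retention period.
    A notice to individuals cannot be written for these, so they need
    attention before anything else."""
    return sorted(e.category for e in data_map
                  if not e.purpose or e.retention_days is None)


def overdue_entries(data_map, today):
    """Categories whose oldest held record is older than the retention
    period. Entries with no retention period are reported by
    undocumented_entries() and are skipped here."""
    result = []
    for e in data_map:
        if e.retention_days is None:
            continue
        cutoff = today - timedelta(days=e.retention_days)
        if e.oldest_record < cutoff:
            result.append(e.category)
    return sorted(result)


def sharing_report(data_map):
    """Map each third party to the categories it receives: the view
    needed to answer a 'who do you share my data with' request."""
    report = {}
    for e in data_map:
        for party in e.shared_with:
            report.setdefault(party, []).append(e.category)
    return {party: sorted(cats) for party, cats in sorted(report.items())}


if __name__ == "__main__":
    review_date = date(2020, 3, 7)
    print("undocumented:", undocumented_entries(SAMPLE_DATA_MAP))
    print("overdue:", overdue_entries(SAMPLE_DATA_MAP, review_date))
    print("sharing:", sharing_report(SAMPLE_DATA_MAP))
```

Run as a script, the three checks flag the analytics identifiers (no purpose, no retention period), the card data (records older than its one-year retention period as of the constructed review date), and list each vendor with the categories it receives. The point of keeping the map as structured records is that these questions, which the notices and individual-rights requests in the article all depend on, become mechanical rather than a matter of asking around.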
Additionally, businesses, particularly those that deal with sensitive personal information, should have data impact assessments undertaken to determine the vulnerabilities and risks that arise from unauthorized access to and/or use of the personal information. As the old saying goes, a chain is only as strong as its weakest link. A data impact assessment will go a long way towards identifying the weak links, and enable you to put in place a plan for addressing them.
The various data privacy laws deal not just with providing individuals with notices and responding to their rights; they also deal with the security measures that need to be put in place. Most IT security specialists will tell you that it is not a matter of whether you will be hacked, but when. And when that unfortunate circumstance occurs, businesses can avoid a lot of headaches and some potentially severe business interruptions, penalties and financial losses if they have put all the proper procedures in place.
Ignoring these data privacy and security laws is not an option. Companies should be budgeting for data privacy and security compliance and protection. Knowledge is not just power — in this circumstance knowledge is critical to averting disaster.