Complying with the ever-increasing number of privacy laws is a daunting task. In addition to comprehensive state laws, like the California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act and the Colorado Privacy Act, there are a multitude of targeted laws at the federal and state level. Other laws to consider include the EU's General Data Protection Regulation (and corresponding laws in the United Kingdom, Switzerland and a host of other countries); industry-specific laws, like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act; privacy and security standards issued by governmental and industry authorities; and the ever-present risk of individual and class actions that follow a data breach. And the landscape is in constant flux.
At the same time, firms are under attack by increasingly sophisticated threat actors. Bad actors now have access to attack tools comparable to nation-state cyber-weapons, and are often sponsored, explicitly or implicitly, by host nations. The availability of malware on the dark web, often sold as a service (malware-as-a-service or ransomware-as-a-service), has increased the number of potential bad actors, as has the growth of the marketplace for stolen information. Phishing campaigns continue, and individuals continue to open emails they should not, visit websites that expose them to compromise, and publish personal information on social media, making them and their companies more vulnerable.
So what is a company to do? Whether the goal is to comply with privacy and security laws and avoid potential sanctions, or to create genuine data security, most companies are simply not prepared to face the task in full, especially when the demand for competent privacy and security experts far exceeds the supply.
What Can We Do?
There is, however, one thing that companies can do to reduce their compliance costs and lower the likelihood of a devastating breach: collect less information.
Businesses have become indiscriminate collectors of data, including personal, sensitive and proprietary information. The byword of the information age has been that information has value, and that the more information one collects, the greater the enterprise value. Companies collect information from clients, employees, website visitors and others that is often unrelated to the goals and needs of the enterprise. The fact that data storage is inexpensive makes it easy to justify the collection: if the data is not needed now, perhaps it can be used, or sold, in the future.
Costs of Data
Collecting and retaining data is not, however, costless; in fact, it can be very expensive.
- In order to comply with modern privacy laws, those of California, Colorado and Virginia and those to come, an enterprise has to account for all of the personal information it collects. The enterprise needs to identify the information, where it resides, how it is used, and who has access to it, covering not just internal use but vendors and partners as well. Simply keeping track can be a monumental task, and the less information collected, the lower the cost.
- The same laws also allow individuals to control their information. When a consumer asks what information was collected and how it was used, or asks that it be deleted, or exercises do-not-sell rights, a company has to consider all the information collected, advise internal users, evaluate the validity of the request and any exceptions to compliance, and monitor the compliance of its vendors. Again, the less information collected, the easier the task.
- Companies are required to notify consumers of the intended use of personal information. When the use changes, the company needs to notify the consumer and obtain consent. This is a particular challenge when there was no intended use at the time of collection, and the notice can create confusion and distrust among clients, employees and others whose information is collected.
- When companies collect and retain unnecessary information, they make themselves more vulnerable to attack: they become a more attractive target for bad actors and spread their protective resources across more data than they need to hold. If that information is discovered and exfiltrated by hackers, the company will need to undergo a process of notification (harming its reputation), deal with potential ransomware demands, and remediate compromised systems, all of which can cost millions.
Data minimization is not, of course, a cure-all, but like any great journey, data privacy and data security begin with a single step. Reducing the personal information a company collects and retains can be the beginning for a company that wants to create a culture of privacy and security and lean into the future.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM's Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies and creation of data security and privacy policies to responding to data breaches, regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.