Privacy: The New Battleground for In-House Counsel


On September 6, 2012, the Association of Corporate Counsel hosted a webcast entitled "Privacy: The New Battleground for In-house Counsel," which discussed the impact of data privacy laws and governmental standards on businesses as well as the basics of achieving privacy compliance. The speakers were: J. Trevor Hughes, President and CEO of the International Association of Privacy Professionals (IAPP); Michael McCullough, Vice President of Enterprise Information Management & Privacy at Macy's; and Marty Provin, Executive Vice President of Jordan Lawrence (a privacy and records management service company). The following is a brief recap of the seminar, based on our observations.

Marty Provin explained that privacy has become a major concern for businesses throughout the country. The vast majority of states have enacted data breach notification laws and other data privacy laws, the U.S. Securities and Exchange Commission's recent cybersecurity guidance requires publicly traded companies to report data breaches, and cyber insurance is the fastest growing insurance product. Further, there has been increased litigation arising from data security breaches.

J. Trevor Hughes explained that there are over 300 state and federal data privacy laws in the U.S., many of which are strongly enforced by regulators as well as the plaintiffs' bar. Thus, attorneys practicing in this area must understand a vast body of knowledge. U.S. government agencies have become very active in the data privacy arena; for example, earlier this year, the Federal Trade Commission's privacy framework and the White House's privacy framework and Consumer Privacy Bill of Rights were introduced. In Europe and other countries, privacy is viewed as a fundamental right. The European Union Data Protection Directive (Directive 95/46/EC), promulgated in 1995, imposes heavy compliance burdens on companies doing business in Europe.

There are risks associated with handling any personal information of individuals, including the risk that a data breach could result in regulatory enforcement actions, litigation from the plaintiffs' bar, and reputational damage. To manage these risks, every business should understand the steps required under applicable data privacy laws.

Michael McCullough emphasized that the privacy environment is increasingly complex, uncertain, and volatile. Particular areas of concern for companies include ensuring vendors with whom they do business have adequate data security measures, and ensuring consistency among internal policies relating to data privacy and security. Other challenges include investing resources and time to defend against increasingly sophisticated hackers, and training employees on data privacy law compliance. Every organization takes a different approach to developing a data privacy framework, which will depend not only on legal compliance obligations, but also on the purpose of the organization and its mission statement.

Marty Provin concluded the webcast with practical data management suggestions. He noted that the majority of data breaches result not from hacking but from internal employee issues, such as lost laptops and flash drives. Identifying the personal information the business handles and stores is an important initial step in compliance and risk mitigation. Further, it is important for businesses to understand that retaining data for longer than necessary creates a risk. Thus, businesses should determine how long the data must be retained and properly destroy it after that point.

For more information on the state or federal data privacy laws impacting your business, please contact David Governo or Corey Dennis.