Posted In: Cybersecurity & Data Privacy
By Craig S. Horbus on September 18, 2019
In several recent blog posts, Brouse McDowell has discussed GDPR and other laws, focusing on the increased need for businesses to up their game on cybersecurity and privacy. To recap, GDPR took effect in May 2018 and is the European Union’s (EU) data privacy law, applicable to anyone anywhere in the world who holds an EU citizen’s personally identifiable information (PII). These laws were created to give EU citizens the right to control who has their personal data and how it is used. Given the specific data processing and control requirements that GDPR compliance imposes, many U.S.-based companies find themselves living in two worlds — the GDPR world and the state law world. For companies that operate in several states, this can be very burdensome. Enter the Business Roundtable’s Data Privacy “Roadmap” proposal to Congress this week.
The “Roadmap” provides Congress with several key objectives for a federal consumer privacy law. The letter to House and Senate Majority Leaders was drafted and signed by prominent American company CEOs like Amazon’s Jeff Bezos, and those from Bank of America, Dell, EY, FedEx, General Motors, IBM, Stryker, and Walmart who are members of the Business Roundtable. Their call to Congress urges a comprehensive federal privacy law that protects consumers in a transparent and meaningful way because “[c]onsumers should not and cannot be expected to understand rules that may change depending on the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services.” [1]
The “Roadmap” [2] contains a framework for the law and its objectives. Some of the proposed characteristics include a “consistent, uniform framework to the collection, use, and sharing of personal data across industry sectors” with consideration for the size of a company and its resource availability. A clear definition of what constitutes personal data, along with enhanced security requirements for more sensitive data, is another prong of the proposal. Additionally, an important element of their recommendation is the requirement that a company conduct a risk analysis that balances its risks with its need to protect consumer data. Finally, the proposal urges that while the federal law should recognize individuals’ rights to data protection, consumers should not have a private right of action for “breaches.”
In many ways, this proposal has features similar to those of GDPR and is long overdue. With the proliferation of sophisticated and rampant data breaches and hacks, we have discussed in past blogs a company’s need to conduct security risk assessments and to develop and implement compliance policies. None of these recommendations should change or stop. Data privacy and security oversight should be an ongoing process for any company. Policies and workflows should be reviewed routinely (at least once per year), and technology solutions should be kept up to date with current laws, both domestic and international. This can be an overwhelming task, but managing it in small pieces will make this necessary compliance more manageable. A uniform standard, applied in an IT-platform-neutral manner, would be a welcome enhancement to our current regulatory state. Preventive data security compliance is a marathon, not a sprint.
Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Contact us for more information.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.