{"id":302,"date":"2019-12-20T08:47:23","date_gmt":"2019-12-20T13:47:23","guid":{"rendered":"https:\/\/pbacyber.com\/?p=302"},"modified":"2020-01-03T14:42:56","modified_gmt":"2020-01-03T19:42:56","slug":"looking-ahead-to-2020-in-the-us-preparing-for-changes-in-privacy-and-security","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2019\/12\/20\/looking-ahead-to-2020-in-the-us-preparing-for-changes-in-privacy-and-security\/","title":{"rendered":"Looking Ahead to 2020 in the US: Preparing for Changes in Privacy and Security"},"content":{"rendered":"<p>By\u00a0<a href=\"https:\/\/xpanlawgroup.com\/our-tean\/\">Jordan L. Fischer<\/a>\u00a0of XPAN Law Group LLC<\/p>\n<p>&nbsp;<\/p>\n<p>As we close out 2019, it is a good time to reflect on the numerous changes to the privacy and security legal landscape, while also preparing for what is to come in the new year. The short predictions:\u00a0 the craziness of 2019 is going to continue for some time. Patchwork data privacy and cybersecurity requirements, at both the domestic and international level, are not going away soon. 
It is important to dedicate time and resources to preparing for current obligations, which will hopefully position your organization well for the new wave of legal requirements that are coming down the pike.<\/p>\n<p>&nbsp;<\/p>\n<p><b>First, what did 2019 bring us?\u00a0<\/b><\/p>\n<p>Let\u2019s start with cybersecurity.\u00a0 On par with the theme of this entire decade, it feels like cybersecurity breaches are on the rise (or at least firmly here to stay!).\u00a0<a href=\"https:\/\/www.capitalone.com\/facts2019\/\">Capital One<\/a>\u00a0suffered a breach in July, impacting approximately 100 million individuals in the United States and approximately 6 million in Canada.\u00a0<a href=\"https:\/\/www.washingtonpost.com\/business\/economy\/quest-diagnostics-discloses-breach-of-patient-records\/2019\/06\/03\/aa37b556-860a-11e9-a870-b9c411dc4312_story.html\">Quest Diagnostics<\/a>\u00a0suffered a breach as well, exposing the financial data, social security numbers and medical data of approximately 11.9 million patients (thankfully, the exposure did\u00a0<b>not<\/b>\u00a0include laboratory test results). The Quest breach was a great reminder that you are only as strong as your weakest supplier\/vendor: it was Quest\u2019s vendor\u2019s vendor that was breached.<\/p>\n<p>&nbsp;<\/p>\n<p>In a scary (or scarier) turn of events,\u00a0<a href=\"https:\/\/www.wired.com\/story\/billion-records-exposed-online\/\">a single server containing 1.2 billion records<\/a>\u00a0was found exposed online. And, why is this scarier? The server appeared to contain four different data sets and it was unclear how the data got there and where it came from. 
While it does not appear that a company was \u201cbreached\u201d in a traditional sense, it does show that data vulnerabilities come in all different shapes and sizes.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.natlawreview.com\/article\/state-and-local-governments-continue-to-be-favorite-targets-cyberattacks\">Local and state governments<\/a>\u00a0had a tough year as well.\u00a0<a href=\"https:\/\/www.baltimoresun.com\/politics\/bs-md-ci-it-outage-20190507-story.html\">Baltimore city<\/a> suffered a ransomware attack, shutting down the city\u2019s technological resources and disrupting critical services across the entire area. The Baltimore city attack highlights a key issue going into 2020: repeat victimization of governments that do not necessarily have the resources to maintain a robust cybersecurity infrastructure. In <a href=\"https:\/\/www.cnbc.com\/2019\/08\/19\/alarm-in-texas-as-23-towns-hit-by-coordinated-ransomware-attack.html\">Texas<\/a>, at least 23 towns were impacted by a \u201ccoordinated ransomware attack.\u201d This was after the <a href=\"https:\/\/thehill.com\/homenews\/state-watch\/454928-louisiana-declares-state-emergency-after-cyber-attacks-on-school\">state of Louisiana<\/a> was forced to declare a state of emergency when cyberattacks shut down the school systems throughout the state. And, earlier this month, the <a href=\"https:\/\/www.floridatoday.com\/story\/news\/2019\/12\/09\/city-pensacola-currently-experiencing-cyber-attack-mayor-says\/2629993001\/\">city of Pensacola, Florida<\/a> suffered a cyberattack impacting the city\u2019s network, phones, email and even some buildings. All in all, government entities were viewed as very attractive targets, with fewer resources than private entities to prepare for and protect against various cyber threats.<\/p>\n<p>&nbsp;<\/p>\n<p>Next, there have also been significant changes to the data privacy landscape, creating a U.S. domestic regulatory flurry around privacy. 
In October, <a href=\"https:\/\/xpanlawgroup.com\/nevada-residents-gain-a-right-to-opt-out-of-sale-of-their-personal-information\/\">Nevada\u2019s Internet Privacy Law<\/a> went into effect, which regulates the security and privacy of personal information collected by operators of commercial websites and online services and provides Nevada consumers with the ability to opt-out of the sale of their personal information. There is an increasing focus by state legislatures to pass\u00a0<a href=\"https:\/\/xpanlawgroup.com\/a-biometric-data-regulation-coming-to-a-state-near-you\/\">biometric data laws<\/a>, beyond the well-known Illinois Biometric Information Privacy Act (which\u00a0<a href=\"https:\/\/www.theverge.com\/2019\/1\/26\/18197567\/six-flags-illinois-biometric-information-privacy-act-facial-recognition\">continues to survive attacks<\/a>\u00a0from across a variety of industries).<\/p>\n<p>&nbsp;<\/p>\n<p>The\u00a0<a href=\"https:\/\/www.ftc.gov\/news-events\/media-resources\/protecting-consumer-privacy\/privacy-security-enforcement\">Federal Trade Commission (FTC)<\/a>\u00a0expanded its enforcement in the security and privacy realm, entering into a\u00a0<a href=\"https:\/\/xpanlawgroup.com\/youtube-may-know-my-kids-better-than-i-do-the-ftc-hits-youtube-with-large-fine\/\">$170 million settlement with Google and YouTube<\/a>\u00a0for illegally collecting data from children without their parents\u2019 consent in direct violation of the Children\u2019s Online Privacy and Protection Act (COPPA). 
And, the FTC made headlines with its largest fine to date:\u00a0<a href=\"https:\/\/xpanlawgroup.com\/every-companys-lessons-from-the-ftcs-facebook-settlement\/\">$5 billion against Facebook<\/a>\u00a0for several privacy-related violations, including that Facebook allowed users to choose settings that purportedly limited access to their personal information just to their \u201cfriends\u201d without adequately disclosing that another setting allowed their information to be shared with developers of third-party applications used by the \u201cfriends.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>The FTC also actively enforced the EU-US Privacy Shield Framework, taking action against\u00a0<a href=\"https:\/\/www.ftc.gov\/news-events\/press-releases\/2019\/06\/ftc-takes-action-against-companies-falsely-claiming-compliance-eu\">companies falsely claiming to participate in the Framework<\/a>. The FTC\u2019s involvement was seen as a positive in the\u00a0<a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_19_6134\">EU\u2019s 3rd Annual Review<\/a> of the Framework, where the U.S. received a passing, but not stellar, grade. The Framework continues to garner attention, both in the U.S. 
and abroad, and faced a legal challenge in front of the CJEU in 2019, with a decision expected in 2020 (<a href=\"http:\/\/curia.europa.eu\/juris\/fiche.jsf;jsessionid=B5540C0C0C826A053026A6A3ABCD1A5F?id=C%3B311%3B18%3BRP%3B1%3BP%3B1%3BC2018%2F0311%2FP&amp;oqp=&amp;for=&amp;mat=or&amp;lgrec=en&amp;jge=&amp;td=%3BALL&amp;jur=C%2CT%2CF&amp;num=C-311&amp;dates=&amp;pcs=Oor&amp;lg=&amp;pro=&amp;nat=or&amp;cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&amp;language=en&amp;avg=&amp;cid=6290319\">C-311\/18, Facebook Ireland and Schrems<\/a>).<\/p>\n<p>&nbsp;<\/p>\n<p>The National Institute of Standards and Technology (NIST) introduced its first-ever\u00a0<a href=\"https:\/\/www.nist.gov\/system\/files\/documents\/2019\/09\/09\/nist_privacy_framework_preliminary_draft.pdf\">draft Privacy Framework<\/a>\u00a0in September. The goal of this Privacy Framework is to drive better privacy engineering and help organizations protect individuals\u2019 privacy by building customer trust, fulfilling current compliance obligations, and facilitating communication about privacy practices with all stakeholders. NIST has previously provided valuable guidance in the cybersecurity space, especially with its\u00a0<a href=\"https:\/\/www.nist.gov\/cyberframework\">Cybersecurity Framework<\/a> (a great starting point for businesses of all sizes that are just scratching the surface of cybersecurity and privacy management). NIST\u2019s proposed Privacy Framework signals two key things going forward: (1) Privacy, and proactive privacy management, is here to stay; and (2) the U.S. 
is starting to weigh in on the international (and heavily EU-dominated) privacy conversation.<\/p>\n<p>&nbsp;<\/p>\n<p>Finally, the <a href=\"https:\/\/news.bloomberglaw.com\/privacy-and-data-security\/insight-data-breach-litigation-trends-to-watch\">courts continue to grapple<\/a>\u00a0with the challenge of cybersecurity and data privacy lawsuits.\u00a0 When should companies be held accountable for cybersecurity breaches? What constitutes a breach of privacy? Is the taking of data alone enough, or do we need something more? These are the questions that courts across the country are facing.\u00a0 Successful litigants are finding standing in statutory violations (mostly in the biometric data space): the\u00a0<a href=\"http:\/\/www.smsm.com\/blogs-litigationblog,patel-vs-facebook-illinois-bipa\">Ninth Circuit<\/a>\u00a0certified a class action lawsuit against Facebook under the Illinois Biometric Information Privacy Act. As more regulatory causes of action go into effect, this area of litigation will be tested further, and will likely make its way up to the Supreme Court (sooner or later).<\/p>\n<p>&nbsp;<\/p>\n<p>So, to put it lightly, 2019 was an interesting year. The patchwork approach to data privacy and cybersecurity with an assortment of laws across the U.S. is keeping companies on their proverbial toes.\u00a0 Each new regulation or law requires a company to have a deep understanding of how the data they collect can impact their compliance obligations and potential liabilities in all jurisdictions in which they do business. On the flip side, consumers are gaining ground on the issue of transparency. Most states are moving in the direction of giving consumers the ability to track the data that is collected about them, and, in some instances, more control over that data going forward.<\/p>\n<p>&nbsp;<\/p>\n<p><b>So what can we expect in 2020?<\/b><\/p>\n<p>Likely (and somewhat sadly), a lot more of the same. 
Technology is moving at a rapid rate, and it feels like we are all just hanging on to see what happens next. But, there is hope.<\/p>\n<p>&nbsp;<\/p>\n<p>Proactive requirements for companies that collect, process and maintain personal information are on the rise. California hits the ground running on Jan. 1, 2020, with the California Consumer Privacy Act (CCPA). The CCPA brought to the U.S. what is becoming a standard approach to privacy abroad: personal information requires proactive protective measures, and comes with liability for the company collecting, processing and maintaining that data. And while California continues to make headlines (especially with a <a href=\"https:\/\/fpf.org\/2019\/09\/26\/ccpa-2-0-a-new-california-ballot-initiative-is-introduced\/\">proposed 2020 ballot initiative<\/a>\u00a0that would alter the current iteration of the CCPA), it is not the only state weighing in on how to protect individuals in the digital age.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/xpanlawgroup.com\/the-nyshield-act-it-has-arrived\/\">New York passed the SHIELD Act<\/a> in 2019, and it goes into effect in March 2020. This regulation aligns with the trend towards general data protection regulations, requiring companies to take certain privacy and security measures proactively (instead of retroactively <i>after<\/i>\u00a0a breach has occurred).\u00a0 Further, many states that took an unsuccessful pass at privacy legislation in 2019 are likely to go in for a second round in 2020.\u00a0\u00a0<a href=\"https:\/\/www.legis.state.pa.us\/CFDOCS\/billInfo\/billInfo.cfm?syear=2019&amp;sInd=0&amp;body=H&amp;type=B&amp;bn=1049\">Pennsylvania House Bill 1049<\/a>\u00a0proposes CCPA-like protections in the Commonwealth of Pennsylvania, and is pending in the legislature. 
Although Washington State\u2019s first attempt at a privacy bill failed, there are already\u00a0<a href=\"https:\/\/www.geekwire.com\/2019\/sneak-peek-washington-state-lawmakers-plan-regulate-data-privacy-facial-recognition\/\">conversations to push again in 2020<\/a>, both on general data privacy and facial recognition protections.<\/p>\n<p>&nbsp;<\/p>\n<p>Heading out of 2019, and into 2020, the federal government also is weighing in on proactive privacy requirements. On Nov. 26, 2019, Senator Maria Cantwell (D-WA) along with other Democratic senators introduced the <a href=\"https:\/\/arstechnica.com\/tech-policy\/2019\/11\/senate-takes-another-stab-at-privacy-law-with-proposed-copra-bill\/\">Consumer Online Privacy Rights Act (COPRA)<\/a> to establish digital requirements for companies and to ensure certain consumer rights to their personal data. We anticipate that debates around a federal privacy law, and exactly whose interests will be accounted for, will dominate in 2020.<\/p>\n<p>&nbsp;<\/p>\n<p>Cybersecurity threats and exposures are only going to grow. As more and more companies rely on both technology and third-party providers to supply critical services, the risks of data exposure and system infiltrations only increase. So the moral of the story is: understand what regulations apply to your business and begin the process of working toward compliance.\u00a0 The enemy of companies (and the hero for hackers) is doing nothing. Because in 2020, more so than ever before, luck favors the prepared!<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p><a href=\"https:\/\/xpanlawgroup.com\/our-team\/\">Jordan L. Fischer<\/a>\u00a0is co-founder and managing partner of\u00a0<a href=\"https:\/\/xpanlawgroup.com\/\">XPAN Law Group LLC<\/a>, a women-owned boutique international cybersecurity and data privacy law firm, and she serves as an editor of this blog.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By\u00a0Jordan L. 
Fischer\u00a0of XPAN Law Group LLC &nbsp; As we close out 2019, it is a good time to reflect on the numerous changes to the privacy and security legal landscape, while also preparing for what is to come in the new year. The short predictions:\u00a0 the craziness of 2019 is going to continue for <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2019\/12\/20\/looking-ahead-to-2020-in-the-us-preparing-for-changes-in-privacy-and-security\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,4],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/302"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=302"}],"version-history":[{"count":2,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/302\/revisions"}],"predecessor-version":[{"id":305,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/302\/revisions\/305"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}