October 16, 2019
The Security Implications of New and Emerging Privacy Laws
Kaylee Cox Bankston, Counsel, Manatt, Phelps & Phillips LLP
Liz Heier, Director, Global Data Privacy, Garmin International, Inc.
Drew Bagley, VP & Counsel, Privacy & Cyber Policy, CrowdStrike, Inc.
The Security Implications of New and Emerging Privacy Laws
• Purpose of Session: This panel will focus on the potential security implications of the new and evolving privacy regulatory frameworks in the U.S. and abroad, including the California Consumer Privacy Act (CCPA). Panelists will discuss the potential impact of new privacy requirements on data security investigations, business operations, security controls, liability exposure, and more.
Introduction & Landscape
• Historical U.S. State and Federal legislative activity
  • Data Security
  • Data Privacy
  • Breach Notification
• EU General Data Protection Regulation (GDPR) and its global impact
• Trending: California Consumer Privacy Act (CCPA) (and more states to come)
• Emerging standards and common themes
  • Extraterritorial Reach
  • Transparency and Notice
  • Third-Party Oversight
  • Expanded Definition of Personal Information
  • Data Subject Rights
  • Governance and Risk Assessments
  • Data Security and Breach Notification
  • Liability
• Threat landscape
  • Nation-state threat actors show no signs of diminishing
Transparency and Security
• Definitions of personal information keep expanding
• Data Subject Rights
  • Access, Deletion, Portability, etc.
• Fiduciary Duties
  • Proposed laws like the New York Privacy Act would impose fiduciary duties on any legal entity that collects, sells, or licenses personal data, and define those duties broadly
• Data Processing and Security Disclosures
  • Privacy Notices
  • SEC Disclosures
• Potential Dichotomy: Transparency and Compliance vs. Security and Risk Exposure
Cross-Border Impacts
• Certain data privacy frameworks prohibit transfers of personal data unless a lawful transfer mechanism is in place (e.g., Standard Contractual Clauses (SCCs), the Privacy Shield Frameworks, Binding Corporate Rules (BCRs))
• Supervisory authorities may request copies of the documentation associated with these transfer mechanisms for review
• Additionally, as data subject rights become more widely available, some data privacy and security frameworks may allow data subjects to influence how companies use their personal data
• Impact on security operations and information sharing
Impact on Product Offerings
• Emerging privacy and data security frameworks generally attempt to be “technology-agnostic”
• Government entities or industry groups may promulgate non-binding guidance to assist companies in developing and implementing best practices
  • For example, for medical devices, the FDA has many resources to help companies adopt best practices for pushing regular security patches to consumers in the world of IoT
• The practical effect may nonetheless shape the technological solutions companies choose
• Supply chain and operational security also play a role
Reasonable Security
• Reasonableness in data security is fluid given the rapid pace of change in information technology and cyber threats
• What is “reasonable” is context-specific and gives companies options based on their size, complexity, and the nature of their activities and of the data they collect and use
• Flexibility can also result in subjectivity
  • Impact on litigation risks
• Changes in the threat landscape may also affect how reasonableness is defined
• Some states (e.g., Ohio) point to certain recognized security frameworks (e.g., ISO and NIST) as examples of reasonable data security; Ohio’s Data Protection Act, for instance, offers an affirmative defense to data-breach tort claims for businesses whose security program reasonably conforms to a listed framework such as the NIST Cybersecurity Framework or the ISO/IEC 27000 series
Incident Response and Liability Exposure
• Increasingly, privacy and data security laws grant a private right of action in the event of a data breach
  • Some legislative proposals would expand this to other privacy violations
• Plaintiffs’ lawyers are expected to continue to challenge companies and directors in data breach litigation (e.g., asserting breaches of fiduciary duty and corporate negligence)
• GDPR enforcement is ramping up, with two significant fines announced by the UK ICO this summer (July 2019; both were notices of intent to fine, not yet final):
  • British Airways – €204,600,000 ($222,917,838)
  • Marriott – €110,390,200 ($120,273,435)
• Approximately 22 enforcement actions with varying fines have been announced by various supervisory authorities in the last 4 months alone
• At the Congressional level, there are attempts to place liability at the executive level along with board oversight requirements
Governance
• Challenges exist in addressing privacy and data security as a top-line risk and in ensuring that directors and executives fulfill their applicable fiduciary duties under U.S. and international law
• Continuing uncertainty in boardrooms and executive suites as to what this risk means for individual directors and executives
  • Allocation of duties
  • Resource management and investment
• “Cybersecurity is a team sport”
Takeaways
• Emerging trends in privacy and data security frameworks
• Legislative considerations
• Role of security versus privacy
• Top tips for companies in a constantly evolving and potentially conflicting legal environment?
Q&A
Questions?
Questions + Contact
Kaylee Cox Bankston, Counsel, Manatt, Phelps & Phillips, LLP, kbankston@manatt.com
Liz Heier, Director, Global Data Privacy, Garmin International, Inc., liz.heier@garmin.com
Drew Bagley, VP & Counsel, Privacy and Cyber Policy, CrowdStrike, Inc., drew.bagley@crowdstrike.com