I support innovators by providing them with a comprehensive approach to data privacy and cybersecurity to both protect them and free them to function at full capacity. This includes providing clients with: i) a clear understanding of the data privacy laws and regulations applicable to their businesses; ii) guidance in conducting an operational risk analysis and recommendations on subsequent implementation of administrative, physical, and technical safeguards to best protect trade secrets and regulated personal information (e.g., PII, PHI, financial information, etc.) and iii) a comprehensive Incident Response Plan to respond to potential data security incidents quickly, efficiently, and effectively to contain threats and mitigate loss.
Currently, the United States does not have a unified set of data privacy laws, such as GDPR in the EU. Each state continues to develop its own legislation regulating the safeguarding, collection, transmission, and use of protected information. See California’s 2020 Consumer Privacy Act amendment (regarded as one of the most robust and stringent pieces of state data privacy legislation); New York’s recent enactment of the SHIELD Act (mandating safeguards of personal information for employers with New York employees); and Illinois’ Biometric Information Privacy Act (mandating civil penalties of $1,000 or $5,000 for each instance of misuse of biometric information).
Clients must also be informed of their regulatory obligations regarding data privacy and cybersecurity. For example, the Department of Health and Human Services has been vocal in establishing guidance for health care providers regarding compliance under HIPAA’s Breach Notification Rule. Likewise, the SEC continues to pursue enforcement actions against SCI entities for failure to maintain appropriate cybersecurity safeguards. Several other federal and state regulators continue to pursue similar enforcement actions.
Innovators must be able to navigate this web of laws and regulations while remaining focused on their mission. Therefore, it is essential to understand how information and data can lawfully be used to innovate.
It is also necessary to implement safeguards to protect the “secret recipe” that gives your business a competitive advantage. It is worth noting that in cases regarding the theft of trade secrets, courts look to the protective measures taken before determining information to be a trade secret. To establish proper safeguards, you must begin by conducting a thorough risk analysis to identify the location, access, and flow of personal and sensitive information.
This will uncover vulnerabilities jeopardizing the secrecy of that information. Thereafter, businesses can implement appropriate administrative, technical, and physical safeguards. By taking such measures, businesses can demonstrate diligent efforts to protect the most sensitive information and data in their custody or control. Such evidence is valuable not only in trade secrets matters but also in regulatory compliance investigations and data breach litigation.
Effectively responding to a potential data security incident begins with implementing a robust Incident Response Plan (“IRP”). It is only a matter of time before you have to address your next potential data security incident, and a proper response is critical to the containment of risk and mitigation of loss.
Your IRP should include, but not be limited to: i) the individuals to be notified immediately following discovery of the potential incident (this should always include your counsel to maintain attorney-client privilege); ii) information regarding your cyber liability insurer; iii) the protocol to be followed by IT to identify and quarantine the risk (while preserving forensic data); iv) known investigation and notification deadlines (you may only have 72 hours); and v) a plan to handle client communications (vendors, call centers, public relations, etc.).
The information above is not meant to be exhaustive. But think about the issues identified herein and what steps you have taken to address your data privacy and cybersecurity legal obligations. Feel free to reach out with any questions or concerns, and together we can allow you to continue to “advance the ball” as innovators!
Joel Bruckman is a Freeborn & Peters LLP attorney whose practice concentrates on Data Privacy & Cyber Security, Commercial Litigation, and White Collar Criminal Defense & Investigation matters. As a former prosecutor and a former member of both the FBI Cyber Crimes Task Force and the Cook County Regional Organized Crime Task Force, Joel has experience investigating and prosecuting cyber offenses. Joel counsels innovators across industries, including emerging technology developers, manufacturers, education institutions, and more, on legal obligations regarding data privacy and cybersecurity.