Editor’s note: This is the latest in a 5-part series from law firm Parker Poe on data privacy law to bring some clarity to one of the fastest growing and most complex areas of technology law.

+++

This article is the culmination of our prior four articles and closes out our series. The first thing to say is you should not feel bad for not having instant recall of all of the pieces of the data privacy puzzle. For as complex as the legal landscape already is, only 10% of the states have enacted a data privacy law. But there is hope even there.

For example, there have been many times over the past 2-3 years when it seemed very likely that a couple of states would pass a new data privacy law that included a private cause of action for violations of the law. Sometimes a bill with this provision made it all the way through one body of a state legislature only to fail in the other body. Massachusetts has been headed this way for most of the past two years, but that effort seems to have stalled for now.

Still, 14 states now authorize private causes of action for data breaches resulting from the failure to provide reasonable data security. That should send a chill down any CEO’s spine. Our advice to clients is, if you suffer a data breach, you should expect to be sued. So, make this a priority now while you can still control the agenda.

Besides, given the growing complexity of these laws, we already know enough to act. That is because the best approach to all of these new risks is to create a sound data management program that fits your budget. We recommend that you:

  • Assemble a data privacy assessment team comprised of representatives from each office or department that handles personal information,
  • Conduct an assessment of the laws and regulations to which your business is subject based upon its geographical scope and operations,
  • Analyze what personal information is collected, where and how it is collected, from whom it is collected and where it travels in the enterprise, both internally and externally. Review both structured and unstructured data,
  • Establish data processes for the proper handling and treatment of data subject requests and user preferences,
  • Implement effective employee training, and
  • Meet the diverse documentation and recordkeeping requirements, including privacy notices, responses to data subject requests, data protection assessments and data storage and destruction policies.

This may sound like a lot of work, and it certainly requires a significant commitment, but a well-designed data management game plan can accomplish a lot between now and next year. Your goal is to commence a good-faith effort towards compliance rather than to create the perfect solution.

Realize that we won’t have regulations in place for most of these states (other than California) for at least another year. In California, the CPPA intended to have new regulations in place by July 2022. It has missed that date and is still conducting stakeholder consultations about the new regulations.

But when the CPPA does act, we can expect it to be aggressive and it has already made clear that a major focus will be automatic data processing and profiling, two areas that can have a substantial impact on your data operations.

The other key danger is California’s and other states’ private cause of action for a data breach resulting from the failure to implement reasonable data security. Class actions that were filed 8-9 years ago for large data breaches were often unsuccessful in proving actual damages from the breaches.

Many states in addition to California with its Consumer Protection Act (CCPA) have now incorporated statutory damages to eliminate those hurdles to litigation. In California, statutory damages of $100-$750 per incident can easily run to tens of millions of dollars for a single breach, so you don’t want to leave yourself open to those types of claims.

Also, since data security is part of data protection, it is worth noting that Verizon’s 2021 Data Breach Investigations Report (DBIR) cites phishing and use of stolen credentials as representing 25% of data breaches with ransomware doubling its rate to 10%. That is why cyber insurance premiums have skyrocketed by 300% in the past year and companies with poor data security practices cannot get it at all.

About the authors

Steve Britt, CIPP/E, CIPM, is a cyber, data privacy & technology attorney at law firm Parker Poe. He focuses his practice on cybersecurity and data privacy laws and regulations. Britt counsels his clients on the full range of data protection laws. He may be reached at stevebritt@parkerpoe.com.

Sarah Hutchins, CIPP/US, is a cyber, data privacy & technology attorney at law firm Parker Poe. She helps clients navigate business litigation, government investigations, and data privacy and cybersecurity. Hutchins may be reached at sarahhutchins@parkerpoe.com