Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too


Data privacy is a top concern for many in-house legal professionals, and for good reason: data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.

On Data Privacy Day 2021, here is what is top of mind for some of McGuireWoods’ Data Privacy & Security Team members:

  • Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!). But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
  • Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time. It’s certainly not too early to get started.”
  • Janet Peyton – Ransomware: “2020 saw an uptick in, and increased sophistication of, ransomware attacks; the frequency and ambition of such attacks is unlikely to let up in 2021, as evidenced by the SolarWinds breach, in which hackers infiltrated a government vendor’s software update and ultimately gained access to multiple federal agencies. Companies should continue to be mindful of their own security policies and procedures as well as those of their vendors. Guidance regarding paying ransom in response to such attacks continues to evolve with FinCEN and OFAC opining on the dangers, and possible illegality, of paying ransoms for the release of data.”
  • Anne Peterson – Expanding remote workforce: “As the pandemic continues and remote workforces continue to grow, legal challenges presented by remote employees show no sign of stopping. We expect a trend toward increased regulator oversight of remote employee privacy and security as well as a significant increase in compliance obligations. Additionally, while there is always a threat of hackers and malicious actors, simple negligence by employees just trying to get through their day poses significant security exposure for employers.”
  • Justin Yedor – California Again: “While the CPRA is (and should be) getting a lot of attention right now, don’t forget about the CCPA, which still applies for the next two years. If you haven’t updated your privacy policies or looked back at your vendor contracts since CCPA came into effect, now is the time – the law continued to evolve as the Attorney General published regulations well into the Fall of 2020, but it seems like the regulations might finally be complete. Plus, a solid baseline of CCPA compliance will have you in good shape when CPRA comes into effect.”
  • Ashley Matthews – Vendor Management: “The recent surge in high profile vendor data breaches – most recently the widespread SolarWinds hack – has put vendor cybersecurity and data protection issues center stage. Gone are the days of conducting cursory interviews of prospective vendors and signing their forms as-is. In our new reality, (i) the cybersecurity infrastructure of vendors with access to sensitive data should be thoroughly diligenced (using a comprehensive Vendor Security Questionnaire), (ii) strong contractual protections should be put in place, including those relating to protecting systems and data, indemnification and limitations on liability, and (iii) monitoring should be conducted to ensure the vendor is complying with its contractual obligations on an ongoing basis. And companies should ensure they know every piece of data that is managed or accessed by their vendors, and have controls in place for when there are changes to the covered data.”
  • Tom Spahn – Privilege/Work Product Issues with Data Breach Reports: “Erroneously emphasizing form over substance, some companies think they can assure valuable attorney-client privilege or work product protection simply by involving a lawyer. It is common in the data breach context to have the company’s law firm retain the outside forensic expert, but several incidents this year have shown that that procedure alone will not guarantee such protection. To deserve privilege protection, each communication must be primarily motivated by the client’s need for legal advice. To deserve work product protection, each document must be primarily motivated by anticipated litigation, and would not exist in the same form but for that anticipated litigation. A large law firm itself (Clark Hill) recently was unsuccessful in seeking protection for a forensic investigation conducted after a data breach exposed its client’s private information. That a prestigious law firm’s careful steps failed to assure either attorney-client privilege or work product protection should serve as a wake-up call for all companies.”
