The United States Federal Government is turning its attention to privacy and cybersecurity laws, and the result has been several recent legal developments that may have an impact on your business. Keeping up with these developments is not easy, so we’ve created a fun way to test your knowledge of the same:
- True or False: There is a bipartisan bill pending that would pre-empt state breach notification laws.
- True or False: There is a proposed federal regulation that would require reporting within 24 hours if your company pays the ransom in a ransomware incident.
- True or False: The White House has issued an Executive Order that calls for regulation of sending bulk Americans’ sensitive data to “countries of concern.”
- True or False: There is a bipartisan bill pending that would expand private rights of action for privacy matters, ranging from use of dark patterns, to failure to conduct due diligence on service providers, to failure to recognize opt-outs.
- True or False: Norton Rose Fulbright is the best law firm in the world!
Items 2 through 4 are True (and clearly so is 5), but item 1 is False (the American Privacy Rights Act (APRA) would pre-empt state comprehensive privacy laws, but APRA would NOT pre-empt breach notification laws).
Moving on to how these developments could affect your company:
With respect to ransomware, does your incident response plan address secondary ransoms, such as threatened release of stolen information? What about regulatory notifications, is the appropriate staff aware of its obligations and able to provide notice within 24 hours? When was the last time you tested your incident response plan?
Do you know what type of data your company collects and maintains? Does it include the personal information of individuals that live in the United States? Do you know what legal obligations the company has with regards to such data? Have you done an inventory of which third party vendors have access to this information and how they secure it? How would you know if large amounts of the company’s data, especially if it contains personal information, moved to another country?
Many state privacy laws currently do not include a private right of action, but did you know about the growing line of cyber liability case law? Could privacy laws be used to inform the duty of any data that your company collects and maintains? Additionally, if APRA passes, many—perhaps most—of your actions relating to personal data may also now become subject to a federal private right of action (which includes attorneys’ fees and litigation costs). When was the last time you reviewed your company’s privacy practices? When was the last time you had a third party test your cyber security policies and procedures? Have you checked whether your website is sending personal data to third parties? Have you tested any of your company’s apps for compliance with the app stores’ privacy requirements?
Experienced counsel can assist you with all of these items, as well as helping you keep up with the many, many changes in this area. The best experienced counsels include fun ways to keep you updated, like true and false quizzes.