Privacy and Security Law for Business Lawyers

12 Min Read By: Kirk J. Nahra

In Brief

  • U.S. privacy law falls into four general categories: sector-specific law, practice-specific laws, data-specific laws, and state “comprehensive” laws. U.S. privacy law applies multiple overlapping and perhaps inconsistent laws based on who is doing what with what data.
  • There are multiple data security laws at both the state and federal level and data breach notification laws in every state. Also, key regulators take action on data privacy and security issues often independent of specific laws related to privacy.
  • Material issues implicate legal practice areas outside of a privacy specialization, so lawyers in the following practice areas need to be cognizant of privacy issues: mergers and acquisitions (“M&A”), litigation, employment, international trade, artificial intelligence (“AI”), antitrust/competition law, and cybersecurity.
  • Key areas for consideration include security policies and incident response preparation, data minimization / data maximization tensions, M&A integration, business expansion issues, and AI overlay issues. It is important for all lawyers to master the data privacy patchwork.

Not every lawyer gets the chance to be a privacy and security lawyer. Oddly, not every lawyer may even want to. Yet every lawyer—and every business—should be able to identify how privacy and security law risks, opportunities, and obligations impact their clients or their business activities.

Privacy and security law is a relatively new concept in the United States. It did not exist when I was in law school (prehistoric times). Virtually all of the relevant law for commercial enterprises is less than twenty-five years old, with much of it arising in the past several years (with ongoing changes every year). From humble and narrow beginnings, this body of law now impacts essentially any business of any size in any industry anywhere in the country (and really the world). My goal is not to turn every lawyer into a privacy lawyer (I don’t need the competition); instead, my goal is to teach general business lawyers why they should be familiar with basic privacy and security law issues and how to identify when and where these issues arise.

The General U.S. Privacy Framework

U.S. privacy law—unlike the laws of virtually every other country in the world that has privacy laws—falls into various categories, with many detailed laws to address specific situations and activities. (By contrast, other countries tend to have one generally applicable law.) These U.S. laws fall into four general categories:

  • Sector-specific law. U.S. privacy law is often described as “sectoral.” What this means is that there are key federal laws regulating privacy in certain sectors, in theory designed for specific issues related to those sectors. These include the Health Insurance Portability and Accountability Act (“HIPAA”) for the health-care industry, the Gramm-Leach-Bliley Act (“GLBA”) for financial services, and the Family Educational Rights and Privacy Act (“FERPA”) for education.
  • Practice-specific laws. We have a variety of federal laws (often with state counterparts) that relate to specific business practices, primarily those that relate to marketing, including the CAN-SPAM Act (email marketing) and the Telephone Consumer Protection Act (“TCPA”) for telemarketing and texting.
  • Data-specific laws. We also have a variety of state and federal laws regulating certain categories of data. This can include both federal laws and rules (e.g., the 42 C.F.R. part 2 rules for substance abuse treatment information, the Children’s Online Privacy Protection Act (“COPPA”) rules for children’s data, and the Genetic Information Nondiscrimination Act (“GINA”)), as well as a broad and growing range of state laws such as the Illinois Biometric Information Privacy Act (“BIPA”) and the Washington My Health My Data Act for consumer health information.
  • State “comprehensive” laws. Although there is no generally applicable federal privacy law, since California passed the California Consumer Privacy Act, we now have twenty state laws that are said to “comprehensively” regulate privacy law in those states for residents of those states. While these laws generally are less comprehensive than the General Data Protection Regulation (“GDPR”) in Europe, as they exempt smaller companies, generally exempt nonprofits, and generally exempt entities that are subject to other laws, these state laws provide an important gap-filling baseline for a wide variety of previously unregulated businesses.

Accordingly, while U.S. privacy law may not be obviously comprehensive in the way that European law is under the GDPR, our existing (and expanding) legal structure applies multiple overlapping and perhaps inconsistent laws based on who is doing what with what data. This regulatory complexity creates part of the challenge of developing appropriate compliance that addresses a typical business’s full set of privacy risks.

Beyond these privacy laws, we also see two other important categories of relevant and related laws. First, there are multiple laws at both the state and federal level related to data security. These can include sector-specific data security laws, such as with HIPAA or GLBA, or state-specific laws, such as the Massachusetts data security law. These laws create general standards, often couched as “reasonable and appropriate” safeguards; but these provisions can lead to meaningful enforcement, and security breaches are the primary driver of class action litigation and regulatory enforcement in this space. Second, there also are laws related to data breach notification in every state, as well as additional data breach notice laws in other contexts. These laws require notification to consumers and often regulators and/or the media in the event of data breaches involving specific kinds of personal information.

On top of this vast array of laws, we also see additional “law” based on enforcement activities from key regulators that take action on data privacy and security issues often independent of specific laws related to privacy. For example, the Federal Trade Commission (“FTC”)—under section 5 of the Federal Trade Commission Act—regulates “unfair or deceptive acts or practices,” which it regularly views as including issues related to data security incidents, potential improper collection, and use or disclosure of personal information. State attorneys general also engage in similar enforcement of privacy and security principles based on their own consumer protection authority.

Business and Legal Areas Implicated

This complicated set of laws (which is being supplemented on a regular basis, particularly at the state level) encompasses a broad range of businesses across every industry. In addition, these requirements are creating material issues across a wide range of legal practice areas outside of a privacy specialization. For example, lawyers in the following practice areas need to be cognizant of privacy issues in their space:

  • Mergers and acquisitions (“M&A”). Virtually every corporate transaction triggers the need for a privacy and security review. Every acquired company has a computer system and employees. Almost all have business contact information. More and more companies collect, use, and disclose a much broader range of consumer information in various contexts than in the past. All of these issues need to be examined in transaction diligence and incorporated into integration plans post-acquisition.
  • Litigation. Litigators need to be aware of privacy and security issues for two separate reasons. First, there is a growing range of class action litigation about privacy law. This most frequently includes either class action litigation following a data breach or class action litigation based on other kinds of practices that the plaintiffs’ bar views as problematic (such as the use of tracking technologies on websites). Beyond these privacy-specific litigation matters, litigators also need to understand the impact of privacy law on other kinds of litigation. If you are bringing a medical malpractice case, you need to understand the privacy rules for obtaining information from health-care professionals. If you are conducting discovery (or are subject to discovery) involving your employees’ activities or a review of their communications, you need to understand how privacy law impacts this information-gathering activity. Even where the case is not “about” privacy law, privacy law still shapes a wide range of litigation issues.
  • Employment. Employment law increasingly is about data. Artificial intelligence (“AI”) and data analytics are driving the hiring process. Employee monitoring is growing particularly as the workforce is more remote and more mobile. These issues raise fundamental privacy issues, where formal U.S. law is sparse but growing (with lots of risks from faulty or misused data) and international law is fully developed.
  • International trade. Privacy also is impacting international trade and overall international business activities. European privacy law, for example, prohibits the transfer of personal data from Europe to countries that do not have “adequate safeguards” for this data—which often includes the United States. Several efforts to “fix” this inadequacy have been stopped by the European courts—leading to high-level diplomatic negotiations to restart the ability of companies to move data to the U.S. Recent developments in U.S. law have started to impose meaningful restrictions on data flows to certain countries. The overall complexity of international privacy law impacts global compliance and raises costs and the difficulty of operating internationally.
  • AI. AI law is largely being modeled on the development of privacy law. As with privacy law, the European Union is moving to a single overall regulatory model. As with privacy law, the U.S. seems to be moving in fits and starts and regulating specific practices, largely at the state level to date. The regulators will be primarily the same as with privacy law (mainly the FTC and state attorneys general in the U.S.).
  • Antitrust/competition law. Increasingly, business success is driven by data. More data typically is better, particularly in connection with the development of AI. This race to grow data volumes now turns privacy and collection of personal data into a competition issue on top of being a privacy issue.
  • Cybersecurity. Data security also is a broad area of concern for any business, independent of specific legal requirements. These risks can be incidents involving personal information (where consumer protection and regulatory requirements are more extensive) or “cybersecurity” incidents, which can relate to national security concerns, commercial interests, and/or overall systemic interconnections. A company that is shut down because of a ransomware attack freezing corporate information systems may not necessarily have personal data issues—but it makes running a business quite challenging when the company is not able to run its computer systems or website.

Some Key Areas for Consideration

These issues impact different companies in different ways: a consumer health company has a very different risk profile than a clothing store. But there are some critical common themes that apply to virtually any company operating in the United States (and typically around the world as well):

  • Security policies and incident response preparation. Security risks should be top of mind for virtually any company. Data security requires constant, ongoing attention—to stay on top of technological developments, understand how most incidents occur, and evaluate the impact of regulatory enforcement actions on your business. This is an area where thoughtful advance planning is critical not only to build effective information security programs but also to develop a specific incident response plan for how to handle the inevitable incident when it does in fact happen. An easy hint: Evaluate where you do not have multifactor authentication in place, as well as every place in your company that you store or collect Social Security numbers.
  • Data minimization / data maximization tensions. Companies need to understand both the privacy issues and the security risks from common efforts to gather as much data as possible. Privacy laws increasingly are mandating specific data minimization or minimum necessary requirements when companies engage in permitted data activities. At the same time, companies thrive in their business analytics—especially if developing appropriate AI is part of the plan—by gathering and analyzing as much data as possible. But the collection and long-term maintenance of data create security risks—security incidents are always bad, but an incident involving data that you should not still have will be worse.
  • M&A integration. An extraordinary percentage of large-scale security breaches involve situations where a recently acquired company becomes a target of an attack before its security practices are effectively integrated with the parent company’s approach. Threat actors know to attack this weak spot. An effective and prompt integration plan on data security issues is critical.
  • Business expansion issues. There are similar acquisition impacts related to privacy law. The small acquired company may not be subject to many of the U.S. state laws. Once acquired, however, the purchaser (typically a bigger company) will inherit a set of practices that may not have violated law before the acquisition—but now will. Also, companies may face real challenges in integrating data from acquired companies or engaging in specific activities where the two business operations are being combined. These issues involve both the small-company perspective (your potential purchaser may be very concerned about the vendor contracts that you signed as your business was getting going and that contain unlimited liability provisions, or you may have limited data rights because you had little leverage in getting your business going) and the larger-company view (where the benefits of an acquisition may be reduced if there is a data breach or acquired data cannot realistically be integrated under applicable law). Thinking about size, these issues impact both start-ups and much larger companies, although in different ways.
  • AI overlay issues. Companies need to evaluate their approach to AI alongside of privacy law. Do you have contractual or legal rights to use the data that you have for AI purposes? Are you making decisions using AI that is regulated by privacy law? Does privacy law impact what permissions you need from consumers before using their data for AI purposes? The law in this area is already confusing and likely will continue to grow in its complexity for the foreseeable future.

U.S. privacy law is increasingly chaotic. It will continue to be challenging to stay on top of all of the different developments and for many companies to understand the full range of relevant concerns. A few key points to think about:

  • You should be considering any place in your company (or your client’s company) where you are collecting, using, storing, or disclosing sensitive categories of personal information. These data categories are the most regulated and overall the most risky, both for privacy and potential data security breaches.
  • You need to understand the geographic footprint of your business operations. Do you operate nationwide (meaning you will likely be subject to all of the relevant state laws)? Are you subject to the GDPR because you are either in Europe physically or taking steps to seek consumer business from Europe?
  • You need to consider whether you are subject to some of the riskier state laws, such as the collection of biometric information in Illinois or the use of consumer health data in Washington.

Conclusion

While privacy and security law will continue to be a specialty area of legal practice, the implications of privacy and security law apply much more broadly. As a lawyer, you are not effectively representing your clients if you do not understand how privacy law impacts their operations. If your business doesn’t yet have a privacy officer, you likely should have one now or will need one soon. And the one you have should be a reasonably high-level person in the company with appropriate compensation and legal authority.
