Data privacy, once primarily a concern for finance and healthcare, is rapidly becoming a priority for nearly all types of organizations, particularly those that collect personal information for marketing analysis.
Today's collection of piecemeal and rapidly changing privacy mandates makes planning for future requirements much like aiming at a moving target. Yet a growing number of businesses are gradually coming to the realization that failing to anticipate the demands of future privacy legislation may leave them vulnerable to future lawsuits and significant financial losses.
There's currently no comprehensive law governing the collection, use, sale, or other disclosure of personal information across the United States, noted Gerald Sauer, a founding partner of Los Angeles-based law firm Sauer & Wagner. "A handful of laws set guidelines for use of personal information for specific purposes, such as medical and financial information."
Scott Pink, special counsel at Los Angeles-based law firm O'Melveny, believes that future mandates are likely to promote greater consumer control over personal data. "Some jurisdictions will consider providing more robust private rights of action, although there has been pushback on this in the United States," he observed. "There will [also] be increased focus on more sensitive types of data, such as biometric data, facial recognition and tracking of activities in the home."
As Congress considers a national data privacy law fashioned along the lines of the European Union's General Data Protection Regulation (GDPR), organizations should err on the side of caution, Sauer advised. "Don’t reveal user information without express authorization to do so," he suggested. "Provide users the opportunity to opt out of (or opt in to) data collection and comply with existing laws that apply to your industry, the type of information you handle or the use of personal data in your state."
"Staying current with a national standard, like the one from the National Institute of Standards and Technology (NIST), is one way to stay ahead or at least even with changing demands," Hanna advised.
Before attempting to build a forward-looking security policy, it's important to conduct a thorough data inventory to fully understand exactly what types of data are being collected, how the data is being used, and where it is stored, Pink observed. "You cannot create an effective policy without having this understanding."
Privacy regulations alone don't offer consumers more privacy. "Privacy regulations are aimed at making collectors and processors of data better custodians of collected data, and more accountable for what they do with the data," Rogers explained.
Laws will never be able to keep up with the rapid pace of technological change, so predicting future requirements is a little like crystal-ball gazing, Sauer observed. "However, industry watchdogs and trade groups tend to be proactive in anticipating trends, so it would be prudent to follow their guidance and stay current on trends," he recommended.