In this episode, Jim Pickle and Starr Turner Drum explore the use of technology in our ever-growing remote world and the effects it has on our privacy and the privacy of our clients. Starr helps us navigate best practices and regulations with regard to cybersecurity law and data privacy.
With increasingly complex laws affecting every facet of a company's operations, Maynard Cooper & Gale decided that updating businesses about important legal issues would be most effectively done over the airwaves. This is the Maynard Business Brief with Jim Pickle. Each half-hour episode we will address a hot-button business legal issue and host an expert who will provide solutions to that issue. The topics range from GDPR, Labor & Employment pitfalls, Shareholder activism, among others. We will address timely legal topics that businesses need to understand. This is the Maynard Business Brief with Jim Pickle.
Welcome to Maynard Business Brief, I’m Jim Pickle and I will be your host. Like our guest, I am an attorney at Maynard Cooper & Gale. My practice focuses on Corporate Governance and Mergers and Acquisitions, whereas our guest’s practice focuses on privacy and cybersecurity. Our guest today is Starr Drum. Starr welcome to the podcast.
Thank you for having me.
As a background, Starr is a member of Maynard’s Cybersecurity and Data Privacy practice group. Starr has worked on a variety of matters in the data privacy and cybersecurity space. Since those matters are complex and exceed my understanding of data privacy and cybersecurity, I will let Starr describe her practice at the start of the podcast.
Sure thing! So first of all there’s always this issue about “what does privacy mean and what does data security mean?” so I like to explain it in a way that privacy is an intentional collection, use, and sharing of personal information. So there’s some sort of intent behind it, you want to have someone give you their personal information. You want to use it for some reason, whether it’s for marketing, whether it’s to hire someone as an employee, you may want to share it for certain reasons like, you know, venders who offer you services or may even want to monetize that personal information. Data security is where you’re addressing how to protect personal information against intentional use or malicious use. So if someone who might gain access to personal information was not authorized to do so, you know, how do you prevent that from happening? If it does happen, how do you react? So it’s really that intentional selection of use verses the unintended or malicious act.
Well, Starr thank you for that high-level overview we’ll discuss the bifurcation between security and privacy later on. But before we do that, we actually just like to get to know our guests better on the podcast. So we ask questions, “Where would you like to go on vacation? Your favorite movie” but in honor of this being a podcast, our question for you is “What’s your favorite podcast?” Selfishly, I hope it’s this one, but it may not be.
Yeah, I honestly haven’t listened to any episodes of this podcast yet and I think that may be because this is the first one. So, I don’t think it’s unfair of me not to say this is my favorite one. Asking people about upcoming vacations is a little mean because there aren’t a lot of vacations on the horizon for a lot of us. So, my favorite podcast is one called “Criminal”. It’s a true-crime podcast, which I know is a genre that has a lot of different opportunities for people to listen. But, the thing I like about it is it does some aspect of a criminal adjacent topic in short 20 to 30 minute vignettes. It’s not a lengthy investigation of a murder that happened like a lot of podcasts that are out there. So, it’s really easy to pick up at different points and drop back in if you don’t listen for a while. It’s a great one to go back and listen to episodes that are years old and they won’t have lost their relevancy. So, especially in a situation where a lot of the news is a little bit daunting these days, it’s a nice escape.
Understood, I’ll have to listen to that one this weekend. Now Starr let’s dive into the COVID-related issues that are currently arising in this environment. But, before that, it’s probably helpful for our listeners to understand the regulatory framework around cybersecurity and data privacy laws. Could you describe that regulatory framework for us?
Yeah, if we have 10 hours to record this podcast. But, I’ll sum it up as best I can in a short period of time. It’s a complicated one, is the short answer. So, there’s a lot of laws across the United States and in other countries. They overlap in some ways, they’re vastly different in others. That’s from both a data privacy and data security standpoint. You know, in the U.S. there’s fifty separate data breach laws, there’s no uniform federal data breach law. For privacy laws, you know, there’s laws in some states that govern certain aspects of privacy, there’s laws in other countries, and it’s all across the board. So a good example is one thing that most privacy laws require is some component of providing notice to individuals about how their information is collected, used, and shared. So we talked about that being an intentional act, usually, you have to notify people under those laws about how you’re doing it, why you’re doing it, what are you collecting, what you’re sharing, why you’re sharing it. So, if you’re a company that is collecting personal information from people, you’re likely going to have to provide them with some sort of notice, regardless of where you operate, regardless of where those people live. But as far as what goes into that notice, you know, the privacy notice for someone who downloads a mobile application in Alabama is going to be different than a privacy notice for some who applies for a job with a company in California, someone who goes to see a healthcare provider in France, etc. etc. So, all the different geographies, contents, etc. are going to change what you have to do as a business just to provide this one simple thing, a privacy notice to individuals. And that’s just one component of privacy compliance.
Well, interesting, Starr. To say the least, it sounds like the regulatory framework is fragmented and potentially patchwork because they differ state to state and country to country. How should businesses keep track of those regulations that apply to it?
It’s a tough process and unless you’re the person, you know, internally in your company specifically tasked with privacy compliance or outside counsel giving guidance to companies on specifically what applies, it’s really just a very large patchwork, as you said, that’s very fragmented and it can be complicated to navigate. There’s a few things you can do to make it an easier process or to focus on if you’re trying to figure out “Do we need to be thinking that this is a potential concern for our business?” So the first one is geography. Where are you located? Where are the individuals located, whose data you’re collecting? And what are the laws that apply in that region? And then, second, you want to focus on the types of information you’re collecting. So, are you collecting health information, are you collecting financial information? Those are going to have different regulatory schemes in certain geographies where the requirements for collecting, using, and sharing that data differ than standard other types of data, like names and addresses, so forth. You want to think about the types of individuals from whom you are collecting data. So, particularly, children are a protected group in most jurisdictions. So, if you’re in the U.S., we have regime where there’s a federal law called COPPA and it protects information about minors who are under the age of thirteen. Some other countries define minors as under sixteen. California’s new law actually has new restrictions for children under sixteen. There are countries where children are defined as under eighteen. So, it’s across the board. And then you want to think about the platforms where you are collecting, using, or sharing personal information. So, if you are collecting thigs in an application, the requirements of the application providers: google play, apps store, etc., they’re going to pose specific obligations on their app providers to comply with certain privacy requirements. There are even laws that regulate things like drone’s collections of personal information, from drones specifically. There’s other laws that regulate CCTV cameras, obviously, a lot of information is collected through computers. So, just the ways in which information is collected, there may be laws that governing those platforms. So, the regulations that are specific to those four different categories: geography, types of data, types of individuals, platforms. Those are going to identify what you need to do for purposes of compliance. The regulations, themselves, they also spell out specifics circumstances in which they apply and will help you sort of navigate whether or not that regulation is specific to your business.
Wow, so four different types of components all that very dramatically and then there could be an overlay of specific regulations per component. I guess to focus in on one component, the geography component, how would a business determine whether that geography component applies to it? It is where the operations of business are? If I run a company in California and have employees there? Or is it I’m that California company but I have customers in Texas, is it where my customers in Texas are? Or both?
Yeah, so generally when you’re thinking about privacy compliance, it’s going to be the residence of the individual. So, for example, there’s an opportunity under two privacy statutes: one is the GDPR, the General Data Protection Regulation that applies in Europe. The other one that we mentioned a couple times is, the CCPA, the California Consumer Privacy Act where individuals have the right to access or delete their personal information. Generally speaking, if those individuals were residents of Europe, for purposes of the GDPR, or residents of California, for purposes of the CCPA, those rights are going to apply to them. Whereas, if I am in Iowa I do not get the rights of a data subject under the California Consumer Privacy Act. Now, the California Consumer Privacy Act as a whole, specifies which businesses it applies to, so within the regulation, it may specify requirements for your business. So if you are a business operating in California, you may not have to give certain rights to an individual in Iowa, but, depending on whether you meet certain criteria, you will likely have to comply with the requirements of the Act. So, I know none of this is easy.
I was going to say “We took it one more level deeper into the matrix”. But broadly, residence of data governs. Right? Which is good to know. So, now jumping in with our base understanding of the legal framework, Starr. A lot of businesses have recently moved their team members to remote working, because of COVID. Broadly, what privacy and cybersecurity issues has this pandemic presented for businesses and your clients?
There have been a lot of interesting issues raised by this pandemic and a lot that we weren’t necessarily prepared for. So, from a privacy standpoint, we’ve seen a few interesting things happen. There has been a heightened level of surveillance. So, essentially a compromise of privacy. So there have been some companies that have undertaken additional monitoring efforts on their employees because they’re working remotely. So they may have implemented technology that allows them to determine whether an employee is actually sitting in front of a computer, how long they actually have their hands on their mouse or their keyboard. So, that is an intense type of surveillance that we saw some of that type of surveillance in place for certain sectors of industries, so people who are driving vehicles, making deliveries. There has been a lot of monitoring in that sector for a while and it’s just ballooned over into other areas where it wasn’t previously available. We’ve also seen in education a lot more surveillance where we’ve got remote teaching, remote proctoring for exams. Essentially, what’s happening is it’s the same, right? Someone is watching you while you’re in class or while you’re taking an exam, or the prior example of where you’re at work and your computer is monitoring you. You may have been watched earlier by a supervisor, for example. But, I think the fact that this is being done through technology now has raised a lot of interesting implications. Especially, for purposes of how long the data lasts and the purposes for which it can be used. So, if you’re in a classroom and your teacher is watching you, that’s, you know, happens at that point, it’s not likely that there’s a recording happening of that at the same time, same thing for a test. Now there’s situations where these things may be recorded, someone can look back later, they’re potentially subject to a data breach which creates additional exposure. So, that’s raising up a whole host of issues. You know, it’s a really interesting spotlight on how we, as a society, balance public health with personal freedom. And so it will be interesting to see how, once this is over, we decide that line should be drawn. On the security side, the number of incidents has just increased exponentially. You know, human error is the predominant cause of security incidents and it just becomes a lot harder to control in a remote working environment. People may not be using the same devices they were always using, people may be trying to circumvent different network security protocols that technical teams have put into place in their operations center, and we’ve also got that combined with threat actors taking advantage of a situation where people are scared, they may be clicking on links that they are susceptible to activating because of a situation of fear. For example, if someone says, you know, “here is a cure for COVID” puts it at a hyperlink, the hyperlink downloads a piece of malware to your device, and it gets into your remote working environment. People are just really vulnerable, and threat actors are taking advantage. So the number of data breaches has increased substantially during this time.
So to all you lawyers out there who use VPNs that are slow, keep using those VPNs is what I’m hearing from Starr. Don’t circumvent the system.
Now, so, Starr you mentioned personal freedom and balancing and protecting public health and safety, have we seen a decrease in privacy enforcement or relaxed standards because there’s a focus on protecting the public health and the safeties of individuals around, you know, our country, the US, and around the globe as a whole?
It’s a mixed bag. So, we’ve seen a lot of relaxation in some privacy enforcement. So some regulatory agencies have said they’re not going to take enforcement actions against companies who share personal information in certain ways, usually directly related to protecting public health, for instance, a positive diagnosis of COVID-19, purposes of contact tracing. Specifically, we’ve seen health and human services take a relaxed approach to some HIPPA enforcement with respect to health care data and how they collect, use, and share personal health information during this pandemic. Then we’ve got other regulators that are taking a “no excuses” approach and don’t really see the pandemic as being a reason to relax privacy enforcement standards. So one key issue that a number of our clients are dealing with, and that we’re also dealing with as a Firm, since we’re subject to it, is, the frequently mentioned, California Consumer Privacy Act. You know, whether that’s because in times of economic stress people look towards legal remedies as a means of income or whether it’s just because, you know, because of the concerns we’ve been talking about where surveillance has sort of increased as a sort of consequence of this pandemic. People are trying to fight back against the sort of going the other way and the pendulum swinging too far in the direction of surveillance from privacy. So it’ll be interesting to see how those shake out, but I expect a lot more of those lawsuits to be filed in the coming months and years. So, then you’ve got the GDPR which has regulatory penalties of up to 20 million euros or up to four percent of your annual revenue, which is a huge chunk of change. Regulatory penalties under the CCPA aren’t as substantial, but there is also a ballot initiative that is going to be voted on this November by California residents that could enhance the consumer protections under the CCPA and actually ask to create a separate enforcement agency in California. So, currently, the attorney general’s office is enforcing the CCPA, their office has to enforce a lot of different laws. This ballot initiative will create a separate agency solely to enforce privacy, data protection in California. And so then even though the regulatory penalties the number of damages may not be that substantial dollar-wise, but that agency will have more personnel solely tasked with enforcing that type of regulation, they will have a lot more targets. So there are a lot more companies that will be at risk if they are not in compliance from a regulatory standpoint.
Wow, and I just want our listeners to focus on that piece of information: there would be regulatory actions, private causes of actions, that our listeners may not even know about, know the individuals who want to bring these causes of action, and fines ranging from $750 per incident, which could be in the millions to additional fines on top of that. And now, potentially in California, it sounds like, an agency solely focused on enforcing this law, come November. That’s a heavy burden for a business, but that’s the world we live in and thank you for letting us know about that.
Starr, thank you again for joining the podcast. The listeners and I sincerely appreciate your COVID-related privacy guidance and I hope you have a great afternoon and hopefully I’ll see you in the office whenever we go back into the office.
This podcast is for information purposes only and should not be construed as legal advice. The information in this podcast is not intended to create and does not create an attorney-client relationship.