The Top Ten Privacy and Data Security Issues to Watch in 2013
Editor's Note—Below are some excerpts from the article “The Top Ten Privacy and Data Security Issues to Watch in 2013,” published in the BNA Privacy & Security Law Report on January 7, 2013. In this article, Privacy Practice Chair Kirk J. Nahra discusses some of the key privacy and security developments to watch for in 2013.
The Eagerly Awaited HIPAA/HITECH Rules
Let's get this one out of the way. For the third year in a row, the Department of Health and Human Services (HHS) definitely—guaranteed—without fail (or at least pretty likely) will issue the long-overdue regulations implementing the Health Information Technology for Economic and Clinical Health (HITECH) law. For those of you who may have forgotten, the HITECH law—passed in February of 2009—made specific changes to the text of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. The text of this legislation specified that these changes would be effective one year after passage of the law (meaning February 2010). However—for reasons that have never been clearly explained—HHS made clear—in July 2010, several months after these provisions were to be effective—that in fact the statute meant nothing, and that no changes would take effect until a new regulation was issued. We've been waiting since then. The July 2010 announcement came in the course of the proposed regulation addressing these changes. Since then, nothing, other than various now-inaccurate predictions and a lot of waiting and confusion. The only part of the HITECH law that is in effect—through an “interim final regulation”—is the breach notification provision, which already has had an enormous impact on the health care industry.
- Business associates should start compliance efforts now, particularly for the HIPAA Security Rule.
- Everyone in the health care industry needs to pay close attention to potential breaches.
- Watch for any wild cards in the final rules—topics that haven't been addressed in the statute and the proposed regulation.
The possibility of new privacy and security legislation continues to fascinate legislators, at the state and federal level. For the past several years, the legislative debate on privacy and security brings to mind Shakespeare, as much ado about nothing. Nonetheless, we are likely to see considerable energy spent on development of potential privacy and security legislation. And while the odds of any significant privacy legislation getting through Congress are quite low, the mere discussion of many of the issues begins to affect behavior on a broader level. In addition, developments at the state level are much more subject to current events or legislative whim, such that the likelihood of new privacy legislation at the state level is always significant.
- If there is cybersecurity legislation, will data security and breach notification be attached?
- Will national breach notification legislation pre-empt all the state laws on notification?
- Watch for state legislation on “hot topics” that arise quickly and attract media attention.
While U.S. companies struggle with the wide variety of overlapping and often conflicting requirements at the state and federal level, the international privacy and security structure presents even more complexity. More and more countries are adding their distinctive voices to the emerging cacophony of privacy and data security regulations. Global contracts that involve personal data in any meaningful way are becoming increasingly unwieldy, with more detailed and more confusing requirements and potential obligations being added regularly. The European Union (EU) continues to debate significant changes to its enormously important privacy regulation. Even though formal new requirements in the EU will not go into effect for several years, the mere discussion of these potential changes is already causing behavioral change across the globe.
- Be careful on any contract dealing with personal data that has international implications.
- Focus on reasonableness and risk management—it may be too hard to learn every obligation, so focus on the hard or risky steps.
- Pay closer attention to any countries that become more active on enforcement (although international enforcement remains low).
Regulating the Internet
- Be extra careful if you target your website or any particular programs or applications to children.
- Be smart about your privacy commitments—the FTC is watching promises carefully.
- Be alert to all kinds of potential consumer harm—regulatory enforcement will be broader than claims that can be made in private litigation.
Not all of the most significant issues to watch will involve regulation and legislation. The development of cloud computing as a new technology with enormous benefits, cost savings and potential risk clearly is outpacing the ability of the regulatory process to adapt to new technology. This means that companies need to act and make decisions now, in advance of any new regulatory developments, by adapting an old regulatory framework to a new environment. Companies in all industries are facing the direct challenge of the cloud—understanding what it really is, analyzing the potential benefits and cost savings, and trying to adapt this technology to the confusing regulatory landscape. The cloud also threatens to explode the idea of country-specific approaches to privacy and security, and the idea that data is located in or relates to any area in particular.
- Pay close attention to what cloud vendors are telling you—and don't just accept the standard language.
- Know who can access your data and generally how it is protected.
- Have a strategy on the cloud—and make sure you're thinking about how your vendors use the cloud as well.
On a more individualized level, the bring your own device (BYOD) concept also creates significant tension among privacy and security, appropriate regulation and even good operational practice. Across the United States, individuals consistently, frequently and in increasing volume “bring their own device” into the workplace or use these devices to engage in communications and information exchange around the clock, for an interconnected mix of personal and professional purposes. There clearly is no stopping these technological developments. At the same time, companies are faced with the challenge of trying to rein in these developments, at least to the point that the use of mobile devices does not threaten the full range of privacy and security protections that are imposed in the less mobile aspects of these companies.
- There isn't a “right or wrong” on BYOD yet, but you need to have an approach and you need to make sure you mitigate risks based on whatever approach you choose.
- Make sure you train your people on your policy and have a means of auditing or reviewing overall compliance, especially in the early stages.
Overall Data Security Issues
The BYOD and cloud computing developments highlight the most significant challenge facing companies and regulators in today's environment—protecting the security of personal data (along with a wide range of other business-oriented data). While privacy issues continue to dominate the philosophical debate, we are seeing a continuing increase in real security problems relating to data. As the world becomes more intertwined, the risks of adverse security events continue to increase. Many of these events become public; it is clear that many others do not, either because they are not disclosed or, perhaps more troubling, because they are not known to the affected companies.
- Security reviews need to be ongoing and consistent.
- Pay close attention to where others are having problems.
- Have a strategy for keeping an eye on your largest vendors as well—that needs to be a key element of your security strategy.
Despite the growth in regulatory and contractual data security requirements, there continue to be an enormous number of security breaches involving sensitive personal data, large and small, affecting virtually every kind of industry. While certain kinds of security practices improve, this has not yet resulted in a material decrease in breaches. Presumably, the breach “opportunities” stemming from increased data flows and technological opportunities for mobile activity more than outweigh any specific improvement in data security practices.
- You will have breaches—make sure you are ready and have a plan.
- Make sure your people know where to go when there is a security problem.
- Move quickly to fix or stop problems, as many potential risks can be reduced or eliminated through quick, effective action.
- Don't let a “no notice” decision stop your efforts to fix problems and take corrective action.
Coupled with the continuing rise in security breaches is the ongoing wave of privacy and data security litigation. Where there are reported privacy or security problems, there will be class actions filed, almost instantly and essentially reflexively. There often are multiple suits, with plaintiff class action firms vying to be first in line at the courthouse.
- Watch for any meaningful crack in the “no damages” wall of precedent, particularly one that can be applied in class action settings.
- You will face private litigation if you have a large breach—but that doesn't mean you will lose the case.
- Regulators can bring cases in areas where private plaintiffs can't, because regulators can rely on broader concepts of consumer harm for their actions.
Back in 2009, many of us expected a new Obama Administration to be significantly more aggressive about enforcement of various privacy and security laws. While there has been a modest uptick in enforcement to date, it has been quite limited and far less than anticipated. Will this change, beginning in 2013?
- Take every enforcement inquiry seriously—more and more enforcement actions are resulting from what are initially limited and minor issues.
- Enforcement agencies will use a tiny opening as a way to explore a broader range of issues—be prepared any time you are providing information to an enforcement agency.
- Remember that the worst impact of privacy and security problems may be in terms of adverse publicity, as enforcement—even where it happens—often is long delayed.
While many of the key issues to watch for 2013 involve theoretical or potential developments, it is clear that these issues are impacting a wide range of companies even before any action is final. Global companies are putting new and more burdensome international provisions into contracts. Pressures to move into the cloud are facing every business. The BYOD debate is real and current, because of the enormous proliferation of new mobile means of communication and data exchange.
For privacy officers, compliance professionals and lawyers in the privacy and data security area, it is crucial to pay close attention to these issues and to make sure that your business—regardless of your industry—has a proactive and thorough means of staying abreast of this constantly evolving field. This will require creative thinking, an awareness of ongoing developments, a quick and thorough response to any problems and a wide-ranging approach to management of overall business operations.