The Year Ahead for Privacy and Security
It has been an interesting and turbulent year for privacy and security, with ongoing security breaches, increased enforcement, international disarray, and a variety of new litigation threats. The year ahead may be no less challenging. Here are some of the key issues and anticipated developments to be watching in 2017.
1. The Impact of the New Administration
Everyone in Washington (and around the country and the world) is watching the incoming Administration, to try to understand, predict, and prepare for a highly uncertain policy environment. This uncertainty and nervousness is prevalent even for the “first-tier” issues of this incoming group. Those who need to deal with what the Trump Administration views as second- or third-tier issues (or issues that haven’t been thought about at all) face even bigger challenges, given that there are virtually no data points to predict developments on many issues that are enormously important to a broad variety of audiences.
There are three broad philosophical themes of the new Administration that could eventually impact privacy and security. First, there is a recognition of the relatively weak state of the country’s cybersecurity efforts. As with many other issues, there is criticism of the status quo without any meaningful solution yet. We expect privacy and security professionals to grapple with the impact of this “philosophy” on the key issues for this field. While it is unlikely that we will see new regulations affecting security issues (as discussed below), the issue of cyber-readiness will be one to watch frequently. Second, there is a willingness in the new Administration to engage in broad surveillance of individuals in connection with national security activities. More companies will be faced with the need to deal with data demands from the government that place the company in direct conflict with its customers and/or employees. The impact of these surveillance issues may be felt most broadly in connection with international privacy regulation: the more aggressive the United States is in connection with surveillance, the less flexible we may find the European authorities and others in connection with international data flows. Third, we will watch the impact of two other themes of the new Administration, less government regulation and less government spending. This likely means no new regulations and somewhat less enforcement, rather than broader changes and a rollback of existing privacy rights, but this is clearly an area to watch carefully.
2. The General Data Protection Regulation
Around the world, the biggest privacy and security compliance and planning issue will involve preparing for the European Union’s General Data Protection Regulation (GDPR), scheduled to take effect on May 25, 2018. For many companies this will be a massive undertaking, and it may impact overall business strategies, business partnerships, and a broad variety of significant activities for large and small companies alike.
The new GDPR rules require time, attention, and resources. The regulation will require implementing a broader range of controls across Europe, and will have a material impact on individual consents, the use and disclosure of health care and other sensitive information, and the collection of a broad variety of other information that increasingly is being used by more and more companies around the world. There is a new and aggressive data breach notification requirement (notice to the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible). There are unprecedented potential levels for fines, reaching up to 4% of worldwide annual turnover or €20 million, whichever is higher. And, because it applies to all personal data, companies interested in new products and services across the entire Internet of Things will be challenged by the need to comply with this broad regulation, including many companies for whom earlier privacy laws had little or no impact.
3. Privacy Shield
The Privacy Shield program deals with another component of the international privacy regime: the transfer of personal data from the EU to a country (the United States) which, in the EU’s view, does not have adequate safeguards for this personal data. Privacy Shield replaces the Safe Harbor program, which had survived for almost 15 years but was invalidated by the Court of Justice of the European Union in October 2015 (the Schrems decision), in light of the new information (the Snowden revelations) about how the United States government collected and analyzed personal data. Privacy Shield strengthens the protections for this data, but there is little confidence that the Privacy Shield program is free from future legal challenge, particularly with a new Administration that does not seem bound by prior agreements and has an interest in mass data surveillance. Companies are forced to evaluate implementation of a Privacy Shield program (particularly where the other alternatives are not appealing or appropriate), even though the program easily could disappear in the future. Many European Union policymakers seem determined to support Privacy Shield, but lawsuits and an unpredictable U.S. government may make this position challenging or untenable.
Moreover, significant portions of the U.S. economy cannot rely on Privacy Shield as a means of bringing data to the United States (although there are other data transfer options, such as standard contractual clauses). Privacy Shield depends on whether a company is subject to the jurisdiction of the Federal Trade Commission (FTC) (or, for certain carriers, the Department of Transportation). Insurers, generally speaking, are not subject to the FTC and therefore cannot take advantage of Privacy Shield. The same is true for not-for-profit entities. So, even if this program stands, it is not a viable solution for a considerable number of entities. But, with more businesses becoming increasingly global, through research, multinational employment, Internet customers around the world, wellness programs, vendors around the world, and a broad variety of creative programs across country lines, these international privacy challenges cannot be ignored.
4. Government Privacy and Security Leadership
In any new Administration, there is a shuffling of leadership, both in political positions and among other senior leaders who take the opportunity to move on. This year, we will see more of these changes than in many transitions. For privacy and security, the key issue will be the senior leadership of the key privacy enforcement agencies – including the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights, the Federal Communications Commission (FCC) and others – as well as the fate of the primary “day to day” senior staff who constitute the bulk of the thought leadership and institutional memory of these offices. We also will see whether the new Administration will continue important developments implemented by the current Administration to improve privacy efforts within the government (under the leadership of Marc Groman).
For HHS (which oversees the HIPAA Rules), we can expect to see a new director of the Office for Civil Rights (OCR), with a likely “interim” leader as well. No names have surfaced in the gossipy world of the presidential transition.
As for senior staff at OCR, we have the rare situation where it will be beneficial for both individuals and the industry to maintain as much of the senior leadership of the office as possible (with a reasonable expectation that this will actually take place). The bigger issue with OCR is whether the new Administration will force or lead any different directions in enforcement or otherwise. We certainly have seen no discussion of these issues as part of the campaign or the transition. My expectation is that we will see few new rules, little or no rollback of existing rights, and a generally similar enforcement policy going forward, coupled with the budgetary wild card that could reduce enforcement simply through reduced staff.
The FCC, a new player in overall privacy and security enforcement, may see the biggest change. The FCC, over the past year, has prepared and finalized an important and challenging set of privacy rules for large portions of the telecommunications industry (the broadband privacy rules adopted in October 2016). While there were many significant issues for debate about these rules, they were moving forward. Now, there may be wholesale changes at the top of the agency that could result in a complete rollback of this privacy program. For the industry, this is a major issue, and it will be for a broad variety of related businesses and consumers as well.
On the whole, we likely will see new leadership in most key privacy positions (although not immediately), and a resulting likelihood of somewhat less enforcement and perhaps some pushback on existing regulatory compliance obligations.
5. The Federal Trade Commission
A broader issue for the privacy community involves the future of the Federal Trade Commission and its privacy and security watchdog role. The FTC has a broad overall role in enforcement and setting policy for privacy and data security enforcement. The appointment of future FTC commissioners is very much a first- or second-tier priority for the new Administration. There is a realistic likelihood that new commissioners will have a distinctly different view on ongoing enforcement in many areas, with the realistic possibility that this will include data security. We also are much more likely to see the FTC take a lesser role in overall thought leadership on privacy and security issues generally (although many of the existing staff will remain in place and will continue to bring their strong expertise to these issues). We will need to watch whether the FTC really does change, and whether any other agency (perhaps aggressive state attorneys general?) steps into any void that is created.
6. Big Data
In the privacy world, we are seeing an intensifying debate about how best to regulate big data. This debate is blending with a parallel discussion about whether our current approach to regulation in the United States, which focuses on regulation of “sectors” like health care, financial services and telecommunications, makes sense where the historic lines of these sectors no longer fit today’s world. In the health care field, for example, we are seeing the increased importance of HIPAA’s gaps, due to the massive growth in health care data that is being generated, used, and disclosed by entities that are outside the HIPAA regulatory structure (think websites, mobile applications, and wearables, for example). We are seeing a blurring of HIPAA/non-HIPAA lines (think wellness programs and the interest of employers in evaluating the health of their workforce). We also are seeing the related development of HIPAA entities bringing into their systems a broad variety of data that is not normally thought of as “health” data, but where data analytics teams at these companies are finding relevant health care connections (such as income, marital status, number of cars, shopping habits, etc.). The debate on what to do with these developments has been building: there is a growing consensus that something should be done about these concerns, but little consensus on what this reform or new regulation should look like. See generally, Nahra, “Moving Toward a New Health Care Privacy Paradigm,” Privacy in Focus (November 2014).
This same debate also is growing in other sectors, as personal data is being generated (through the Internet of Things) from a broad variety of new sources of data. Coupled with new computing mechanisms and improved analytic models, big data is hitting virtually every industry (and, more importantly, affecting virtually every consumer). The Obama Administration has been promoting a significant variety of important and thoughtful white papers and other policy statements on the risks and opportunities from big data. The positions have been even-handed – big data can bring important benefits to our system and our economy, and may often be helpful to individuals – but this data is being used in new and untested ways and creates risks of discrimination and other unfair practices.
In 2017, while there will be continued significant growth in big data itself, we can expect this debate to slow down and become significantly quieter. I don’t think it will go away, but there is little reason to believe that Congress or any relevant regulatory agency will be using 2017 to develop reasonable new regulations or legislative proposals on these points. As with other areas (and as discussed below), this means that there is a significant opportunity for the private sector to build out appropriate standards for this industry, and to develop best practices to fill in the current gaps in the regulatory structure, since the likelihood of a regulatory solution clearly has decreased.
7. Research and De-Identification
We also can expect to see an ongoing debate about two interrelated issues – improving research and effective de-identification of data. These topics are becoming more important (and more integrated) due to big data and the Internet of Things. There is a recognition across the government of the need to ensure that important research opportunities can be capitalized upon – leading to an ongoing rulemaking proceeding to revise the “Common Rule” that regulates most human subjects research. Now, following almost a year of reviewing comments, the fate of this rule in a new Administration is unknown. Nonetheless, there clearly will be more interest going forward in making personal data available for research purposes and to maintain important individual protections while still permitting research to move forward efficiently.
Whenever there is talk about research, we also hear the discussion about de-identification. De-identification, in theory, presents a win-win for a broad variety of public purposes, including research, public health, and overall data analytics. There remains a significant ongoing debate about whether existing de-identification practices work in today’s environment (where there is a broader array of data available and better technologies available to potentially re-identify). We are seeing de-identification frameworks being developed both in specific segments of the U.S. regulatory structure (including the FCC’s approach for the telecommunications industry, which is modeled on the FTC’s de-identification framework), as well as various models around the globe (some of which effectively do not permit de-identification or permit it only in very limited circumstances). There is a challenge for industry in this area: to demonstrate the value in de-identified information, and to evaluate and educate the public and relevant regulators and advocates on how best to protect data that has been effectively de-identified. There is significant value here, and some of it is being lost because of bad examples of re-identification (where relevant de-identification frameworks were not followed) or misperceptions about how this data is used. This debate will continue, but it will be important for industry and the public at large to support strong, risk-based de-identification methods and a broader understanding of how de-identified data can benefit the public in a variety of ways.
8. Security Breach Class Action Litigation
On a different path, class action litigation continues to be a major challenge for any company subject to a large data breach. Cases now are brought routinely when there is a large reported breach. While the plaintiffs’ bar continues to face substantial challenges in proving actual injury, both as the threshold issue of standing needed to get a case started and as a meaningful element of causation and damages, it hasn’t stopped trying. And there are just enough large and small wins to keep these cases coming. We are seeing theories concerning “breach of contract” injury, where there are allegations that a portion of an insurance premium or other contract payment, for example, goes towards data security protections. We are seeing arguments about the “assumed” risks associated with sensitive information. We are seeing a new range of claims related generally to weak data security practices. In general, the cases keep coming, even without major victories. It won’t take many big wins for the current wall of protection for defendants to come tumbling down.
We also may see over the next few years an enhanced role for these cases as a substitute privacy regulator – if we see a diminishment in the activity of government regulators. We may see privacy advocates being willing to step into more situations where, today, they might lobby the FTC or HHS to bring an enforcement action. If those agencies slow down in their efforts, we are likely to see policy-oriented privacy and security litigation growing as a concern across the full range of industries affected by the privacy and security debate.
9. Breach Notification Legislation
We have seen half a decade of legislative proposals from Congress about breach notification legislation – to create a consistent federal standard on top of, or instead of, at least 47 states’ laws. Many of these proposals are roughly similar, and there is a consensus in Congress on many (but not all) of the key issues. And, with each major breach – Target, Sony, Anthem, Yahoo, Yahoo again – many of us think that “this one” will finally be the tipping point for actual legislation.
So, it will be critical to see if any of the latest breaches – or any new ones in 2017 – finally lead Congress to act in this area. A parallel impetus for legislation could be significant court rulings (maybe in the pending LabMD case?) where the FTC’s overall authority to act in data security cases is cut back.
10. Managing Compliance with Less Enforcement
Lastly, there is a real possibility that the relevant enforcement agencies – due to budget cuts, staffing cuts, leadership changes, overall philosophy, or distraction from other activities – will significantly reduce enforcement activity. Already, in many situations, there is no realistic threat of enforcement. This may only get worse over the next few years. There also is a reduced likelihood of new legislation addressing some of the concerns that have been raised about big data and other emerging privacy issues.
Therefore, companies face a real challenge: how to maintain a focus on compliance and good business practices in light of a reduced likelihood of enforcement. We see these pressures regularly. Will a company push the envelope more? Will marketing have a louder voice while compliance and legal aren’t listened to? Will company leaders, facing budget and revenue pressures, be willing to cut more corners, particularly in situations where it is unlikely that something bad will become visible? All in all, this will be a challenging time for privacy officials. There will be a need for forceful leadership and creative strategies to address this likely reduction of attention across companies. Part of this message needs to be that many people are watching even if it isn’t tied to enforcement: the news media, consumers, customers, and class action lawyers all aren’t going away. Nonetheless, privacy officials need to be cognizant of this possibility, and have a realistic plan for addressing potential changes in attitude towards privacy and security compliance.
We are living in interesting and uncertain times. The commercial privacy and security issues that are so important to a growing range of industries and their consumers have not been a focus of any material discussion for the new Administration. At the same time, with the expansion of the Internet of Things and improved capabilities for big data analytics, there is no doubt that data and the ability to manage and analyze data have never been more important. Businesses will not stop using data just because there is less enforcement. So, for any entity (or related service provider) looking to be competitive and responsible in the years ahead, the ability to recognize and understand these key developments will be critical. This requires thought, and time, and attention, and planning. It also requires the ability to think beyond the pressures of the day, to develop thoughtful and responsible approaches to the collection, analysis, use, and disclosure of the increasing volume of personal information and related data that is driving success across a growing range of industries.