In honor of National Data Privacy Day, businesses can learn about data privacy and security and take steps to protect the information they maintain. We offer the following list of “Top 15 for 2015” on the critical areas in data privacy that businesses will need to consider in 2015.

  1. Inside Threats for Healthcare Providers and Business Associates. While reports of security risks often focus on hacking and breaches caused by individuals, terror groups or even countries, many organizations, including healthcare providers and business associates, face significant and perhaps more immediate risks from members of the organization’s own workforce. Organizations are not without recourse and can take steps to reduce their risk of a data breach. (For more, see Healthcare Providers and Business Associates: Don’t Ignore the Insider Threats.)
  2. Telephone Consumer Protection Act (TCPA). According to data cited by the U.S. Chamber of Commerce, TCPA suits have increased 30 percent in the past year, with many being filed as class actions. Many of these suits are not just aimed at large companies, but often are focused on small businesses that may unknowingly violate the TCPA. With statutory damages from $500 to $1,500 per violation (e.g., per fax/text sent or call made) these suits can result in potential damages in the hundreds of thousands, if not millions, of dollars. See our FAQs for the TCPA to take the first step in understanding the law.
  3. Location-Based Tracking. As use of GPS-enabled devices becomes increasingly prevalent, employers must decide just how much information they want about an employee’s whereabouts. This decision may come up when an employee is absent from work, is traveling on business, or makes a questionable representation as to his or her location. The case law in this area is evolving rapidly.
  4. Technology Budgets. Technology initiatives often are focused on increasing employee productivity or company profits, but businesses must increase their technology budgets accordingly as well. Appropriately funding a company’s IT and data security functions should not be overlooked when implementing technology initiatives (e.g., moving company information to the cloud or making it available to employees remotely). Budgetary constraints will not justify poor technology support or data security.
  5. HIPAA Litigation. While HIPAA does not provide for a private cause of action, cases brought in 2014 utilized the HIPAA rules as an element in common law tort claims. For example, the Connecticut Supreme Court’s holding that HIPAA did not preempt a negligence claim against a healthcare provider that disclosed patient information in response to a subpoena demonstrates how the HIPAA rules are being utilized as an element in a common law tort claim. The potential direction of these types of actions is unclear and is worth monitoring closely.
  6. BYOD. The risks of allowing employees to use their own electronic devices in the workplace have businesses considering Bring Your Own Device (“BYOD”) programs. On the other hand, 2014 saw some companies return to strict company-owned device policies. Businesses considering BYOD should review our comprehensive BYOD issues outline.
  7. User-Generated Health Data. The continuing conversion of health information into electronic format has been well-documented. One of the biggest concerns for 2015 is electronic health data that individuals voluntarily provide to track or chart their own health or fitness on devices such as Fitbit or similar applications. The privacy and security of this information is debatable.
  8. Risk Assessment. Many businesses are unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and the like. Getting a handle on a business’s critical information assets is the first, and perhaps the most important, step in tackling information risk. Adequate safeguards cannot be erected for something of which one is unaware. Moreover, businesses may be subject to federal or state penalties for failing to conduct a risk assessment.
  9. Written Information Security Program (WISP). Even if adopting a WISP to protect personal information is not a legal business requirement in your state (some states, including Connecticut, Maryland, Massachusetts, and Texas, have such a mandate), having one is critical to limiting information risk. Not only will a WISP help a company in defending claims related to a data breach, but it will aid in managing and safeguarding critical company information. It may even help avoid employee whistleblower claims.
  10. Dealing with Vendors. Company data may be used or accessed by vendors during the course of the vendor’s services. Companies should be aware of the legal requirements on company-owned data, as well as how to negotiate confidentiality and security provisions in service agreements.
  11. Plan for Breach Notification. All state and federal data breach notification requirements mandate that notice be provided as soon as possible. Failing to respond appropriately could result in significant liability — even when the number of individuals affected is relatively small. A data breach also can negatively affect a company’s reputation. Developing a breach response plan is not only prudent, but also may be required under federal or state law.
  12. Federal Trade Commission (FTC), Federal Communications Commission (FCC) Enforcement. Last year, the FCC issued its first fines against a telecommunications carrier for alleged failure to reasonably secure customers’ personal information in violation of the Communications Act. Further, in a challenge to FTC enforcement authority over a company’s data security practices absent specific statutory authority, a federal appeals court in Atlanta has ruled that companies subject to FTC regulatory investigation cannot seek judicial aid in avoiding FTC jurisdiction until the FTC’s actions are final. Additional FTC and FCC action, as well as legal challenges to any enforcement by either agency, is likely in 2015.
  13. Social Media Investigations. Social media use continues to grow and the content available from a user’s profile or account can be sought in connection with litigation. In fact, failure to preserve relevant information in social media may have dire consequences in a lawsuit. Further, while publicly available content generally may be utilized without issue, improperly accessing content available only privately can have serious repercussions.
  14. Watch for New Legislation. Today, managing data and ensuring its privacy, security, and integrity is critical for businesses and individuals. It has become the subject of broad, increasingly complex regulation. As yet, the United States has no national law requiring protection of personal information, although President Barack Obama has stated that data security is one of the top issues for legislation in 2015. In the interim, companies are left to navigate a growing web of state legislation. They must be vigilant to remain compliant and competitive.
  15. Jackson Lewis Webinar Series. Attend Jackson Lewis’ comprehensive webinar series, held on the fourth Thursday of every month, on data privacy and security and how they may affect businesses. Go to our sign-up page at jacksonlewis.com and complete the electronic form (select “Privacy, e-Communications and Data Security” as an “Area of Interest”) to receive invitations to each of the sessions in the series as they are released.