In honor of Data Privacy Day, we provide the following “Top 10 for 2017,” a list of critical areas in data privacy that businesses should know about. While not exhaustive, the list points out hot topics on data privacy and security for organizations to consider in 2017.
1. Phishing Attacks and Ransomware
Phishing, as the name implies, is the attempt, usually by email, to obtain sensitive or personal information by disguising oneself as a trustworthy source. The IRS reported a 400-percent surge in phishing and malware incidents in 2016 and dedicates a website page to phishing and online scams. A relatively simple, yet effective safeguard against such an attack is for organizations to advise employees (especially those in HR and Payroll) to be on the alert for email requests, often appearing to come from a supervisor, for the personal information of all, or large groups of, the company’s employees. Before responding electronically, employees should confirm such requests verbally. This is especially true as organizations begin the W-2 process and are compiling large amounts of personal information.
Phishing attacks have delivered ransomware in some cases. Ransomware is a type of malware hackers use to stop owners from accessing their data. The hackers then can require the owners to pay a ransom (often paid in cryptocurrency, such as Bitcoin) to get it back. According to the FBI and the Department of Health and Human Services’ Office of Civil Rights, ransomware attacks have quadrupled, occurring at a rate of 4,000 a day. These agencies and the Federal Trade Commission have offered guidance to help curb these attacks. Among other things, the guidance urges organizations to be prepared. A great start to combat ransomware’s effectiveness is to consider whether backups of electronic systems are maintained regularly.
2. Safeguards Required to Protect Personal Information
State laws requiring businesses to protect personal information continue to emerge and expand. Joining such states as Florida, Massachusetts, Maryland, and Oregon, Illinois businesses must implement and maintain reasonable safeguards to protect personal information beginning January 1, 2017, and California clarified what it means to have reasonable safeguards. Similar rules go into effect in Connecticut beginning October 1, 2017, for health insurers, health care centers, pharmacy benefits managers, third-party administrators, utilization review companies, or other licensed health insurance business. In addition, during 2017, entities regulated by the New York Department of Financial Services, such as banks, check cashers, credit unions, insurers, mortgage brokers, and loan servicers, and some of their subcontractors, likely will become subject to a complex set of cybersecurity regulations many view as the first of their kind in the country.
3. Big Data, Analytics, AI, Wearables, IoT
New technologies and devices promise a myriad of societal, lifestyle, and workforce advancements and benefits, including increased productivity, talent recruiting and management enhancements, enhanced monitoring and tracking of human and other assets, and improved wellness tools. This will continue in 2017, and will require an unprecedented and unimaginable collection of data, which often will be personal data. Federal agencies, such as the FTC, Equal Employment Opportunity Commission, and others, are taking note. While these advancements are undoubtedly valuable, the potential legal issues and risks should be considered and addressed before a business should implement or use the new technologies or devices.
4. HIPAA Privacy and Security Enforcement
The Office for Civil Rights continues in enforcement mode in 2017, announcing two settlements so far in January 2017, totaling nearly $3 million. In one action, the agency for the first time addressed the 60-day rule for providing notification of breaches of unsecured protected health information. In this case, the covered entity discovered the breach involving 863 patients on October 22, 2013, but did not notify OCR until January 31, 2014, about 41 days late. The settlement amount was $475,000, or approximately $11,500 per day. OCR Director Jocelyn Samuels reminded covered entities that they “need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.”
5. Breach Notification Laws
There are 47 states with breach notification laws, and they continue to update those laws. For example, beginning in 2017, California businesses and agencies can no longer assume that notification is not required when personal information involved in a breach is encrypted. Illinois also changed its breach notification law, effective January 1, 2017, to expand the definition of “personal information” to include medical information, health insurance information, and unique biometric data, among other things. These laws continue to evolve and be amended to address the extensive amount of sensitive data that is stored electronically.
6. The Telephone Consumer Protection Act (TCPA)
Lawsuits filed in 2016 under TCPA totaled 4,860, according to statistics compiled by WebRecon LLC. This represents an almost 32-percent increase over 2015 and marks the ninth consecutive year where the number of TCPA suits increased from the preceding year. With the U.S. Supreme Court decision in Campbell-Ewald making defense of class actions under the TCPA more difficult, the number of TCPA suits likely will continue to grow in 2017. Many of these suits are not just aimed at large companies. Instead, they often are focused on small businesses that may unknowingly violate the TCPA and can result in potential damages in the hundreds of thousands, if not millions, of dollars. Understanding the FAQs for the TCPA and taking steps to comply with the TCPA is a great first step.
7. The EU General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield
GDPR has been adopted. While it will not apply until May 25, 2018, there is a lot to do to become compliant. For example, GDPR adds a data breach notification requirement for data controllers; if notification is required, it must be provided to the data protection authority within 72 hours. Further, the EU-U.S. Privacy Shield data transfer agreement, replaced the EU-U.S. Safe Harbour agreement, which was invalidated on October 6, 2015, by the Court of Justice of the European Union’s ruling in Schrems v. Data Protection Commissioner. As of August 1, 2016, organizations based in the U.S. were able to self-certify their compliance with the Privacy Shield. For more on this, see our detailed Q&A on some of the most common questions.
8. President Donald Trump
While it remains to be seen just how the new administration will address privacy and cybersecurity issues, insights on some of these issues can be gleaned from the President’s campaign as more clarity comes from the White House.
Social media use continues to grow on a global scale and become a more prevalent issue for organizations. This is especially true as generations who have lived their entire lives in a Social Media World represent an ever-expanding percentage of the workforce. User profiles or accounts are sought regularly and reviewed in litigation or employment decisions. While public content generally may be viewed without issue, employers need to be aware of how they are accessing social media content and ensure they are doing so consistent with state laws protecting social media privacy and avoiding access to information they would rather not have.
10. Be Vigilant and Watch for Changes
As more personal information and data are available and stored electronically, it is important for organizations to realize this data is extremely valuable, especially in the wrong hands. To this end, and as outlined above, organizations should be assessing constantly how best to secure their electronic systems. This is particularly true as law and industry guidance are constantly change and evolve in an effort to keep up with technological advancements.
Managing data and ensuring its privacy, security, and integrity is critical for businesses and individuals. These activities have become the subject of broad, complex regulation. Companies must address state legislation and industry guidance. Organizations, therefore, must be vigilant to remain compliant and competitive.