In honor of National Data Privacy Day, we provide the following “Top 14 for 2014.”  While the list is by no means exhaustive, it covers critical areas businesses will need to consider in 2014.

  1. Location Based Tracking.  As GPS-enabled devices become increasingly prevalent, employers are often faced with the difficult decision of just how much information they may obtain about an employee’s whereabouts.  This is particularly true when an employee is absent from work, is traveling for business, or makes a representation as to his or her location which the employer questions for one reason or another.  The case law in this area is evolving rapidly, and both public and private sector employers can expect to face this issue in the near future.
  2. Bans On Requesting Social Media Passwords. As we have previously discussed, numerous states have passed legislation prohibiting employers from requiring current or prospective employees to disclose a user name or password for a personal social media account. Sixteen states introduced such measures in 2013, and many of them are expected to pass in 2014.
  3. Disaster Recovery Plans. Protecting information and technology assets from natural disasters and other emergencies is often an afterthought. This is especially relevant given the numerous weather difficulties faced by businesses throughout 2013, from floods to fires to subzero temperatures.  Developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with such events.
  4. BYOD. More and more businesses are recognizing the risks of allowing employees to use their own electronic devices for work and are turning to Bring Your Own Device (“BYOD”) programs to diminish some of these risks.  Businesses considering BYOD should review our comprehensive BYOD issues outline.
  5. User Generated Health Data.  The transformation of health information into electronic format has been well documented and will continue into the future.  One of the newest concerns for 2014, however, is health data which an individual voluntarily provides to track or chart his or her own health or fitness.  Devices such as the Nike Fuelband, Fitbit, and similar devices or applications allow individuals to record more and more health information about themselves electronically, yet the privacy and security of this information remain largely up for debate.
  6. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be considered by any organization that maintains personal information.
  7. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step, in tackling information risk: it is impossible to adequately safeguard something you do not know exists. Moreover, failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
  8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state (as it is in MA, MD, TX, CT, etc.), having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, it will also help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees.
  9. Training. Training is a necessary component of any WISP and a required element under most federal and state laws mandating data security. Beyond meeting compliance requirements, training employees and supervisors will not only aid in defending any breach of privacy claim that may be asserted against the company, but may also prevent a breach from occurring in the first place.
  10. HHS/OCR Investigations.  The Office for Civil Rights (OCR) has recently stepped up its efforts to enforce the HIPAA Security Rule.  As we previously discussed, these enforcement activities are likely to increase in 2014 following a recent report from the Office of the Inspector General which concluded that OCR did not meet its federal requirements for oversight and enforcement.
  11. Develop a Plan for Breach Notification. State and federal data breach notification requirements currently in effect require that notice be provided promptly, and failing to respond appropriately could result in significant liability.  This is true even when the number of individuals affected is relatively small.  Developing a breach response plan is not only prudent but may also be required under federal or state law.
  12. Investigating Social Media.  Social media use continues to grow on a global scale, and the content available on a user’s profile or account is often sought in connection with litigation.  In fact, failure to preserve relevant information in social media may have dire consequences.  Further, while public content may generally be used without issue, serious repercussions can follow if private content is accessed improperly.
  13. New Technologies. As anyone who has purchased a phone or television in the last year has seen, technology is evolving extremely rapidly, and a product which is the “latest and greatest” today is often outdated six months down the road.  Staying familiar with these technologies and their capabilities will allow businesses to better address any issues or concerns they may implicate, including how those technologies address information risk.
  14. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. Because no national law requiring the protection of personal information has yet been passed in the U.S., companies are left to navigate the constantly evolving web of state legislation. Companies therefore need to stay informed in order to remain compliant and competitive in this regard.