Credit:jijomathaidesigners/Shutterstock.com

January 28 was Data Privacy Day. This is a day to raiseawareness, foster dialogue, and empower companies to act to ensureproper privacy (and security) of all types of data andinformation.

Data privacy, as a concept, deals with how information is used,as well as whether an organization has the legal right or properpermissions to use the information it obtains. Data security is anextension of privacy, and it relates to the protection of data,once collected, from unauthorized access or disclosure.

Data is everywhere, and it is valuable. Governments, businesses,and individuals maintain, retain, and share vast quantities ofdata. When individuals provide information about themselves, therecipients of that information have a responsibility to protectit—either entirely or to a specified degree. Unfortunately, not allbusinesses fully appreciate this responsibility. Further, manycompanies are oblivious, often unwittingly, to the extent ofinformation they are collecting.

For example, when a consumer downloads a company's app on theirsmartphone or device and agrees to the privacy policy andterms-of-service agreement that goes along with the download, thatapp is gathering information—such as geolocations, browser data,stored contacts, microphone audio, photographs, etc.—from theconsumer's device. Much of this information may be unwanted orunnecessary for the company's purposes; however, it's still beingcollected by the company via the app, oftentimes without thecompany even realizing that the app is collecting the data. This isbecause app developers program apps to take on all sorts ofinformation, simply because it's possible, even though they havenot asked or been informed about what information a companyactually wants or needs to track.

Unfortunately, there remains no comprehensive federal-level dataprotection authority or privacy legislation that regulates theoverall collection and use of personal data in the United States.Instead, while various sector-specific data protectionsexist on a federal level, the majority of data privacyand security regulations exist at the state level. And state-levelrequirements are multiplying rapidly. Following the California Consumer Privacy Act (CCPA), whichwent into effect on January 1, multiple states have enacted orproposed similar bills to protect consumers through comprehensiveprivacy and security legislation. With this piecemeal onslaught ofnew laws coming into effect so quickly, too many businesses fail torealize that, while they may not have any specific operations inCalifornia (or in the other states that have enacted similarlegislation), the laws still apply to and impact them.

Companies bear the brunt of navigating this system of highlycomplex variations of laws related to data privacy and security.Doing so comes with a hefty price tag as well as a heavyadministrative burden.

But don't be dismayed: There are things companies can do toensure that they are on the right track with respect to protectingtheir data! Actionable steps for businesses include:

• Review your company's privacy policies and terms-of-serviceagreements. Make sure they meet the legal requirementsthat are applicable to your company and industry. Verify that usersor customers can easily understand what data is being collected andwhat is being done with it, and make sure that clear opt-in oropt-out processes are provided.
• Critically assess the data that your company collects andretains. If your company is collecting unnecessary orunwanted information, update the processes of collection toappropriately limit the information that is obtained andretained.
• Map the data that your company collects. You need tobe able to track and manage the information that is being collectedat all points in the process, including where it may end up in thefuture.
• Consider appointing a data officer who will be responsible foryour company's legal compliance with privacy and relatedissues. This person should keep up to date with legaldevelopments, news, and trends related to your company's andindustry's specific data privacy needs, or work with competentcounsel to help with this.
• Adopt a proactive mindset of responsibility when it comes tohandling data. Build for the future with privacy in mind,instead of having to backtrack to implement policies andprotections as reactionary measures.
• Require multifactor authentication—one of the best currentdefensive tactics to avoid a cyber incident.
• Add levels of encryption for data and devices. Enactand enforce policies that will help to avoid data breaches on asystemwide level.
• Obtain sufficient cybersecurity insuranceprotection. If you don't have cybersecurity insurance, getit now. If you have coverage, make sure that your coverage issufficient for your business needs. In addition, don't forget howcybersecurity coverage might intersect with other policies andcoverage, such as business interruption and crime policies.

Alisa Chestler, a shareholder in theWashington, D.C. office of Baker Donelson, concentrates herpractice in privacy, security and records management issues; healthcare and insurance regulatory compliance; and corporatetransactions matters. Contact her at [email protected].

Leslie Isaacman Yohey is of counsel in thefirm's Memphis office and is a member of the firm's health carelitigation group. She focuses her practice primarily on medicalmalpractice litigation and other types of professional liabilitymatters. Contact her at at [email protected].

From: Corporate Counsel