
A Conversation with Orrie Dinstein, Global Chief Privacy Officer at Marsh & McLennan Companies (MMC)

July 23rd, 2019. Posted in Privacy.

One of the many high points of JW Michaels is partnering with the most sought-after and talented leaders across a range of industries. Recently, Lawrence Brown, Sr. VP Legal, Houston, had the fortunate opportunity to connect with privacy icon Orrie Dinstein, Global Chief Privacy Officer at Marsh & McLennan Companies (MMC) and former Chief Privacy Officer at GE Capital. As a proven expert in Privacy and Data Protection Law, Cybersecurity Law, Information Governance, Data Analytics, and AI, Orrie shared invaluable insights from his impressive history working with complex organizations in the financial services industry.


Q: What does Marsh & McLennan Companies do?

A: We are a global professional services company with a focus on risk, strategy and people. We have 75,000 employees in over 130 countries, so this is a large organization with clients literally all over the world.

Q: And tell us about your background.

A: I started my legal career as an IP litigator. My privacy journey began in 1998, writing privacy policies for websites, but it really took a more serious turn when I joined GE Capital in 2001. Over my 13 years there, I set up and ran three privacy programs, ultimately serving as the CPO of GE Capital. In 2014 I moved to MMC as their first global CPO.

Privacy Team Structure and Management Best Practices

Q: Orrie, you clearly have experience setting up several privacy teams from the ground up. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CEO? Etc.

A: My short answer is the role should report where it can be the most effective and that will differ between companies. In my first CPO role at GE, I reported to the CCO, and then I got moved under the GC. In my current role, I first reported to the Chief Risk & Compliance Officer, but now I report jointly to the CIO and the CCO. No matter who you report into, I would say that you want two key elements from your placement in the organization: (1) being visible and effective and (2) being in a position where you are keyed into what’s going on. To me, the first element usually supports a reporting line into Compliance, and the second element means having a reporting line into IT. I have that dual reporting structure in my current role, and it works really well.

Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?

A: Privacy touches all parts of the organization because there’s data everywhere. I see IT and Operations as the core partners. Information security is a second key partner because privacy and security go hand in glove, and when things go wrong, we need to be aligned and work together. The other key partners are HR for employee data, vendor management for all vendor interactions, and of course the broader Legal and Compliance team, which provides a lot of our core support in terms of resourcing and support with our day-to-day work like contracting. While not one of the key players we regularly interact with, I’ve also found Internal Audit to be a really effective partner. So it really takes a village, and here at MMC, these are all great partnerships that help me do my job effectively.

Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data? Does the “CPO” title create an expectation that there is no attorney/client privilege? Does the “counsel” add-on generate the expectation of privilege?

A: This is a tough question! Let me start by saying that I would not put a “chief privacy counsel” in charge of a privacy program because, at its heart, the CPO role is not a legal role. So the question then becomes: should a CPO always be a lawyer? As a lawyer, I have always had a bias for hiring lawyers to my team in the senior roles because a CPO needs to be able to give legal advice and be able to interpret the law, and I always found it a bit of a strange construct where a CPO needs to consult the privacy counsel in order to give advice. But the reality is that many non-lawyer CPOs know the law as well as the lawyers (if not better), and they rarely go through the formality of consulting legal unless they need to issue formal advice. I have also found that privacy professionals with a compliance orientation tend to have a much stronger operational sense and business understanding compared to lawyers. And I can tell you from experience in my own team that our non-lawyers bring a level of business and operational savviness that really brings great value. So at the end of the day, I think there’s no right answer here – there are great CPOs out there who are lawyers and great CPOs who aren’t. The key is to get the right person and, if there’s a need for a CPO to work closely with a “chief privacy counsel,” to make sure their roles are well defined and there’s no competition over who does what.

As to the attorney/client privilege, clearly where you have a lawyer in the role, it is easier to assert the privilege, but let’s not forget that the privilege doesn’t apply automatically to everything I do or say simply because I’m a lawyer. A lot of the CPO work is not privileged by nature. And where it’s important to assert the privilege, companies can easily get the work of the CPO covered by attorney-client privilege (usually through what we call in the U.S. an “Upjohn letter”).

Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?

A: This is a great question, and it is actually part of a transition that is occurring in the way CPOs are looking at their roles and the way companies are looking at the CPO role. Basically, this is all driven by the rise of the importance and value of data. Most companies don’t have a data czar, and they also don’t have a data lawyer, so on both sides when they look around, often all they see is the CPO. And this means CPOs are increasingly asked to weigh in on broader data questions like governance and quality and ethics. But in the last few years, there’s been an emergence of a new role of the Chief Data Officer or CDO. These come in many flavors with some focused on technical elements like building data lakes and managing the data, others are data scientists and focus on the analytics, and others come from a data governance angle. These are all different disciplines, and they require different skills, and sometimes these roles don’t sit under the same structure, leaving a gap in coordination. Add the CPO, the CISO, and maybe a few others who have a stake in data, and it can get messy quickly. So sometimes someone emerges as the leader of the group. And if that leader is not the CPO, then the CPO needs to make sure that his/her role in this structure is understood and valued. The risk CPOs face is that the data discussion is moving away from a privacy/compliance-driven discussion to more of a technical or operational discussion where the CPO’s role is reduced. And of course, the CPO should always make sure he/she is involved in the data strategy and planning discussions with all of these players before the final strategy becomes crystalized so they can make sure to build in privacy by design elements before it’s too late.

Q: In light of this shift, is “Chief Privacy Officer” still the right title?

A: For now it is but as noted above there’s a change happening and I think that in the next 2-3 years we will see more variability in the titles. It reminds me that when I started working at GE, my title had “e-commerce” in it, and GE had a “chief e-commerce lawyer.” One day in 2003 he told all of us that he was changing his title to “chief privacy officer” and we were all shocked that he was not going to have “e-commerce” in his title. Now you would be hard-pressed to find a lot of people who even understand what e-commerce means! So I predict that in a few years we will see a change and maybe “privacy” won’t even be part of the title. And then I have to wonder what the IAPP will do to its name…

Q: How does the CPO role sync with GDPR’s DPO? Different roles or semantics and the same person?

A: Great question. I think the jury is still out on what the European regulators expect from the DPO role. We see a lot of variability in how companies have defined the role, where the DPO sits and what they are expected to do. Some companies are clearly treating the role as a strategic one, and on the other end of the spectrum, I see cases where it is treated as a somewhat junior, bureaucratic one, and most DPOs fall somewhere on that spectrum. I think the DPO title will remain and the DPO role will remain a somewhat narrow role simply because the obligations of the DPO are prescribed in the GDPR and that includes a need to avoid conflicts of interest. So I think it will be hard for DPOs to evolve into a broader data-driven role that the CPOs seem to be pulled into.

Management and Operations

Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program forever for each slight difference?

A: The pace of change is my number one concern. We all emerged from a two-year blitz to comply with the GDPR just to fall right into CCPA and LGPD, and of course, there are new laws all over the world and changes to existing laws, and in the U.S. there’s a constant barrage of new state-level laws. Just reading all the alerts I get requires a few hours every day! And then actually doing something about all these laws feels like an endless game of whack-a-mole. So to me and many of my peers, I think the path forward is emerging in the form of a set of global principles we apply everywhere, with modifications on unique elements like appointing DPOs or dealing with data localization restrictions on a case-by-case basis. And that, of course, is easier said than done, but as a concept, I think it is where we are heading, and we are spending a lot of time on defining this path forward.

Q: What are your key factors for determining staffing levels? Department budget?

A: I think any CPO on the planet will tell you that they are short on staff and their budget is tiny. Certainly, if we compare ourselves to the information security teams, we fall short by a lot. But to me, the answer is not to think about this narrowly. Going back to the partnerships I mentioned, the key to success is leveraging these partnerships. Getting people from other functions to help champion privacy and to support our projects and to pay for things is the way forward, and it doesn’t all have to fall under the CPO. For example, for GDPR, we had some 700 people working on the project, and we spent in the seven figures. This was not my team and not my budget. But we got the work done, and that’s what matters. And now for CCPA, we are similarly marshaling resources and budgets well beyond the core privacy team and budget.

Q: What are the key factors you look at in hiring outside counsel?

A: I have two core requirements: first, expertise. If you don’t know the answer when I call or within a short while afterward, then you’re probably not the right lawyer. Second, practicality. Privacy laws are often really hard to apply in reality, and there’s a lot of creativity that needs to go into translating what the law says into what we think the regulators expect and what is practical in a business setting. Most regulators I have spoken to are practical and rational, and they apply the law based on something other than a dry reading of the words. I like to work with outside counsel who understand that and ideally have those insights from the regulators. Just telling me what the words are in section X of the GDPR or the CCPA, or telling me how big the fine will be if I’m not in compliance, doesn’t provide any value.

Q: Lots of new hiring these days. What is the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up and coming privacy lawyer?

A: My view is that experience matters, but there’s a shortage of experienced privacy professionals. We have a huge number of newbies in the profession, and that means you sometimes need to compromise on experience. The two things I find most valuable are brains and attitude. A smart person who likes and wants to do privacy will learn what they need to be successful. An experienced person who is not as smart or motivated will often not be as productive. I should add that a CIPP certification helps because, to me, it shows a commitment to the profession. It’s not about studying and passing the test; it’s about the need to maintain your certification through constant CPE credits. That tells me this person is invested in privacy as a career. And then, of course, we get to more specific needs, so, for example, I strongly value the need to have a good PM on my team, and that’s a unique skill set. A good PM is worth more than just adding another privacy person to your team because they bring unique skills, and so much of what we do these days is a project by nature and requires the right skills to manage it and move it forward. So my advice to new privacy professionals is to make sure you can show how you will provide value on day 1. Companies aren’t law firms – we don’t have time to teach you and grow your skills and knowledge over several years. We need people who can function well from the day after they walk in the door.

Q: What is the top privacy or data security issue that keeps you awake at night?

A: I tend to sleep quite well, but obviously, I worry the most about data breaches. They are hard to totally avoid, and when they happen, you can find yourself in a world of hurt from clients, regulators, and other constituents. That will totally destroy your ability to do anything else while you’re managing the crisis, and therefore breaches are a huge disruption to your work. So that keeps me up, not just because of the fear of having to deal with the fallout from a breach, but just as much because I fear it will take me away from doing my day job.

Q: Anything else you’d like to share?

A: I started my career as an intellectual property litigator. I morphed into an e-commerce lawyer, and from there, I shifted into technology and privacy work, with a short stint working on Y2K matters. Along the way, I worked on a lot of new and emerging issues, and I have to say that of all the things I worked on, the privacy work has been by far the most interesting and also the most satisfying. When we do what we do as CPOs, we have a unique role because we are always keeping one eye on what’s right for the company, one eye on what’s right for the individuals whose data we manage, and a third eye on what the regulators expect from us. It’s never just about the bottom line, and that’s very satisfying. Additionally, emerging technologies are giving rise to new issues, and that keeps us constantly on our mental toes and makes it so much fun. When I think of the issues I handled 5, 10 and 15 years ago, some of them haven’t really changed much, but there are a lot of fresh and challenging concerns to contend with (such as AI, blockchain, and the Internet of Things) and even more new things heading our way in the coming years. So I think this is the best legal profession to be in and the best time to be in the privacy field.


Orrie Dinstein is the Global Chief Privacy Officer at Marsh & McLennan Companies (MMC). He has global responsibility for data protection, and he works closely with the Legal & Compliance, IT and Information Security teams, as well as other functions, to establish policies, procedures, processes and tools related to privacy and data protection matters. Prior to joining Marsh & McLennan, Orrie was the Chief Privacy Officer at GE Capital.

Orrie received an LL.M. degree in intellectual property from NYU School of Law and is a graduate of the Hebrew University of Jerusalem School of Law. He is a member of the New York State Bar and the Israel Bar. He is a Certified Information Privacy Professional (CIPP) and a frequent speaker on privacy, security, technology and social media matters.

To learn more about how JW Michaels can assist with your privacy searches, please contact Lawrence Brown.


The Rise of Privacy as a Job Skill

February 26th, 2019. Posted in Privacy.

Guest authors Rita Heimes and J. Trevor Hughes share their expertise about the rise of privacy and personal data as a job skill. Information privacy practices can promote trust, and in turn enterprises collecting and using data have a fiduciary duty to their customers to use their data ethically and to the customers’ benefit. Heimes and Hughes of the IAPP, the International Association of Privacy Professionals, bring invaluable insight on just how valuable information privacy can be to consumers and enterprises.


California, Here We Come: Getting Ready for the CCPA

January 30th, 2019. Posted in Compliance / Risk Management, Privacy.

With the California Consumer Privacy Act deadline fast approaching, we’re thrilled to welcome a relentless advisor on consumer privacy, data security and identity protection, Tracy Shapiro, Partner at DLA Piper, as our guest author. Tracy’s insight into privacy protection is invaluable, and her article is a must-read for companies and consumers alike.


21st Century Hearings Open FTC Opportunity

September 28th, 2018. Posted in Compliance / Risk Management, Privacy.

As the FTC kicks off its hearings on Competition and Consumer Protection in the 21st Century in Washington, DC, it is the perfect time to welcome Tim Sparapani, Founder & Principal of SPQR Strategies, PLLC, as our guest author. Prior to launching SPQR Strategies, Tim served as the first Director of Public Policy at Facebook, and in recent years he has served as the VP of Policy, Law and Government Affairs for the Application Developers Alliance and continues to advise start-up tech companies on a wide range of policy matters. Tim’s insight into privacy and policy is invaluable, and his article is a must-read for companies and consumers alike.

The FTC’s Opportunity

Newly minted Federal Trade Commission Chairman Joseph Simons and the FTC have given the Commission a rare chance: the chance to break truly new ground to help consumers with the most pressing privacy problems. The Commission is seeking to replicate the influential hearings held two decades before by then-FTC Chairman Bob Pitofsky. Those hearings built a record that guided prudent policymaking and enforcement actions by the Commission in the time since. By holding a series of hearings this fall concerning Competition and Consumer Protection in the 21st Century, the Commission has a chance to step back and rethink its goals with respect to what’s working and what’s not in our economy, with respect to technology policy generally and privacy specifically.

My unsolicited advice to the Commission: Go Big and Go Broad!

While the Commission has worked hard to pick meaningful cases for enforcement actions, it’s no secret that the Commission is resource constrained. Given those constraints, the Commission has unfortunately ignored important violations of the law or abuses of consumers’ privacy. It has quite logically chosen to build its privacy and security jurisdiction consent decree-by-consent decree, typically choosing to bring actions against either fraudsters committing egregious violations of the law or the highest profile companies. The former cases are slam dunks, usually quickly resolved for the public’s benefit, and the latter cases — typically targeting the world’s best-known tech companies — are premised on the heretofore correct assumption that the press would broadcast those investigations and consent decrees around the globe so that all other companies would be put on notice about what constitutes a privacy or data security violation.

Those choices were reasonable, but they have left too many privacy and security abuses unchecked, keeping consumers too often exposed. A change in direction could and should be inaugurated by these hearings. There’s a ton for the Commission to do as it builds a record for broadening and redirecting its enforcement actions.

Here are some recommendations for the Commission on how to use these hearings.

Broaden the Lens and Broaden the Consumer Benefits

Every company has data, so broaden your focus beyond Uber, Google, Facebook, Amazon, Apple and Microsoft. It’s been true for two decades now: in addition to producing whatever goods and services a business is offering for sale, that business also holds consumer data that it collects and that deserves protection. Anyone who doubts this ought to look at the size of the membership of the International Association of Privacy Professionals — tens of thousands of registered members now. It’s an important signal. Every company has a Privacy Officer now, but the problems stemming from data misuse aren’t limited to just traditional tech companies. Since every company has data responsibilities, the FTC cannot always limit its efforts to protect consumers to the same handful of internationally known tech companies.

If consumers are giving their data to dozens, if not hundreds, of companies in any given year, does it make sense to solely and repeatedly focus all efforts of the Commission on just a handful of companies? Don’t consumers deserve protection from misuses of data by all the companies who might obtain their data? If the Commission broadens its focus, surely the benefits to consumers will grow commensurately from a broader policing of companies.

Broaden the Review of Harms

Just as every company is now a consumer data engine that needs to be policed, the list of harms to consumers from all those companies is growing, and those new harms deserve scrutiny. Everyone truly fears a broader set of harms than the Commission is addressing. A too-careful focus on data security and data breach or ad tech privacy issues misses the real, emerging threats to consumers from misuse of consumer data.

New harms are emerging in the digital age. Three examples of these emerging harms prove this point. The Commission ought to take testimony about those harms and take action to prevent them from harming consumers before those harms from misuse of consumers’ data become commonplace. Data brokers are buying and reselling consumers’ data without providing any recourse to consumers, who will have no idea their data has been sold, to which companies it has been sold, or what the potential consequences to them are from those sales. The Commission needs to take action to prevent the misuse of genetic information to deny people insurance or employment. Similarly, price discrimination that forces some consumers to pay more than others for the same goods or services deserves scrutiny and action by the Commission.

In short, the FTC has an important opportunity to rethink and reframe the Commission’s efforts in the digital age. If the Commission embraces the opportunity and thinks more broadly, these hearings will have even more consequence for consumers than did those that these hearings were modeled after.

About Tim Sparapani and SPQR Strategies

Founded by Tim Sparapani in 2011, SPQR Strategies is a full-service strategic consulting firm that offers customized, high-quality solutions to a growing list of prominent Fortune 500 companies, including GE, Google, Intuit, Kayak and Syniverse, as well as many startup companies, such as Bytes Media, Caremob, Hero, Koozoo, Quizlet, Spend Consciously, Womply and Xcinex. In addition to many of these multinationals and startups, SPQR advises a leading technology trade association, CALinnovates, as well as two privacy advocacy organizations, the Family Online Safety Institute and World Privacy Forum. Additionally, SPQR previously provided support to the Application Developers Alliance. To learn more visit:


Privacy in 2019, Moving Beyond Compliance and into Digital Ethics

September 11th, 2018. Posted in Compliance / Risk Management, Privacy.

With the rapidly moving privacy world and the new spotlight on legal, regulatory and ethical considerations, we’re thrilled to welcome privacy veteran Leigh Feldman, Managing Director & Head of US Privacy at Promontory Financial Group, an IBM Company, to weigh in as our guest author. JW Michaels VP of Legal Lawrence Brown will be joining Leigh live at IAPP KnowledgeNet to continue the conversation on what to expect from organizations moving forward and to discuss the skills and experiences candidates need to be ready to move into newly created privacy opportunities.

Privacy in 2019, Moving Beyond Compliance and into Digital Ethics

Privacy and the ethical use of personal information entered the forefront of public consciousness in 2018. With developments like the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, as well as the emergence of new threats arising from the collection, use, and sharing of information, the challenges of data processing in today’s information age have never been more apparent.

As organizations continue their digital transformations and expand product and service offerings, those that have robust privacy programs and emphasize ethical data use will achieve greater returns on investments in new technologies, products, and services. The vastly increased penalties under GDPR and greater risk of reputational damage alter the privacy risk analysis, making privacy much more central to good business operations – beyond risk mitigation and regulatory compliance.

We expect organizations will face increasing market and compliance pressures to demonstrate ethical treatment of data as the public and regulators grow more sophisticated in their approach to data privacy issues. Ethical considerations move beyond what is legally or technically possible into questions of morality, bias, discrimination, human rights, and societal harms. The wider and deeper collection of data and deployment of more advanced technologies such as artificial intelligence will continue to be competitive advantages. However, the ability to optimize the collection, use, and sharing of personal information in an expected, appropriate, and ethical manner will emerge as a competitive advantage as well.

Organizations that can be effective and efficient on issues such as transparency, choice, risk assessments, cross-border data movement, and personal data management, including retention and deletion, will be able to more quickly launch new and modified products and processes. Organizations that have more mature privacy programs will be better positioned as trusted information stewards and to reap the economic rewards of the data age.

In response to these rapid changes in the privacy landscape, we believe organizations across multiple industries will need to establish new mechanisms to address emerging digital ethics issues brought about by new methods of collecting, using, and sharing personal information, broader public awareness, and increasing regulatory scrutiny. The result will be a shift in how organizations approach privacy. Beyond just legal compliance, organizations will begin to see their privacy programs as business competencies that must be matured to support customer expectations, innovation, and growth.

Leigh Feldman is a managing director at Promontory Financial Group, an IBM Company, where he leads the U.S. privacy practice within the firm’s global privacy and data protection practice group. Leigh has been in the privacy space for over 15 years, advising on all aspects of information collection, use, and sharing. He was previously the chief privacy officer at Citigroup, American Express and Bank of America, and chief privacy counsel at Merrill Lynch.


Chief Privacy Officer at Adobe On Experiential Privacy

August 27th, 2018. Posted in Compliance / Risk Management, Privacy.

When looking to make the transition from a law firm to a coveted in-house position, or for in-house privacy lawyers looking to distinguish themselves and be considered for more senior positions, being prepared and knowing what company CPOs and executives look for beyond the resume experience is key. A recent article written for the IAPP by Alisa Bergman, Vice President and Chief Privacy Officer at Adobe Systems, offers invaluable insight into the in-house privacy culture and the transferable skills that companies are looking for.

Unlike the law firm style of practice, companies look for candidates who demonstrate business acumen and the ability to interact with various teams and board members. In “If privacy principles are from Venus, then engineering rules are from Mars,” Alisa Bergman explains why, in today’s GDPR and privacy-inspired world, privacy professionals and software engineers need to find orbital alignment:

Whether you’re a privacy professional or a software engineer, you likely have many stories about the opportunities, challenges, and spirited debates within your organization, particularly in the recent run-up to the EU General Data Protection Regulation. Privacy and engineering teams ultimately share a common goal: to create great customer and user experiences. Getting there, however, can feel like the other team comes from a different planet. To engineers, privacy principles advanced by privacy professionals may appear to come from Venus, while to privacy pros, engineering rules may appear to come from Mars. In today’s GDPR and privacy-inspired world, these teams and their planets must find orbital alignment.

Reflections on the run-up to the GDPR remind us that the journey for all stakeholders hasn’t always been easy. But then again, it’s all about the journey — and looking back, it has been remarkable. Here are some of the consistent challenges both planets face as we learn how to better collaborate to define the privacy and engineering requirements that address the following high-level privacy principles:

  • Data minimization and purpose limitation versus big data
  • Right to explanation versus “the black box”
  • Right to be forgotten versus data deletion
  • Data portability versus protecting the secret sauce
  • Evangelize your privacy culture and extend your reach
  • Follow emerging technical standards
  • Embrace agility in a changing, global privacy landscape

To read the full article visit: It is a must-read for anyone looking to improve their career and move up in their department.

About Alisa Bergman
Alisa Bergman is currently Vice President and Chief Privacy Officer at Adobe, where she leads the Privacy, Trust & Safety team. Bergman has been a senior executive, global Chief Privacy Officer and law firm partner for the last 20 years. She has deep experience in privacy, data, emerging technologies, advanced advertising strategies, data security and incident response, data governance and information risk management, as well as legislative, regulatory and public policy matters, and government investigations. Prior to joining Adobe, Bergman was Senior Vice President and Chief Privacy Officer at Warner Bros. Entertainment Inc. Before coming in-house, she was a law firm partner in three leading privacy practices (DLA Piper, Venable and Dentons) in Washington, DC and Brussels.


New Data Breach Laws May Significantly Impact Your Business

August 14th, 2018 Posted by Compliance / Risk Management, News, Privacy 0 thoughts on “New Data Breach Laws May Significantly Impact Your Business”

We are honored to welcome Chris Cwalina, Global Co-Head of Cyber Risk, and Tristan Coughlin, Associate at Norton Rose Fulbright, as guest authors. Chris Cwalina and Tristan Coughlin recently joined the Washington D.C. office as part of a rebuild and expansion of Norton Rose Fulbright’s Global Cyber Risk Group.

A Variety of New Data Breach Laws May Significantly Impact Your Business

Guest post by Chris Cwalina and Tristan Coughlin

While many businesses in the U.S. and around the world have been focused on the EU’s General Data Protection Regulation (“GDPR”), which came into effect on May 25, 2018, many may have missed the steady trend of U.S. states that have been busy amending and enacting more onerous data breach notification and security laws. While there has not been much activity at the federal level, a number of new state data security and privacy laws have been passed or enacted that will impact businesses (some significantly) doing business in the United States.

California made headlines by recently enacting a sweeping privacy law with GDPR-like privacy controls. The California Consumer Privacy Act of 2018 (“CCPA”) gives California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, and a lot can happen between now and then in terms of implementing regulations and State AG guidance, the law will require U.S. companies to implement substantial compliance regimes and make a number of operational changes (including to disclosures and practices). The CCPA also provides for a private right of action and statutory damages in the event of a data breach.

On the security front, as of March 2018, every U.S. state, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, has enacted a breach notification law that requires businesses to notify consumers or citizens if their personal information is compromised. Data breach laws are well understood, but new state data breach laws are being drafted to define the covered information more broadly and to specifically mandate that security requirements be met.

Below is an overview of recently enacted or amended U.S. data breach notification and security laws, which further demonstrates that U.S. states are taking action to protect consumer information.

Alabama (SB 318)

Alabama passed its first data breach notification law, which went into effect on June 1, 2018. The law applies to the unauthorized acquisition of sensitive personally identifying information in electronic form. The definition of sensitive personally identifying information is expansive and includes health information, as well as a username or email address in combination with a password or security question and answer. Other key provisions of the law include a risk of harm provision, and the requirement that covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information from a breach of security. The law also contains a data disposal requirement, which requires applicable entities and their third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records no longer need to be retained. In addition, the Alabama law imposes civil penalties of up to $500,000 per breach for any entity that knowingly violates or fails to comply with the notification provisions of the law.

Arizona (H.B. 2145)

On April 11, 2018, Arizona’s governor signed H.B. 2154 to amend the Arizona data breach notification law. The law was effective upon signing and, among other things, expands the definition of personal information, refines the time period in which consumers must be notified, and prescribes the circumstances in which the Attorney General and Consumer Reporting Agencies (CRAs) must be notified. The key amendment highlights are as follows:

  • Definition of Personal Information: Arizona’s previous definition of personal information was limited to an individual’s first and last name or first initial and last name in combination with a Social Security number, driver’s license number or state-issued ID number, or financial account number or credit/debit card number together with any required security code, access code or password that would permit access to the individual’s financial account (together and hereinafter the “Core Categories” of personal information). See Rev. Stat. §18-545. The new law broadened the definition of personal information to include: (1) an individual’s first name or initial and last name in combination with: (a) a private key that is unique to an individual and is used to authenticate or sign an electronic record, (b) an individual’s health insurance identification number, (c) information about an individual’s medical or mental health treatment or diagnosis by a health care professional, (d) an individual’s passport number, (e) an individual’s taxpayer identification number, or (f) unique biometric data used to authenticate an individual when the individual accesses an online account; and (2) an individual’s username or email address, in combination with a password or security question and answer, that allows access to an online account.
  • Consumer Notification Requirements: Companies and government agencies doing business in Arizona must notify individuals affected by a data breach within 45 days. In addition, the amended law requires the consumer notification to include: (1) the approximate date of the breach; (2) a brief description of the personal information included in the breach; (3) toll-free numbers and addresses for the three largest consumer reporting agencies; and (4) the toll-free number, address and website address for the Federal Trade Commission or any other federal agency that assists consumers with identity theft matters.
  • Attorney General (“AG”) and Consumer Reporting Agency (“CRA”)[1] Notification: If more than 1,000 Arizona residents are notified, the AG and CRAs must be notified within 45 days.
  • Risk of Harm Analysis: The amended law does not require notification to be made if an independent third-party forensic auditor or a law enforcement agency determines that a security breach has not resulted in, and is not reasonably likely to result in, a substantial economic loss to affected individuals.
  • Potential Penalty: The Attorney General may: (1) impose a civil penalty of up to $500,000 for knowing and willful violations of the law relating to a breach or series of breaches; and (2) recover restitution for affected individuals.


California Consumer Privacy Act of 2018 (A.B. 375)

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”), a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, the law will require companies to implement compliance plans similar to those required under the GDPR. Specifically, the CCPA requires businesses to disclose to consumers, among other things, the categories and specific types of personal information collected about the consumer, the sources from which that information is collected, the purpose for collecting or selling such personal information, the categories of personal information sold, and the categories of third parties with whom the personal information is shared. In addition, the CCPA provides consumers with various GDPR-like rights, including but not limited to: (1) the right to access and data portability; (2) the right to opt out of data sharing; and (3) the right to be forgotten. The CCPA limits private actions by giving the California Attorney General the right to enforce the law, subject to certain exceptions; however, the CCPA does provide for damages in data breach cases of up to $750 per consumer per incident, and for proceedings instituted by the Attorney General. Entities that are found to have intentionally violated the law can face penalties of up to $7,500 per violation.

Colorado (H.B. 1128)

Colorado’s updated data security and breach notification laws go into effect on September 1, 2018. Among other things, the new law establishes data security and disposal requirements and expands Colorado’s state breach notification law. The key highlights are as follows:

Data Security Requirements

  • Definition of Personal Identifying Information: The amended law defines personal identifying information as: (1) a Social Security number (“SSN”); (2) a personal identification number; (3) a password; (4) a passcode; (5) an official state or government-issued driver’s license or identification card number; (6) a government passport number; (7) biometric data; (8) an employer, student, or military identification number; or (9) a financial transaction device.
  • Covered Entities: The data security requirements apply to any person that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation or occupation.
  • Disposal Requirements: The amended law requires covered entities that maintain paper or electronic documents (together “documents”) during the course of business that contain personal identifying information to develop a written policy for the destruction or proper disposal of such paper and electronic documents. Moreover, when the documents are no longer needed, the covered entity must destroy or arrange for the destruction of such documents by shredding, erasing, or otherwise modifying the personal identifying information in the documents to make the information unreadable or indecipherable.
  • Data Security Program: The amended law requires covered entities to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
  • Data Security and Third-Party Contracts: Unless a covered entity agrees to provide its own security protection for the information it discloses to a third party, the amended law requires covered entities to require that third-party service providers implement and maintain reasonable security procedures and practices.

Breach Notification Requirements

  • Definition of Personal Information: The amended law expands Colorado’s definition of personal information beyond the Core Categories to include a Colorado resident’s first name or first initial and last name in combination with the individual’s: (1) SSN; (2) student, military, or passport identification number; (3) driver’s license number or identification card number; (4) medical information; (5) health insurance identification number; or (6) biometric data. In addition, the amended definition of personal information also includes a Colorado resident’s: (1) username or email address in combination with a password or security questions and answers that would permit access to an online account, or (2) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
  • Notification Time Period: If an investigation determines that the misuse of information about a Colorado resident has occurred, notice must be made not later than 30 days after the date of determination that a security breach occurred.
  • Notification Content: The amended law requires the consumer notification letter to include: (1) the estimated date or date range of the security breach; (2) a description of the personal information that was, or is reasonably believed to have been, acquired; (3) information that the resident can use to contact the covered entity to inquire about the security breach; (4) toll-free numbers, addresses, and websites for the consumer reporting agencies; (5) the toll-free number, address, and website for the FTC; and (6) a statement that residents can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes. In addition, if the type of personal information disclosed included a resident’s username or email address in combination with a password or security questions and answers, the notice must also advise the consumer to promptly change their password and security question or answer, or to take other steps to protect the online account with the covered entity and all other online accounts for which the individual whose personal information was breached uses the same username or email address and password or security question or answer.
  • Notification to the Attorney General: Companies must notify the Colorado Attorney General not later than 30 days after the date that a security breach has occurred, if the security breach is reasonably believed to have affected 500 Colorado residents or more.


Iowa (H.F. 2354)

Effective July 1, 2018, Iowa’s new data security law prescribes requirements for the protection of student personal information. The law applies to “operators” of internet sites, online services, online applications, or mobile applications which have actual knowledge that their site, service, or application is used primarily for kindergarten through grade twelve purposes and was designed and marketed for such purposes. Among other things, the law prohibits the use of students’ information for certain purposes and sets out information security requirements.

  • Prohibited Uses of Student Information: Subject to certain exceptions, the law prohibits operators from: (1) engaging in targeted advertising if the targeting is based on information that the operator has acquired because of the use of that operator’s applicable site, service, or application; (2) using information gathered by the operator’s internet site, service, or application to amass a profile of a student; (3) selling or renting a student’s information; and (4) disclosing personally identifiable information about a student.
  • Information Security Requirements: Operators are required to implement and maintain security procedures and practices appropriate to and consistent with current industry standards and all applicable state and federal laws, rules, and regulations in order to protect student information from unauthorized access, destruction, use, modification or disclosure. In addition, operators are required to delete a student’s information upon the request of a school or school district.


Louisiana (Act No. 382)

The Louisiana governor enacted amendments to Louisiana’s Database Security Breach Notification Law, effective August 1, 2018. The amendments broaden Louisiana’s data breach notification law and implement new data security requirements. The key highlights are as follows:

  • Definition of Personal Information: The Act broadens Louisiana’s definition of personal information from the Core Categories to include a resident of Louisiana’s first name or initial and last name in combination with: state identification card number; passport number; and “biometric data.”
  • Notification Time Period: Any entity must notify affected Louisiana residents within 60 days of determining that a security breach occurred.
  • Data Security Requirements: Any entity that conducts business in Louisiana or that owns or licenses computerized data that includes personal information must implement and maintain reasonable security procedures and practices.
  • Data Destruction Requirements: Any entity that conducts business in Louisiana or owns or licenses computerized data that includes personal information must take “all reasonable steps” to destroy or arrange for the destruction of all records with personal information if the records no longer need to be retained. Destruction of records with personal information must occur via shredding, erasing, or otherwise modifying the personal information so that it is unreadable or undecipherable.
  • Risk of Harm Analysis: If, after a reasonable investigation, the business determines that there is no reasonable likelihood of harm to Louisiana residents, then notification is not required. Such a determination must be documented in writing and retained, with a copy of all supporting documentation, for five years. This determination must be provided to the Attorney General within 30 days if requested by the Attorney General in writing.


Nebraska (L.B. 757)

Effective July 18, 2018, commercial entities that conduct business in Nebraska and license, own or maintain computerized data that includes personal information of Nebraska residents must implement and maintain reasonable security procedures and practices. In addition, commercial entities must contractually require non-affiliated, third-party service providers to institute and maintain reasonable security procedures and practices.

Oregon (S.B. 1551)

Effective June 2, 2018, Oregon implemented updated data breach notification and information security laws. Among other things, Oregon’s laws were amended to expand the scope of those who must provide notice of a security breach and are subject to the information security laws. The key highlights are as follows:

Data Breach Notification Law

  • Definition of Personal Information: Oregon amended the definition of personal information to include a consumer’s first name or initial and last name in combination with “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”[2]
  • Expanded Scope: The amendment expands the scope of those who must provide notice under the data breach law to include those who “otherwise possess[]” personal information. The law was previously limited to those who own or license personal information.
  • Notification Requirements: The law has been revised to require notice to affected Oregon residents within 45 days of determining that a security breach occurred.
  • Credit Monitoring Services: The amended law prohibits entities offering free credit monitoring or identity theft prevention services from conditioning such services on the consumer providing a credit or debit card number or accepting any other service that the entity offers for a fee.

Information Security Law

  • Expanded Scope: The amendment expands the information security law to apply to any entity that “has control over or access to” data that includes a consumer’s personal information. The law was previously limited to entities that “own, maintain[] or otherwise possess[]” data that includes personal information.
  • Security Requirements: The amended law updates various administrative, technical and physical safeguards required to be included in an applicable entity’s information security program.


Vermont (H. 764)

Effective January 1, 2019, a new Vermont law will regulate data brokers. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Among other things, the law requires data brokers to: (1) register with the Vermont Attorney General and pay a $100 registration fee; (2) make annual disclosures to the Vermont Attorney General concerning data privacy practices and data breaches; and (3) develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.

Virginia (B. 183)

Effective July 1, 2018, Virginia’s data breach notification law was amended to require individuals that prepare tax returns on behalf of any Virginia individual to notify the Virginia Department of Taxation without unreasonable delay upon the discovery or notification of unauthorized access to an individual’s “return information” if the tax preparer has a reasonable belief that: (1) the information was accessed and acquired by an unauthorized person; and (2) such access or acquisition will cause, or has caused, identity theft or other fraud. “Return information” is defined as a “taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”


States are actively strengthening their data privacy and security laws, and we expect this trend to accelerate. With California’s enactment of the CCPA, we expect more states to follow California’s lead in expanding consumer data privacy rights. California was the first U.S. state to enact a mandatory breach notification law in 2002, and now all 50 U.S. states have their own breach notification law. Should history repeat itself, and should the federal government fail to step in and implement comprehensive legislation regarding data breach notification and data security, we anticipate that U.S. states will continue to strengthen their data breach notification and security laws in a piecemeal manner, implementing certain requirements that are similar to the CCPA and the GDPR.

Companies should continually reassess the effectiveness of their risk mitigation controls, as well as their written data protection policies and security procedures. In addition, for laws like the CCPA, companies should consider conducting a gap assessment to determine how their existing procedures will need to be revised in order to comply with new state laws. Because we expect amendments to the CCPA, as well as further enactments of GDPR-like legislation, it is increasingly important to have legal and compliance teams work closely with the business, marketing, and information security teams to monitor changes in the regulatory landscape.

[1] The Consumer Reporting Agencies consist of Equifax, Experian and TransUnion.

[2] Oregon previously had a robust definition of personal information which included an individual’s name and: (1) SSN; (2) driver license number or state identification card; (3) passport number or other identification number issued by the United States; and/or (4) financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account. See Or. Rev. Stat. §646A.602(11)(a).

About the Authors

Chris Cwalina | Global Co-Head of Cyber Risk at Norton Rose Fulbright
Chris Cwalina is the Global Co-Head of the Cyber Risk Group and concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations. Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.

Tristan Coughlin | Associate at Norton Rose Fulbright
Tristan Coughlin is an associate in the Washington, DC office. Ms. Coughlin focuses her international practice on cybersecurity, data protection, and privacy matters. Ms. Coughlin helps clients navigate the various state, federal and international laws that govern the protection of data, as well as advises clients on data breach preparation and cybersecurity risk management, including but not limited to conducting information security and privacy program assessments and developing and conducting tabletop exercises. Ms. Coughlin also counsels clients in investigating and responding to events compromising information and systems security, working closely with third-party forensic consulting experts and law enforcement to identify the nature and scope of a compromise. She is also well versed in managing any resulting regulatory inquiries that may follow the discovery of a data security incident.

About Norton Rose Fulbright

Norton Rose Fulbright is a global law firm, providing the world’s pre-eminent corporations and financial institutions with a full business law service. They have more than 4000 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. For more information visit:

JW Michaels & Co. is an executive search firm dedicated to serving the specialized recruiting needs of top-tier financial services, legal, technology and business institutions.

Crain’s NY Business consistently ranks JW Michaels in the top 10 Executive Recruiting Firms – with good reason. We get results.

JW Michaels is headquartered in New York City, with teams based in Atlanta, Chicago, Denver, Greenville, and Houston.

For general inquiries please contact Jillian McElroy 646-624-2305