Liisa Thomas, chair of Winston’s Privacy and Data Security Practice, spoke at the U.S. Chamber of Commerce’s Institute for Legal Reform’s 16th Annuual Legal Reform Summit in Washington, D.C. recently on the topic of data privacy liability. Liisa presented a report, created by herself, and Associates Robert Newman and Alessandra Swanson: “A Perilous Patchwork: Data Privacy and Civil Liability in the Era of the Data Breach.” This is a topic we've been speaking on at length here at InTelligence, examining the growing complexities of compliance and liabilities in an era of multiple regulators as well as State / National and Global laws.
“This medley of enforcers and laws, coupled with the evolving nature of privacy concerns generally, means that companies in the United States face significant compliance challenges both when developing new products and technology and when establishing or refining programs to protect existing data and information systems."
The Winston & Strawn report examines how privacy law enforcement, historically the purview of the FTC, has been joined by state attorney generals and the class action bar, to say nothing of industry-specific regulators such as the SEC stepping in, or existing regulations such as HIPAA or the GrammLeach-BlileyAct (GLBA). Existing regulators, such as the FTC, are also stepping up their game with a stronger emphasis on data security precautions in its assessment of organizations. This report summarizes the enforcement actions and expectations of each regulatory body.
As we also recently discussed, class-action suits are now a standard following a data breach. It is not uncommon to undergo years-long investigations and to fight many legal battles, which could go on for years, following a single data breach. Until recently, damages were hard to prove; the recent settlement with AvMed has set the bar for settlements where no ascertainable damage has occurred.
As the Winston & Strawn report indicates, the law is constantly developing, so organizations could face additional legal challenges following a data breach. Following regulatory cases and settlements can help organizations better anticipate what is required in terms of preparedness as well as data breach response. Given the current regulatory environment, it’s best to expect and prepare for regulatory scrutiny, with as many audit logs and data trails as possible to prove compliance.
Absolute Data & Device Security (DDS) allows organisations to persistently track and secure all of their endpoints within a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets, and smart phones can be remotely managed and secured to ensure—and most importantly prove—that endpoint IT compliance processes are properly implemented and enforced. Learn more here.