By Patrick Connelly, originally published in Buffalo Law Journal, Buffalo Business First on Jan 13, 2020, 1:06pm EST.
Regulations that affect businesses on all ends are more a part of the legal conversation than ever. Margot Knab of Colligan Law LLP and others explain.
An Apple ad that aired on TV in recent months featured actress Rooney Mara in a voice-over role that touted the iPhone 11’s privacy features.
The message was jarring.
“Right now there is more private information on your phone than in your home,” she said. “Think about that. So many details about your life right in your pocket. This makes privacy more important now than ever.”
Technology in data privacy and security has advanced rapidly to give consumers more protection.
Trailing behind it are regulations. Two of the latest initiatives – the California Consumer Privacy Act and the SHIELD Act in New York – look to pick up where the European Union’s General Data Protection Regulation left off.
The regulations are localized to protect residents of each state but also apply to businesses and other entities that have customers within their confines.
Some businesses are exempt, but the laws are mostly applicable to any entity possessing stored data that includes private information of each state’s residents.
“There’s been so much buzz about consumer data privacy,” said Margot Knab, associate at Colligan Law LLP in Buffalo.
Clients she works with include startups.
“For all of our clients that are developing any kind of technology including apps, that’s a huge concern,” she said. “Consumers are asking the questions now (of businesses to see) what you are doing to protect data, what third parties have access to it and what steps (will the business) take if there is a breach. People want to know if they’re affected.”
Europe’s GDPR was implemented in 2018 and forced entities around the world to be more forthright about what they do with personal information.
Entities must have received formal consent to contact someone and give them a clear way to remove their information or opt out of further marketing, such as through email or text messaging.
“That has an enormous impact on global privacy,” Knab said. “It’s not just Europe. I think there’s some confusion on that. It really protects European Union citizens wherever they are and it also protects anyone who’s in the EU, even if they’re not a citizen.
“It’s pretty expansive, so it’s important that especially tech (sector businesses) and startups that are developing products here realize they are still impacted by that. … The GDPR is very stringent and they need to be incorporating those tenets into their own privacy policies.”
Fines for violations carry a hefty price tag and can be up to 4 percent of a company’s worldwide revenue for the previous year.
Google was cited in GDPR’s early going for insufficient transparency, control and consent violations, and the Wall Street Journal reported in 2019 that Facebook was targeted in other investigations.
The California regulations were passed in 2018 and took hold Jan. 1. Portions of SHIELD continue to roll out but those regulations pertain more to breach notification.
While whispers of uniform federal regulations in the United States remain only that, Knab and other attorneys fear more states could issue regulations of their own, which would make navigating them confusing for some businesses.
“I think in practice (the latter) would be a nightmare, especially for tech companies that are in every state,” Knab said. “You can’t realistically comply with 50 different privacy statutes if they’re even slightly different.”
Gary Schober, partner at Hodgson Russ LLP, agreed.
“That’s an enormous burden,” he said. “I’m really worried about the ability of the business community to comply with all these laws and still conduct business at the ordinary cost.”
Even without a physical presence in locales where regulations have so far been implemented, entities that do business within a state are expected to be compliant with the varying laws.
“Many of our clients are companies that have their primary business locations in New York state but seek to comply, as well,” said Anna Mercado Clark, partner at Phillips Lytle LLP.
Out-of-state companies that sell goods or services online are expected to be compliant, too.
“Sometimes companies think that’s an excuse … but that’s not the case,” Clark said.
Schober said attorneys at Hodgson Russ were busier in counseling companies about California’s regulations than GDPR.
“There was a flurry of activity a few years back when (GDPR) took effect,” he said. “But I think for lawyers in New York and lawyers in Buffalo, we’ve probably had more activity (now).”
Schober saw data privacy come into existence throughout his career. He was educated in computer science in the 1970s and worked in mainframe computing in defense and aviation when he felt the urge to go to law school.
Legal principles around technology evolved through the years, he said. They built up to the call for more protection of consumer data when businesses started to collect and store more information about consumer behaviors and tendencies.
Is someone watching?
Various governmental agencies are suspected of monitoring some consumer behaviors, but it’s unclear how much.
Alex Betschen, law clerk at Goldberg Segalla, helped draft a lawsuit filed in 2018 to find out more while he was a student at the University at Buffalo School of Law.
The suit is still in progress. It was a joint effort by the American Civil Liberties Union and the law school’s Civil Liberties and Transparency Clinic.
“Our complaint has a lot of examples of what we know already,” he said.
The suit asks that agencies disclose the hacking tools, methods and internal rules they’re bound by when they conduct investigations.
Betschen and other students found the government spends millions on technology from various software developers.
“That’s just the tip of the iceberg in public knowledge,” Betschen said. “There’s so much out there that we don’t know. … Federal law enforcement can have so many tools in their midst that they can use. What we (do) know is a little scary.”
A couple of those tools are cameras and malware attacks, he added.
He enjoyed working on the case because it helped him become familiar with freedom-of-information laws and how to narrow the scope in document requests.
He plans to work in intellectual property law, along with copyrights and trademarks, when he becomes licensed.
Cyber attacks and data breaches
Despite the frequency of data breaches internationally, the attorneys said that for some entities, heightened cybersecurity remains an afterthought. People take notice when it happens in their own community or to their own personal information.
Jeffrey Tyrpak, counsel at HoganWillig PLLC, said the 2017 breach of systems at Erie County Medical Center Corp. turned a lot of heads.
“I think locally (that) breach was huge as far as changing people’s minds,” he said.
Tyrpak advises companies regarding data security and privacy in addition to his work in real estate law.
Over the years, he noticed that many businesses tended not to take action until their hands were forced. With increased awareness, though, he said that mentality has changed.
“I think that is the (mindset) that’s been changing right now,” he said.
Michael Chirico recently joined Beckage PLLC where he assists clients in health care along with other entities.
He previously was an information security officer for a health system in New Jersey.
“Looking forward into 2020, we have to take heed of what we saw in 2019 and 2018,” he said. “Most people would agree and appreciate that fast-moving attacks are top of mind.”
An incident-response plan is crucial so a business doesn’t have to think on the fly if an attack occurs, he said.
Many best practices in response plans are adaptable between industries, Chirico added.