TECHNOLOGY IN THE LAW PRACTICE
BY THOMAS CODEVILLA
Numbed by the constant stream of privacy law news, Colorado companies without out-of-state locations may be tempted to think privacy laws from other jurisdictions do not apply to them. Similarly, counsel for those companies may miss the nuances of laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Children's Online Privacy Protection Act (COPPA), or Video Privacy Protection Act (VPPA) that compel their seemingly exempt clients to comply.
To further complicate matters, many privacy laws require information "security" without defining the term, partly because reasonable security is organization-specific and partly because lawyers discussing cybersecurity sound like your grandparents trying to explain the Internet. Luckily, security organizations and professionals have begun to fill in the gap.
What follows is an exploration of the several ways privacy laws from other jurisdictions can apply to Colorado businesses and how those businesses can approach the concept of "reasonable" security.
A Security and Applicability Cheat Sheet for General Practitioners
The Appendix contains a chart with several issue-spotting tools for generalists who might think their Colorado-only clients are exempt from the provisions of the GDPR, CCPA, COPPA, or VPPA. As a refresher: the GDPR governs the collection and use of personal data from EU data subjects; the CCPA governs the collection and use of personal information from California consumers; COPPA sets rules for the collection of personal information online from children under 13 in the United States; and the VPPA protects individuals' video viewing history. As the chart shows, the laws provide little guidance on required security; the second part of this article attempts to fill that gap.
The chart highlights two themes in privacy law. First, collecting information online usually subjects a company to some kind of regulation, meaning that companies seeking to shrink their compliance footprint should first catalog their data collection, use, sharing, and retention in a practice known as "data mapping." Without a comprehensive data map, it is impossible to begin privacy law compliance and nearly impossible to secure a business's data.
The second theme is that privacy laws are terrible at spelling out security requirements for the data the laws purport to protect. So, what might reasonable security look like?
Practical Security for Privacy Law Compliance
Suppose your client must comply with one of the above laws and asks how to secure its data. How would you proceed beyond imploring the client's IT staff to explain their jobs to you?
First, there is a separate but increasingly parallel world of security policy. Organizations like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) have created detailed standards for security, complete with best practices. My conversations with regulators have indicated that implementing NIST or ISO standards might inspire some regulatory lenience in case of a data breach. Both standards contain practical guides to securing your organization's data in layman-accessible language. Familiarize yourself with NIST and ISO requirements and then buy the IT department lunch; you will be shocked at how much you learn.
Second, on your IT "front end," update your privacy policies and contracts to reflect your commitment to security:
■ As mentioned above, map your data to ensure you have a comprehensive view of your organization's practices.
■ Update your terms of service to specify age limits for your users, your rights to use the data collected, and a process for handling disputes.
■ Amend contracts with third-party vendors handling data to ensure they store your data securely and only use it as you instruct.
■ Vendors handling sensitive information should sign a comprehensive data processing agreement (DPA) containing an increased commitment to security, assisting with consumer rights requests, and breach reporting.
Third, on the back end, there are some basic security protocols that companies of any size can implement:
■ Create information security, data retention/deletion, and incident response plans, then train relevant staff periodically on how to implement each policy.
■ Perform penetration testing on all networks at least once a year or before the roll-out of any new Internet-connected service or product.