By SecureWorld News Team
Tue | May 21, 2019 | 1:27 PM PDT

To hear cybersecurity and privacy attorney Jordan Fischer tell it, there is a tidal wave of change in privacy law sweeping across the land.

A tidal wave that is pouring out across the U.S.—one state at a time.

And this growth in privacy regulations is being met by an explosion in the amount of data companies are collecting, transmitting, or storing.

On top of this, Fischer says, the courts are now making it easier to come after your organization if that information is stolen.

This is what we uncovered in a SecureWorld Philadelphia interview with XPAN Law Group Co-Founder and Managing Partner Jordan Fischer. She spoke to us after her session:

[SecureWorld] Tell me about the privacy regulation landscape. At a high-level, what's happening?

[Fischer] So at a very high level it's changing. It's very dynamic right now. I think that any day you check the internet and Google and you'll see that a different state is coming out with a change to their data breach notification laws, a change to their privacy requirements. Each state is sort of taking their own unique twist on it.

So I think California was the first one to really push out this data protection regulation. It's being heralded as the GDPR of the United States, which is the EU regulation that came out last year. But it's not the only state.

We see Washington following suit, using a very similar type of language as what we see in the CCPA. So in general, I mean the short answer is everything's changing and you need to be very aware of what is going on. Because literally tomorrow everything I just said could be different.

[SW] Is it enough to say, you know what, let’s just choose GDPR, because it’s the most stringent? We’ll just do everything by that?

[Fischer] Unfortunately not. I think that GDPR is based off of a framework of good privacy principles. So it is going to get you maybe 70, 80 percent of the way there, right. GDPR is good privacy practices that you should be doing.

Unfortunately, the way a lot of our U.S. legislation is being drafted, there are these unique carve-outs. There are these exceptions. There's requirements that are sort of tweaked and slightly different than what you see in like the GDPR context.

So you do need to be aware of very state-specific requirements, as it stands right now, because the states are dominating the conversation in the United States.

You can’t have privacy if you're not securing that data, securing that infrastructure. So you really have to have both of them go hand-in-hand together.

And at XPAN we help clients to better understand the legal liabilities that attach to the data that they're collecting, how they're using that data, the third parties that have access to or are being transferred that data. And then how they're setting up their network infrastructure and how they're securing that information.

Our goal is to get clients to understand the legal liabilities that they may have, how they can transfer those liabilities either contractually or through insurance.

And then for the liabilities they can't transfer, how do we mitigate the risk in the event that we have a breach, a privacy incident, or even, in today's world, an individual comes to us and says, hey, what data do you have? Right? Now you have liability even in that. What might have seemed like a simple question has now become a much more complex question.

So we sort of like to think of ourselves as spanning that gap between legal and technology and helping to translate what's required from a legal side into what has to happen from a technological side.

[SW] What are you seeing with courts and the way they’re holding companies responsible, or not, for privacy or security violations?

[Fischer] So the court atmosphere right now is really interesting because we have historically seen a challenge in cases going forward because of the Standing Doctrine.

Standing is a constitutional requirement for every case. You have to show that you have the right to be in front of the court. And as part of that right, it has been that you have to show that you've had an injury, you've had damages.

And in the cyber context, it's been very hard to show damages because I could have my identity stolen today or I could have it stolen in 20 years. But if it hasn't been stolen, the future harm is not enough to get you Standing in court. Now we're starting to see that change because judges are seeing that this is really an unfair outcome for a lot of data subjects.

And so what we're starting to see is that they're starting to create these common law doctrines that will allow the plaintiffs to get around standing.

So a good example of that, since we're in Pennsylvania, is that Dittman versus UPMC case that came out of the Pennsylvania Supreme Court last year has created a duty of care for employers to protect their employees’ information.

So now there's actually a right of action that employees can use if their information is stolen that they have provided to an employer. So that's one example. We're starting to see this evolution of trying to get court cases to get past the Standing requirement and allow plaintiffs to actually litigate the matters and to hold companies accountable.
