Throughout the past several years, data privacy and security practices have evolved into more than just defending against identity theft and protecting sensitive data. In fact, since 2014, to help raise awareness of data protection issues, the United States has designated January 28 as Data Privacy Day. In recognition of this internationally observed day, over the next eight weeks our Data Privacy and Security team will examine eight of the most significant data privacy and security trends and how they may affect your company.

Week 1: The Relentless Progression of Malware

The internet has been plagued by malware since its inception, and 2016 brought several new variants and delivery methods. Spear phishing, a social-engineering technique rather than malware itself, targets a specific victim with a tailored message that carries the malicious payload or a credential-harvesting link. Angler phishing uses a fake customer-support account on social media that purports to “help” customers but actually harvests their credentials and personal information. Perhaps the most malicious technique, and certainly the fastest growing, is ransomware, which encrypts a victim’s files and holds them hostage until the attacker is paid, typically in cryptocurrency. Despite growing awareness, ransomware remains a highly effective revenue-generating tool for criminals, and it continues to evolve into new strains, including one that offers the victim a decryption key in exchange for infecting new victims. “To pay or not to pay” is indeed the question, and the answer often raises as many concerns as it resolves: paying funds further attacks and does not guarantee that a working key will be delivered, so the practical answer turns on whether the organization has tested, offline backups it can restore from.
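As an added example (not code from the original post), the following Python script shows one heuristic that file-server and endpoint monitoring commonly use to spot ransomware while it is still running: encrypted output is statistically flat (Shannon entropy near 8 bits per byte, where ordinary documents sit around 4 to 6), and ransomware rewrites many files in a short burst while changing their extensions. The event format, process IDs, paths, thresholds and sample data are all constructed for illustration and are not taken from any real product or incident.

```python
"""Heuristic ransomware-activity detector (added example, not from the original post).

Two signals combined:
  1. Encrypted output has Shannon entropy near 8 bits/byte; text sits near 4-6.
  2. Ransomware rewrites many files in a short burst and usually changes
     their extension (e.g. report.docx -> report.docx.locked).
The event format, thresholds and sample data below are assumptions.
"""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    ts: float        # seconds since some epoch
    pid: int         # process that performed the write
    path: str        # path before the write
    new_path: str    # path after the write (same as `path` if not renamed)
    content: bytes   # bytes written, as captured by a hypothetical file monitor


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect_ransomware(events, window=5.0, min_files=5, entropy_threshold=7.0):
    """Return the set of pids that, within any `window` seconds, rewrote at least
    `min_files` files with high-entropy content and a changed extension."""
    suspicious_times = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if (_ext(e.new_path) != _ext(e.path)
                and shannon_entropy(e.content) >= entropy_threshold):
            suspicious_times[e.pid].append(e.ts)

    flagged = set()
    for pid, times in suspicious_times.items():   # times are already sorted
        start = 0
        for end in range(len(times)):             # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                flagged.add(pid)
                break
    return flagged


def _keystream(n: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) that stand in
    for ciphertext in the constructed sample. Not a cipher; illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"sample-" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample data: one ransomware-like process (pid 4242), one ordinary
# editor (pid 1001), and one backup job (pid 7) that legitimately writes a
# single high-entropy archive and must not be flagged.
PLAINTEXT = b"Quarterly report: revenue, expenses and forecast for 2017. " * 60
CIPHERTEXT = _keystream(4096)

SAMPLE_EVENTS = (
    [WriteEvent(100.0 + i * 0.3, 4242, f"/srv/share/doc{i}.docx",
                f"/srv/share/doc{i}.docx.locked", CIPHERTEXT) for i in range(6)]
    + [WriteEvent(100.0 + i * 0.3, 1001, f"/srv/share/notes{i}.txt",
                  f"/srv/share/notes{i}.txt", PLAINTEXT) for i in range(6)]
    + [WriteEvent(101.0, 7, "/srv/share/archive.tar",
                  "/srv/share/archive.tar.gz", CIPHERTEXT)]
)

if __name__ == "__main__":
    print("plaintext entropy  %.2f bits/byte" % shannon_entropy(PLAINTEXT))
    print("ciphertext entropy %.2f bits/byte" % shannon_entropy(CIPHERTEXT))
    print("flagged pids:", detect_ransomware(SAMPLE_EVENTS))
```

The entropy signal alone is noisy, since compressed and archived files are also high-entropy, which is why the burst-of-renames condition is required before a process is flagged; in production the `min_files` and `window` values need tuning against the normal write rate of the monitored share.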

Week 2: Data Privacy Litigation: Changes in the Liability Standard

There were several significant developments in data privacy litigation in 2016. Chief among them was the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins, which held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not by itself establish the injury-in-fact required for standing. Since then, courts have struggled to interpret and apply this standard consistently in data privacy class actions. In 2017, we expect courts around the country to continue grappling with it, particularly as theories of harm evolve. In addition, changes in the composition of the Supreme Court, and further rulings on plaintiffs’ attempts to certify “no-injury” classes, could further reshape the landscape of data privacy class action litigation.

Week 3: Financial Services Sector

In January 2016, the Securities and Exchange Commission announced that its Office of Compliance Inspections and Examinations (OCIE) would include, among its examination priorities, the security controls financial firms use to protect against cyberattack. That began a long year of financial-industry focus on data privacy and security issues. More recently, the New York Department of Financial Services (DFS) proposed the first state cybersecurity regulation that would require covered financial institutions to adopt minimum cybersecurity standards. Shortly thereafter, the G-7 finance ministers and central bank governors agreed on a set of fundamental elements of cybersecurity for the financial sector. Other developments in the industry include:

And all of this comes in addition to existing standards and laws, such as the Gramm-Leach-Bliley Act and its Safeguards Rule. As the financial industry navigates these various guidelines and requirements in 2017, it will be interesting to see how the standards are interpreted, whether a uniform standard evolves, and what impact they may have on data protection efforts in other industries.

Week 4: Big Data

The amount of consumer data being collected and used is greater than ever. As companies adjust privacy policies and respond to increased consumer and regulatory scrutiny, they are constantly working to protect information and respect consumer choices while still monetizing consumer data. Information governance, meaning a documented program that defines what data is collected, where it is stored, who may access it, how long it is retained and when it is deleted, has quickly become one of the most effective ways for a business to safeguard data and limit liability, because data that is never collected or that has already been deleted cannot be breached. With the development of new mobile applications, artificial intelligence platforms and cloud data processing systems, Big Data analytics will continue to provide valuable information that must be appropriately harnessed and protected.

Week 5: Mergers and Acquisitions

By the end of 2016, the seemingly endless stream of data breaches had made security incidents appear normal, almost predictable. But when Yahoo released statements concerning two separate data breach incidents, together affecting more than one billion user accounts, the potential consequences for the company extended far past the norm. Yahoo’s announcements came while a multi-billion dollar sale of the company was pending. In light of Yahoo’s previously undisclosed data privacy and security issues, the transacting parties must now determine the impact these incidents will have on the deal. The lesson here is this: before any terms are finalized, both seller and buyer should engage in thorough data privacy due diligence in order to fully understand the target’s privacy and security risk profile. This includes an analysis of the target’s information security and governance programs, as well as information relating to known security incidents and vulnerabilities, disputes and enforcement actions. Engaging in appropriate due diligence from the outset could dramatically change the structure of the deal, as well as the value of the transaction. Security and privacy issues must also be considered during the negotiation of the transaction documents themselves, particularly with respect to representations and warranties, limitations of liability, indemnification obligations and closing conditions.

Week 6: Critical Infrastructure

The systems that support telecommunications, transportation, water, electricity and other critical networks are at substantial risk of being compromised by a far-reaching cyberattack. For example, Ukraine’s power grid has been taken down twice by attackers, cutting electricity to roughly a quarter of a million customers in December 2015 and to part of Kyiv again in December 2016, both in the middle of winter. Cognizant of this threat, both President Obama and President Trump have examined national cybersecurity and how it bears on critical infrastructure. Likewise, roughly one week into the new year, the National Institute of Standards and Technology (NIST) released draft revisions to the “Framework for Improving Critical Infrastructure Cybersecurity” to clarify and enhance the 2014 version. Going forward, securing critical infrastructure will depend largely on safeguarding the industrial control systems that manage those networks, together with the rapidly growing population of network-connected sensors, meters, cameras and appliances collectively known as the internet of things (IoT). Because many of these devices ship with default credentials, cannot be patched and are exposed directly to the internet, they can be compromised at scale. Attacks on and through the IoT, including medical devices, the healthcare industry and the internet itself (most visibly the Mirai botnet of compromised cameras and routers that knocked major websites offline through a distributed denial-of-service attack on the DNS provider Dyn in October 2016), were front and center in 2016. Government and the private sector alike must come together in 2017 to combat these imminent and pervasive threats. For example, to help incentivize companies to secure devices and avoid attacks, the Federal Trade Commission recently announced a competition to award up to $25,000 to anyone who creates a tool for securing outdated IoT devices.

Week 7: Safe Harbor Out, Privacy Shield In

In the midst of the summer heat, the European Commission formally adopted the EU-U.S. Privacy Shield as an adequate framework for transfers of personal data from the EU to those U.S. companies that self-certify their compliance with its principles. The Privacy Shield replaces and updates the previous Safe Harbor framework, which the Court of Justice of the European Union invalidated in October 2015 in the Schrems decision. While President Trump’s recent Executive Order, Enhancing Public Safety in the Interior of the United States, which directs agencies to exclude persons who are not U.S. citizens or lawful permanent residents from Privacy Act protections, may call into question the durability of the Privacy Shield, the US and the EU must continue to collaborate in order to determine the best way to permit and facilitate data transfers. There are also outstanding data implications of Brexit that will likely affect the UK-EU-US data privacy relationship. While we do not yet know what the post-Brexit UK-EU relationship will resemble, if the UK also decides to leave the European Economic Area it would no longer be an automatically “safe” destination for EU personal data and so may need to secure its own adequacy decision or an equivalent UK Privacy Shield in order to receive personal data from the EU. Additionally, the EU’s General Data Protection Regulation (GDPR) will continue to shape business decisions in 2017. In fact, one study estimated that 28,000 data protection officers will be needed in order to comply with the GDPR. The GDPR will affect not only EU companies but any non-EU company that processes the personal data of individuals in the EU in order to offer them goods or services or to monitor their behavior. In light of the significant new fines for breaching the GDPR, up to €20 million or 4% of worldwide annual turnover, whichever is higher, businesses are well advised to undertake their compliance efforts now to be ready for the May 25, 2018 application date.

Week 8: National Cybersecurity Concerns

This list would not be complete without a mention of the cybersecurity challenges President Trump will face during his administration. Recently, Trump announced that Rudy Giuliani will serve as a cybersecurity adviser, helping to bridge the gap between government and the private sector. Tom Bossert will serve as homeland security adviser, covering national security, terrorism and cybersecurity, with status equal to that of incoming national security adviser and former Army Lt. Gen. Michael Flynn. Bossert currently works as a private consultant on homeland security matters and formerly served in the George W. Bush administration as a deputy homeland security adviser. Bossert, who previously held a position with the Small Business Administration, said this about his new position:

We must work toward cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government in establishing and enforcing the rule of law, honoring the rights of personal property, the benefits of free and fair trade, and the fundamental principles of liberty.

Bossert’s emphasis on the private sector comes as no surprise. The Trump administration will likely seek to ensure that any protection the government offers citizens in the form of new regulations is balanced by strong support for technological innovation, free-market enterprise and national security.