Data privacy is a top concern for many in-house legal professionals, and for good reason: data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.

On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:

  • Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!).  But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
  • Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time.  It’s certainly not too early to get started.”

  • Janet Peyton – Ransomware: “2020 saw an uptick in, and increased sophistication of, ransomware attacks; the frequency and ambition of such attacks are unlikely to let up in 2021, as evidenced by the SolarWinds breach, in which hackers infiltrated a government vendor’s software update and ultimately gained access to multiple federal agencies. Companies should continue to be mindful of their own security policies and procedures as well as those of their vendors. Guidance regarding paying ransom in response to such attacks continues to evolve with FinCEN and OFAC opining on the dangers, and possible illegality, of paying ransoms for the release of data.”
  • Anne Peterson – Expanding remote workforce: “As the pandemic continues and remote workforces continue to grow, legal challenges presented by remote employees show no sign of stopping. We expect a trend toward increased regulator oversight of remote employee privacy and security as well as a significant increase in compliance obligations. Additionally, while there is always a threat of hackers and malicious actors, simple negligence by employees just trying to get through their day poses significant security exposure for employers.”
  • Justin Yedor – California Again: “While the CPRA is (and should be) getting a lot of attention right now, don’t forget about the CCPA, which still applies for the next two years. If you haven’t updated your privacy policies or looked back at your vendor contracts since CCPA came into effect, now is the time – the law continued to evolve as the Attorney General published regulations well into the Fall of 2020, but it seems like the regulations might finally be complete. Plus, a solid baseline of CCPA compliance will have you in good shape when CPRA comes into effect.”
  • Ashley Matthews – Vendor Management: “The recent surge in high profile vendor data breaches – most recently the widespread SolarWinds hack – has put vendor cybersecurity and data protection issues center stage. Gone are the days of conducting cursory interviews of prospective vendors and signing their forms as-is. In our new reality, (i) the cybersecurity infrastructure of vendors with access to sensitive data should be thoroughly diligenced (using a comprehensive Vendor Security Questionnaire), (ii) strong contractual protections should be put in place, including those relating to protecting systems and data, indemnification and limitations on liability, and (iii) monitoring should be conducted to ensure the vendor is complying with its contractual obligations on an ongoing basis. And companies should ensure they know every piece of data that is managed or accessed by their vendors, and have controls in place for when there are changes to the covered data.”
  • Tom Spahn – Privilege/Work Product Issues with Data Breach Reports: “Erroneously emphasizing form over substance, some companies think they can assure valuable attorney-client privilege or work product protection simply by involving a lawyer. It is common in the data breach context to have the company’s law firm retain the outside forensic expert, but several incidents this year have shown that that procedure alone will not guarantee such protection. To deserve privilege protection, each communication must be primarily motivated by the client’s need for legal advice. To deserve work product protection, each document must be primarily motivated by anticipated litigation, and would not exist in the same form but for that anticipated litigation. A large law firm itself (Clark Hill) recently was unsuccessful in seeking protection for a forensic investigation conducted after a data breach exposed its client’s private information. That a prestigious law firm’s careful steps failed to assure either attorney-client privilege or work product protection should serve as a wake-up call for all companies.”

Feel free to contact our Data Privacy & Security Team to learn how we can help you navigate these and other data privacy and cybersecurity challenges. And follow our Password Protected blog to stay up to date on the latest news and developments.

Andrew Konia

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace.

Bethany Gayle Lukitsch

Bethany concentrates her practice in complex civil litigation and class actions, including the defense of antitrust matters, mass tort and product liability claims and commercial disputes. She represents global clients, including Fortune 100 companies and various product manufacturers, as national counsel in various federal and state courts around the country and has significant first chair and liaison counsel experience in multidistrict litigation and complex civil and class action litigation. Bethany frequently prepares internal client witnesses for testimony, interacts with expert witnesses and counsels clients regarding complex discovery proceedings, including international discovery.

Janet P. Peyton

Janet practices in the area of data privacy and security, and assists clients with both preventive data security as well as managing compliance issues in the aftermath of a data breach. Her experience includes auditing and evaluating clients’ data security policies, drafting website privacy notices and internal corporate privacy policies, negotiating cloud computing agreements from both the vendor and customer perspective, and compliance with breach notification laws.

Anne S. Peterson

Anne focuses her practice on data privacy and security, incident response, information governance and e-discovery. She routinely advises clients on a broad array of issues related to federal, state and industry compliance, as well as defensible internal policies and procedures to protect and leverage sensitive information.

Tom Spahn

Tom regularly advises a number of Fortune 500 companies on such issues as creating and preserving attorney-client privilege and work product protection when conducting corporate investigations and dealing with the government. He recently published a two-volume 1,500 page book entitled “The Attorney-Client Privilege and the Work Product Doctrine: A Practitioner’s Summary Guide.” Tom was selected as the 2013 metro-Washington DC “Lawyer of the Year” for “Bet the Company Litigation” by The Best Lawyers in America (Woodward/White, Inc.).

Justin T. Yedor

Justin specializes in creative solutions to client problems of all types and sizes. In addition to maintaining a robust litigation practice, he handles complex contract negotiations, trademark work, and anti-hacking investigations for clients ranging from startups to Fortune 500 companies.