A Six-Step Data Privacy Program Health Check

By Kristoph Gustovich
August 02, 2015

In your organization, who owns the responsibility of managing data privacy and security risks? One of the biggest misconceptions surrounding today's data privacy and security challenges is that the responsibility lies solely with an individual function, usually thought to be either the legal or information technology department. The truth is, data protection is the responsibility of every individual in the company; the legal and IT departments should be drafting contractual language, policies, and guidelines while working in tandem with each other.

As data privacy laws become increasingly complex, one of the biggest challenges facing companies today is determining which set of regulatory standards to apply within the organization. Currently, security and privacy law consists of directives that have created a convoluted patchwork of laws, because a directive can be interpreted and enforced differently by each individual state. Europe is aiming to fix this by creating a universal regulation enforced by a centralized governing body, or a “one-stop shop.” Any complaint covering security or privacy abuse, for any company processing EU data, would go to this central authority. The European Commission's privacy reforms are expected to set the standard for data privacy around the world and will likely be finalized before the end of 2015.

Current indications are that the European Commission will allow a two-year transition period before the regulation takes effect, but proactive legal and IT departments should start preparing to meet the new standards now in order to minimize overall risk.

This article provides e-commerce organizations with an easy-to-follow Data Privacy Health Check Assessment in six steps that will allow them to meet the upcoming regulatory changes. If followed, they will ensure your organization is set up for success when the new regulations go into effect.

Step 1: Accept That Privacy Change Will Happen

The first step to accepting this change is to instill in all employees an understanding of the importance of data privacy and protection of sensitive data. This starts with the leadership of the company, and requires that leadership enforces clear guidelines and expectations for the employees. Protecting sensitive data needs to be a top, strategic objective for any company, regardless of industry.

The second task is to understand the impact that data privacy has on everyone within your company. Security cannot be thought of as strictly the IT department's job: the majority of data breaches occur due to human error. Every individual employee within the company needs to understand how they can better safeguard sensitive data, both physically and electronically.

Lastly, your organization needs to understand the penalties for any misalignment with the new regulations. Currently, the expected regulatory fines are being reported at up to 100 million Euros or 5% of a company's global revenue, whichever is higher.

Step 2: Understand New Roles and Obligations

Companies must accept that their role in the security and privacy landscape has changed, and need to understand the definitions in the regulation and what this translates to for the business.

Under the proposed regulation, any data by which an individual can be identified is the responsibility of both the data processor and the data controller. A company must realize that even if it only processes data, it will now be held to the same standards as the controller of that data. A company will no longer decide for itself whether its security is adequate; instead, the Commission will institute a role for certifying a company's security standards. Another role impact is that a company will be required to establish or outsource a data protection officer (DPO). Generally, this requirement is anticipated to depend on the amount of data processed and the sensitivity of that data.

In addition, clients will gain an increased ability to control their data. This will require companies to implement obligatory practices, such as complete transparency about user data and users' rights. All companies must inform users of their rights in a documented manner, with user acknowledgement, and must provide users with a report of how their data has been used upon request (with a 20-day response period). All data must be processed with “explicit consent,” which communicates to a user exactly how his or her data will be processed.

A client also has the power to object to any data processing he or she doesn't want, without reason. This requires a company to understand where each client's data resides and the data retention policy of that data so these requests can be handled effectively.

The last obligatory item is to make sure any user data that is processed falls within “legitimate interest,” meaning that any data processing must benefit the data owner.

Step 3: Implement Secure System Development Lifecycle (SSDLC)

One of the biggest changes under the new reforms is that security will need to be built in at all phases of an organization's work. Systems and organizations must be designed so that they are data-minimizing and implement data protection-friendly default settings. In addition, companies must protect themselves from vulnerabilities that occur at multiple layers, such as the application and network layers. While most lawyers may not focus on development standards, they are a key component of overall business risk.

The first item a company must implement, if applicable, is the redefinition of its software design phase. There is no single defined standard for making development secure, but your organization must have some form of secure coding practices to follow. Free guidance is readily available from resources such as the OWASP Secure SDLC project.

The second task is implementing a proper testing, or QA, phase. Many organizations will simply bypass this stage due to budget restraint, ignorance or indifference, but it is an imperative step. Validation and quality assurance testing should be rigorous and the testers need to have a solid background of security issues.

The last piece of the SSDLC is deployment. Any software deployment or network must be set up by employees with proper security training, or the system will inevitably be compromised. This helps prevent network-layer vulnerabilities.

Step 4: Adjust Contractual Language

One of the most overlooked items in security management is focusing on detailed contract language. Security must be started as early as the contractual phase.

The first best practice in adjusting contractual language is to explicitly state terms in an easy-to-comprehend manner. No longer can blanket terms be used to classify data processing and how it occurs.

The second adjustment is that companies should stop using the “opt-out” approach, in which clients are opted in by default. Companies need to form their contracts such that clients are opted out by default and have to choose to opt in.

The final adjustment will be to address issues with current third-party contracts that your organization has in place. Based on the projected regulations, organizations will be required to clearly understand and be able to trace the data usage, localization, and data retention associated with all sensitive data.

Step 5: Ensure Encryption and Proper Key Management

Now that the groundwork of processes and culture has been touched upon, you need to make sure that your technology is equally secure.

It is imperative that you first establish whether your goal is simply to protect data or to protect data while also making it seizure-proof. This determination decides who should have access to the encryption keys. In the protected model, both the processor and the data owner have access to the encryption key. In the seizure-proof model, the data owner/client must be the only entity with access to the encryption key.

The next step is to implement some form of encryption or tokenization. Making data unreadable and protected has become a common expectation with clients, but it will now be expressed in the form of a regulation.

Finally, your company must consider proper key management, an often overlooked aspect of data protection. If your company only wants to protect the data, then you can encrypt the data and manage the keys yourself. If the goal is seizure-proof data, then you cannot both encrypt the data and manage the keys. The keys must be managed in a manner that makes them inaccessible to your company, such as a third-party device or by making them the client's responsibility.
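The two custody models above, worked through as an added example that is not from the article or its author: a small Go program (the names Record, Store and Retrieve are chosen here, and AES-GCM envelope encryption is an assumed mechanism, since the article prescribes none) in which the processor stores only ciphertext plus a wrapped data key, so that whoever holds the key-encryption key decides whether the processor can read the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is all the processor stores: data under a per-record DEK, plus that DEK wrapped under a KEK.
type Record struct{ Ciphertext, WrappedDEK []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext; the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail as of Go 1.24
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key yields an authentication error, not garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Store encrypts plaintext under a fresh 256-bit DEK and wraps that DEK under
// kek: the processor's own key ("protected") or a key only the client holds ("seizure-proof").
func Store(kek, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Retrieve unwraps the DEK with kek and decrypts. Without the right kek (a seized
// database plus the processor's own secrets, in the seizure-proof model) nothing decrypts.
func Retrieve(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}
```

In the seizure-proof model the client passes its KEK in per request and the processor never writes it to disk, so a copy of the processor's database and secrets yields no plaintext.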

Step 6: Implement Software For Contracts, Policy and Data Management

Now that data is properly secured, how can it be managed? Companies will need to implement some type of information management technology that gives them the ability to manage, find and trace, archive, and delete data.

First, ensure that the organization has strict and secure information governance policies. These policies should prohibit downloading user data outside the managed system, since untracked copies make complete transparency and traceability unachievable. A company must operate from a set of clearly defined and documented policies that are easily accessible to all employees.

Secondly, the organization should utilize software that can store data, policies, contracts, and obligations and then make them accessible to all employees. A well-written policy or contract will mean nothing if employees have no ability to access them.

Finally, you must have the ability to delete data upon user request, ideally within a centralized software platform. This falls into three categories: 1) the right to be forgotten; 2) the right to be de-listed; and 3) the right to erasure. These requests must be fulfilled quickly and without any financial cost to the client. If data is not managed on a centralized platform that can ensure data traceability and deletion, including from backups, then a company will not be able to fulfill these obligations.

Conclusion

Times are changing in the privacy landscape. With the vast amount of change in the pipeline, e-commerce counsel can create a competitive advantage for the organization by working hand-in-hand with the business to implement this simple Data Privacy Health Check Assessment. Do so before the privacy landscape, and the business opportunities that go with it, move on without you.


Kristoph Gustovich is the Director of Hosting & Security at Mitratech. Prior to joining Mitratech, Gustovich served as the Director of Statewide Enterprise Architecture for the State of Texas. He was also Director of Infrastructure for the Texas Comptroller of Public Accounts, managing Security Operations and Infrastructure.
