(844) 627-8267 | Info@NationalCyberSecurity

SEC, FTC Headline A Rise In U.S. Privacy And Cybersecurity Efforts – Privacy Protection


The past year has been marked by a flurry of data privacy
activity in the United States. Recent policy and enforcement
initiatives by the Federal Trade Commission (FTC), proposed
cybersecurity regulations from the Securities and Exchange
Commission (SEC), new state legislation, and developing
international data privacy standards make clear that data privacy
is a priority for the government—and therefore must be
prioritized by businesses.

FTC adopts new policies and steps up enforcement

Recent data privacy policies

2023 so far has seen the FTC address data privacy matters with
vigour, issuing a series of policy statements bolstered by several
enforcement actions.

In a February 2023 blog post addressing its
approach to data privacy, the FTC laid out three practices that
market participants should follow to “effectively protect user
data”:

  1. offer multi-factor authentication for consumers and require it
    for employees;

  2. require that connections within a company’s systems be both
    encrypted and authenticated; and

  3. require companies to develop, publish and adhere to a data
    retention schedule.

Further, the FTC issued a policy statement in May 2023 outlining
the types of practices it considers violations of section 5 of the
FTC Act, which governs unfair or deceptive practices nationally,
including:

  • false or unsubstantiated marketing claims relating to the
    validity, reliability, accuracy, performance, fairness or efficacy
    of technologies using biometric information;

  • failing to assess foreseeable harms to consumers before
    collecting biometric information; and

  • failing to provide appropriate training for employees and
    contractors whose job duties involve interacting with biometric
    information or technologies that use such information.

Recent data privacy enforcement

Recent FTC enforcement actions in the telehealth and home
security industries further demonstrate the FTC’s commitment to
protecting the privacy of U.S. consumers’ data.

The FTC brought enforcement actions against telehealth service
providers GoodRx and BetterHelp for improperly sharing patient
health data in violation of the Health Breach Notification Rule, which
requires vendors of personal health records to notify the FTC,
consumers and, in many cases, the media, of health record data
breaches. In settling these cases, the FTC required these companies
to obtain users’ affirmative consent before disclosing health
information to third parties and implement comprehensive privacy
programs to protect their customers’ data.


In the home security industry, the FTC brought an enforcement
action against Amazon’s home surveillance product, Ring, for
consumer privacy breaches. The breaches impacted at least 55,000
U.S. customers and were largely the result of unchecked employee
access to private video recordings of customers’ homes. The
FTC’s proposed order, pending approval by a federal court,
targets malicious insiders, including restricting access to
databases so that only employees on authorized networks can access
them.

Through these settlement orders and newly adopted policies, the
FTC appears to be providing a roadmap applicable across industries
for best practices to mitigate patient and consumer data
breaches.

The SEC tackles issuers’ cybersecurity through new proposed rules

The SEC has given greater attention to data privacy matters, by
increasing transparency for investors and leveraging its oversight
of registered companies to improve cybersecurity.

As we discussed in an April 2022 bulletin, the SEC proposed new
rules that, if adopted, would impose significant new
cybersecurity-related disclosure obligations on U.S. reporting
companies. These rules are expected to be finalized soon.

The SEC’s Fall 2022 Unified Agenda of Regulatory and
Deregulatory Actions further articulated its cybersecurity agenda items, namely to 1)
create additional rules addressing registrant cybersecurity risk
and related disclosures; 2) amend rules to better inform investors
about a registrant’s cybersecurity risk management, strategy
and governance, as well as to provide timely notification of
material cybersecurity incidents; and 3) promulgate rules to
enhance fund and investment adviser disclosures and governance
relating to cybersecurity risks.


While the proposed SEC rules are not yet final, the pending rule
proposals should give U.S. public companies a sense of potential
regulatory requirements in the future.

The patchwork of state data privacy legislation continues to grow

An increasing number of states are enacting comprehensive data
privacy laws that have introduced a complex weave of potentially
overlapping and divergent requirements for companies doing business
in the United States.

As noted in our Spring 2022 Torys Quarterly, California,
Colorado, Utah and Virginia have already enacted comprehensive data
privacy legislation, with California continuing to lead the way in
the scope and requirements for companies doing business with its
residents. In the past year, several additional states, including
Connecticut, Florida and Texas, likewise have adopted comprehensive
legislation that generally protects consumer rights, including the
right to access, delete, correct and opt out of targeted
advertising, sale and certain forms of profiling.

Considering the continued absence of U.S. national data privacy
legislation, businesses and individuals alike need to keep a close
eye on the rapidly evolving legal environment at the state
level.

The EU and the U.S. reach a deal on data transfer

On July 10, 2023, the European Union (EU) formally approved the
EU-U.S. Data Privacy Framework, a deal under which the EU
recognizes the U.S. as ensuring sufficient protection for
Europeans’ personal data under the EU’s General Data
Protection Regulation. The agreement paves the way to facilitate
the transfer of data between the EU and the U.S. without the need
for additional safeguards and approvals.

U.S. businesses will certify compliance with the framework by
adopting certain privacy principles with respect to, for example,
data collection and retention, and obligations regarding data
security and sharing data with third parties.

The FTC will enforce compliance by U.S. businesses, while EU
individuals can seek redress in a newly created Data Protection
Review Court.

Proactivity is key

While the increasing activity and wide range of international,
federal and state approaches to data privacy protection signals
positive outcomes for individual consumers, it undoubtedly creates
a difficult and ever-changing field to navigate for entities doing
business in the U.S. and abroad—ultimately emphasizing for
organizations that proactivity will continue to be key to
compliance.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
