This document discusses key privacy and data security questions that in-house counsel should address. It covers the current regulatory environment, including the GDPR, CCPA, and Ohio Data Protection Act. It defines important concepts like personal data and data subject rights. It also outlines enforcement mechanisms and penalties for noncompliance, such as fines under the GDPR and private rights of action under the CCPA. In-house counsel are encouraged to understand their company's risks and compliance, have strategies for responding to incidents, and potentially form a privacy or data security committee.
2.
1 What are the legal implications of privacy + data security risks as they relate to your company’s specific circumstances?
2 How is your company assessing + managing privacy and data security risk?
3 What is your understanding of the privacy + data security regulatory environment and how your customers’ expectations could impact your business if there is an incident?
4 What strategies do you have in place to recover from an incident?
5 Does your company need a privacy or data security steering committee or similar group?
3. Key Topics We’ll Cover
Best Practices + Key Questions
Current State of Privacy + Data Security
Basic Nuts + Bolts
4. Current State of Privacy + Data Security in the U.S.
Patchwork sectoral system
Federal schemes focused on industry + unique circumstances
50 different state laws with various breach notification requirements
10. Ohio Data Protection Act (SB220)
Bill passed with bipartisan support and was signed by the governor on August 3rd
Will go into effect November 2, 2018
It is an affirmative defense to certain tort claims
11. Ohio Data Protection Act: What tort claims does it defend against?
Any cause of action sounding in tort brought under the laws of Ohio or in the courts of Ohio that alleges that, “the failure to implement reasonable information security controls resulted in a data breach concerning personal information”
In general, such claims may include negligence and invasion of privacy claims
12. Ohio Data Protection Act: Who can use the defense?
Covered Entities, as defined in §1354.01: a business organized in any state or country that accesses, maintains, communicates or processes personal information or restricted information through one or more systems, networks or services located in or outside of Ohio
13. Ohio Data Protection Act: What does a covered entity need to do?
Create, maintain, and comply with a written cyber security program that reasonably conforms to one of the approved frameworks
14. Ohio Data Protection Act: Is it a silver bullet?
No: SB220 does not provide complete protection in Ohio
May not be used as a defense against claims not brought under Ohio law in courts outside of Ohio, even if they are tort claims
16. GDPR: The concept is not new
In general, many of the concepts existed in the 1995 European Union Data Protection Directive (Directive 95/46/EC), which was replaced by the GDPR
17. GDPR: The concept is not new; the core requirements are different from those in the U.S.
In the U.S. many of our laws focus on providing individuals with notice and obtaining consent
Under the GDPR, the focus is on the individual: data subjects are provided with specific rights
Before personal data of a data subject is processed, you must have a lawful basis
18. GDPR: Who does the GDPR affect?
The GDPR applies to organizations established outside of the EU, if the organization:
offers goods or services to EU data subjects, or
monitors behavior of data subjects in the EU
20. PERSONAL DATA
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Article 4(1)
21. PERSONAL DATA
Any information relating to a data subject
DATA SUBJECT
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
22. PROCESSING
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Article 4(2)
Why is this important?
Before you process personal data, you must have a legal basis
24. DATA SUBJECT RIGHTS
Article 15: Right of Access
Article 16: Right of Rectification
Article 17: Right to Erasure
Article 18: Right to Restriction of Processing
Article 20: Right to Data Portability
Article 21: Right to Object
26. ARTICLE 83: Administrative Fines, “Lower Tier”
or 2% of the total annual turnover of the preceding year, whichever is higher
27. ARTICLE 83: Administrative Fines, “Higher Tier”
or 4% of the total annual turnover of the preceding year, whichever is higher
28. ARTICLES 80 + 82: Private Right of Action
The GDPR provides a private right of action, even in the event of non-material damage for breaches of the GDPR
31. California Consumer Privacy Act of 2018: What is protected?
Personal information is defined broadly
Definition includes identifiers such as real name, alias, address, unique personal identifier, IP address, email address, account name, SSN, driver’s license #, commercial information, biometric information, geolocation data, employment information and much more
32. California Consumer Privacy Act of 2018: Who must comply?
Companies around the world that receive personal data from California residents, AND exceed one of the following requirements:
annual gross revenues of $25 million, or
obtains personal information of 50,000 California residents (or more) annually, or
derives more than 50% of its annual revenue from selling California residents’ PI
34. Fund + Implement New Systems and Processes to Respond to Access Requests
Make available methods for submitting data access requests
Respond to access requests within 45 days
35. Prepare Data Maps/Inventories to Enable Required Disclosures + Updates to Privacy Policies
Privacy policies to be updated to include specific required information
Business must disclose categories of third parties to whom the business sold PI in the preceding 12 months
36. “Do Not Sell” Button
Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business’ Internet homepage enabling users to opt out of the sale of personal information
38. California Consumer Privacy Act of 2018: Civil action penalties
Up to $2,500 per violation, $7,500 per intentional violation
Private Right of Action with prescribed statutory damages between $100 and $750 per California resident, in the event of an incident, where nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure
41. Contacts
David M. Wilson, Director + Chair, Privacy + Data Security Practice
dwilson@keglerbrown.com | keglerbrown.com/wilson | 614-462-5406
Doug Davidson, Director of Information Technology Services
ddavidson@gbq.com | 614-947-5340