and nd Em Emergin rging g Priv ivacy acy Laws Kaylee Cox - - PowerPoint PPT Presentation

▶

Mar 13, 2023 193 likes •320 views

Octo tober r 16, 2019 019 Th The Secur urity ity Im Implications ications of Ne f New and nd Em Emergin rging g Priv ivacy acy Laws Kaylee Cox Bankston on Counsel, Manatt, Phelps & Phillips LLP Liz Heier Director, Global

SLIDE 1

Octo tober r 16, 2019 019

Th The Secur urity ity Im Implications ications of Ne f New and nd Em Emergin rging g Priv ivacy acy Laws

Kaylee Cox Bankston

Counsel, Manatt, Phelps & Phillips LLP Liz Heier Director, Global Data Privacy, Garmin International, Inc. Drew Bagley Drew Bagley, VP & Counsel, Privacy & Cyber Policy, CrowdStrike, Inc.

SLIDE 2

Th The Secur urity ity Im Implications ications of Ne f New and nd Em Emerging rging Privacy vacy Laws

Purpose of Session

This panel will focus on the potential security implications of the new and evolving privacy regulatory frameworks in the U.S. and abroad, including the California Consumer Privacy Act. Panelists will discuss the potential impact of new privacy requirements on data security investigations, business operations, security controls, liability exposure, and more.

SLIDE 3

In Intro trodu duction ction & L Land ndscape scape

Historical U.S. State and Federal legislative activity
Data Security
Data Privacy
Breach Notification
EU General Data Protection Regulation (GDPR) and global impact
Trending: California Consumer Privacy Act (CCPA) (and more states to come)
Emerging standards and common themes
Threat landscape
Nation-state threat actors showing no signs of diminishing
Extraterritorial

Reach

Expanded

Definition of Personal Information

Transparency and

Notice

Data Subject

Rights

Data Security and

Breach Notification

Third-Party

Oversight

Governance and

Risk Assessments

Liability

SLIDE 4

Tr Transparency nsparency and nd Secur urity ity

Definitions of personal

information keep expanding

Data Subject Rights
Access, Deletion,

Portability, etc.

Fiduciary Duties
Proposed laws like the New York Privacy Act would impose fiduciary duties on

any legal entity that collects, sells, or licenses personal data, and defines those duties broadly

Data Processing and Security Disclosures
Privacy Notices
SEC Disclosures
Potential Dichotomy: Transparency and Compliance vs. Security and Risk Exposure

SLIDE 5

Cross

ss-Border

Border Im Impacts cts

Certain data privacy frameworks prohibit transfers of personal data

without lawful transfer mechanisms in place (e.g., SCCs, Privacy Shield Frameworks, BCRs, etc.)

Supervisory authorities may request copies of documentation

associated with these transfer mechanisms for review

Additionally, some data privacy and security frameworks may allow

data subjects to impact how companies use personal data given the increasing availability of data subject rights

Impact on security operations and information sharing

SLIDE 6

Im Impact ct on n Produ

duct

ct Of Offer ferings ings

Emerging privacy and data security frameworks generally attempt to be “technology-

agnostic”

Government entities or industry groups may promulgate non-binding guidance to

assist companies in developing and implementing best practices

For example, in respect of medical devices, the FDA has many resources to help

companies adopt best practices regarding pushing regular security patches to consumers in the world of IoT

Practical effect may impact technological solutions
Supply chain and operational security also play a role

SLIDE 7

Re Reasonable

nable Secur

urity ity

Reasonableness in data security is fluid given the rapid pace of change in information

technology and cyber threats

What is “reasonable” is context-specific and provides companies with options given

their size, complexity, and the nature of their activities and the data they collect and use

Flexibility can also result in subjectivity
Impact on litigation risks
Changes in the threat landscape may also affect how reasonableness is defined
Some states (e.g., Ohio) point to certain recognized security frameworks (e.g., ISO

and NIST) as examples of reasonable data security

SLIDE 8

In Incide ident nt Re Response

nse and

nd Liability bility Ex Exposure

sure
Increasingly, privacy and data security laws grant a private right of action in the

event of a data breach

Some legislative proposals would consider expanding to other privacy violations
Anticipated that plaintiffs’ lawyers will continue to challenge companies and

directors in data breach litigation (e.g., assertions of breaches of fiduciary duty and corporate negligence)

GDPR enforcement is ramping up with two significant fines announced this summer:
British Airways – €204,600,000 ($222,917,838)
Marriott – €110,390,200 ($120,273,435)
Approximately 22 enforcement actions with varying fines announced by various

supervisory authorities in the last 4 months alone

At the Congressional level, we see attempts to place liability at the executive level

along with board oversight requirements

SLIDE 9

Go Governa ernance nce

Challenges exist regarding how to address privacy and data security

issues as a top line risk and ensure directors and executives fulfill applicable fiduciary duties under U.S. and international law

Continuing uncertainty in boardrooms and executive suites exists as to

what risk means for individual directors and executives

Allocation of duties
Resource management and investment
“Cybersecurity is a team sport”

SLIDE 10

Ta Takeaway aways

Emerging trends in privacy and data security frameworks
Legislative considerations
Role of security versus privacy
Top tips for companies in a constantly evolving and potentially conflicting

legal environment?

SLIDE 11

Q&A

Questions?

SLIDE 12

Que uestio stions ns + Conta ntact ct

Kaylee Cox Bankston

Counsel Manatt, Phelps & Phillips, LLP kbankston@manatt.com Liz Heier Director, Global Data Privacy Garmin International, Inc. liz.heier@garmin.com

Drew Bagley

VP & Counsel, Privacy and Cyber Policy CrowdStrike, Inc. drew.bagley@crowdstrike.com