Countdown to Data Privacy Day 2022

January 19 - January 28, 2022

World Data Privacy Day 2022: The Importance of Data Privacy in an Increasingly Digital and Remote World 

January 28, 2022

By: Cybersecurity and Data Privacy practice

Today is World Data Privacy Day, an international event aimed at raising awareness about data privacy and protection. At Bond, we are celebrating by prompting dialogue about changes in the legal landscape of data privacy, encouraging compliance efforts and promoting best practices for the protection of data. We have been counting down the days to World Data Privacy Day by highlighting relevant data privacy matters around the world including new or amended U.S. state privacy laws, the sharp increase in class action data privacy litigation, privacy risk mitigation in vendor contracts and in mergers and acquisitions, the intersection between HIPAA laws and general data privacy, New York State Education Law §2-d and China’s new Personal Information Protection Law (PIPL). For more information on these topics, see below.

With the increased risk of cybersecurity incidents coupled with new and evolving domestic and foreign data privacy legislation, having a comprehensive data privacy compliance plan is key to keeping up with the rapidly evolving landscape in the data privacy and cybersecurity world. Given the shift to a remote work environment due to the COVID-19 global pandemic, data privacy and cybersecurity will become even more relevant to all people and businesses in 2022. 

2022 is likely to give rise to more data privacy laws and may be a year in which the world sees more enforcement and greater penalties for violations of data privacy protections. Additionally, cybersecurity incidents, breaches and ransomware attacks are increasing at an alarming rate, and with them, the costs associated with such attacks. This is especially true in light of the parallel shift in challenges to obtaining effective cybersecurity insurance. All people and businesses should be aware of the significant risks associated with cybersecurity attacks and the compliance efforts recommended to help reduce those risks.

In observance of World Data Privacy Day, it is an ideal time to take stock of your data privacy and cybersecurity practices. Bond attorneys assist and advise clients with an array of data privacy and cybersecurity matters. With attorneys who have extensive knowledge in different facets of these critical issues, our clients have the benefit of deep industry experience in a wide variety of contexts. 

For more information regarding the laws mentioned above or the specific compliance efforts businesses should be taking, please contact any attorney in the Cybersecurity and Data Privacy practice.

 

Higher Ed’s New GDPR: What Your Institution Needs to Know About PIPL

January 27, 2022

By: Amber L. Lawyer and Shannon A. Knapp

Higher education institutions have become all too familiar with the extraterritorial approach of international privacy laws. When the European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, higher education institutions were heavily impacted and had to quickly adjust and implement various compliance mechanisms. Just as the dust has settled on GDPR, China has passed its own comprehensive privacy law, the Personal Information Protection Law (PIPL). These institutions should take note of PIPL’s applicability and of certain steps to comply with this new law. For additional background information on PIPL, please visit our previous post summarizing the new law before it went into effect.

How does PIPL apply to higher education institutions? 

PIPL went into effect recently, on Nov. 1, 2021. Like GDPR, PIPL is a national law with extraterritorial scope, meaning it applies to entities doing business both within and outside of China that process personal information on natural persons within the territory of China. PIPL’s objectives are to protect the rights and interests of individuals, regulate personal information processing activities and facilitate reasonable use of personal information. Higher education institutions may be subject to PIPL if they process personal information of Chinese residents for the purposes of (i) providing products or services to individuals in China, (ii) “analyzing” or “assessing” the behavior of individuals in China, or (iii) as provided in Article 3 of PIPL, other purposes to be specified by laws and regulations. As a result, any higher education institution that, for example, obtains admissions applications from Chinese citizens while the individual is located in China, conducts recruitment in China, responds to requests for information from individuals located in China, conducts research using data from Chinese citizens (that is not anonymized) or works with Chinese academic institutions or organizations may potentially be implicated by PIPL.

What is the definition of personal information? 

The law defines “personal information” broadly as all information related to identified or identifiable natural persons, but makes it clear that anonymized data does not trigger PIPL. Like GDPR, there are also sensitive information categories that require additional safeguards, which may include medical, financial or location information. When processing this type of data, higher education institutions will likely be required to obtain an individual’s informed consent.

Does PIPL require a lawful basis for processing?

Yes, like GDPR, PIPL requires institutions to justify their data processing via certain enumerated lawful bases. However, unlike GDPR, PIPL does not provide a “legitimate interest” catchall as a lawful basis for processing personal data. Overall, PIPL appears to be a more consent-driven regulation than GDPR and requires individual and specific informed consent for numerous processing activities. PIPL’s definition of consent is very similar to GDPR’s: consent must be informed, freely given, demonstrated by a clear action of the individual and capable of being withdrawn.

Are there fines for noncompliance with PIPL? 

PIPL includes substantial fines for noncompliance. Failure to comply with this law could potentially result in steep fines of over $7 million or up to 5% of your organization’s annual revenue for the previous fiscal year. PIPL also contemplates individual liability. Further, like GDPR, there is a private right of action for individuals. Therefore, if your higher education institution processes data of individuals located in China, taking critical steps to comply with PIPL is essential.

Has there been any further information about PIPL since it went into effect? 

There are still many unanswered questions about PIPL that will be answered in the coming months and years. However, looking to other laws in China may give some guidance on PIPL compliance. PIPL is the newest law regulating personal information, but it will likely function in combination with portions of two other existing laws, the Cybersecurity Law (CSL) (effective since 2017) and the Data Security Law (DSL) (effective since Sept. 2021). At the end of November, the Cyberspace Administration of China (CAC) published draft regulations for public comment on Network Data Security Management. Once effective, the draft regulations will impose even greater compliance obligations on PIPL-covered entities, including strict data breach reporting obligations, record retention obligations and compliance reporting.

What action(s) should your organization take?

Although there are still unanswered questions concerning PIPL, there are a number of steps that higher education institutions can take toward compliance. As a first step, institutions should identify students who may be affected by this new law. In addition, institutions should update their public-facing privacy policies to include the necessary disclosures under PIPL, update internal policies and procedures concerning consumer requests, secure transfer and processing, etc., and update their vendor contracts. Lastly, because consent is imperative to compliance with PIPL, institutions should develop consent mechanisms and implement them as soon as possible.

For more information regarding China’s Personal Information Protection Law and to discuss compliance efforts businesses should be taking, contact Amber Lawyer, CIPP/E, Shannon Knapp, CIPP/US or any attorney in the Cybersecurity and Data Privacy practice.

Thank you to Associate Trainee Hoda Moussa for her help drafting this information memorandum. 

 

Why it is Time to Update Your Privacy Policy

January 26, 2022

By: Shannon A. Knapp

In Bond’s January 25 Business in 2022 Webinar, cybersecurity and data privacy attorney Shannon A. Knapp, CIPP/US, recorded a short video discussing the importance of privacy policies given the rapidly changing data privacy legal landscape and consumers’ increased online presence.

Over the last couple of years, important consumer privacy laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have been passed and gone into effect. Such laws have influenced other states and countries to follow suit with their own comprehensive consumer privacy laws. Although there is no general federal law that requires privacy policies, they are highly encouraged by the FTC and have become a standard feature of a legitimate commercial website, and many industry-specific federal laws such as the Gramm-Leach-Bliley Act (GLBA) require certain information disclosures. All these laws have resulted in increased obligations for organizations, and a privacy policy is one of the most important compliance and notice mechanisms to develop.

Privacy policies are not a one-size-fits-all document and should be drafted to comply with each organization’s particular practices. Important information that is required to be in a privacy policy includes: notice about what information is being collected, how it is being collected (such as through voluntary disclosure or through automated means such as cookies), how the information is used, whether the information will be shared and why, how the data is protected, and ways to opt out of such practices. It is also important to include the organization’s contact information for consumers to use when they have questions or requests about their personal data.

If you have any questions about the information presented during the webinar, please contact Shannon Knapp, CIPP/US, or any other attorney in Bond’s Cybersecurity and Data Privacy practice.

To view this webinar in its entirety, or to sign up for Bond’s weekly COVID webinar series, click here.

 

CMS Tool for HIPAA Compliance

January 26, 2022

By: Gabriel S. Oberfield, Esq., M.S.J.

The pandemic has accelerated the U.S. healthcare system’s ascent into the digital age, and privacy standards are along for the ride. Recognizing this, the Federal Centers for Medicare and Medicaid Services (CMS) of the U.S. Dept. of Health and Human Services recently promoted a tool and related refreshed resources to help organizations and individuals determine whether they are a Covered Entity (CE) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). (A reminder: a CE is subject to HIPAA regulations.) The tool has particular salience in relation to HIPAA’s standards for electronic transactions.

Early in January 2022, CMS republicized a decision-tree template, the “HIPAA Covered Entity Decision Tool,” to help health care providers and organizations determine whether they are a CE under the law. This resource is replete with hyperlinks intended to provide practical direction on whether an entity’s activities rise to the level of electronic health care transactions contemplated under the HIPAA standards. The tool walks users through hypotheticals intended to identify whether they (whether providers, clearinghouses or health plans) fall inside or outside of HIPAA. For those of a certain age (including this writer) who may remember the popular “Choose Your Own Adventure” book series targeted to middle schoolers during the 1980s and 1990s, the tool similarly relies upon the reader to make selections that drill the user downward to the final answer: here, whether the user is a CE under the circumstances presented.

We encourage Bond clients operating in the healthcare space to familiarize themselves with the tool, to view a recent Bond Health Law Outlook on the larger HIPAA regulatory environment in the context of the pandemic, and to take stock of the broader healthcare data privacy environment and its regulatory overlay. This is especially important when (as Bond recently reported) ransomware attacks are on a rapid rise in healthcare settings, and cybersecurity is of such prominence that it even has profound implications for global peace.

If you have any questions about the information presented in this memo, please contact Gabriel S. Oberfield, any attorney in our Health Care practice or the attorney at the firm with whom you are regularly in contact.

 

What's on the Horizon? 2022 State, Federal and International Data Privacy Action

January 25, 2022

By: Fred J.M. Price

The momentum for state legislation concerning consumer data privacy is at an all-time high. Data privacy regulation continues to evolve dramatically to keep up with developments in technology and the surge of online activity. Since the California Consumer Privacy Act (CCPA) was enacted in 2018, an increasing number of state legislatures have followed suit by proposing similar legislation aimed at protecting consumers in their states. 

At least 38 states introduced more than 160 consumer privacy-related bills in 2021, compared to 30 states in 2020. A more comprehensive approach to privacy regulation was a common trend and was introduced in at least 25 states. Heading into 2022, there are now three states with comprehensive consumer data privacy legislation. Virginia and Colorado followed California’s lead by enacting Virginia’s Consumer Data Privacy Act (VCDPA) on March 2, 2021, and the Colorado Privacy Act (CPA) on July 8, 2021, respectively. The CCPA, VCDPA, and CPA share similar provisions that expand consumer rights to access, correct, delete and obtain a copy of personal data provided to or collected by a company. They also provide the option to opt out of the processing of personal data for purposes of targeted advertising, sale or profiling of the personal data. Each state varies in certain provisions such as exemptions, opt out rights and other aspects. Virginia’s and Colorado’s new data privacy laws reflect the growing trend among states to enhance consumer privacy protections. 

2022 will likely see a continued upward trend in data privacy regulation enacted here in the U.S. and abroad. The COVID-19 pandemic continues to increase business and non-business online activity, forcing many legislatures to consider the need for stricter and more comprehensive data privacy regulations.

At least 15 state legislatures are poised to consider comprehensive consumer privacy legislation in 2022 with lawmakers in Arizona, Connecticut, Florida, Minnesota, Mississippi and Washington confirming they will be introducing bills. Additionally, Maryland has pre-filed a privacy bill and eight other states have bills that will carry over from the 2021 session. 

At the federal level, efforts to pass privacy legislation have been ongoing for years. Dozens of proposals for a comprehensive federal law that governs data privacy in the U.S. have worked their way through the halls of Congress to no avail. Numerous legislators from across the aisle have worked together on legislation addressing all facets of privacy, including individual rights and business obligations, special protections for sensitive information, access to records by law enforcement and emerging technologies such as facial recognition and artificial intelligence. Congress, industry, civil society and the White House have all taken steps toward the creation of a U.S. federal privacy law. It is still very much in question what this law will look like or if and when it will even happen; however, it is looking more likely that a federal law could be enacted.

Although the U.S. has yet to implement national legislation, there has been movement at the federal level to recognize the importance of privacy and data protection. Since 2017, the U.S. General Services Administration (GSA) has implemented data privacy related training in its annual requirements for federal contractors. The training covers GSA’s policies on protecting Personally Identifiable Information (PII). The GSA requires all employees and contractors to complete privacy and security awareness training upon employment and each year thereafter. The Federal Trade Commission (FTC) has exercised its broad enforcement power and authority to regulate on behalf of consumer protections by pursuing privacy and data security cases in myriad areas, including against social media companies, mobile app developers, data brokers, ad tech industry participants, retailers and other companies. Moving forward, the FTC is focusing its efforts on improving the agency’s effectiveness at protecting Americans’ privacy. The FTC has even put forth proposals to increase its budget, resources and personnel in an effort to perform as the country’s de-facto privacy regulator. 

Outside the U.S., there has been an increase in ambiguity surrounding international data transfers by entities subject to the GDPR. On Nov. 19, 2021, the European Data Protection Board (EDPB) published draft guidelines on the interplay between the GDPR’s territorial scope and its international transfer provisions. The guidelines aim to assist organizations subject to the GDPR in identifying whether a data processing activity constitutes an international data transfer under the GDPR, as the GDPR does not define the term. The new guidance includes a three-part definition of what constitutes an international data transfer as the EDPB interprets it under the law. The facets of the definition include identifying whether the processing activity falls under the GDPR, an exporter-to-importer transmission and the geographical location of the importer. The guidelines provide some clarity on international data transfers; however, the EDPB has raised questions by requiring transfer mechanisms for onward transfers of personal data that originate in the European Economic Area (EEA) but take place outside the EEA, for example by a U.S. company to its U.S. processors. Even where there is no “transfer” under the draft guidelines, the EDPB effectively requires an assessment of the risk of government access to European personal data, including any need to implement additional measures. The guidelines are currently under a longer-than-usual consultation period until Jan. 31, 2022.

The Austrian Data Protection Authority (DPA) recently issued a decision that the use of Google Analytics violates the GDPR. The DPA ruled that in providing the Google Analytics service, the company collects and transfers personal data to the U.S. while failing to protect it from U.S. government surveillance. The DPA determined that configuration options for customers, such as truncating IP addresses, are insufficient to prevent re-identification, potentially by Google or the U.S. government. The decision also determined that supplementary measures implemented by Google, including government access transparency reports and encryption of data, were insufficient. The DPA’s decision could have far-reaching implications if other EU regulators take the same view, since similar issues would then arise with many other services provided by entities outside of the EU, especially those in the U.S.

The need for data privacy continues to be recognized across the globe, and the progression toward greater privacy and data-related laws is only gaining speed. For more information or guidance concerning any of the topics above, please contact Fred Price or any one of our attorneys in the Cybersecurity and Data Privacy practice.

Thank you to Associate Trainee Gianelle Duby for her help drafting this information memo. 
 

Buyer Beware: Privacy and Cybersecurity in M&A Transactions

January 24, 2022

By: Elizabeth L. Lehmann

The mergers and acquisitions market is hot. But with the increasing number of data breach incidents and the ever-growing list of new privacy laws, it is crucial for a buyer to do its homework to identify the privacy and cybersecurity vulnerabilities of its target.

Due diligence is critical. There may be a host of data implications for all types of companies, including manufacturers, service providers and distributors, that may not be entirely obvious from the outset. As a baseline, a buyer should request from the seller information such as: a description of the data security infrastructure; the categories of personally identifiable information (PII) collected and descriptions of the practices regarding the use, collection, transfer, storage and sharing of PII; and all policies related to the collection of data in jurisdictions that have data privacy laws.

Once the scope of data collection and its use by the target is understood, it may impact the transaction structure. If due diligence identifies privacy and cybersecurity vulnerabilities of the target, a buyer may shy away from acquiring the target’s shares or membership interests due to the potential risk involved with thereby acquiring all of the liabilities of the target. An acquisition of the target’s assets will likely be preferable in that instance, because the transaction can be structured to limit target liabilities assumed by the buyer. For example, a buyer could acquire only relevant technology and not acquire any data or customer contracts that may implicate data security and privacy liabilities. A buyer also may negotiate terms and conditions in the definitive agreement to provide adequate protection, such as an escrow or holdback. Finally, good due diligence enables a buyer to determine the terms of sale and use, and privacy and other policies, that it should adopt post-closing.

In sum, while data security and privacy may not always be at the forefront of a deal, buyers should be aware of the potential risks to avoid any future liabilities attributable to the misuse of their predecessor’s data.

For more information or guidance concerning any of the topics in this information memo, please contact Elizabeth Lehmann or any attorney in Bond’s Mergers & Acquisitions practice.

 

New York State Education Law § 2-D: Where Are We Now?

January 21, 2022

By: Kristin Warner

Two and a half years have now passed since the New York State Board of Regents put regulations implementing New York State Education Law §2-d into effect. Since then, educational institutions across the state have faced many difficulties ensuring that their technologies, safeguards and practices align with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and that their third-party vendor contracts comply with this multifaceted data privacy law. Education Law §2-d applies to school districts, charter schools, universal pre-K providers and BOCES. It also applies to special education schools that have contracted with the NYS Education Department or local school districts.

Under Education Law §2-d, educational institutions must protect students’ personally identifiable information (PII) by ensuring that the use and disclosure of PII benefits students. It also prohibits the inclusion of PII in public reports or other public documents. Schools are also now required to use industry standard safeguards and best practices, such as encryption, firewalls and passwords to ensure data privacy and security. 

In addition, schools must publish a Parents’ Bill of Rights for Data Privacy and Security (Bill of Rights) on their website and include it in all third-party contracts where the third-party contractor will receive student data or teacher or principal data. This Bill of Rights sets forth the rights a parent (or eligible student if over 18) has with regard to their child’s data. Included among these rights are that: data will only be disclosed as necessary to achieve educational purposes; data cannot be sold or released for commercial purposes; the parents have the right to inspect, review and correct their child’s education record; parents have the right to make complaints about possible breaches and unauthorized disclosures by filing complaints to the School or directly to the State Education Department; and parents have a right to be notified if a breach or unauthorized release occurs. 

Education Law §2-d is also triggered when an educational institution contracts with a third-party contractor for a service where that third-party will receive student data or teacher or principal data. “Student data” is defined broadly as PII. This includes, but is not limited to: the student’s name, address, personal identifiers such as social security number or school ID number, date or place of birth, mother’s maiden name, special education status, etc. However, “teacher or principal data” is more narrowly defined as PII relating to their annual professional performance reviews (APPR). Supplemental information must be included in every third-party contract where data is exchanged that spells out: the purpose for the data disclosure, how the data will be handled after the contract’s termination, what training will be provided to employees regarding data privacy, how the data will be protected, etc. 

In addition to contractual obligations and data privacy concerns, other tangential aspects of daily school practices and procedures have been affected by Education Law §2-d in a rather unforeseen manner, for example the handling of Freedom of Information Act requests. The federal Family Educational Rights and Privacy Act (FERPA) allows for the disclosure of certain types of PII, without parental consent, that have been classified as “directory information.” Directory information includes information such as a student’s name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports and dates of attendance. Schools in New York were previously able to disclose this information without parental consent so long as they gave public notice of the types of information they had designated as “directory information” and allowed parents or guardians to opt out of disclosure. Prior to Education Law §2-d, if a parent or guardian did not opt out of disclosure, schools could disclose directory information in response to FOIL requests and other standard information requests, such as media inquiries regarding sports events. However, guidance issued by New York State following the implementation of the §2-d regulations suggests that this may no longer be the case for all inquiries. These inquiries should be examined on a case-by-case basis. In instances where a school can show that disclosure of a student’s directory information in response to an information request, such as a media inquiry, would benefit the student and the school district, then disclosure is likely permissible. While not an easy process, over the past two and a half years, schools and their vendors/contractors have become much more adept at recognizing the potential dangers of a data incident or breach and are working to minimize the possibility that a student’s data will be compromised.

If you have questions about the topics referenced in this memo, please contact Kristin Warner, any attorney in Bond’s School Law practice, or the attorney at the firm with whom you are regularly in contact. 

 

Your Privacy New Year’s Resolutions: What You Need to Know for 2022

January 20, 2022

By: Amber L. Lawyer and Shannon A. Knapp

To kick off the countdown to World Data Privacy Day, we want to provide businesses, organizations and individuals with a few important reminders going into 2022. With the increase in data privacy laws and enforcement, data privacy best practices should be imperative New Year’s resolutions for organizations. Here are some important statutory and regulatory privacy issues and topics that businesses should keep in mind heading into the new year:

CPRA Lookback

Although the California Privacy Rights Act (CPRA) does not officially go into effect until Jan. 1, 2023, its lookback period began on Jan. 1, 2022. As a reminder, on Nov. 3, 2020, California voters approved Proposition 24, also known as the CPRA, which was designed to supplement and amend the California Consumer Privacy Act (CCPA). Under the CPRA lookback period, data collected during 2022 is subject to the terms of the CPRA starting in 2023. This means that any personal information your business collects throughout 2022 must be in compliance with the CPRA as of Jan. 1, 2023 if you intend to use it from that point on, and businesses must disclose it in response to a consumer right-to-know request. As a result, all covered businesses should bring their policies and collection practices into compliance with the CPRA as soon as possible.

Biometric Information Privacy Act 

Over the last couple of years, class action lawsuits under the Illinois Biometric Information Privacy Act of 2008 (BIPA) have steadily increased and continue to bring about groundbreaking data privacy litigation. BIPA was the first law of its kind, and comprehensively regulates businesses’ collection of biometric data. An important component of BIPA is its broad private right of action, which allows “any person aggrieved by a violation of [the] Act” to sue for large damage amounts as well as fees, costs, injunctive and other relief. Between its passage and August of 2021, this private right of action enabled over 750 class action lawsuits to be filed across federal and state courts, which have led to substantial settlement amounts. In 2022, there will likely be an increase in class action filings under BIPA, specifically concerning biometric information collection as part of COVID-19 health screenings. Recent litigation has expanded individual rights as well, including on issues involving statutes of limitations and evidentiary standards. As a result, businesses are facing greater exposure to liability for failing to follow BIPA’s requirements.

BIPA requires any private entity in possession of biometric information to: (i) develop a written policy; (ii) inform the owner of the biometric information in writing about the purpose for collecting the information and the length of time it will be stored; (iii) obtain written consent for the collection and storage of the data; and (iv) refrain from selling, leasing, trading or otherwise profiting from that biometric information.

So far this year, Maryland, Massachusetts, Kentucky, and West Virginia are considering their own BIPA-like biometric privacy legislation. Given the increased BIPA litigation and biometric privacy law legislative trends developing in other states, businesses should ensure they are in technical and procedural compliance with BIPA provisions as soon as possible. 

Massachusetts Written Information Security Plan

When an entity experiences a data breach, important lessons are often learned too late. The 2010 Massachusetts data security regulations require every entity that owns or licenses personal information about Massachusetts residents to implement a written information security plan (WISP) that helps safeguard such personal information. Despite this requirement, many covered entities, especially those that do not have a physical presence in Massachusetts, only learn about these regulations when they experience a data breach.

Although the WISP requirement is not new, Massachusetts amended its data breach notification law in 2019 to require businesses to report their WISP status at the time of the breach to the Massachusetts Attorney General. Since Massachusetts does not have a threshold limitation for Attorney General data breach reporting obligations or for the implementation of a WISP, a business wholly located outside of Massachusetts that maintains even a small amount of residents’ data could be subject to these requirements. Failure to maintain a WISP could lead to increased fines and enforcement penalties for covered businesses. 

Massachusetts is not the only state that requires a WISP. As of 2021, numerous other states including Rhode Island, Texas, California and Oregon also had WISP requirements. Given this increased risk of liability, covered businesses should make it a priority to develop, implement and maintain a WISP that complies with Massachusetts’ strict data security regulations. 

Privacy Risk Mitigation of Vendor Contracts

Vendor risk management helps ensure that third-party vendors, products and services do not disrupt an organization’s services or cause financial, reputational or other damage. Many businesses outsource at least part of their services to third-party vendors. As a result, these vendors have access to intellectual property and other sensitive information, including personal information of employees, customers, students or others. As vendors gain greater access to important and sensitive information, a business’s exposure to reputational, operational, legal and cybersecurity risk multiplies. Ensuring that the contractual relationship between the parties delineates required compliance mechanisms and data protection safeguards is essential to managing these risks. Given the rise in cyberattacks and the expanding regulatory landscape of data privacy, it is imperative to review and revise vendor contracts to ensure data protection safeguards are incorporated into agreements. 

Vendor contracts frequently include provisions that allocate the majority of risk to the vendor’s business partner. This includes placing the majority of the cost and risk of a data breach, and of privacy compliance obligations, on the business. These agreements typically include disclaimers for breach damages and limitations on liability for privacy and cybersecurity losses. Businesses should take extra precautions when reviewing vendor agreements and should develop standard data privacy and security terms to ensure vendors sufficiently protect data. Importantly, vendor contracts should address reporting and response obligations in the event of a cybersecurity incident, including allocation of cost and responsibility for handling any resulting liability. Businesses should also review their cybersecurity insurance policies regarding required vendor diligence and risk assessment. Addressing these risks upfront can lower privacy and cybersecurity risks and streamline compliance efforts moving forward. 

For more information or guidance concerning any of the topics in this information memo, please contact Amber Lawyer, CIPP/E, Shannon Knapp, CIPP/US, or any attorney in Bond’s Cybersecurity and Data Privacy practice.

Thank you to Associate Trainee Dustin Dorsino for his help drafting this information memo. 


1 740 ILCS 14/1, et seq.

Countdown to Data Privacy Day 2022

January 19, 2021

By: Cybersecurity and Data Privacy practice

World Data Privacy Day is an international event that occurs each year on January 28. This event is aimed at raising awareness and promoting best practices related to privacy and data protection. The date commemorates the Jan. 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. The celebration of World Data Privacy Day encourages individuals and businesses to become more aware of the rights and responsibilities associated with data privacy. 

Given the growing digital presence in the modern world, particularly in light of the COVID-19 pandemic, privacy and data protection are relevant to all businesses—no matter the size. The ever-changing data privacy legal landscape influences the way we think about, collect, use and safeguard data. Few, if any, areas of the law have changed and developed as rapidly as data privacy over the last few years. Staying up to date on these new and amended laws and regulations is essential to ensure compliance and best practices. 

The attorneys in Bond’s Cybersecurity and Data Privacy practice are committed to providing comprehensive and practical advice to our clients, while staying up to date on the data privacy landscape. We will be counting down the days to World Data Privacy Day by providing you with relevant information on various data protection matters. This campaign will feature information memoranda, articles, webinars and podcasts dedicated to highlighting relevant data privacy topics. Look out for more information from our group, including information relating to: the importance of privacy policies; what’s on the horizon for privacy; Education Law §2-d; HIPAA; privacy risk mitigation in vendor contracts; China’s new Personal Information Protection Law (PIPL); privacy risks in mergers and acquisitions and so much more. As we count down the days to World Data Privacy Day, there is no better time to assess your organization’s privacy and data protection policies and procedures. The attorneys at Bond are equipped with the industry experience to assist you in this process.

For more information regarding the information above or the specific compliance efforts businesses should be taking, contact any attorney in Bond’s Cybersecurity and Data Privacy practice.