Powered by recent privacy laws, lawsuits for wrongful data collection have been rapidly increasing. The result is a growing body of caselaw, many unanswered questions, and a new landscape for companies to navigate.
I recently had the opportunity to discuss the expanding number of wrongful collection lawsuits with several experts at Beazley. Based in Denver, Katherine Heaton is the Focus Group Leader for Cyber Services and InfoSec at Beazley. Amanda Thai is a Cyber TPL Specialist in Beazley’s New York office.
A federal comprehensive privacy law in the United States? Can it really be true? Could this finally be the time it happens?
Eventually, maybe the lion really will lie down the lamb. Maybe the Loch Ness Monster will be located. Maybe Congress will finally join 150+ other countries around the world and pass a comprehensive privacy law. Maybe, just maybe . . .
The United States recently inched closer to this occurrence. I see hope breaking out all over the Twitterverse. The American Data Privacy and Protection Act (ADPPA) advanced out of Committee. This is still an early round in the Squid Game of making a law in this country, but this law might have what it takes. It could go all the way.
I’ve learned not to put too much faith in Congress. I am not going to be Charlie Brown with the football. Back around 2005, after the ChoicePoint data breach, as states all started eyeing California’s breach notification law with envy and started to craft laws of their own, I thought for sure Congress would pass a federal data breach notification law.
But I was wrong. Congress failed. Breach notification was an easy issue for Congress to address – far easier than a comprehensive privacy law which is swamped with a multitude of complicated issues. But maybe this is the time. After all, in the movies the hapless underdog somehow finds a way to win. Sometimes, life imitates the movies, and we all need a feel-good story during these dark summer days.
Grading the ADPPA: Is it Any Good?
The ADPPA bill itself isn’t too bad. In my view, Congress is generally a D student when writing laws, and the ADPPA is a B+.
This cartoon involves a common phishing scam – the inheritance email. For decades, phishers have been sending out the same email scams. One would think that after a while, people would learn about the common scams, and they wouldn’t work anymore. Unfortunately, people keep falling for the same scams over and over again. Even a very low response rate still works for hackers because they send out their email messages so widely.
If you couldn’t make it to my webinar to discuss privacy and innovation, you can watch the replay here. David Keating (Alston & Bird), Ashley Massengale (Porsche) and Nameir Abbas (Okta), and I discussed practical approaches and tips for assessments of new technologies under privacy regulatory standards.
If you couldn’t make my webinar to discuss cross-border data transfers, you can watch the replay here. Justin Antonipillai of Wirewheel, Josh Harris of BBB National Programs and I discussed the new framework between the US and the EU for cross-border data transfers as well as the CBPRs. We also discussed steps that companies should take today and what to expect in the future.
I was invited by Shepherd to list my recommendations for the 5 best books about privacy. Shepherd is a site that posts lists of best books recommended by experts about various topics. It has excellent lists.
I was delighted to have the chance to share my admiration for superb books by Woodrow Hartzog, Danielle Citron, Neil Richards, Anita Allen, and Ari Waldman. There are many other excellent books about privacy, but I was asked to list just 5, so I had to exclude many other very worthy works.
The Law’s Obsessive and Unproductive Focus on Data Breaches
“Too much of the current law of data security places the breach at the center of everything. Turning data security law into the “law of breaches” has the effect of over-emphasizing the conduct of the breached entities while ignoring the other actors and factors that contributed to the breach.” (p. 11)
“Data security law has an unhealthy obsession with data breaches. This obsession has, ironically, been the primary reason why the law has failed to stop the deluge of data breaches. The more obsessed with breaches the law has become, the more the law has failed to deal with them.” (p. 39)
“Breaches are already very costly and painful, so when regulators come along and add a little more to the pain, it often is not a game changer. This is especially true because the penalties are often far smaller than the overall costs of the breach.” (p. 55)
Data Security Is a Delicate Balance
“Current data security rules fail to address risk effectively. In many circumstances, the law penalizes breaches with little regard to considerations of risk and balance. Other times, the law levies no penalty against organizations even though their actions created enormous unwarranted risks.” (p. 12)
Here is a recording of my interview with Jodi & Justin Daniels of Red Clover Advisors with their series, She Said Privacy/He Said Security,
In this interview I discuss how to educate your team on data privacy and security. I also reveal how to lead engaging training sessions on privacy laws, the different types of privacy laws that employees should be aware of, and tips and tricks on personal security and privacy.
Here is the recording of my debate with Prof. Jane Bambauer. We discussed state privacy laws and the pros and cons of the Uniform Law Commissions model privacy law, the Uniform Personal Data Protection Act (UPDPA).