A chat with Shook partners Al Saikali, Colman McCarthy and Camila Tobón about privacy trends to watch in 2022.
A series of chats with Shook's attorneys that discuss current topics in the world of privacy and data security.
00:00.85
Al Saikali
Hello and welcome to Shook's ongoing podcast series exploring legal and business issues impacting national and global companies. I'm Al Saikali and I chair Shook's privacy and data security practice. Ah, today we're going to talk about privacy and cybersecurity trends to watch in 2022. I'm joined today by my colleagues: partner Colman McCarthy, who is a partner in our Kansas City office and focuses his practice entirely on privacy and cybersecurity issues. Colman is an expert in all things California privacy. He is the go-to person for helping companies respond to cybersecurity incidents and help them with incident response. So Colman's on today. Colman, you want to say hi?
00:51.11
Colman McCarthy
Hey to everybody out there on the inner tubes. Thanks for joining us. Hello, hello. Welcome to our podcast.
00:54.61
Al Saikali
All right, that's a radio voice you got there, man. That's really good. Also joining us is Camila Tobón. Camila is a partner in our Denver office and Camila's practice focuses in a number of areas of data privacy law, but she is certainly known to be the go-to person in our firm for all things international privacy. Camila has performed a number of secondments with larger clients of the firm that have given her some wonderful practical insight into how do you apply many of these privacy laws. So Camila, welcome. You want to say hi? All right, great. So let's get started and we'll start with Colman.
01:35.91
Camila Tobon
Hi everyone. Thanks, happy to be here.
01:47.25
Al Saikali
Colman, what, what do you think about the legislative trends, US legislative trends, to watch in 2022? What are you looking at? I know that you've given some of it away on this amazing email that you send out every couple of weeks to in-house lawyers, ah, but, and by the way, anyone who's listening to this who's interested, please contact Colman if you want a really entertaining and informative underground update on all things privacy.
02:13.79
Colman McCarthy
Yeah, well, ah, you know, hopefully just as entertaining and informative on both sides. I like to, prefer to provide minimal substantive content because, you know, we're all tired of reading about legal stuff, but there is some substantive stuff in there and ostensibly it is dedicated toward state privacy legislation, tracking bills that get introduced all over the country, and Al, I have identified a few trends. Um, I have, I have, have no fear.
02:41.30
Al Saikali
Have you now? Please, spontaneously, please share with us those trends.
02:48.55
Colman McCarthy
Yes, yes, it's just out the top of my head here. No, the first one, and one that I'm sure everybody is paying attention to right now, is the introduction of comprehensive privacy bills, you know, along the lines of CCPA, CPRA, the new Virginia and Colorado laws. You know, this is a, ah, trend that we've seen since CCPA came into existence. You know, at first CCPA was basically its own kind of beast because of the ballot initiative process that gave birth to it, and until Virginia and Colorado came along last year and showed us that these laws could be passed through regular order, we were, you know, I was skeptical that we'd see any more. But now that we've seen a couple, I expect, you know, at least 1 to 2 to pass this year, and we've already seen laws that have been prefiled or introduced in this, you know, early here in the legislative session. Plus we see, ah, bills that have carried over from last year's session in states that have carryover, so states that already have bills pending: New York, Washington, Alaska, Indiana, Oklahoma, Pennsylvania, New Jersey, Ohio and of course Florida. Um, and I know, Al, you are on top of all that Florida legislative activity and I'll be sure to throw back to you on that. But I do want to get to the other trends because I love hearing my own voice and I want to continue talking. So, um, the next, the next? Yeah, go ahead.
04:09.78
Camila Tobon
Can I, can I, before you go to your next? Yeah, before you go to the next one, something that I find interesting too, worth mentioning, because this whole pivot, like, to comprehensive privacy legislation as opposed to, like, industry-specific or activity-specific legislation we're used to here in the US, is, um, the notice.
04:25.41
Colman McCarthy
Then.
04:28.82
Camila Tobon
Of the advanced notice of proposed rulemaking by the FTC signaling that they want to put some sort of safeguards and guardrails in place for using personal information. While it's not legislation, it is something that's significant at the federal level in the absence of a federal privacy law, which I think will be really hard to come by.
04:46.38
Colman McCarthy
Is.
04:48.36
Camila Tobon
Um, it seems like the FTC is really focused on these issues as well.
04:51.29
Al Saikali
Yeah, absolutely, and it looks a lot like the New York Department of Financial Services cybersecurity requirements, the NAIC cybersecurity model and model law, and it looks like that, you know, we're seeing regulators kind of come around to some 10 to 15 things that every company needs to be doing on the cybersecurity side. But yeah, I think that's great.
05:14.30
Colman McCarthy
Yeah, no, I think that's absolutely right, and Camila, it's a great point about the FTC becoming more active in the space, given that it's highly unlikely that we'll see a, ah, federal, comprehensive federal privacy law, I think, anytime soon just because of current political realities. Um, but you know, if there's enough activity in other sectors such as, you know, state laws, ah, you know, federal regulators, state regulators, you know, maybe it reaches a critical mass at which point Congress might act. So, but it's a great point that we're seeing stepped-up activity in all sectors, in all areas, right, on this. Going back to the trends. Um, the second trend that I've kind of got my eye out on is state TCPA laws, and I know, you know, whether TCPA is really considered privacy legislation or not, I'd, you know, I'd like to keep on eyeing it because it's at least privacy adjacent, and with last year's Supreme Court decision in the Facebook versus Duguid case, which by the way, if there's ever been a case name that is ripe for some puns and jokes, I, you know, I can't see how that case hasn't generated many so far. I mean, I'm trying to think of some myself but I'm not quite that witty. So anyway, that case really narrowed the federal TCPA, but states have started stepping up into the gap. Florida last year amended its telemarketing law to kind of take over what was given up by the Facebook case, and we also have seen a bill introduced in Washington already, um, that would also kind of cover that kind of activity that, you know, no longer is covered by the federal TCPA. So that's another trend I'm watching, and then finally, ransomware payment bills. Ah, you know, the scourge of ransomware has grown to such an extent that you're seeing states introduce laws that either require reporting if you make a ransom payment or prohibit it altogether. You know, we've seen 2 or 3 state laws or state bills introduced.
They haven't gone anywhere yet. But, you know, considering that ransomware is going to continue to be a huge issue, um, you know, I can see those bills making a comeback. So there's your answer, I.
07:39.59
Al Saikali
Brilliant and concise as always. Um, Camila, maybe tell us a little bit about other areas around the world and regions that you're watching in 2024.
07:50.99
Camila Tobon
Yeah, so I think the EU for sure is a region to watch. I mean, they're essentially setting the baseline, right, internationally? Ah, a lot of the new laws that you're seeing in countries like Brazil and others are patterned on the GDPR. So for sure, EU, a place to watch. I think there's 2 specific areas in the EU. One, the first, is enforcement. So the DPAs in Europe continue to be really active in their enforcement activities, and some of the trends that we're seeing: they're enforcing against companies that, for example, aren't providing adequate notice, so issues around transparency, what they're doing with personal information, how they're using it, who they're sharing it with. Also legal bases for processing, issues surrounding consent. When you're processing personal data about individuals in the EU, you have to have a legal basis for processing. It doesn't necessarily have to be consent. It could be something like legitimate interest. It could be something like necessity for purposes of a contract, but you have to have that documented, and if in particular you're relying on consent, you have to have the consent documented and you have to have the ability for the individual to withdraw it. So we've seen some enforcement around that. Cookies, which aren't specifically a GDPR-regulated issue. The consent piece is, but really cookies are regulated by the ePrivacy Directive, which is implemented in each member state into their national law, and so you can end up with, um, sort of nuanced requirements depending on which country you're in. There's been a lot of activity, particularly by the CNIL, the data protection authority in France, on cookies and consent and adequate use of cookies and obtaining consent for that. And then lastly, also data transfers. Huge issue. Um, the Court of Justice of the European Union's decision in Schrems II sort of upended transfers again. Privacy Shield is gone. Companies are looking to standard contractual clauses.
New clauses came out this summer. Starting September twenty-seventh, companies that are entering into new transfer agreements have to use these new clauses, and so it's essentially a game changer for the contracting and data transfer piece. So definitely those are areas to watch. On the legislation side, also, this is not specifically privacy but privacy adjacent, as we've been talking about, for example, with the TCPA. The, um, Digital Markets Act and the Digital Services Act, which are proposed regulations. They're going to regulate gatekeepers. So think about search engines, social media companies, cloud computing providers, and I think they're going to be.
10:30.69
Camila Tobon
Really significant, and how they're going to regulate these companies, what these companies are able to do with personal information, limiting their ability to aggregate and use personal information collected in different contexts, limiting their ability to offer multiple services, um, to individuals based on, you know, data collected within one and using that data for a different service. So really, those are still a ways away because the Digital Markets Act at least is just entering trilogue negotiations, which can take over a year, but that's definitely something to watch. And if we think about an analog, all that discussion about Section 230 of the Communications Decency Act here in the US, I think that's similar to the Digital Services Act, what's going on there, and so I think these are issues at least for companies, you know, that are operating in the tech space and handling large amounts of customer information. And then another piece of legislation that's privacy adjacent is the draft act on artificial intelligence, and that's trying to put guardrails around AI systems, identifying, you know, requirements for high-risk systems, transparency. We've seen a little bit of movement on that front in the US, I would say mostly in the states and not so much at the federal level, but still, the use of algorithms, do individuals know how their information is being used, the decisions that are being made about them and the impact of those decisions. Those are all things that I think legislatures across the pond and here are struggling with. And this draft act on artificial intelligence, or draft regulation on artificial intelligence, in the EU I think is a good starting point. And then I'll just mention 2 other jurisdictions. Also China passed their Personal Information Protection Law in November. I mean, it became effective in November.
And that imposes significant requirements on companies operating in China. Canada has also, um, seen a lot of activity. Quebec just updated their law and so there's new requirements that are going to take over, you know, in the staggered way in the next two or 3 years. But definitely we're seeing movement in privacy legislation and privacy requirements and enforcement outside of the US, and so if companies are thinking about operating in a new area or undertaking a new project, it's definitely worth taking a look at the specific requirements because they're constantly changing.
12:53.78
Colman McCarthy
Yeah, and I think, I mean, it seems like we have a theme on this podcast, and it's the fact of increasing legislation and legislative efforts that we're seeing. And I know, you know, last year here in the US one of the biggest, um, stories that we had was what was going on in Florida and how close they came to passing a comprehensive privacy law, and we all know, hopefully everybody listening here knows, that Al was right in the middle of all that and has already started blanketing the airwaves with coverage of what's going on currently with Florida introducing new versions of that legislation. So Al'll tell us what's going on in Florida. 1 minute.
13:34.60
Al Saikali
That was such a smooth transition. That was great. Good job. Yeah, so Florida is really sort of a nice microcosm of, I think, generally the South in terms of what we might expect to see. And right now, you know, I guess to sort of recap where things were last year: it ended with a House bill, HB 969, that would have had the most comprehensive privacy law in the United States. It would have created a private right of action that would have applied, ah, to data breaches of not only sensitive information like the CCPA but any kinds of personal information, defined very broadly. And what we've seen now this year, we've got 2 bills: in the House we've got HB 9, and the Senate bill, we've got 1864. Under the House bill, that still includes a private right of action, but it's been dialed back significantly. It's no longer a private right of action for data breaches. But there is a private right of action for a failure of a company to comply with a request to delete or request to correct or request for information about what the company's collecting about the consumer. In that instance, the consumer can seek 100 to seven hundred and fifty dollars per individual and can obtain attorney's fees, and only the plaintiffs can obtain attorney's fees if he or she prevails. So it'll be interesting to see what happens there. One of the things that I'll be pushing for personally, and working with certain contacts on the legislative side, will be obviously to eliminate the private right of action altogether, but assuming. Because that's going to get abused, right? It's going to get abused by the professional plaintiffs that we deal with all the time in privacy legislation, individuals who will start flooding different companies saying delete my stuff, correct my information, and you only got ten days to do it under certain provisions of the Florida law.
If you don't do it, I'm to hit you with a lawsuit right away. And so it's silly, right? And you could end up as a company paying $100 to that person and then an additional, I don't know, thirty, fifty thousand dollars to the person's lawyer who represented them, as they'd be entitled to attorney's fees as well. So, you know, that needs to be removed. Assuming it doesn't get removed, I think that, you know, one of the things that will help it will be adding some right to cure, right? So okay, sorry, we messed up, we didn't delete your stuff within the ten days.
16:13.96
Al Saikali
You've now given us notice. We'll have thirty days and we will do it within that thirty days, and if we don't, then you have your right to sue. So we'll see how that all shakes out, but that's an important point on the House side. And then on the Senate side, we have no private right of action there. It's going to be enforced only by the AG's office. And the law looks very much like most privacy laws that are out there now in the United States, Virginia, Colorado. It's very much like that model. You know, there is something interesting in that it would create a dedicated privacy unit within the Florida Attorney General's office who would enforce the privacy law, and it might then, you know, I don't think that's on many people's radar right now as a potential concern given, you know, who is sort of occupying the Florida Attorney General seat right now. But of course that always changes depending on elections, and that is a tool that could be used pretty aggressively against businesses here in Florida moving forward if that were to remain as part of the law. And then of course you just have the general concern of the cost of compliance with these laws. You know, there are still a number of companies, significant number of companies, here in Florida that don't do business in California or one of these other states, and for them this is going to cost hundreds of thousands of dollars to get into compliance with these laws. So I'll be making all of these arguments, as I am now, to the legislature at some point and in my blog and singing it to the many people who will never listen, but you try, and we'll see how it shapes up in this legislative term. We have until, I think the legislative term ends first week of, I want to say, April, so if it doesn't happen between now and then, then that's it for this year. But last year it came really down to the wire, and I think where this will end up this year is we will see at least 1 if not both houses pass.
You know, the House and the Senate, and then it comes down to sort of, you know, the horse trading, right? Because the House will probably pass one with a private right of action in some form and the Senate will not, and so then the question becomes, okay, well, which one becomes law? And here in Florida, and probably many state legislatures, the answer to that depends on which bill does, which would, like, the Speaker of the House versus the President, the President of the Senate want more, right? Maybe they want a gambling bill and they'll, yeah, I'll take the gambling bill and you can have your privacy law. That's where laws ultimately come out here in the Florida legislative session. So it'll be interesting to watch and see, watch how things unfold here. So I guess just kind of.
18:55.34
Al Saikali
Ending it. You know, last sort of question for the group: any sort of practical advice for our clients or for anybody listening who may be corporate counsel at a company to help them mitigate some of these risks that we've been talking about for 2022? Camila, you want to take the first stab?
19:12.54
Camila Tobon
You sure, I mean, I think the trend is, um, the earlier you think about privacy and your use of personal information, the better. Ah, you know, we've talked about potential more states coming online with comprehensive privacy laws, but not waiting till that moment. Um, I think it's a matter of when, not if, so if you think about these things early on you start building, you know, internal awareness about privacy. So good security posture, policies in place about handling personal information, risk assessment methodologies. Anytime you're going to use sensitive data, for example, or if you're going to undertake a new project, a new use of personal information, what are the risks to individuals? How can those be mitigated? The earlier you think about those things, I think, the better. And a lot of things, um, lot of times we've been working with organizations who want to build scalable privacy programs. So they don't want to be reactive and just say, okay, we're going to build this program to comply with California, Virginia, Colorado, but they want to build something that's more principles based. So we've had a lot of success with the NIST Privacy Framework and helping companies do gap assessments. How can they turn their current procedures into a principles-based program that's more easily scalable as they expand into new jurisdictions or new uses of data? And so just thinking holistically about how information is used, where it's stored, how it's secured, who it's shared with, I think is of a lot of value and something that should have resources devoted to it.
20:52.49
Al Saikali
Colman, what are your thoughts?
20:53.60
Colman McCarthy
I think I'm gonna kind of break with the themes we've had throughout the podcast and dive a little bit more into cybersecurity. Um, my practical advice to entities and people out there is to take ransomware very seriously. Be proactive about the measures that you can put in place to avoid ransomware attacks rather than crossing your fingers that is not going to happen to you. And, you know, cyber insurance is one of those good things to have. Don't rely on that as your ransomware protection, right? Take the steps. Make sure that you have secure backups. You know, a lot of times ransomware crews are going after the backup, so you can restore, make sure your backups are, you know, are secure. Put in place, you know, network monitoring solutions, EDR, XDR, EDR, you know, there are various forms out there. All very helpful. You know, multifactor authentication. Get some training. Business email compromise is also going to be huge again in 2022, and that comes a lot down to human training. So be proactive to protect yourself. Don't think that you're in a good spot. Always continue to strive to be better with your cybersecurity.
22:06.90
Al Saikali
Yeah, that's a great, the, all great points, and I think, you know, just kind of adding real quickly on all of these, maybe data minimization too. I mean, how many times have we seen clients incur, you know, data breaches that would not have been breaches, um, because they never really needed the information that was impacted, the personal information that was impacted. It's just sitting out there and they don't think that either a, they never needed to collect it in the first place, or b, they should have gotten rid of it a while ago. And that comes down to sort of the more global thought of thinking about your data and what you have and what you're doing with it and understanding that, to Camila's point, so that, you know, you know what the laws are that apply to you as well. So no, I agree with all of that. Okay, so last question as we take this home. This is totally unscripted because none of this was scripted anyway. But I'm just saying this is also an unscripted question and nobody knows what you're going to say, and I want to see what you guys say. What is your favorite podcast that you are listening to now or recently?
22:57.78
Camila Tobon
And.
23:07.86
Camila Tobon
Oh my gosh, Sway. Kara Swisher of The New York Times, she has this amazing podcast called Sway. She interviews not just tech people but players, big players in the tech industry, and legislators, and it's a fantastic podcast and it's usually 30 minutes max, so it's easily, you know, you can listen to it on a run, you can listen to it while you're commuting. But I highly recommend Sway from The New York Times.
23:35.96
Al Saikali
All right, Colman, have you, you got one you're listening to? Yeah.
23:40.29
Colman McCarthy
Dad' I like to listen to Risky Biz. I don't know if you've heard about that. But it's, ah, it's a podcast by Patrick Gray, who's an Aussie, and his co-host is Adam Boileau, who's, ah, who's a Kiwi, and they're, you know, they're, ah, you know, old-time hackers from like the '90s, so it mixes, um, you know, current cybersecurity news with a lot of humor. Um, so it's great, fun to listen to but also stay up to date on all the, you know, current stuff, big stuff that's happening and stuff that you haven't even heard of, so.
24:14.20
Al Saikali
So mine is SmartLess. You guys heard of this one? Okay, so SmartLess is hosted by Jason Bateman, Will Arnett and Sean Hayes, and they bring in these most amazing guests, like people, A-list stars and people in the political area, and it's.
24:14.80
Colman McCarthy
Highly recommend it.
24:18.36
Camila Tobon
Um.
24:33.72
Al Saikali
It is the so entertaining. Highly recommended, really good. I mean, it's not a whole lot to do with privacy and data security, but it's really funny. You want, like, to fill half an hour of your day or an hour, these guys are just hilarious. So anyway, those are some 3 great recommendations. Well, guys, thank you so much for your time, and for all of the people who are listening, both of you, thank you for listening and for taking the time to, for, to be, to listen, know our thoughts today, and hopefully look forward to doing another one of these at some point soon. So, thanks, everyone.
24:57.18
Colman McCarthy
As if with it that.
25:07.90
Colman McCarthy
Thanks everybody.
25:08.85
Camila Tobon
Thank you.