Friday, June 12, 2015

News Flash!!! Congress Enacts Privacy Legislation

We can all breathe easier now that Rand Paul has finally stopped talking.

On June 2, Congress passed the USA Freedom Act (the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act). The National Security Agency (NSA) will no longer be in the business of the massive collection of telephone metadata (the collection of phone numbers and date/time of calls, not content) that had been authorized under the U.S. Patriot Act. Legal authority for the bulk collection by the NSA of such phone data expired on June 1, 2015.

The USA Freedom Act represents a rare collaboration, with support from the most liberal Democrats as well as conservative Republicans. It allows the NSA to continue such bulk collection of our phone metadata in the name of national security for six more months. Telecoms, such as Verizon and AT&T, will then be required to collect and retain this data unless and until requested by a court order.

I feel much better knowing that the NSA will not maintain a record that I called my mother’s dentist this morning to confirm her 7:00 am appointment. And I feel no less safe allowing AT&T to hold on to this information for national security purposes. Way to go, Congress.

So now that my privacy rights have been restored and our spying and intelligence-gathering capabilities have not been compromised, Congress can focus on privacy legislation important to the business community, such as passing a federal data breach notification law.

Not likely. Ten years ago Senator Patrick Leahy (D-VT) first introduced federal breach notification legislation, and each year bills have been introduced and considered. But nothing has passed.

While Rand Paul, Edward Snowden, and other privacy advocates may find some vindication in the USA Freedom Act, the reduced role of the NSA has probably not been a key agenda item at corporate meetings.

When faced with a data breach, a business must immediately respond to the breach as well as navigate a patchwork of federal and state data privacy and security laws and regulations. A decade of proposed federal legislation has failed to enact a comprehensive data breach notification law and Congress has yet to make life any easier for a business responding to a data breach.

Corporate directors and officers have, however, taken notice of the increase in data breaches. Privacy and data security issues have moved from the server room to the board room. Businesses facing Chinese, North Korean, Russian, and other foreign and domestic hackers are looking for more—not fewer—tools to prevent nefarious activities on the World Wide Web and to protect against potential data breaches. They worry about the real impact of a data breach on their business and their potential exposure to damages and liabilities.

In today’s world, it is not a matter of if your business will be faced with a data breach but when and how often. No need to tell Target, Home Depot, or Sony how damaging a data breach can be. Computer forensics, legal, and public relations costs can be excessive and have a serious impact on the bottom line.

So while the business community waits for Congress to pass meaningful data privacy and security legislation, a business should take steps to mitigate the risks and costs related to a data breach, including:
  • Appoint a person to manage privacy compliance and a board committee to focus on data protection
  • Adopt a data security plan tailored to the company’s risk profile
  • Hold information and training sessions to increase privacy awareness at all corporate levels
  • Create an incident response team and plan to be ready in the event of a data breach
  • Review insurance coverage regarding security incidents and data breaches

By taking such proactive measures and demonstrating attention and care to privacy and data security matters, a business can be better prepared for a data breach. The business will also be better positioned to defend itself against any government investigation or lawsuit challenging the efforts made by the business to implement adequate data security.

And someday—we hope—we will finally have a comprehensive federal data breach notification law.
