Data Privacy Law: Not Just For the Big Guys


By Peter McClelland

As we begin the new year, data security and privacy law are definitively in vogue. Between Russia’s social media campaigns,[1] renewed tensions with China that include its industrial cyber theft operations,[2] breaches at major U.S. companies like Equifax,[3] Facebook,[4] Yahoo,[5] and Marriott,[6] and the unending barrage of privacy policy updates that the European Union’s General Data Protection Regulation (“GDPR”) has spurred,[7] cybersecurity and privacy issues can justifiably jump to the top of the list of issues lawyers need to address as soon as possible. And that urgency comes even before the technology skills gap is taken into account: at the time of this posting, only Florida and North Carolina require lawyers to have technology training as part of their continuing legal education.

The NCBA’s Board of Governors has approved the Privacy and Data Security Committee’s application to become a full-fledged NCBA Section. Find more about the Section and how to join here.

The situation has improved from just a few years ago. Many of the organizations with the most sensitive industrial data have made real improvements to their security procedures, and the National Institute of Standards and Technology has given them the tools to mitigate the risks going forward. However, while many major industries and businesses are making real progress in securing their systems, the supply chains of these larger industry participants are likely to face significant threats. These supply chains consist of distributed networks that can span multiple jurisdictions and coalesce in the production of a larger entity’s goods or services. As such, supply chains in the United States tend to consist of smaller businesses, and the security of the information held by those businesses will affect downstream industries. Therefore, the threats to these supply chains and their impacts on the larger economy are great enough that the Department of Homeland Security has launched a Task Force[8] to shore up a lingering and major vulnerability.[9]

The problem with supply chains is that it is rare for an entity to fully control its supply chain, yet supply chains are ubiquitous. For manufacturers, any given input may come from a different source, creating the traditional supply chain. But for finance companies, consumers themselves are often part of a type of “supply chain.” For other service providers, their supply chains often include software companies, cloud service providers, and computer manufacturers at a minimum. If systems are compromised at any of these “links” in the supply chain, it may not matter that the big companies poured thousands of man-hours into shoring up their own systems: a breach may occur just the same. This has national security implications to be sure,[10] but it also affects liability, which makes this a legal problem for most businesses.

Larger organizations in particular need to worry about how these vulnerabilities will affect Federal Trade Commission (“FTC”) enforcement,[11] but the small and medium-sized businesses (“SMBs”) that comprise the supply chain are not immune from legal problems after a data breach. Indeed, both larger organizations and SMBs can fall within FTC jurisdiction, though the Commission does focus its resources on larger offenders. The possibility of a data breach by a supplier brings in the prospect of contract damages, negligence litigation, unfair or deceptive trade practices claims under state law, and other ramifications such as obligations under the North Carolina Identity Theft Protection Act.[12] The prevalence of SMBs in the supply chain and the vulnerabilities associated with such organizations only heighten that risk for both parties. However, the main differences between how liability will affect SMBs as opposed to larger entities are that any real legal jeopardy for SMBs is likely to harm not just the profitability of a business but its ability to continue operating,[13] and that SMBs are less likely to have a plan in place for recovery and resiliency.[14]

To that end, attorneys counselling SMBs should consider advising them to at least take the first steps towards discovering where their vulnerabilities are by conducting a risk assessment. Larger companies that utilize SMBs’ services in their supply chains should make sure their contracts set expectations for security—though this is far from a foolproof plan. Beyond that, a risk-based approach that emphasizes mitigating risks will allow as much protection for data as the SMBs can afford. Finally, attorneys should follow the National Institute of Standards and Technology (NIST) as it comes out with new tools for SMBs[15] and for privacy generally,[16] in addition to NIST’s already influential Cybersecurity Framework.[17]
[9] In full disclosure, I work for a company—Threat Sketch, LLC—sitting on the Task Force’s Executive Committee.

[10] One need look little further than the fact that the American and Israeli attacks on the Iranian nuclear facility at Natanz began with its contractors.

[12] N.C.G.S. § 75-65.