Each month, we will feature a Stubbs Alderton & Markiles, LLP practice area to aid our readers in getting to know our firm, and to provide insights into the areas of law that may impact your business most often. This month, we put the Spotlight on the Privacy & Data Security Practice team.
Tell us about your background as Privacy & Data Security attorneys. What spurred your interest in this area of practice?
I began my journey into privacy and data security law accidentally, when it was still a burgeoning, undefined field. A client inquired as to whether I could provide guidance on privacy issues his company was facing. I hesitated, but he pressed on, commenting, “no one knows what they are doing in this field yet, I’d rather have you learn it.” The skills I used then are the same I use now. These laws are constantly evolving and the ability to learn, and interpret, a new law quickly is both invaluable and essential. This is also what keeps me engaged. The practice of privacy and data security law requires adaptability and creativity. Every business operates differently and requires advice that suits their needs; there is no cookie cutter approach to this practice.
I think for me, my interest in privacy and data security was spurred by my interest in technology and the impact it has had in areas like business and communications. In college I studied finance and information systems and after college, I took a job in the technology risk management group of a large global bank. I was responsible for conducting various risk assessments on new applications. It was interesting to be there at a time when the bank was moving toward developing a significantly larger mobile app portfolio. As such, there was a strong emphasis on security and privacy issues. Over the course of my time at the bank, I became more closely involved in regulatory issues that impacted the bank’s technology and risk department. I enjoyed the subject matter so much I decided to go to law school and become a technology attorney.
I started my career in Europe working on transatlantic issues. Right around the time I moved back to the United States, the General Data Protection Regulation (GDPR) in Europe was passed, which affected numerous US companies. Because of my transatlantic experience, my practice naturally gravitated to the GDPR and global privacy and technology. I ultimately decided to stay in privacy and technology because it is exciting to be a part of an industry with so much innovation that affects our daily lives on a global scale.
What is the difference between privacy and data security?
The difference is an important one because although they intersect, privacy and data security do not overlap completely.
Privacy is generally viewed as protecting individuals’ personal information and the rights individuals have over that information. Privacy laws concern how data is collected, shared, and stored. Privacy laws are typically highly regulatory in nature and include regimes such as the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act, the General Data Protection Regulation (EU/EEA), and the Personal Information Protection and Electronic Documents Act (Canada), to name a small few. These laws create a patchwork of overlapping and sometimes contradictory rules for companies to follow.
Data security is generally viewed as a broader term that relates to safeguarding the confidentiality, integrity and availability of information. Data security applies to more than just personal information – it applies to any data that a company may hold, particularly sensitive information like trade secrets or material nonpublic information. Data security standards are often less formally regulated and can vary from industry to industry and state to state. However, in the event of a data breach, the severity of damages, fines, and other remediation measures may be dependent on the data security standards implemented at your business.
If I think there has been a data breach or cyber incident at my company – what are the first steps that I need to take?
This is a tough question to answer as cyber incidents or breaches come in many forms. The most important steps should be taken even before an incident occurs. Companies should be thinking about developing an incident response plan and creating an incident response team – the team may include members from the IT, operations, HR and communications functions as well as a digital forensics team and outside counsel. The company should also test the incident response plan so that when an incident occurs, it is set up to respond quickly and efficiently.
If a company has experienced a breach, one of the first steps is to assemble a team to respond to the incident. For various reasons, this team should include outside counsel. The next steps after that can vary and may require a few different workstreams, including forensics, remediation, developing and updating a communications plan, and assessing legal obligations and notification requirements. In the event of a suspected breach, please do not delay in taking action.