Privacy Compliance Strategies
Virtually all businesses today collect information relating to their employees, clients, customers, patients, or other parties. Because myriad international, federal, and state privacy laws and regulations cover not only rights of those parties but also matters of national security and crime prevention, it is not unusual for one business to be subject to overlapping privacy laws and regulations. Thus, businesses face the challenge of complying with all relevant privacy laws and regulations and ensuring that safeguards are in place to prevent the improper use or disclosure of this information.
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group helps clients understand and stay compliant with the privacy standards and industry best practices that are applicable to the collection, use, and transfer of their confidential information. Since the key to privacy compliance is establishing a strong, effective, and well-documented privacy program, our services include:
- Advising on compliance with privacy-related international, federal, and state laws, rules, and regulations, including, among others, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Computer Fraud and Abuse Act, the EU-U.S. Privacy Shield program, the European Union’s General Data Protection Regulation (GDPR), the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), the Genetic Information Nondiscrimination Act, the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Payment Card Industry Data Security Standard requirements, the Telephone Consumer Protection Act (TCPA), and the Telemarketing Sales Rule
- Helping clients document that appropriate privacy and cybersecurity policies are in place and compliant, assisting in employee training and awareness of the policies and standards, and helping clients in developing internal enforcement mechanisms
- Providing counsel on compliance with Federal Trade Commission (FTC) rules, including the ID Theft Red Flags Rule, the Address Discrepancy Rule, and other disclosures and safeguards for online, mobile, and social media information collection, use, and sharing practices
- Updating clients on new developments in privacy laws, regulations, and standards, and reviewing and revising policies, practices, and procedures, where needed, to ensure compliance with those developments
Workplace Privacy Strategies
Ever-changing privacy laws and requirements, along with advances in technology, have been creating new challenges and opportunities for employers. For instance, employers face restrictions on the type of information about employees and job applicants that they can collect and utilize in order to make shrewd business and employment decisions. These restrictions relate to such areas as background checks, employee monitoring, employee biometric information, and the transfer and maintenance of employee data and employee health-related information. Workplace privacy-related issues also arise under the Americans with Disabilities Act, the FCRA, the GDPR, and the FACTA, among other laws.
The Privacy, Cybersecurity, and Data Asset Management Group at Epstein Becker Green has the knowledge and experience necessary to effectively guide employers through the complexities of workplace privacy and cybersecurity.
We help employers properly balance privacy considerations with workforce management concerns and employee data collection and protection. Our services in this area include the following:
- Advising employers on international, federal, state, and municipal laws, rules, and requirements relating to the privacy, protection, cybersecurity, and/or use of sensitive employee or job applicant data
- Counseling on the proper methods for the collection, maintenance, disclosure, and transfer of personnel, financial, and health-related information, and helping draft notices and procedures, consent forms, and agreements relating to privacy concerns in the employment relationship
- Reviewing (and revising, where necessary) employers’ current policies and procedures to ensure compliance with laws and requirements relating to the privacy and protection of employee and job applicant data and in anticipation of internal audits and corporate transactions (i.e., mergers, acquisitions, sales, and joint ventures)
- Preparing employee privacy and data protection policies (including policies relating to Internet use, social media, blogging, and acceptable use of company technology) and procedures in accordance with rules relating to workplace monitoring
- Creating training materials and compliance programs for employers and management to ensure that sensitive employee and job applicant data and health-related information are properly collected and managed
- Developing policies and procedures to protect and secure business assets, such as trade secrets and intellectual property, while respecting the rights of departing employees
- Conducting insider threat assessments and developing insider threat programs to protect the privacy and security of information
- Counseling employers on security breach mitigation strategies
Health Data Privacy Strategies
At Epstein Becker Green, we provide daily counsel to clients throughout the health care industry to structure business, clinical, and administrative operations in compliance with health data privacy laws and regulations, including HIPAA and its privacy, security, and breach notification rules; HITECH and its regulations; and federal and state privacy laws regarding mental health and substance use disorder data. We work with our clients to facilitate the development of health data privacy strategies that complement their business strategy.
The members of our Privacy, Cybersecurity, and Data Asset Management Group are prolific authors and sought-after lecturers on health information privacy and security topics, and also serve on the advisory boards of publications such as Thompson’s Employer’s Guide to HIPAA.
Because we want to ensure that clients comply with health privacy laws, our Privacy, Cybersecurity, and Data Asset Management Group’s services include:
- Advising on the applicability of HIPAA and other federal and state privacy laws to clients
- Providing advice on the use, disclosure, transfer, retention, and destruction of health information
- Advising clients on risk-mitigation options, such as data encryption and access controls
- Developing and implementing recordkeeping, documentation, access, and complaint and disciplinary procedures
- Conducting HIPAA- and HITECH-related educational seminars and training programs
- Developing and implementing a comprehensive privacy and cybersecurity compliance program
- Updating privacy policies and procedures to comply with new developments and requirements
- Advising on HIPAA and other privacy compliance strategies during recruitment and the conduct of clinical trials
- Assisting with developing behavioral health integration strategies that facilitate data-sharing in compliance with 42 CFR Part 2 and other mental health and substance use disorder privacy laws
- Drafting, reviewing, and negotiating business associate agreements and other data protection and data use agreements
Since no compliance program is foolproof, if a privacy violation occurs, we assist the client with remedial measures and incident responses, and we defend the client in any investigations and litigation concerning the violation.
TCPA Compliance Strategies
The TCPA and implementing regulations by the Federal Communications Commission (FCC) impose complex restrictions on business communications. The TCPA protects consumers from unsolicited auto-dialed and prerecorded phone calls, text messages, and faxed advertisements.
Businesses need to understand the scope and magnitude of the TCPA. Even a company with a strong compliance program could find itself facing allegations that its call, text, or fax activities violated the TCPA. And just one TCPA violation could have serious legal, insurance, reputational, and financial consequences—recipients of such unsolicited communications are allowed to sue for damages of $500 (an amount that a court can treble) for each unlawful call, text, or fax. Not surprisingly, damages for TCPA violations can easily run into the millions of dollars.
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group knows the nuances of the TCPA, and the severe consequences of noncompliance. We provide TCPA counseling to clients of all sizes and various industries—including, among others, health care, financial services, technology, hospitality, retail, communications, and transportation. Our services consist of the following:
- Counseling clients on the TCPA and its accompanying FCC regulations
- Designing and implementing (or revising) marketing and communications programs, as well as existing policies, procedures, and business practices, to minimize risk and ensure compliance with the TCPA and its accompanying FCC regulations, applicable FTC telemarketing rules, and state-specific telemarketing statutes
- Advising health care clients on the interplay between the TCPA and HIPAA
- Revising contracts with third parties and consumers to ensure compliance with the TCPA
- Training personnel on the TCPA’s impact on telemarketing and debt collection
- Monitoring new TCPA-related developments and updating compliance programs, as necessary
In addition, we represent clients in TCPA class action lawsuits filed in federal and state courts. We know the complex defenses available under the TCPA and the FCC’s implementing regulations as well as the bases for defeating class certification. And because we’re sensitive to the limits on a client’s time and resources, we evaluate the prudence of seeking an early resolution of the case (through pretrial motions, an alternative dispute resolution method, or favorable settlement). When litigation is the better strategy, our litigators are distinctly qualified to provide the superior caliber of services upon which Epstein Becker Green has built its outstanding reputation.
GLBA and Financial Services Industry Compliance Strategies
Since the passage of the GLBA in 1999, securing the privacy and cybersecurity of consumer financial data has become a high priority for the financial services industry. New York State has implemented Cybersecurity Requirements for Financial Services Companies. The National Association of Insurance Commissioners has adopted a model cybersecurity law, which has been adopted by certain states. The GLBA and its implementing regulations, and these state requirements, specifically require financial and other covered institutions in the United States to create an information security program to ensure the security and confidentiality of customer information, guard against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
However, innovations in technology—such as new mobile payment platforms and novel means of analyzing consumer financial data—are creating complex challenges for financial services institutions seeking to comply with the GLBA and other relevant privacy and cybersecurity laws.
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group guides financial services clients through this highly regulated and rapidly changing environment. In addition, services provided by members of the group include:
- Counseling clients on applying the GLBA and existing federal and state privacy and cybersecurity laws to new strategies and emerging technologies
- Reviewing and revising, where necessary, clients’ existing privacy policies and programs, information sharing procedures, data safeguards, and opt-out notice provisions
- Advising on information security “best practices” for assessing, updating, and managing company policies, procedures, and data protection programs
- Creating training materials and compliance programs for employers and management to help ensure that consumer financial information is properly collected and managed
- Drafting confidentiality and privacy agreements between financial services clients and their business partners or third parties regarding the sharing, management, and protection of financial data
- Updating clients on new changes to the area of financial privacy and data protection, and revising client policies, programs, and practices, where necessary, to conform to those changes
- Representing clients in investigations and administrative proceedings concerning alleged violations of the GLBA and state law
- Representing clients in data breach litigation
GLBA and the Cloud
GLBA’s Financial Privacy Rule requires financial institutions to provide an annual notice to customers explaining how the customers’ data is maintained and shared as well as the steps that are taken to protect it. Additionally, the GLBA Safeguards Rule requires institutions to implement an information security program. However, the introduction of “cloud computing” and the use of the services of an outside cloud provider can complicate matters greatly. Many financial institutions are wrestling with the loss of data control that comes with the business benefits of cloud adoption.
At Epstein Becker Green, we advise clients on cloud computing and other attractive and inexpensive storage technologies. We help our clients evaluate the risks of storing information in the cloud and then identify legal solutions—such as creating policies and procedures to ensure compliance with the GLBA’s Financial Privacy and Safeguards Rules and managing cloud providers—so that our clients are able to take advantage of these cost-saving technologies.
Privacy and Security Due Diligence
Any company—especially an entity in a highly regulated industry (such as financial services, health care, hospitality, retail, technology, and telecommunications)—seeking to sell, acquire, or merge with another company needs to carefully consider the privacy and cybersecurity concerns related to the sensitive business and personal data flowing through the target company. A thorough review of a target’s privacy and cybersecurity compliance programs is, therefore, a must before entering into any transaction. Compliance costs and litigation can significantly affect the value of a company, necessitating a careful assessment of any target’s potential liabilities or compliance costs that are likely to be passed on after the transaction.
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group undertakes privacy and cybersecurity due diligence reviews and provides support capabilities to clients in the context of sales, acquisitions, mergers, and joint ventures. We help clients understand what data is being stored by the target and if it is protected; whether the target has put in place proper response and remediation processes and policies; and what, if any, disclosures are needed. Given our deep and longstanding experience in privacy and cybersecurity, we advise clients concerning potential liabilities and vulnerabilities in the target’s information security and data privacy practices.
Specifically, our due diligence reviews typically include the following components:
- a review of the target company’s privacy and cybersecurity policies, including compliance with relevant international, federal, and state laws and regulations
- an examination of the target company’s protocols, procedures, controls, or other implementation directives to ensure that the adopted policies are properly integrated into the target’s business practices
- an examination of the target company’s network security, risk assessments, and other cybersecurity safeguards to protect against unlawful disclosures of sensitive data
- verification that the target company has entered into appropriate data use agreements with any entity with which it has shared sensitive data, and a review of the content and implementation of those agreements
- a review of the target company’s regulatory history, including if it has been (or is currently) the subject of a government investigation regarding privacy and cybersecurity, as well as the manner in which the investigation was resolved
- an investigation into whether the target company has been (or is) the subject of private litigation relating to a violation of applicable privacy laws
In addition, Epstein Becker Green stays involved throughout the transactional process to ensure that sensitive data is transferred in accordance with all relevant laws, rules, and regulations. We identify, evaluate, and calculate risk to our client and then develop representations, warranties, indemnities, and other contractual provisions and protections, as well as negotiate licenses, service contracts, and supplier and other agreements, to safeguard confidential information and to shift or mitigate that risk.