Collins | Navigating Complex Privacy-Cybersecurity Laws

Companies that sustain a data breach must be aware of applicable federal, state and foreign laws. Breaches generate a mélange of regulatory investigations, lawsuits, fines, reputational damage, drops in stock prices and business disruption. Whose information is taken determines the company’s obligations. Preparation is the key to staying out of the news.

Last week, at Media Outlook 2020, attorney Mary Hildebrand explained to attendees that “Privacy and Cybersecurity Laws Move at Lightning Speed,” offering the “Top Five Things You Need to Know for 2020.” In addition to raising awareness of regulatory obligations (or more accurately frightening all of us), the presentation was an opportunity for Hildebrand to expand upon the article she, and colleague Carly Penner, wrote for the current issue of MFM’s member magazine, The Financial Manager (TFM).

In preparing for the event, I did some research on the current state of data breaches in the U.S. As of July 2019, technology news source CRN reported that 11 of the top 13 announced breaches were against medical or health care organizations. The two outliers were Georgia Tech, which had between one and three million records affected, and the Federal Emergency Management Agency (FEMA), which had 23 million records taken. All of these breaches exposed sensitive personal data such as names, Social Security numbers and protected health information.

Hildebrand began her presentation by explaining that, unlike the EU and some other jurisdictions, the U.S. has no single comprehensive federal privacy and cybersecurity law. Instead, federal laws tend to be industry-specific.

Examples of these include the Health Insurance Portability and Accountability Act (HIPAA), covering the healthcare industry; the Gramm-Leach-Bliley Act (GLBA), covering financial services companies; and the Children’s Online Privacy Protection Act (COPPA), focused on online activities involving children under 13.

Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, the Federal Trade Commission has become the de facto regulator of many online activities, including privacy and security standards. In practice, a company that fails to live up to the security or privacy promises it makes to consumers, or whose security practices are unreasonable, can be pursued under Section 5 even where no industry-specific law applies.

With so much at stake, and a federal government focused elsewhere, it’s no surprise that states are stepping in to protect their citizens. The result is 50 different state data breach laws as well as specific laws covering Guam, Puerto Rico and the Virgin Islands. In general, if your personal information is included in a data breach, your rights are determined by where you live. This means that companies’ responsibilities, including whether to notify and what remedies to offer, may vary widely among affected parties.


For better or worse, Europe’s GDPR (General Data Protection Regulation) may also come into play for U.S. businesses in one of two ways. First, and most straightforward, is in the case of companies that process personal information on individuals located in the EU, regardless of where the company itself is based. The second is that GDPR’s principles and terminology are heavily reflected in the new California Consumer Privacy Act (CCPA) that takes effect Jan. 1, 2020, as well as in other U.S. laws and proposed legislation. Fines under GDPR are steep: for the most serious infringements, up to the greater of €20 million or 4% of a company’s worldwide annual turnover, with a lower tier of the greater of €10 million or 2% for other violations.

Having laid out these challenges, Hildebrand went on to offer five privacy and cybersecurity touchstones that businesses need to be focused on in the coming year.

New U.S. Laws

California’s CCPA has far-reaching implications, even for businesses that do not have a physical operation or location in California. As the article explains, “Under CCPA, a ‘business’ is any for-profit entity that does business in California; collects (or has collected) consumers’ personal information; determines the purpose and means of processing such information and satisfies one or more of three thresholds:

  • The business has an annual gross revenue in excess of $25 million.
  • Alone or in combination, the business annually buys, receives for commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices.
  • It derives 50% or more of its annual revenues from selling consumer personal information.”

Keep in mind that entities that do not meet the definition of a “business,” may be considered a “service provider” or “third party,” with different obligations under CCPA.

CCPA, according to Hildebrand and Penner, is about consumer choice and transparency. The focus is on consumers’ rights to object to the sale of their data, with the term “sale” being broadly defined. Website visitors must be allowed to opt out of letting the business sell their data via a clear and conspicuous “Do Not Sell My Personal Information” link placed directly on the site. California is proving to be a bellwether state; comprehensive privacy laws are also being considered in New Jersey, New York, Massachusetts and Maryland.

Data Breach

Companies that sustain a data breach will need to be aware of applicable federal, state and foreign laws, the authors write. Breaches generate a mélange of regulatory investigations, lawsuits, fines, reputational damage, drops in stock prices, and business disruption. Whose information is taken determines the company’s obligations.

The authors advise that preparation is the key to staying out of the news: “it is essential that organizations have a formal written incident response plan in place, conduct appropriate training, and consider purchasing cyber insurance.”

Business Websites

Hildebrand and Penner explain that privacy policies have evolved to include not only descriptions of data-related activity on business websites, but data practices associated with the company’s products and services. “A website’s privacy policy creates a contract with every user and/or visitor to the site and, as applicable, customers that purchase a company’s products and services.” This means that privacy policies must reflect reality; they cannot be aspirational statements. Topics common to most policies include:

  • What personal information is collected from visitors and/or customers; the purpose of collection; and how the personal information is used and shared;
  • Disclosure of the use of cookies or third-party analytics providers;
  • U.S. companies should be aware of the restrictions around collection of children’s personal information; in the case of websites not intended for children, the authors recommend including a statement advising against its use by persons under the age of 13, and that such persons should not provide personal information.

Of course, both the company’s geographic location and that of its websites’ users will affect the information that should be included in a privacy policy.

Overall, Hildebrand and Penner advise: “To avoid fines or consumer distrust, privacy policies must be clear, concise and transparent regarding all processing of all personal information.”

Adtech

When talking about adtech, Hildebrand asked attendees how many of their companies had business websites. Of course, everyone raised a hand. She then recommended that attendees go back to talk with their sales and marketing departments to find out how much they rely upon data from third parties to improve retention and/or customer satisfaction.

The issue is that the information used “often passes through intermediary adtech companies on the way to” the business. Hildebrand and Penner say there “is a genuine risk that sharing with adtech companies will also be prohibited.” They believe that this prohibition has the potential for “adverse business impact” that “should not be minimized or ignored.”

Know The Flow

Finally, Hildebrand and Penner offer that managing privacy and cybersecurity risk starts with understanding the basics about data flow within the organization. That includes managing the who, what, where, why and how. They recommend that all companies begin by asking the following six questions:

  • What personal information is collected, received and/or acquired.
  • Where and how personal information is collected, received and/or acquired, and from whom.
  • Who are the individuals related to the data (and where they are located).
  • What data is disclosed to third parties (including the recipients and their locations).
  • How and why the data is used by the organization.
  • Where/how the data is stored, retained and destroyed.

Mary Hildebrand is a partner, founder, and chair of the privacy and cybersecurity practice at Lowenstein Sandler LLP. Carly Penner is an associate in the same practice. I encourage you to read their article in its entirety. It includes two pertinent sidebars: one about how different meanings can be attributed to common terminology around cybersecurity and privacy; the other about an FTC data breach settlement with Wyndham Worldwide that has the company laboring under two decades of stringent information security obligations.

These issues are tough, will evolve over time and require large amounts of financial and people resources, but getting privacy right will be beneficial for all of us.

Fall Entertainment Finance Summit In Los Angeles

Mary Hildebrand’s presentation was part of MFM’s Media Outlook 2020 program in New York. Next month, in Los Angeles, MFM will be presenting a second forward-looking seminar for West Coast members. Join us on Tuesday, Oct. 15, for a program that includes a look at trends in media; information about how video consumption is changing; an update on sports, esports, and video games; and a look at the ongoing transformation of media businesses. More information is available on the MFM website –

Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary, the media industry’s credit association. She can be reached at [email protected] and via the association’s LinkedIn, Twitter or Facebook sites.
