Collins | Navigating Complex Privacy-Cybersecurity Laws

Last week, at Media Outlook 2020, attorney Mary Hildebrand explained to attendees that “Privacy and Cybersecurity Laws Move at Lightning Speed,” offering the “Top Five Things You Need to Know for 2020.” In addition to raising awareness of regulatory obligations (or more accurately frightening all of us), the presentation was an opportunity for Hildebrand to expand upon the article she, and colleague Carly Penner, wrote for the current issue of MFM’s member magazine, The Financial Manager (TFM).

In preparing for the event, I did some research on the current state of data breaches in the U.S. As of July 2019, technology news source CRN says 11 of the top 13 announced breaches are against medical or health care organizations. The two outliers are Georgia Tech, which had between one and three million records affected, and the Federal Emergency Management Agency — FEMA — which had 23 million records taken. All of these breaches exposed sensitive personal data such as names, Social Security numbers, and protected health information.

Hildebrand began her presentation by explaining that, unlike in Europe and some other countries, the U.S. does not have a set of federal laws to address privacy and cybersecurity. Instead, federal laws tend to be industry-specific.

Examples of these include the Health Insurance Portability and Accountability Act (HIPPA), covering the healthcare industry, the Gramm-Leach-Bliley Act, covering financial service companies, and the Children’s Online Privacy Protection Act, focused on activities involving children.

Using its powers under Section 5 to prohibit unfair trade practices, the Federal Trade Commission has become the de facto regulator of many online activities including privacy and security standards.

With so much at stake, and a federal government focused elsewhere, it’s no surprise that states are stepping in to protect their citizens. The result is 50 different state data breach laws as well as specific laws covering Guam, Puerto Rico and the Virgin Islands. In general, if your personal information is included in a data breach, your rights are determined by where you live. This means that companies’ responsibilities, including whether to notify and what remedies to offer, may vary widely among affected parties.

BRAND CONNECTIONS

For better or worse, Europe’s GDPR (General Data Protection Regulation), may also come into play for U.S. businesses in one of two ways. First, and most straightforward, is in the case of companies that process personal information on individuals located in the EU. The second is that GDPR’s principles and terminology are heavily reflected in the new California Consumer Privacy Act (CCPA) that takes effect Jan. 1, 2020, as well as in other U.S. laws and proposed legislation. Fines under GDPR are steep — the greater of 2% to 4% of a company’s worldwide revenue or $20 million.

Having laid out these challenges, Hildebrand went on to offer five privacy and cybersecurity touchstones that businesses need to be focused on in the coming year.

New U.S. Laws

California’s CCPA has far-reaching implications, even for businesses that do not have a physical operation or location in California. As the article explains, “Under CCPA, a ‘business’ is any for-profit entity that does business in California; collects (or has collected) consumers’ personal information; determines the purpose and means of processing such information and satisfies one or more of three thresholds:

The business has an annual gross revenue in excess of $25 million.
Alone or in combination, the business annually buys, receives for commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices.
It derives 50% or more of its annual revenues from selling consumer personal information.”

Keep in mind that entities that do not meet the definition of a “business,” may be considered a “service provider” or “third party,” with different obligations under CCPA.

CCPA, according to Hildebrand and Penner, is about consumer choice and transparency. The focus is on consumers’ rights to object to the sale of their data with the term “sale” being broadly defined. Website visitors must be allowed to opt out of letting the business sell their data via a button placed directly on the site. California is proving to be a bellwether state; comprehensive privacy laws are also being considered in New Jersey, New York, Massachusetts and Maryland.

Data Breach

Companies that sustain a data breach will need to be aware of applicable federal, state and foreign laws, the authors write. Breaches generate a mélange of regulatory investigations, lawsuits, fines, reputational damage, drops in stock prices, and business disruption. Whose information is taken determines the company’s obligations.

The authors advise that preparation is the key to staying out of the news, “it is essential that organizations have a formal written incident response plan in place, conduct appropriate training, and consider purchasing cyber insurance.”

Business Websites

Hildebrand and Penner explain that privacy policies have evolved to include not only descriptions of data-related activity on business websites, but data practices associated with the company’s products and services. “A website’s privacy policy creates a contract with every user and/or visitor to the site and, as applicable, customers that purchase a company’s products and services.” This means that privacy policies must reflect reality; they cannot be aspirational statements. Topics common to most policies include:

What personal information is collected from visitors and/or customers; the purpose of collection; and how the personal information is used and shared;
Disclosure of the use of cookies or third-party analytics providers;
S. companies should be aware of the restrictions around collection of children’s personal information; in the case of websites not intended for children, the authors recommend including a statement advising against its use by persons under the age of 13, and that they should not provide personal information.

Of course, both the company’s geographic location and that of its websites’ users will affect the information that should be included in a privacy policy.

Overall, Hildebrand and Penner advise: “To avoid fines or consumer distrust, privacy policies must be clear, concise and transparent regarding all processing of all personal information.”

Adtech

When talking about adtech, Hildebrand asked attendees how many of their companies had business websites. Of course, everyone raised a hand. She then recommended that attendees go back to talk with their sales and marketing departments to find out how much they rely upon data from third parties to improve retention and/or customer satisfaction.

The issue is that the information used “often passes through intermediary adtech companies on the way to” the business. Hildebrand and Penner say there “is a genuine risk that sharing with adtech companies will also be prohibited.” They believe that this prohibition has the potential for “adverse business impact” that “should not be minimized or ignored.”

Know The Flow

Finally, Hildebrand and Penner offer that managing privacy and cybersecurity risk starts with understanding the basics about data flow within the organization. That includes managing the who, what, where, why and how. They recommend that all companies begin by asking the following six questions:

What personal information is collected, received and/or acquired.
Where and how personal information is collected, received and/or acquired, and from whom.
Who are the individuals related to the data (and where they are located).
What data is disclosed to third parties (including the recipients and their locations).
How and why the data is used by the organization.
Where/how the data is stored, retained and destroyed.

Mary Hildebrand is a partner, founder, and chair of the privacy and cybersecurity practice at Lowenstein, Sandler LLP. Carly Penner is an associate in the same practice. I encourage you to read their article in its entirety. It includes two pertinent sidebars: one about how different meanings can be attributed to common terminologies around cybersecurity and privacy; the other is about an FTC data breach settlement with Wyndham Worldwide that has the company laboring under two decades of stringent information security obligations.

These issues are tough, will evolve over time and require large amounts of financial and people resources, but getting privacy right will be beneficial for all of us.

Fall Entertainment Finance Summit In Los Angeles

Mary Hildebrand’s presentation was part of MFM’s Media Outlook 2020 program in New York. Next month, in Los Angeles, MFM will be presenting a second forward-looking seminar for West Coast members. Join us on Tuesday, Oct. 15, for a program that includes a look at trends in media; information about how video consumption is changing; an update on sports, esports, and video games; and a look at the ongoing transformation of media businesses. More information is available on the MFM website – https://www.mediafinance.org/.

Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary, the media industry’s credit association. She can be reached at [email protected] and via the association’s LinkedIn, Twitter or Facebook sites.

Collins | Navigating Complex Privacy-Cybersecurity Laws

Comments (0)

Leave a Reply Cancel reply

Stay Connected

Subscribe

Events

Streaming Revenue Strategies for Local TV 16 May 2024

Collaboration and News Production in 2024 23 May 2024

Media Jobs

Digital Platform Specialist

Account Executive – Trainee/New Business Development

Director of Sales

Reporter

Sales Manager, Senior Newscast Producer and Digital Video Producer

Executive Producer, Meteorologist and Weekend Anchor/Senior MMJ

TVN Video

NewsTECHForum 2023 Keynote Panel —Democracy, Technology, TV Journalism and the 2024 Election

NewsTECHForum 2023 - Chasing AI: Threatening or Enhancing the News?

NewsTECHForum 2023 - Adapting to a Culture of Continuous Crisis

TV2025 2023 - Collaboration and the Future of Content Creation

TV2025 2023 - Building a Breakout Hit in a Multiplatform World

Webinar: Tech Leaders on Trends in 2024

Talking TV: Emily Barr on Sinclair's Shuttered Newsrooms

TV2025 2023 - Station Group Leaders on the State of the Industry

TVN Webinars

All TVN Videos

Sponsored Content

Generate more ad revenue with sponsored UGC segments

Drive audience engagement with streaming weather

Navigating the AI revolution in media sales: challenges, trust and harnessing custom AI solutions

Megaphone TV launches new interactive sponsorship platform

Elevate your media sales game: embracing data for a competitive advantage

The 4 walls of television interactive sponsorship sales

The future of cyber insurance: Navigating the complex digital landscape

Why an alerting strategy will help win customers in a multi-platform world

Future-proof compliance with AI speech-to-text technology

Applied AI: An unseen revolution in local TV advertising

Real-time news polls have never been this easy

The year of getting everything connected

Local stations continue to see interactive sponsorship success

What the latest AI breakthroughs mean for live and archive content

How top broadcasters expand compliance logging to embrace OTT monitoring

Delivering creativity on budget and without technological constraints

Byron Allen: Too much talk, not enough action on advertising equity

Market Share

WLBT CSD’s Balancing Act For Commercial Production And Station Promotion

WJZ’s First Hours Responding To Baltimore Bridge Collapse

Jobs Posted To TVNewsCheck

Special Reports

NewsTECHForum: The Complete Videos

In 2024, Spot TV Is All About Political

Updated Top 30 Station Groups: Nexstar Retains Top Spot, Gray Now No. 2 As FCC-Rejected Standard General Drops Off

Streaming Revenue Strategies for Local TV

16 May 2024

Collaboration and News Production in 2024

23 May 2024