Next year will be full of growing pains as both the public and private sector interpret, implement, and refine their efforts to comply with the GDPR. Large, multinational companies with a presence in the EU (and who are at the greatest risk of EU enforcement actions) will put pressure on their vendors across the globe to adopt practices compliant with the GDPR. In parallel, US companies that market into the EU or who create products that analyze EU consumers’ behaviors will be coming to terms with their potential responsibilities.
One area that will be particularly affected by these trends is digital advertising. The GDPR’s provisions are not well-designed to accommodate current models of digital advertising. In the near term, this may lead some companies to switch to contextual advertising in Europe until there is a consensus understanding of their obligations. It may also lead to consumers seeing less-relevant advertising and a degrading of the Internet experience as companies determine their compliance obligations. Relatedly, US and European counsel alike should continue to follow development of the draft ePrivacy Regulation, which is still in flux.
Advertising and data use isn’t the only concern with the GDPR. With the new data breach provision, requiring breach reporting for breaches of EU citizen personal data within 72-hours of discovery, companies will have to step up their time table for breach reporting. Security-savvy counsels should be preparing IT, Security, Business and Senior Leadership colleagues for this new reality through preparatory exercises and tighter communications plans.
FTC – Connected Devices and Emerging Technologies
Privacy will remain a major focus of the Federal Trade Commission in 2018, with increased attention paid to how and what information is collected by connected devices and similar “smart” technologies. As consumers continue to adopt these devices at breakneck pace seeking greater efficiencies in their daily lives, the FTC will be carefully watching to see how the operators of these devices inform consumers of their data collection, use and sharing practices. We have seen just by the tip of the iceberg in agency cases involving wireless home security systems and remote baby monitor apps, topped off by a late year statement by the FTC expressing concerns with digital personal assistants that may be accessed by children.
Security remains a threat for connected devices. Companies will continue to improve the security of IoT devices, given the large Mirai botnet as well as smaller attacks this year. Given that many IoT devices reside in the home, monitor health/wellness or can encounter the activities of children, regulators will expect more secure development due diligence from companies. Security-savvy counsels will work with engineering and development teams throughout the product design process to document risk mitigation activities.
There is no question that the intersection of consumer protection and emerging technologies will continue to collide in the coming year with the FTC keeping its seat at the helm in navigating these turbulent waters, including its increased role in overseeing ISP privacy practices, per its Memorandum of Understanding with the Federal Communications Commission.
2017 was not kind to security professionals and company lawyers alike. Risks proliferated with the continued rise of nation-state attacks and daily phishing of companies, widespread distributed attacks (such as, NotPetya, WannaCry and BADRABBIT), and the Equifax breach that cost the CEO, CIO and CSO their jobs, and put some of the general counsel’s decisions in the spotlight. Information security risk has moved from an IT concern to a struggle squarely within the boardroom, spilling over into to the legal department. Next year, expect the technical threats, business difficulty and legal complexities to continue. In addition to the other security topics discussed in the relevant sections, we should pay attention here:
- Company Cloud Migrations Will Continue – As companies find continued ways to do more with less, data will continue to move from on-premises locations or data center solutions to cloud providers. A cloud migration can enhance security, where teams understand the benefits and limitations of their cloud providers, but the failure of internal teams to adequately plan can be disastrous. As companies move to the cloud, legal counsel should test this internal knowledge a little – ask design teams tough questions regarding their cloud and virtualization architecture to ensure security.
- Ransomware Remains Ridiculous – Ransomware is still the malware de jour with 60 percent of malware payloads deploying a ransomware variant in Q1 of 2017 according to Barkly and Malware bytes. Legal counsel should be walking through specific plans for ransomware detections, response and continuity of operations as a part of routine security planning.
- Security Automation and AI Products Will Increase – Given information security personnel staffing shortages, companies will continue to automate, outsource and use machine-learning techniques to perform threat identification, hunting and activity correlation. Legal counsel should spend time with those deploying these technologies to understand what functions the automated product replaces and where companies may have security team gaps, despite the acquired tools.
OCR’s enforcement of HIPAA picks back up again after a half-year lull. We see the HIPAA desk audit results for business associates and a wrap-up report on the HIPAA audit program later in the year, but no onsite audits. There is a possibility of proposed regulatory changes to HIPAA to reduce regulatory burden.
ECPA is not amended (again) and, in a close decision in Carpenter v. US, SCOTUS will find that imprecise cell tower location data can be obtained by a 2705(d) court order based on reasonable suspicion, but the in the amalgam of separate opinions the court seems to suggest that accessing more precise data (like GPS) will require a warrant based on probable cause.
Privacy and Security Legislation
Privacy and cybersecurity remain bipartisan issues. Even though a more business-friendly administration is in Washington, consumer risk is a political liability for any political party. We can expect regulators, legislators, and state officials to be tough on companies that face security liability. Legal counsel recognizes this reality and will continue to work with their business units, IT, security and senior leadership to improve their security program even in this political climate.
Even so, it is unlikely Congress will be able to pass meaningful privacy legislation or federal data breach legislation in a midterm election year. In the absence of federal legislation, some state legislatures will revive efforts to pass online privacy laws targeting internet service providers while their attorneys general challenge the FCC’s “Restoring Internet Freedom” order in court, including the FCC’s attempt to preempt any such state laws. In addition to ISP privacy, states will continue to focus on privacy and security legislation generally, including attempts to update data breach notification laws to address perceived delays in consumer notification.