- Don’t Ignore Employee Privacy. Certain privacy laws now also apply to data collected from individuals in the employment context, including employees, contractors, and board members. Companies must have separate privacy policies that specifically address this type of employment data, in addition to the data from the individuals companies usually consider, e.g. website users and consumers. Employees also have rights to access their data, to have inaccurate data corrected, and to have data deleted. Companies will need to adjust their employee handbooks and internal policies, and review the notes they take and retain for hiring and performance review efforts.
- Do Address Dark Patterns. Dark patterns are aspects or features of a user interface that are designed to (or in practice do) confuse or manipulate the user, or that encourage the user to take an action that may not be in their best interest. For example, a dark pattern may exist if a cookie banner presents two buttons: one in a shaded or lighter color with the option to decline cookies (or manage cookie preferences), alongside a second, more prominent or brighter button that has the user consent to all cookies. If your interface choices draw an individual’s eye to the less privacy-protective choice, this is likely a problem. These practices deceive users and may have the effect of limiting their meaningful choices under applicable laws. The FTC and State Attorneys General are watching for dark patterns and bringing enforcement actions against companies that use them.
- Do Train Employees on Privacy and Security. Make security, and training personnel on security, a priority. We have seen multiple data breaches, in some cases involving information that is considered sensitive, because an untrained employee fell victim to a phishing scam or other malicious scheme, or to what looked to be an innocent download or click. According to a recent study, the human element was the cause of 82% of security breaches in 2022. Having various security measures and policies in place is a first step. But internal policies must be circulated and enforced, and employees should be kept abreast of, and periodically trained (and tested) on, evolving threats and changes in data security.
- Do Address Data Retention. To further mitigate risk, companies should implement a data retention policy that balances their various legal obligations to retain data with the need to minimize it. Whether it is employee, consumer, or customer data, know how long you are legally required to retain it, and then destroy what should not or does not need to be retained. Many companies hoard data in case they might want to use it, without any current legal or business justification. In doing so, they substantially increase their risk in the event of a data breach: the more data you have, the more you have to lose. Laws such as the CCPA, which carries a private right of action (including class actions) with statutory damages, bring an increasing risk of class actions over data security breaches, and State Attorneys General are also bringing enforcement actions against companies for failing to adequately secure data when that failure results in a security breach.
- Don’t Ignore Vendor Relationships. State privacy laws require companies to have certain contracts in place with contractors and service providers. Those contracts must allow businesses to conduct some level of due diligence to ensure compliance and security. Companies should update or implement a data processing agreement or addendum for each vendor, and that agreement or addendum must contain specific language for vendors that qualify as service providers or contractors. State laws such as the CCPA even require specific language in contracts with third-party vendors that are not processing data on behalf of a business and that use the data for their own purposes.
- Do Get Cyber Security Insurance. Cyber security insurance is necessary these days, with more security breaches than ever before and more likely to come in a recession economy. The cost of security breaches and the reputational fallout can be significant, and insurance coverage can mitigate those costs. Keep in mind, however, that security should remain a priority: insurance coverage may be at stake if a company chooses to ignore privacy and security regulations. Even companies that do obtain coverage could be left hanging in the event of an incident if their insurers determine they were not sufficiently proactive in implementing privacy and security practices.