Privacy Statements for Apps and Websites
Everyone who has spent a little time on the Internet has seen or been asked to review an online privacy statement. Privacy statements are intended to inform consumers about how their data is collected and used.
Privacy statements, sometimes referred to as privacy “policies” or “notices,” are not only required under many laws spanning the globe, but they are also often treated by regulators and courts as binding promises which can result in legal liability and reputational harm if broken. It is therefore important to provide privacy statements that explain what and how information is collected and handled, that comply with applicable legal requirements and that also provide flexibility so that your business is not hampered every time data collection, sharing, and usage practices are modified.
Privacy and Cybersecurity Policies
Asset protection is crucial to the success of your company. Securing your assets requires having adaptable data protection policies in place for properly securing those assets and handling ever-evolving security threats.
Our team can assess your needs and develop an internal privacy statement to set guidelines for members of your organization to follow as to the collection, storage, and maintenance of consumer and other personally identifiable and sensitive information at your organization. We can craft cybersecurity policies to set acceptable use and remote access standards as well as data breach response and recovery plans in line with your organization’s needs and expectations. Having these policies in place can enhance your company’s credibility and help to limit liability in the event of a data breach.
Legal and Regulatory Compliance
Privacy laws differ among states, countries, and regions and are constantly being enacted and changed. Privacy laws revolve around the protection of individuals’ personal information and must be considered carefully in view of business needs and to assure compliance with applicable laws.
We are well-versed in the various state and federal privacy laws in the United States, including the much-publicized California Consumer Privacy Act (“CCPA”) and the successor California Privacy Rights Act (“CPRA”) effective in 2023. We advise and provide strategic planning for clients on domestic and global privacy laws, industry self-regulatory codes, and guidance including laws in other jurisdictions, such as the General Data Protection Regulation (“GDPR”) in Europe, as well as other domestic laws such as the GBLA, COPPA, HIPAA and FERPA. With our expertise, we can evaluate your circumstances to tailor practical data protection policies and compliance procedures that satisfy your needs. For instance, policies and procedures can be adapted for a larger company doing business in California and collecting customer information or for a small business engaged in clinical trials for a medical treatment and maintaining patient records. Compliance determinations and any appropriate actions should be undertaken by businesses of all sizes before collecting any personal information or otherwise as soon as possible to avoid potentially substantial penalties. Our team also provides pre-incident and post-incident counseling and support for new ventures, corporate transactions, and securities offerings.
Data Collection and Management
The Internet of Things (IoT) and modern cellphones enable large-scale data collection that may lead to user privacy issues. Data, such as financial information, healthcare data, fitness data etc., that is collected from users is typically provided with the expectation of privacy.
We assist clients in the planning and management of data collection to address Big Data legal issues that surround the analysis, collection, and use of massive data sets. We also counsel the use of cloud computing resources where security of confidential information is of the utmost importance.
Privacy and Cybersecurity Audits
Key to protecting your data and your customers’ data, both practically and legally, is obtaining a documented third-party privacy and cybersecurity audit. An audit reviews your organization’s compliance with privacy and cybersecurity policies and existing laws. For companies that want to avoid potentially hefty fines, regular audits can identify gaps prior to mishaps.
A third-party audit is sometimes a legally required step and a very effective way to better understand your infrastructure and practices so they withstand external and internal threats. Conducting regular audits can show your organization’s commitment to data security and mitigate damages in the event of a breach. Our team of attorneys and network of technical specialists can help you obtain legally effective audits and provide you with comprehensive remediation strategies.
More than 80% of data breaches are due to an employee doing something they should not have, such as opening an email attachment from an unknown sender or sharing a password. Implementing good data security policies and regularly training your employees to follow these policies will go a long way towards making sure your data stays secure.
Privacy and Cybersecurity Related Agreements
Today’s businesses, in high-tech industries and beyond, often rely on cloud-based software. Whether your business is engaging directly with end users or acting as a vendor, our team can assist your business with the preparation and negotiation of Software as a Service (SaaS) Agreements, Master Service Agreements (MSAs), Statements of Work (SOWs), Terms of Service (TOSs), and other contracts that involve data privacy and cybersecurity legal issues. Our team can also provide such services in the context of mergers and acquisitions.
Due Diligence and Counseling for Mergers and Acquisitions (M&A)
Data security landmines may lie hidden and should be identified and addressed before an acquisition or merger deal is done.
Assessing risks associated with data and information handled by a target to be acquired should be high on the list of due diligence activities for a purchaser. A review of a target’s data security infrastructure, policies, and procedures should be considered. The scope and source of personally identifiable information (PII) should be identified as consent from consumers, employees, or others may be needed to ensure that use, storage, and maintenance of the PII is permissible. Third-party service contracts should also be reviewed to assess compliance and transferability to the purchaser. Our team is fully equipped to handle these needs.
Data Sharing and Transfer Management Agreements
Through our knowledge of international and domestic laws directed to privacy complemented by our technological expertise, we assist clients through drafting and negotiating agreements with vendors, business partners, potential buyers or targets, and other third or even intracompany parties to ensure that any data handled by these parties is done so properly consistent with your organization’s needs and applicable laws.
Our team works with clients to set up procedures to control and anonymize personal information as needed. As part of our planning, we also take into consideration the obligations of the parties in the event of a data breach or other inappropriate activities. Of course, we always work closely with our clients to determine their specific needs and to plan for the future. This may involve the development of strategies for ongoing communication between the parties to the agreement and planning for follow ups to evaluate compliance with the agreement. Agreements on data transfer are crucial to assure compliance with applicable laws, including instances where data is shared across borders, and to avoid situations where the action or inaction of another person or business with whom you share information could be deemed your responsibility.
Corporate data breaches amount to hundreds of millions of dollars in losses annually. To add insult to injury, breached companies can be subjected to fines and damages for failing to adequately protect their data.
Data breaches do not just come from outside threats but can be caused internally. Regardless of how your data may be breached, the possibility is very real, and you should be prepared in the eventuality that it occurs. Preparedness includes having a comprehensive incident response and data breach plan in place which may vary depending on the nature of your business and the applicable laws. Our team can help you get prepared and stay prepared.