Privacy Laws and Cybersecurity Issues for Businesses

The privacy and cybersecurity legal framework is an area under rapid development. It is becoming increasingly newsworthy as more and more businesses suffer hacks and breaches of their networks and valuable data. It is important for every business to have a basic understanding of privacy and cybersecurity issues and their implications for operations. Below are a few areas that business executives and leaders should be aware of to keep their businesses safe:

PRIVACY LAWS

The United States does not have a single comprehensive privacy law. Instead, the U.S. uses a multi-level approach to privacy regulation. The U.S. follows industry-specific federal laws, including HIPAA/HITECH in the medical industry, the Gramm-Leach-Bliley Act for financial institutions and insurance companies, and FERPA for educational institutions. The Federal Trade Commission and the states’ attorneys general are empowered with more general enforcement oversight for unfair and deceptive trade practices relating to privacy claims. Many states are passing laws (which often include extra-jurisdictional enforcement) governing businesses that collect, control, process or possess personal information of the applicable state’s residents, requiring such businesses to implement commercially reasonable data security frameworks. These states include New York and California.

New York’s SHIELD Act, applicable to any entity that processes personal information of a New York resident, provides some direction on what would be considered commercially reasonable. Each company is required to implement commercially reasonable administrative, technical, and physical data security practices that protect the security, confidentiality, and integrity of personal information in the company’s possession. Often companies that are HIPAA- or GLBA-compliant are exempt from complying with the state laws, but this should be reviewed on a case-by-case basis as new state laws are implemented.

WEBSITES

Every business with a website needs a customer-facing privacy policy and terms of use. On the surface, a privacy policy and terms of use for a website might appear simple, but such policies can also give rise to an unfair and deceptive trade practice claim if the business does not abide by the terms of its own policies. There are ongoing serial lawsuits targeting businesses that are in violation of their own policies. Regardless of the ultimate success of these lawsuits, the suits cause the defendant businesses significant time and expense.

The privacy policy and terms of use create a binding contract between the website owner and the user. Newly effective state laws vary in what rights they give users from those states over their personal information, and website policies need to be tailored to satisfy those requirements. It is also important that businesses understand that, even if they are physically located in a specific state, they may still need to abide by the laws of the state where the end user is viewing their website. All businesses should review their policies on an annual basis in order to be viewed as reasonable by most enforcement agencies.

THIRD-PARTY VENDORS

Many businesses use third-party vendors for their data security. Reviewing these agreements, including licensing arrangements, is important to protect a business. The EU model for privacy frameworks places the burden of ensuring that third-party contractors have reasonable data security practices on the initial data controller, the party obtaining the information for its business purposes. This model has been making its way into U.S. operations. It is important that, when businesses contract or negotiate with a vendor, the binding agreement is reviewed on the front end to ensure that the business is properly protected.

ASSESSMENTS ON DATA

Businesses should consider conducting a privacy impact assessment. In its most basic form, this means documenting the flow of information by mapping data from intake through access, storage, and deletion. Mapping allows a business to understand its vulnerabilities and where potential legal exposure exists. From this assessment, a business can develop its own internal privacy policy (distinct from the website policy) on how it protects, maintains, and deletes personally identifiable information. A privacy impact assessment also allows a business to have effective discussions and exercises regarding how it would respond to a cybersecurity incident.

A risk assessment can also prevent possible issues and the potential misuse of personally identifiable information. A risk assessment looks at each user in a business and identifies who should and who should not have access to the information (personally identifiable or otherwise) necessary for that user to carry out their business purpose.

CYBER INSURANCE

A business can invest in cyber insurance to protect the business and the data it houses. Like all insurance policies, cyber insurance policies are only as effective as their exclusions allow. It is important to review, or have legal counsel review, the cyber insurance policy to make sure that it properly covers the business. One increasingly popular provision excludes coverage if payments have been made on a ransom demand. It is also important to review a company’s other insurance policies, as business interruption related to cyber events can, in some instances, be covered by general business interruption insurance.

For questions about how to protect your business in the ever-changing world of technology and cybersecurity, contact the author, Justin Molitoris, a business attorney and Certified Information Privacy Professional (US) certified by the International Association of Privacy Professionals, or a member of the Cybersecurity team at Barrett McNagny.
