Sarah Hutchins wrote an article in Law.com’s Cybersecurity Law & Strategy newsletter providing an overview of what’s been happening – and what’s likely to happen next – in the world of data privacy and security.

“Data privacy is one of the most rapidly changing areas of law as regulators and lawmakers are often playing catch-up to groundbreaking technologies that have transformed society in irreversible ways,” Sarah wrote. “This process has brought significant implications for businesses and corporate legal departments of all shapes and sizes, which must now retroactively incorporate various data privacy and cybersecurity considerations into their existing structures.”

“As other states are likely to enact laws in the coming months – and data privacy professionals anticipate further governance requirements for certain industries at the federal level – it’s more important now than ever that businesses focus on their data privacy and security posture,” she continued. “While the path to compliance is unique to each business based on applicable law, industry best practices, risk scope and tolerance plus other factors, the focuses of these state laws direct businesses to do the following now:”

• “Know your data: It is difficult to comply with notice obligations, data assessment requirements and consumer demands if a business does not know its data practices, needs, and locations. Knowing your data has the added benefit of identifying data that is no longer necessary for your business — retention of which is a regulatory and security risk.”
• “Update and ensure the accuracy of your internal and external privacy notices and policies: Many of the enforcement actions to date are focused on data practices that mislead the consumer — saying one thing at collection but doing another. Not only do public privacy notices need to be reviewed and updated regularly to keep pace with changing notice requirements, but they also need to be accurate as businesses’ data practices change with strategy and technology developments.”
• “Provide necessary opt-outs and rights and implement a methodology to execute a consumer’s request that meets the requirements of current laws: Again, saying one thing and doing another risks putting businesses squarely in the crosshairs of regulators. A promise to delete data without full and timely compliance can open a business to serious regulatory and litigation risk.”

Subscribers can read the full article here: Preparing Companies for Impending Data Privacy, Cybersecurity Changes

Law.com is one of the country's premier websites for legal news, reaching more than 1.5 million readers each month. Its Cybersecurity Law & Strategy newsletter is a leading source of cybersecurity news for in-house counsel and others in the legal industry.