{"id":15247,"date":"2019-05-03T08:10:02","date_gmt":"2019-05-03T16:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/05\/03\/news-8996\/"},"modified":"2019-05-03T08:10:02","modified_gmt":"2019-05-03T16:10:02","slug":"news-8996","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/05\/03\/news-8996\/","title":{"rendered":"The top six takeaways for corporate data privacy compliance"},"content":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Fri, 03 May 2019 15:00:00 +0000<\/strong><\/p>\n<p>For nearly two months, Malwarebytes Labs has led readers on a journey through data privacy laws around the world, exploring the nuances between \u201c<a rel=\"noreferrer noopener\" aria-label=\"personal information (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/what-is-personal-information-in-legal-terms-it-depends\/\" target=\"_blank\">personal information<\/a>\u201d and \u201cpersonal data,\u201d as well as <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/not-definitive-guide-cybersecurity-data-privacy-laws\/\" target=\"_blank\">between data breach notification laws in Florida, Utah, California, and Iowa<\/a>. <\/p>\n<p>We explored the risks of jumping into the global data privacy game, comparing the <a rel=\"noreferrer noopener\" aria-label=\"European Union\u2019s laws (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/04\/globetrotting-businesses-beware-data-privacy-abroad-question-risk\/\" target=\"_blank\">European Union\u2019s laws<\/a> with the laws in China, South Korea, and Japan. 
And we also <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/03\/what-congress-means-when-it-talks-about-data-privacy-legislation\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"examined current legislative proposals (opens in a new tab)\">examined current legislative proposals<\/a> in the United States to better protect Americans\u2019 data. <\/p>\n<p>But all that information was delivered across five separate blogs of more than 10,000 collective words. Look, we get it\u2014it\u2019s a lot to read through. So, we\u2019re offering some help. <\/p>\n<p>Before fully closing out our data privacy and cybersecurity law series, we are providing the top six takeaways for corporate data privacy compliance. From emerging startups to burgeoning enterprises, these rules should help businesses not just with legal liability, but also to better understand\u2014and gain\u2014user trust. <\/p>\n<p>Here we go. <\/p>\n<h3>1. Write and post a privacy policy<\/h3>\n<p>In 2004, California changed the online privacy landscape for companies everywhere. The Golden State\u2014which would soon become a pioneer in data privacy law\u2014passed the <a href=\"https:\/\/consumercal.org\/about-cfc\/cfc-education-foundation\/california-online-privacy-protection-act-caloppa-3\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">California Online Privacy Protection Act<\/a>. <\/p>\n<p>The law is simple. Any company, organization, or entity that runs a website which also collects the personally identifiable information of California residents must also post a privacy policy on their site. <\/p>\n<p>The privacy policy must explain the types of information collected from users, the types of information that may be shared with third parties, the effective date of the privacy policy, and the process\u2014if any\u2014for a user to review and request changes to their collected information. 
<\/p>\n<p>Because the law applies to any website that collects Californians\u2019 information, it applies far beyond the state\u2019s geographic borders. This isn\u2019t just for California-based companies like Apple, Google, Twitter, and LinkedIn. It&#8217;s also for Washington-based Microsoft, New York-based Verizon, and Texas-based Dell. <\/p>\n<p>Also, the law requires that every privacy policy be easy to find. Even Big Tech doesn\u2019t challenge this requirement: In 2007, <a href=\"https:\/\/bits.blogs.nytimes.com\/2008\/05\/30\/is-google-violating-a-california-privacy-law\/?ref=technology\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">after reporting by the New York Times<\/a>, Google decided to more prominently display its privacy policy on its website. <\/p>\n<h3>2. Do not lie in your privacy policy<\/h3>\n<p>This should be obvious, but in case it is not: Do not lie to your users about what you do with their data. You can collect their data, store their data, share their data, even sell their data, so long as you tell them the truth. <\/p>\n<p>Any company that lies about its data protection practices could be hit with a lawsuit from a state Attorney General or, pending some legal hoops to jump through, an individual user. That\u2019s because, in the US, data protection rights can still be asserted under an area of the law that prohibits \u201cunlawful, unfair, or fraudulent\u201d business practices, along with \u201cunfair, deceptive, untrue, or misleading\u201d advertising. <\/p>\n<p>Lee Tien, senior staff attorney at Electronic Frontier Foundation, explained this area of consumer privacy law. <\/p>\n<blockquote class=\"wp-block-quote\">\n<p>\u201cMost of consumer privacy that\u2019s not already controlled by a statute lives in this space of \u2018Oh, you made a promise about privacy, and then you broke it,\u2019\u201d Tien said. 
\u201cMaybe you said you don\u2019t share information, or you said that when you store information at rest, you store it in air-gapped computers, using encryption. If you say something like that, but it\u2019s not true, you can get into trouble.\u201d<\/p>\n<\/blockquote>\n<p>These lawsuits have been successfully filed against companies before. Last year, Uber agreed to <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.npr.org\/2018\/09\/27\/652119109\/uber-pays-148-million-over-year-long-cover-up-of-data-breach\" target=\"_blank\">pay $148 million to settle a lawsuit<\/a> alleging the company\u2019s misconduct when covering up a 2016 data breach. The lawsuit was brought by every single state Attorney General in the United States, plus the Attorney General for Washington, DC. <\/p>\n<h3>3. If you want to expand beyond the US market, consult a data privacy lawyer first<\/h3>\n<p>Data privacy and cybersecurity laws abroad are not like the laws in the US. <\/p>\n<p>For example, the European Union recently bestowed upon its citizens the new rights to <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/02\/max-schrems-lawyer-regulator-international-man-of-privacy\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">access, control, transport, and delete information that companies collect on them<\/a>. China\u2019s cybersecurity law grants its government the right to inspect and even copy the source code of incoming software products. South Korea\u2019s cybersecurity laws include fierce penalties and even possible jail time. Singapore, often viewed as a friendly country for US expansion, has its own cybersecurity law that protects \u201cessential\u201d services, a definition that does not exist here in the US. 
<\/p>\n<p>Expanding into a new country is, most of all, a question of risk: <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/04\/globetrotting-businesses-beware-data-privacy-abroad-question-risk\/\" target=\"_blank\">Can you afford\u2014quite literally\u2014the cost of compliance?<\/a>\u00a0<\/p>\n<h3>4. Personal information is not the same as personal data<\/h3>\n<p>The terms \u201cpersonal information,\u201d \u201cpersonal data,\u201d and \u201cpersonally identifiable information\u201d get thrown around a lot, sometimes even interchangeably, but <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/what-is-personal-information-in-legal-terms-it-depends\/\" target=\"_blank\">these terms have specific legal definitions that do not carry over so easily from one to another<\/a>. The definitions for the terms do vary, however, depending on which law in which state or country you consult.<\/p>\n<p>The important thing to remember is that these terms describe types of information that companies are legally required to protect. Protecting one law\u2019s definition of \u201cpersonal information\u201d is not the same as protecting another law\u2019s definition of \u201cpersonal data,\u201d and mixing the two up could lead to compliance mishaps. <\/p>\n<p>The best advice is to, once again, consult a data privacy lawyer. Getting lost in an array of country-specific, legal rabbit holes does not help anyone. <\/p>\n<p>Michelle Donovan, intellectual property and cyber law partner at Duane Morris LLP put it clearly: <\/p>\n<blockquote class=\"wp-block-quote\">\n<p>\u201cWhat it comes down to, is, it doesn\u2019t matter what the rules are in China if you\u2019re not doing business in China. 
Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.\u201d<\/p>\n<\/blockquote>\n<h3>5. Get ready for comprehensive data privacy legislation in the US<\/h3>\n<p>In the past year, at least <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/03\/what-congress-means-when-it-talks-about-data-privacy-legislation\/\" target=\"_blank\">four US Senators have proposed comprehensive, federal data privacy legislation<\/a>. Each bill seeks to improve Americans\u2019 online privacy. <\/p>\n<p>Sen. Ron Wyden\u2019s bill, for example, proposes that dishonest tech executives face potential jail time. Sen. Amy Klobuchar\u2019s bill, on the other hand, focuses on making corporate privacy policies clear and understandable. Sen. Marco Rubio\u2019s bill would ask the country\u2019s trade enforcement agency, the Federal Trade Commission (FTC), to propose its own rules on data privacy, which Congress would later vote on. And Sen. Brian Schatz\u2019s bill would place a new \u201cduty to care\u201d requirement on companies handling user data. <\/p>\n<p>None of the above-mentioned bills have received a vote in Congress, but this area could move fast, and many assume that data privacy will become a lynchpin issue in the 2020 presidential election.<\/p>\n<h3>6. Respect and protect your users\u2019 data<\/h3>\n<p>Your users have <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">few legal options in asserting their data privacy rights<\/a>. Despite this, your company should take it upon itself to treat user privacy with respect. <\/p>\n<p>You will not be alone in this proactive decision. 
Apple, <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/05\/mozilla-urges-apple-to-make-privacy-a-team-sport\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Mozilla (opens in a new tab)\">Mozilla<\/a>, Signal, WhatsApp, CREDO Mobile, ProtonMail, Helix DNA, and several other companies already understand that meaningful user privacy can serve as a competitive advantage.<\/p>\n<p>As Malwarebytes Labs showed this year, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups\/\" target=\"_blank\">people care immensely about online privacy<\/a>. Listening to your users should not be a matter of legal compliance, but a matter of respect. <\/p>\n<p>Join us next week for another set of data privacy takeaways, this time for consumers in the US.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/05\/the-top-six-takeaways-for-corporate-data-privacy-compliance\/\">The top six takeaways for corporate data privacy compliance<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Fri, 03 May 2019 15:00:00 +0000<\/strong><\/p>\n<p>Here are Labs&#8217; top six takeaways from our data privacy and cybersecurity law series on corporate data privacy compliance. From emerging startups to burgeoning enterprises, these rules help not just with legal liability, but also user trust. <\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/05\/the-top-six-takeaways-for-corporate-data-privacy-compliance\/\">The top six takeaways for corporate data privacy compliance<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[2211,21170,18466,21174,21175,21176,11063,21177,21400,21178,21401,12116,12210,21634,13271,10470,14563,17588,19130,5897,18883,13761,10497,3205,3011,21730,10440],"class_list":["post-15247","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-apple","tag-california-online-privacy-protection-act","tag-cybersecurity-law","tag-cybersecurity-laws","tag-data-breach-notification","tag-data-breach-notification-law","tag-data-privacy","tag-data-privacy-compliance","tag-data-privacy-law","tag-data-privacy-laws","tag-data-privacy-legislation","tag-gdpr","tag-general-data-protection-regulation","tag-helix-dna","tag-mozilla","tag-online-privacy","tag-personal-data","tag-personal-information","tag-personally-identifiable-information","tag-privacy","tag-privacy-policy","tag-protonmail","tag-security-world","tag-signal","tag-uber","tag-user-privacy","tag-whatsapp"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15247"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15247\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15247"}],"wp:term":[{"taxonom
y":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}