What’s new in data privacy? A legal update

We have all clicked buttons on web pages and apps agreeing to, or opting out of, certain uses of our personal data. But what are the legal principles driving the companies operating these platforms to create those buttons, update their privacy policies or otherwise engage users about the use of their data?

Online users increasingly rely on companies to be thoughtful about their use of data, and the Federal Trade Commission (FTC), among other regulators, has increased regulatory scrutiny of smaller companies. And since 2014, the FTC’s data privacy program has received more resources, resulting in the imposition of more fines.

The bottom line is that if your company is collecting personal data through a website, app or platform, you need to have an online privacy policy that complies with the evolving laws governing data privacy. With that in mind, we interviewed data privacy experts Phil Yannella and Gregory Szewczyk to dive into what emerging companies should consider when it comes to data privacy. Here is what they had to say:

If my business is online, is it subject to all 50 states’ privacy laws and regulations?

Generally, no. Most laws fall into three different categories: breach response laws, which govern what you must do if personal data has been compromised; data security laws, which govern what protections you must have in place for personal data; and privacy laws, which govern how you use personal data and what disclosures or consents you must provide. The first two types of laws generally relate to more sensitive categories of personal data, but the third usually applies to any data that is capable of being linked to an individual. The applicability of these laws is usually triggered based on where the individuals whose data you are collecting reside, but there may be other applicability thresholds.

All states have breach response laws, and about half have data security laws. These laws do not have volume thresholds, so if a company collects any covered data, it will be subject to that law regardless of whether it has any physical presence in the state.

To date, only five states (California, Colorado, Connecticut, Utah and Virginia) have passed comprehensive privacy laws, which regulate how companies collect and use personal data. These laws, however, only apply to companies that meet certain thresholds relating to how much personal data is collected and/or gross annual revenue. In other words, most young startups will not be subject to these laws if they do not meet those thresholds.

But there are dozens of bills introduced across the country for new privacy laws. So unless the federal government passes a law with preemptive effect, the patchwork is likely to expand. Unfortunately, that means startups must assess their compliance requirements based on their specific operations and processing, and should be thinking not only about where they are today but about when their businesses might reach those thresholds, so that they are ready when the time comes.

What are the next “hot” enforcement areas that young companies should start preparing for?

While there are many areas ripe for enforcement, the three we would highlight at this stage are biometrics, web-scraping and regulation of crypto.

Everyone has a million passwords these days, so users increasingly prefer biometric recognition software as an easy way to log in to apps or websites. Biometrics include fingerprints, voiceprints, and facial and retinal measurements. But new biometric identifier laws put developers at risk. These laws require companies to obtain prior written consent before collecting biometric data that can be used to identify an individual, as well as to publicly post certain aspects of their retention policies.

In 2008, Illinois became the first state to enact a biometric information privacy law (BIPA). Although it has been on the books for a while, this law has gained traction only in the past few years. In 2018, a case called Rosenbach v. Six Flags Entertainment Corp. broadened the impact of that law by making it clear that a consumer does not have to suffer an actual injury to have the right to sue a company for violating BIPA. This means the consumer can bring a claim solely by virtue of the fact that a company collected the data without the consumer’s consent, even if the collection had no impact on the consumer.

The upshot has been a flood of lawsuits with big dollars at stake. For example, in 2019, Facebook settled a BIPA class action lawsuit called Patel v. Facebook, Inc. for $650 million to resolve claims that Facebook collected user biometric data without consent.

Currently, only Illinois, Texas and Washington have enacted biometric laws, and only Illinois allows its citizens to sue noncompliant companies. But in 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri and New York) have all introduced biometrics laws generally modeled on BIPA. There is even potential for a national biometric privacy law: Senators Jeff Merkley (D-Ore.) and Bernie Sanders (D-Vt.) introduced the National Biometric Information Privacy Act of 2020, but as of this post’s publication, it has yet to be enacted.

While most biometric privacy laws have not yet been enacted (or do not yet carry serious repercussions for companies), new companies need to keep an eye on this evolving area of the law, which could result in exposure for young companies. Even if a young company is not sued in connection with a biometric law, it may still need to consider these laws for purposes of making itself attractive to investors or potential buyers. Compliance with biometric laws may be an area of increasing investor diligence (both to ensure compliance with the law and to ensure that portfolio companies are respecting user privacy as a matter of reputation).

Startups and young companies often develop business models focused on optimizing consumer interactions with Amazon, Facebook, and other major platforms. These startups use application programming interfaces (APIs) or web-scraping technologies that have been the source of significant litigation. Web-scraping involves the mass collection of data from publicly accessible sources. While the law on web-scraping is still somewhat murky, egregious cases of web-scraping will spark privacy and security concerns and could lead to potential litigation.

The crypto space also sees potential for increased litigation. Numerous crypto thefts have led to litigation, as well as the likelihood of federal regulation — including know your customer (KYC) rules for crypto exchanges. Crypto start-ups should be aware of the changing KYC requirements to maintain compliance as regulators are going to clamp down on anonymous crypto transactions.

What language should companies watch out for in data processing agreements that vendors or enterprise customers send?

Startups should be wary of significant data security requirement “traps” that companies will often add in data processing agreements that go beyond what is required by the law and increase legal risk. These additional requirements are often not reasonable in light of the contractual processing activities. For example, enterprise clients may impose unrealistic timelines for reporting security incidents to the client — often 24 or 36 hours. Unless there is a regulatory reporting need for such a quick turnaround, and the clause is limited to breaches that are confirmed or reasonably suspected to involve client data, startups should push for more workable reporting times. Likewise, startups should be wary of onerous indemnification requirements, particularly in connection with data breaches that go well beyond the value of the underlying contract. In this regard, it can be very helpful to have these agreements reviewed by a knowledgeable attorney to help circumvent these “traps.”

If a startup is using a service provider, the startup may want to insist that the service provider provides a list of sub-processors or gets permission in order to use a sub-processor that will handle personal data on behalf of the processor/startup. Often, the service provider will not pass along the same contractual security requirements to the sub-processors without specific instruction to do so. Also, startups should be on the lookout for language allowing the service provider to move personal data outside the United States, potentially triggering foreign data privacy laws.

Kim’s Corner is a series of articles by Ballard Spahr’s emerging companies and venture capital attorneys. The column is not legal advice. The substance of the column is derived from our experience working with founders and details some of the current important issues facing startups.