FRA Associate Director, Lewis Ripple, spoke on a panel at The Sedona Conference Working Group on Data Security and Privacy Liability 2018 Mid-Year Meeting. The Mid-Year Meeting also hosted a number of programs covering current topics, including privacy case law updates and recent developments in data security and privacy in the healthcare field. Below, Lewis shares key insights from the meeting.
1. US Judicial Enforcement of Orders Entered Under the EU General Data Protection Regulation (GDPR)
The panel discussed the unique facets of GDPR and how they may relate to the application of existing US laws, including Constitutional grounds under the First Amendment, which could easily be implicated in attempts to enforce a GDPR judgment against US companies. US companies and organizations without obvious EU ties may find themselves without comprehensive GDPR compliance programs, potentially putting them at risk, depending on how initial attempts at EU enforcement actions proceed.
2. Data Security and Privacy Case Law Updates
During a case law update session, a number of recent decisions regarding data security were discussed. The recent LabMD case led to the first court decision that overturned an FTC cybersecurity action. As a result of the recent Equifax data breach event, and the small claims lawsuits that followed, Vermont became the first state in the US to regulate “Data Brokers”: companies that buy and sell personal information. The recent regulations state that brokers must disclose exactly what information they are collecting and provide customers the opportunity to “opt out” of such collection.
3. Recent Developments in Data Security and Privacy in Healthcare
There have been 145 Biometric Information Privacy Act (BIPA) cases in Illinois in the past year. Employers using fingerprint scanning for their time recording have largely been the targets of these cases. The attendees discussed these cases, in addition to other current topics in the industry. Information governance and “data mapping” continue to be a driving force in GDPR compliance across industries, not just in healthcare. The panel also discussed the difficulties in navigating differing notification regulations across state borders. Ultimately, working with state regulators early on in the breach event lifecycle can help companies better understand the rules and regulations and avoid penalties.
Visit the Sedona Conference website for further details