FTC, FCC, SEC, NYDFS, AGs… you name it, the acronym exists! There are countless regulators that are weighing in on Data Privacy. As #GDPR approaches and stories about data misuse or breach mount up, you need to know the regulatory players.

In this episode of “Are You DataSmart?” the Ward brothers discuss how each government, department, and even State regulator will likely be involved in data privacy and data security.

TRANSCRIPT

Jay: “Are you DataSmart?” A weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. And today, we’re gonna dive into the long arm of the law, Jay. You know, we’ve talked in past podcasts and you certainly blog an awful lot about the regulatory authorities that are, let’s just say in charge of making sure every one of those…I don’t know. I’m not counting, how about 6,000 click-through terms and disclaimers that I’ve clicked in the last few years are somehow being regulated or somehow being analyzed. And I know in the past we’ve talked a little bit about the FTC, we’ve talked a little bit out just really in each country, the European data protection authority. But, you know, why don’t we start there with a couple of the big ones. But let’s start with the FTC and what that jurisdiction looks like.

Jay: Yes. So, you know, we’ve talked a little bit about how the FTC gets its authority and it’s primarily derived from their statutory role as the consumer watchdog in this country. It’s their job to make sure that in the marketplace, consumers are protected, you know, in one sense that’s what the antitrust authority is. It’s, you know, we’re protecting consumers from monopolies although people as varied as Alan Greenspan and some kid who was in my first year contracts class said, “Well, how can it be really protecting consumers if it’s keeping prices low?” To which we all say, “Shut up.” But the theory is basically we’re protecting consumers from bad things that can happen to them. And that’s where the FTC gets its power because they can prevent or they can enjoin, they can sue to correct unfair deceptive trade practices. And we’ve talked a little bit about how a cyber breach or data breach, whatever you wanna call it, something that goes awry with the data you have or how you are protecting the data you have can be unfair. But the FTC…

Christian: Well, just out of curiosity, I mean, when you talk about a data bridge like that, I know we’ve also talked about, you know, what are people’s plans for it, how do they prepare for it, and then how do they respond. I know you do that a lot in your work with some your customers, but explain a little bit like, how do you prepare for something like that particularly as it relates to the FTC?

Jay: Well, it’s…You actually prepare the same way for any regulator because there’s a lot of overlap. You know, the FTC regulates protection for consumers, but the FCC regulates telecommunications companies. The FTC make sure that promises made to customers in a privacy policy or statement on a term and condition is actually being enforced, but the securities and exchange commission make sure that promises made to investors in a prospectus statement are truthful. And they also make sure that if you’re the CIO of Equifax, the night before the breach you’re not dumping a million dollars worth of stock and googling…I’m sorry, binging what are the effects of a data breach on stock price.

Christian: I don’t wanna laugh, but it’s just…

Jay: I mean, so many things wrong with that sentence. It’s just that…there’s nothing good about that.

Christian: Just terrifyingly sad, but actually that brings up another one because as you know in our past, we’ve worked with…certainly with some Wall Street firms, but they ran afoul of the attorney generals back in the day when there are some deceptive practices around equity research. That was kind of shocking because it really wasn’t a federal step and it was the New York attorney general at the time who later became famous for other reasons. But in this case it was mostly about, really it seem like unfair practices. How did the attorney general fit into all this?

Jay: Well, you know, in this country, the majority of data security law is state law and so the states’ attorneys general are truly responsible for enforcing really the only statutory law there is on the subject and that state data breach notifications. And then sort of the baby of FTC Act, you know, each state has a false or deceptive unfair trade practices act. And, you know, sometimes these attorney general are much more aggressive, you know. I’m sure you were referring to Elliot Spector who as we all know was famous because his show on MSNBC really didn’t do very well. And when they get aggressive, the goal I think is to either demonstrate their chops at taking on a big industry or prepare themselves for a nationwide run for office.

But the reality is regardless of why they’re doing it, they’re empowered to take the steps in states attorney general coordinate with one another, they have working groups. And these are bipartisan groups focused on these issues. There’s one right now dealing with data security and cyber breach. And the National Governors Association does the same type of thing. Interestingly, some states have empowered other agencies to sort of take the lead and the archetypical one that I’m thinking of is in New York, the department of financial…the Division of Financial Services or DFS. They have one of the most aggressive cybersecurity laws in the country and it actually just became effective last month. And it’s like epoch-making when it comes to state regulation because the states, I think recognize that in the absence of a GDPR style statute in the U.S. it’s going to be incumbent on the states to take the lead. And that’s exactly what New York has done.

Christian: And we had talked about that in the past, you know, you are saying highly unlikely that we see any sort of national equivalent to the GDPR here in the United States. But you think that the states will pick up that mantle and run with it?

Jay: I think they might. I think it’ll at least be pressure on in the state industries, you know, California has long been the leader in cybersecurity and data protection. They had the CalOPPA or the California Online Privacy Protection Act way before there was anything even closely analogous. They were the first state that effectively said, “If you’re selling to people in California, you need an online posted privacy policy.” And they were doing this back when, you know, the internet was mostly dancing babies on GeoCities sites. So, they have been very aggressive. They’ve been leaders, but the rest of the states are catching up. And I think you can be confident that even in the absence of a broad regulatory regime imposed from Washington, the states are gonna have their own agendas to pursue.

Christian: We’re also seeing that. I mean, look we’ve got Facebook headquartered there with the news today as you and I were talking about before the show of, you know, that the revelation of Cambridge Analytica actually using profiles to clone other profiles and to target them. Kind of what every marketing platform out there right now does just seems kind of crazy. But, you know, with Facebook headquartered in California, I don’t know if that also play into continuing to evolve their approach.

Jay: Yeah. I mean, there’s a lot of dog bites, man stories when it comes to what people are doing with data. And that in and of itself is a problem, right? Because you talked about the 6,000 terms and conditions that you’ve accepted without reading because honestly who has ever read the terms and conditions or an end user license agreement.

Christian: I read them all, I read them all.

Jay: I know you do and this is why you’re fond of parties. But for, you know, the vast majority, the rest of us are not doing that. And what happens is there’s a serious disconnect between what people believe is happening with their data and what’s actually happening with their data, and more to the point what they’ve consented to have happen with their data. And, you know, the courts are gonna grapple with this. And to one extent when it’s a regulatory action there’s like, this cabin authority for these regulatory agencies, the Administrative Procedure Act and, you know, the rules around what agencies can do at the federal level, that’s really a developed body of law. But in the states, states’ attorney general and state regulatory agencies can effectively pursue whatever theory they want. And if the judiciary in a certain state says, “Yeah. You know what, even though we all click okay, we can’t really be expected to agree to all of these terms, these adhesive contract terms. And so, we’re gonna let you avoid some of those agreements or strike out the provisions that are problematic.”

Christian: That’s amazing.

Jay: And there’s no way to prevent that. That’s the way our republic works. That’s the way the structure of government in this country work. So, you could have an enormous array of legal regimes across the U.S. and I think when that happens over the years of a situation where we have that type of divergence, then you really might see Congress step in an act. Because that’s effectively what prompted the GDPR in Europe. Data protection in Portugal didn’t look anything like data protection in Denmark. And so, they wanted to find a way to rationalize and harmonize that. And that would be I think a real impetus behind a general data security law in the U.S. But as I said, I think we’re years from there.

Christian: Yeah. And I think you can also expect, that’ll be some of the messaging and fall out of the Cambridge Analytica sort of story today. It’s just, it’s gonna continue to unearth things we thought we clicked okay on, maybe we weren’t so okay with and perhaps that will wake up more jurisdictions to the need for action. But this brings me to another question which is, you know, ultimately why should boards care about the individual, you know, legal authorities that they’re dealing with, why should they care about as officers about who are these parties that are potentially both enforcing the current regulatory environment, and also like you just point out, could be negating what was already sort of settled if they decide, “No, we didn’t really understand what we’re clicking on.” So, how do boards and officers deal with that?

Jay: Well, I think you remind them of three simple words, shareholder derivative lawsuit. That is…If that’s not an encouragement to a board to take action, I don’t know what is. It has been held in Delaware, no less it has been held a potential breach of fiduciary duty for a board to be ill-informed about data security and to not take steps to safeguard the data security of the information that their company possesses. So, when it comes to…

Christian: How new is that, Jay? Is that relatively new?

Jay: Three or four years now. I mean, that’s just been something that’s been brewing for a while. These are cases that make it pass the motion to dismiss stage in Delaware and, you know, that doesn’t mean anything to non-lawyers. But it’s like hitting for the cycle in baseball. That’s a big deal.

Christian: Wow.

Jay: So, you know, I’ve done both. So, the idea here is if you can make it pass a motion to dismiss then you’re into discovery and that’s where the money really piles up. So, directors and officers who face the same liability have an obligation to inform themselves and to take care that the information they possess is being secured. And if you’re not following those requirements, and we’re not even gonna talk about shareholders now, if you’re not talking about those requirements and following through on them, a regulator is gonna come after your business. So, then once the regulator is done with you there for their lawsuit against you has become the prefab, precursor to a plaintiff’s derivative lawsuit against you.

So, the idea is if you don’t incorporate data security into the operations of your company at the highest level, and this doesn’t even have to be if you’re a board-run company, not every company has a board. But if you’re incorporating these principles into how you operate, you’re not being data smart. And you’re putting yourself at risk for a regulatory action that’s costly or a regulatory action that costly, plus an extremely expensive litigation with plaintiffs. So, you got to be focused on these issues.

Christian: Wow. That’s a…Well, if you hadn’t lost your appetite before joining us, hopefully, that will make you do so. That’s pretty scary stuff, but at the same time it really just does pay to focus on these issues. Now, get prepared, have your plans in place, and certainly understand all of the regulatory authorities, and the long arm of the law. Thank you, everyone, for listening to this edition of “Are you DataSmart?” and we look forward to talking to you next time.

Jay: Thanks again.