It Was a Very Good Year
More consumer privacy laws were brought into play by state legislatures and regulatory agencies in the first half of 2019 than in all of 2018. The number of states with data security laws has doubled since 2016. As perceived security risks to personal identifying information have increased, state legislatures are taking a more active role in requiring businesses to protect that data. At least 25 states now have laws that address data security practices of private sector entities. For example, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), signed into law in July 2019, took effect on March 21, 2020. The SHIELD Act expands New York’s breach notification requirements and imposes heightened data security requirements to prevent breach.
Most of the new data security laws require businesses that own, license, or maintain personal information about a resident of that state to implement and maintain “reasonable security procedures and practices” appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Over 120 jurisdictions globally have proposed or passed privacy regulations, and billions of dollars in fines have already been issued. Nevertheless, 79 percent of companies are failing to comply or struggling to keep up with these new regulations.
High Hopes for Legislative Clarity
Until recently, data has been a commodity that was used and exchanged in an unrestrained fashion because there was no comprehensive privacy regime in the United States, said Michelle Reed, a partner at Akin Gump, in a recent interview. With the introduction of the CCPA and similar legislation pending in other states, companies are having to change the way they do business. With the advent of more prescriptive privacy and cybersecurity requirements, companies are having to conduct new analyses.
Regulators are requiring companies to implement specific measures such as privacy by design. And while the points embodied in much of the legislation were best practices, they were not necessarily spelled out in most U.S. statutes, as is the clear trend now, said Natasha Kohne, also of Akin Gump, in a recent article. The onslaught of data privacy legislation comes at a price. Fines for violations can be hefty. Moreover, some state laws create a private right of action. As such, “privacy could turn into a class action nightmare,” said Cynthia Cole of Baker Botts in a recent interview. Besides reputational costs, says Cole, “the largest penalty in the U.S. is the cost of private litigation.”
The demand for privacy and data protection legal counsel has grown along with the evolving regulatory landscape. In a recent General Counsel Up-At-Night Report, 63 percent of respondents reported privacy and data security as a very important challenge. Within this, the top three concerns were phishing/malware, hacking, and compliance obligations.
The Market for Data Privacy Legal Services report indicated that in-house privacy staff has increased at a rate of as much as 33 percent year over year. It was also noted that 76 percent of multinational corporate respondents are using outside counsel for privacy and data security matters. Of the responding U.S. companies, 84 percent are using outside counsel. Almost half the companies reported spending growth and increased budgets for outside legal counsel. Importantly, many reported that they would be willing to pay outside counsel a premium for litigation and for interacting with regulators.
Information privacy is something every company must worry about. The global proliferation of laws dictating how businesses handle individuals’ personal data has translated into significant demand and opportunities for data privacy lawyers. Most of the Am Law 100 firms now have dedicated privacy practice groups with many more firms styling hybrid-like teams with governance, risk, or security. “There’s no question,” said Joel Wuesthoff of Robert Half Legal Consulting Solutions, “[privacy] is definitely a very hot space.”