The upcoming year will continue to hold challenges for data privacy programs. The Quarles Privacy Week 2024 programming from this week has provided an overview of the upcoming issues and challenges that are on the horizon. However, budgets and time are not unlimited, so how do you prioritize? Below are our top five recommendations for the most bang-for-your-buck priorities, worth your limited budget spend to help decrease risk, stay up to date with the current (and evolving) regulatory landscape, and set yourself up for a strong compliance program into 2024 and beyond.
1. Refresh Your Website Privacy Policy in Light of the Evolving Regulatory and Enforcement Landscape.
An annual review of your privacy policy should be your minimum cadence, but newly effective state laws and state/federal enforcement actions may prompt more frequent review. The key to any compliance program is understanding what privacy laws apply to your organization; but the world of data privacy and security is changing quickly, and it can be difficult to keep track of what impact these changes may have. Q1 2024 comes with a number of privacy laws going into effect. Our 2024 U.S. Privacy Timeline helps break down what is on the horizon for 2024 and beyond. Familiarize yourself with the new laws applicable to your business and double check your privacy program documents for compliance.
As you undertake this task, don’t forget to pay attention to laws addressing specific industries and types of data (e.g., AI, health data, the protection of minors, breach reporting, and financial transactions). For example, if you are in the health care industry, you should familiarize yourself with Washington and Nevada health data requirements and the HHS AI transparency rule.
Remember that an inaccurate website privacy policy can invite a Federal Trade Commission enforcement action under Section 5 of the FTC Act which prohibits “unfair and deceptive trade practices.” The FTC has been very active in its privacy-related enforcement actions, and we do not expect that to slow down in 2024. In addition, as state enforcement ramps up, including the California Privacy Protection Agency, we will see what tactics state regulators take in enforcing their own laws.
2. Understand Your Data Disclosure and Transfer Practices.
Knowing where your organization’s data is going should also be part of your compliance program (likely in the form of a data map). For 2024, we specifically recommend revisiting this with an eye toward (a) the upcoming privacy laws (discussed above) and (b) whether your organization transfers data across borders and, if so, whether those transfers are prohibited or restricted by applicable law. As you are giving thought to these data transfers, don’t forget to address data transfers that may be taking place in AI tools (input, output, and everything in between).
If you are transferring data across borders, specifically out of the European Union, give thought to whether the Data Privacy Framework is a good fit for those data transfers now that it is effective. The Data Privacy Framework is an optional self-certification for organizations to ensure cross-border transfers are consistent with European Union law. If the Data Privacy Framework is not workable, be sure at least that you have the correct Standard Contractual Clauses in place, using the updated forms published by the European Commission in 2021.
3. Take Steps Regarding AI.
AI can no longer be something we wait until tomorrow to contemplate. AI is here to stay and in all likelihood, your organization is using AI as you are reading this, whether directly or through a vendor. You need to understand how your organization is using AI, including the use cases and the type of AI (e.g., open vs. closed systems, predictive vs. generative AI). For more information on privacy considerations of AI, take a look at our Privacy Week primer on AI and check our Privacy Week webinar on Hot Issues and priorities for privacy in AI.
Be prepared to document the use cases, authorization for data collection, transparency of the algorithm, bias, and data use rights for AI and build rights and responsibilities into your software contracts. To this end, identify your high value, high risk, integral software tools and review the applicable contracts for those tools. If those contracts are more than 3 years old, it’s likely time to revisit the terms and any applicable data impact assessments given the changes in technology and the changing regulatory and litigation landscape.
Particularly if you are developing AI, take a look at the developing legal authorities, including the HHS AI Transparency Rule (Dec. 2023) and the EU AI Act (Jan. 2024), as consensus begins to build around AI best practices and governance.
4. Get a Vendor Management Process in Place.
No matter what industry you are in, the size of your organization, or the maturity of your privacy program, implementing and maintaining an ongoing vendor risk management process is necessary to ensure your organization is protected. Vendors are one of the most significant privacy risks to your organization.
As 2024 gets under way, we recommend the following as best practices in vendor management:
- Assess and update your due diligence practices and policies. Ensure you understand what data the vendor will process, what security practices they have in place, and whether they are able to comply with privacy and security requirements that are applicable to your organization.
- Determine whether a data processing agreement, data transfer agreement, or business associate agreement is necessary. Update your templates in light of new requirements.
- Track vendors that have access to your data and understand the scope of that data. Tracking vendors should not be based on organizational spend but should focus on the type and amount of data that vendor can access. Terminate access rights when contracts terminate, and confirm that data access and sharing comply with applicable privacy and security requirements, including additional requirements under evolving laws and regulations.
- If you have budget money and capacity, build a feasible audit program to review vendor compliance with security and regulatory requirements. Do not set yourself up for audit obligations that you cannot meet.
- Remember that vendor management is not a one-time process during contracting.
We recognize that vendor management is a big lift. Demonstrating steps to a robust vendor management program will go a long way with regulators. We are happy to help you prioritize initial steps.
5. Do Not Forget About Security.
We do not expect security incidents to slow in 2024. We are also seeing updates to current breach reporting laws at both the state and federal levels and expect more sophisticated cyberattacks with the use of new technologies (e.g., AI, deep fakes).
Legal and information security teams should work together to get some baseline security practices in place and up to date. Where is your data maintained and processed? Do you have offshoring or data localization requirements applicable to your organization? Is all of your organization’s personal information encrypted? Do you have appropriate access controls? Are your employees trained on current practices? Do you have any end-of-life software in your environment? As you give thought to these questions, consider the below:
- Ensure that your organization has an incident response plan. Key players in your organization should have access to the plan offline (in case you go down), and you should test your incident response readiness with an attorney-client privileged tabletop exercise. Statistics show that organizations with tested incident response plans have significantly less expensive security incidents. Consider how your vendors and customers fit into this plan.
- Get a security analysis to identify threats and vulnerabilities, but complete the audit under attorney-client privilege. Don’t just put the report in your files. Prepare a documented risk mitigation plan with your legal and compliance teams.
- Engage vendors before you experience a security incident (e.g., forensics vendor, legal counsel, public relations firm, etc.). Negotiating terms of these arrangements before an incident occurs will save your company from investing time and resources into those negotiations when those resources are needed to respond to the incident at hand.
- Analyze your insurance coverage, specifically your organization’s cyber insurance coverage, to determine whether it is appropriate based on your organization’s industry, practices, and risk tolerance.
While no two organizations are alike, given the current landscape of privacy laws, evolving technologies, and the risks of noncompliance and security incidents, it has never been more important for an organization to prioritize privacy this year. These priorities can be operationalized in organizations of all sizes and industries.