What to know about new privacy and cybersecurity laws

2021 has been quite the year for privacy and cybersecurity, with the passing of wide-ranging new laws (both domestically in the US and internationally), hard hitting regulatory actions, and increasingly sophisticated cyber-attacks. 

As we approach the year end, let’s review some of the main issues Colorado businesses will need to address as a result of these developments. 

Colorado Privacy Act (CPA) 

On July 8, 2021, Colorado joined California and Virginia to become the third US State to pass a comprehensive privacy law. 

The CPA goes into force in just over 12 months’ time, on January 1, 2023 and will apply to companies that do business in Colorado and either (i) process or control the personal data of 100,000 or more Colorado residents or households in a calendar year, or (ii) derive revenue or discounts from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents or households. 

The CPA places significant obligations on Colorado businesses, including broad consumer rights and the need for consent to process ‘sensitive’ personal data, along with other backend or operational requirements such as requirements for vendor contracts and data protection impact assessments. 

China’s Personal Information Privacy Law (PIPL) 

China’s first comprehensive privacy law, the PIPL took effect on November 1, 2021. 

This law is part of a broader bucket of privacy and security laws which form an overarching framework governing data protection, cybersecurity, and data security, in China. 

Similar to the European Union’s General Data Protection Regulation (GDPR), the PIPL applies to organizations that process personal data outside of China if the purpose of that processing is to (i) provide products or services to individuals in China, or (ii) analyze or assess the behavior of individuals in China. 

The PIPL includes a number of requirements that emulate those of the GDPR, including requirements for a lawful basis for processing, appointment of a local representative, individual rights to notice, access, correction, erasure, and portability of personal data, together with restrictions on international transfers of personal data. 

Of note, individuals will have the right to bring legal actions against organizations if they fail to honor requests to exercise those individual rights. 

New Standard Contract Clauses 

On June 7, 2021, the European Commission finally adopted the long awaited new standard contractual clauses (SCCs) for the transfer of personal data outside of Europe. One of the most noteworthy issues with the new SCCs is the requirement to undertake an analysis of the impact of any transfer covered by the clauses. 

This requirement is generally addressed in a ‘Transfer Impact Assessment’ or ‘TIA’ and requires a review of the regulatory landscape of the importing country, particularly with respect to the ability of government agencies to access personal data and any legal redress that individuals may have. 

Depending on the nature of the personal data being transferred and the processing activities of the importer, technical measures such as encryption may need to be applied. 

In some cases, where the processing activities cannot be undertaken with personal data in encrypted form and are more likely than not to attract government access concerns, the European Commission has stated that it may not be lawful to transfer such data. 

Vendor Risk 

Following a number of significant data breaches impacting major service providers in 2021, it is more important than ever to ensure that organizations conduct due diligence on their vendors. 

Because organizations are responsible for the personal data they collect, steps need to be taken to ensure vendors implement and maintain appropriate privacy and security practices and protocols.

While liability can be adequately shifted through contract drafting (indemnification and limitation of liability provisions), this strategy only addresses costs and does not account for other issues that may arise from poor vendor management (e.g. reputational harm).

Organizations should always request appropriate privacy and security documentation (e.g. policies and procedures, security reports, breach assessments, etc.) to ensure personal data remains protected.

Vendor due diligence is also an exercise that should be continuously conducted because industry standards and vendor operations are always changing. 

Ransomware 

The statistics surrounding ransomware, and security breaches in general, have continued to worsen in 2021. Ransomware can cause significant liability for any organization. The cost of paying a ransom and remediating these incidents are expensive.

However, regulatory enforcement has also increased in this space, as organizations are now instructed to implement meaningful steps to defend against such attacks and to only pay ransoms when necessary. We have also seen increased scrutiny from regulatory authorities such as the SEC regarding appropriate disclosures of cyber incidents. 

While 2021 has been a landmark year for changes to the legal landscape monitoring and regulating data privacy, these trends are likely to continue as companies that hold data continue to be increasingly targeted by attacks.  

If you’re an employer with questions about how to comply with new privacy regulations or protecting your business from attacks, please contact an attorney for guidance.

Visit Polsinelli’s website to learn more about Polsinelli’s Privacy & Cyber Security practice. 

 Liz Harding is a Shareholder in Polsinelli’s Privacy and Cybersecurity practice and is dual-qualified attorney in Colorado and the United Kingdom.  She counsels clients on data privacy, advertising and technology licensing matters. Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years, mainly focusing on EU and UK privacy matters. Liz has significant experience counseling clients on how to comply with their enterprise wide privacy obligations and US federal and state, and international, privacy and cybersecurity regulations. 

 Aaron Ogunro is an Associate in Polsinelli’s Privacy and Cybersecurity practice. His practice primarily focuses on domestic and international data privacy compliance and negotiating privacy and technology agreements. 

(Sponsored content for this article provided by Polsinelli)