Privacy and Security
Most commercial products that collect Personally Identifiable Information (PII) must comply with a variety of legal regulations. Developers should recognize that the use of PII carries with it serious privacy and security risks. These challenges are best addressed during the initial product planning stages. Doing so may protect developers from legal liability, enhance product integrity, and instill user trust.
For mobile apps, web properties, and other digital products, a compliance assessment should be performed to determine what regulations apply to the product. Based on the intended use cases, specific rules may impact the product's design and underlying business model. A privacy impact assessment should be performed to develop controls concerning the collection and use of personal data.
In the current era of privacy regulation, failure to build in compliance from the start can lead to liability. Product developers must consider not only the multiplicity of regulations, but the more nebulous privacy and security risks as well. These include enforcement actions by the FTC under its authority over unfair and deceptive practices, lawsuits by plaintiffs whose privacy or security has been violated, and liability arising from impermissible uses of the data that has been collected.
Privacy by Design
The idea of privacy by design is a fairly new concept, having become mainstream through the EU General Data Protection Regulation (GDPR), which expressly requires data protection by design and by default. Its prevalence in the U.S. is on the rise and will gain further traction under the California Consumer Privacy Act (CCPA), which takes effect in 2020. Developers must understand privacy by design in order to build products that are structurally compatible with the law.
From a planning perspective, there are really two aspects to privacy by design. The first involves designing products in a way that incorporates the necessary mechanisms (consent, access, deletion, and similar user rights) directly into the product itself to meet regulatory requirements. The second involves embedding privacy into the product such that the product's purpose can be achieved using the least amount of data possible, thus reducing privacy risk: data that is never collected cannot be breached, subpoenaed, or misused.
Privacy by design can be a difficult concept to grasp, as it flies in the face of the unbridled, mass collection of data that has become ubiquitous. However, the law will soon reshape that approach, and smart companies, like Apple, are embracing it to their advantage. A privacy by design analysis should be performed by a skilled attorney using a formal methodology to assess the risks and develop policies and controls.
In addition to privacy, several laws require products to ship with minimum security features. No doubt, privacy and security are becoming inseparable concepts. The overarching intent of security rules is to safeguard user privacy, prevent the exploitation of sensitive information, and reduce the risk of products and connected devices being hijacked for command-and-control-style attacks.
Security-related requirements should be evaluated concurrent with a privacy assessment. Some security requirements are widely known, such as the Security Rule governing electronic protected health information (ePHI) under HIPAA and its subsequent HITECH and Omnibus expansions. However, others are more obscure.
Several state laws regulate the privacy and security of biometric data, the Illinois Biometric Information Privacy Act (BIPA) being the most litigated example. California's new connected-device security law (SB-327), which takes effect in 2020, requires manufacturers to equip connected devices with reasonable security features, including a prohibition on shared default passwords. Other states, including Massachusetts, require specific security policies, such as a written information security program, to be implemented to protect personal data.
Regulatory rules comprise only a small fraction of the security-related legal concerns for developers. Other issues that give rise to liability include the security of the product itself, encryption standards and practices, authentication and password policies, vulnerabilities in source code, user permissions and access logs, data backups, and the product's ability to detect and prevent intrusions.
An attorney knowledgeable in data security should be consulted to determine what regulations apply to the product and to perform a formal risk assessment using a structured framework. Doing so helps bring the product into legal compliance and helps establish the product's overall security posture. By engaging a licensed attorney in these matters, the client may benefit from the protection of the attorney-client privilege.
The attorney should also assist the developer with other issues that create security-related exposure, such as the establishment of a safe harbor for a bug bounty program that allows the developer to properly and safely engage security researchers. Additionally, compliance audits, such as SOC 2 for cloud services and PCI DSS for payment card processors are commonly negotiated as part of software development and maintenance agreements.
Data Breach Response
No issue presents a greater nightmare for product developers than a data breach involving their product. Liability arises from a variety of sources, including state, federal, and international breach laws, which often carry devastating penalties. A data breach may precipitate an investigation by the FTC for failing to adequately protect user privacy. Likewise, it is common for data breach victims to file class action lawsuits.
In 2018, the U.S. Ninth Circuit Court of Appeals held in In re Zappos.com, Inc. that the plaintiffs, whose data was stolen in a data breach, had standing to sue based on the risk of future identity theft. This means that victims of a data breach need only show a substantial risk that their stolen data could be used to commit identity theft; they need not show that it has already been misused. This makes virtually every breach a serious situation.
Responding to a data breach is complicated and should be handled with the utmost care. Some courts have held that a forensic investigation commissioned by counsel in anticipation of litigation may be protected by the attorney-client privilege or the work-product doctrine, offering some protection if litigation ensues. An attorney knowledgeable in breach laws as well as best practices for responding to, investigating, and remediating a breach should be consulted as soon as a breach is discovered.
It is critical that product developers not wait to retain counsel following a breach and not attempt to "clean up" or conceal the breach. The law in most jurisdictions allows very little time for the responsible party to provide notification (the GDPR, for example, requires notice to the supervisory authority within 72 hours of becoming aware of a breach), and such notifications must be made in very specific and nuanced ways to be legally sufficient.
Privacy and Security Risks
Enforcement actions by regulatory authorities
Civil actions by aggrieved parties
Damage to reputation
Disruption to services
Loss or corruption of data
Cost of breach response and remediation
Product developers should take proactive steps to reduce their privacy and security risks. Smaller developers should especially consider the potential consequences of a data breach or regulatory investigation, since they rarely have the reserves to absorb them. There are reasonable measures that product developers can take to reduce their risk, and even small amounts of focused resources can have a meaningful impact.
The key to managing privacy and security risks lies in identifying risks, addressing compliance gaps, and adopting policies and practices that reduce exposure. Product developers should view compliance, privacy, and security as interdependent concepts, each having its own place in the developer's broader risk management strategy.