In episode 2, Meribeth Banaschik, Travis LeBlanc, and Randy Sabett provide insights on privacy under differing regimes.
Topics discussed include, among other things:
- Certain important privacy regimes
- The challenges created by remote work
- Biometric data and the related privacy concerns
- Healthcare data and the privacy trade-offs
Flyers and Resources
Thanks for checking out our additional content! Additional content was written/prepared by the Host or present/past Georgetown Law team members.
Our Articles may contain references to, or short excerpts from, specific statements in the Compliance & Legal Risk podcast episodes. Please note, to benefit the Article format, in many instances, statements referenced or quoted in an Article may have been edited or shortened, may only focus on one portion of a speaker’s answer to a question or commentary on an issue, or may have had certain interim questions/statements removed. We also repeat certain phraseology in all or many of our articles to aid listeners in comparing articles across episodes and to ensure our listeners have easy access to helpful episode information. For additional context and complete speaker answers, we always encourage you to listen to the full relevant podcast episode!
Why I’m Excited About This Episode
“First, we all know privacy issues seem to be everywhere given all the work from home during the pandemic and the expectation that certain positions and certain work may become permanently remote. Second, you may recall that, back in Episode 1, we discussed eDiscovery, social media, and ephemeral data, and one of our guest speakers on episode 1 was Jennifer Joyce, and she alluded to privacy legislation. Now we couldn’t get into the specifics of privacy in that episode because it was outside of the scope, so I’m excited to hear more from our speakers today about privacy. And lastly, the National Law Review reports that only this month, Colorado’s Governor signed the Colorado Privacy Act, which makes Colorado the third U.S. state (after California and Virginia) with a comprehensive law on data privacy. Needless to say privacy is likely top of mind for a lot of people right now, I know it certainly is for me.”
Meet Our Guest Speakers
I asked our guests to “tell us a little bit about themselves, what they do and how they got there.”
“My name is Meribeth Banaschik. You can hear my American accent. I was born and raised in Dallas, Texas. I am a trained litigator, American litigator, but I’m also a British solicitor. Living in Germany for the past 12 years; was supposed to be one. But despite that legal education, I am a technology Partner at EY. I am a Partner in our practice here and the Forensics Global Privacy Leader.”
“My name is Travis LeBlanc. I am a Partner at Cooley in our cyber data privacy practice and also one of the leaders of our litigation department at the law firm. I come at privacy from both the private sector law firm experience as well as substantial experience in the public sector, in federal government as well as state government, and working in particular on issues around regulatory approaches to privacy and security as well as governance within corporate environments, and also really looking at defense of our clients who find themselves having to deal with privacy and security challenges.”
“So I come at the privacy topic from more of a cybersecurity perspective. I got my start in this area at the National Security Agency, where I was a crypto engineer many, many years ago and essentially have gone from helping to defend our country’s important communications to helping to defend our clients and put our clients into a mode where they are protecting themselves and their data and those sorts of things. I’m part of the cyber data privacy practice at Cooley involved in, you know, I would much rather be involved on the proactive side and helping to defend, like I said, what our clients are doing, but inevitably clients get into issues, and so I also am actively involved in incident response. And that then carries into a lot of the privacy topics that we’ll be talking about today.”
Important U.S. Privacy Regimes
Travis LeBlanc described some of the important privacy regimes in the United States:
“In the U.S., that would be California’s Consumer Privacy Act, as well as equivalent versions from Colorado and Virginia. An additional one would be Illinois’ Biometric Privacy Law, which has been on the books for a number of years, but states and cities have gotten much more involved in the last few years in regulating biometric privacy.
In fact, today in New York City, a brand-new biometric privacy law goes into effect for commercial establishments that will be required to post a privacy notice if they collect biometric information, and also could be subjected to private rights of action lawsuits with very substantial penalties for violations if you’re a commercial establishment in New York. All this is to say, there’s a lot of regulatory activity that is ongoing right now at the state and city levels in the United States with regard to privacy. And, just this week, the actions in Colorado and New York City are just two examples of how much change is happening now.”
What is the GDPR?
Meribeth Banaschik provided a short description of the GDPR:
“You should know that it stands for General Data Protection Regulation. And maybe the “R” at the end is the most important part; that it’s a regulation as compared to a directive, because this means that it was, let’s say, incorporated into the law of all the countries.
And that directive, which over here we would call the ’95 directive, the GDPR sought to harmonize all those differences and all the different countries’ laws. And this harmonization was one of the major goals of the GDPR. And also you should know that it applies to data controllers. So this data controller is someone who makes decisions about data. That’s, I think, the easy way to remember the very complicated definition that exists. And it applies to data processors, who can be different individuals or entities who are handling data in some way for the controller. And there are some key buzzwords like accountability, privacy by design, and, I believe, it’s 11 different individual rights that were created, which maybe distinguish it from some of the other legislation around the world.”
Where are Things Heading?
I asked our guests about where this area was “heading in the next year.”
“I think that data is power. And so I would expect to see, I mean, we already see that this has become a very political topic with antitrust claims, with sanctions. I think in the EU, in the next year, we will become more critical of ourselves, of whether or not the GDPR is a success.
If it’s being enforced the way that we thought that it would be. Of course, we see the UK adequacy decision coming out, but Brexit still brings a lot of question marks. And I think as the CCPA comes out, all the European countries that now have their compliance management systems in place will need to decide if they might need to over-comply in certain jurisdictions to have a global uniform privacy program, or if they choose to have a non-uniform compliance program that strictly complies only with the requirements in each individual country, which if we have 20, 30, 40 different privacy regulations around the globe, can get pretty complicated pretty quickly.”
I asked our guests for one “actionable, monetizable takeaway” for our listeners.
“I’ll actually give two quick ones. One, from a company perspective, I would say cyber insurance is almost a necessity these days, in the sense that it covers both privacy and cybersecurity issues, although as the products mature, you have to look at the policies carefully.
On the individual side of things, I would say to the folks in the audience that are looking to become more visible in these fields, get involved in public speaking. There are all kinds of opportunities available, and if you have some good ideas about these different topics, you can get in front of an audience and become well known. I think it definitely is an indirect way of monetizing things.”
Advice for Starting Out
I asked our guests if “a student or someone more junior would like to do what you do or get into your area, what advice would you give them?”
“When I was in law school, we did not have any privacy classes at all; privacy, security. If you were interested in technology, your only real option was an intellectual property class and maybe it’ll cover copyrights, trade secrets, and trademarks. And that was about it.
These days, just about every major national law school offers a curriculum in privacy, or security, or other issues around technology. It could be even artificial intelligence. But even if the law school doesn’t offer it, I’m willing to bet that another school in the university, it could be the business school, it could be the public policy school, it could be the philosophy department, offers some class or classes that are relevant to privacy, security, technology policy. And I would encourage anyone that’s currently in school to take advantage of those resources. Those are resources that I’m willing to bet Randy and Meribeth also didn’t have access to when they were students.”
I asked our guests to “recommend an article, book, blog, website, talk, or other resource” for our listeners.
“I think, one good place, and a set of publications that they put out both in privacy and security, is NIST, here in the U.S., which has a cybersecurity framework, a privacy framework. They have an entire collection called the 800 series of more discrete topics in privacy and security.
I believe that, even though they are technical in nature, especially the framework documents give you a good complete picture of the very basic concepts: identify, detect, protect, respond, recover. Those five verbs are the basis for the entire cybersecurity framework. And they take you through and build on that and help to bridge, as Meribeth mentioned earlier, the C-Suite, and the non-security and privacy people don’t necessarily speak the same language. This is a great way of bridging that gap, so I would recommend the NIST website.”
Thought Leader Spotlight Series
Meribeth Banaschik co-authored a piece with an EY colleague in September 2021 entitled “How COVID-19 continues to affect data privacy in employment”. The piece states, among other things:
“According to Article 9 of the General Data Protection Regulation (GDPR), processing personal health data has a wide definition and is generally prohibited, but the article provides exceptions in relation to processing. While employee consent is required to collect and process sensitive personal data to the extent the data is essential to meet the purposes of the employment relationship, employers can lawfully request disclosure and processing of employees’ health data by virtue of the existing employment relationship, or for reasons of public interest.”
It also discusses, for instance, vaccinations and other employee issues.
Meribeth Banaschik authored a piece in December 2020 entitled “How to comply with data subject access requests”. The piece states, among other things:
“One of the biggest challenges of creating an efficient DSAR [Data Subject Access Request] workflow is coordination among various stakeholders, not just the legal and compliance function. The IT team will become increasingly critical as DSAR workflows require the support of various technologies and systems. Cybersecurity professionals need to provide input on data protection issues as personal data moves from secured storage to delivery. The client-facing functions can be an excellent resource for creating workflows that align with customer experience.”
The piece also includes a helpful flow chart.
Randy Sabett contributed to a piece in March 2021 entitled “Virginia Becomes Second US State to Enact Comprehensive Privacy Law”. The piece states, among other things:
“Importantly, the CDPA’s [Consumer Data Protection Act’s] substantive requirements apply only to personal data about ‘consumers,’ which are defined as Virginia residents acting in an individual or household capacity. As such, the requirements do not extend to information about individuals acting in a commercial or employment context. The CDPA exempts several categories of information regulated by other laws and standards, including protected health information under HIPAA and various other categories of regulated health-related personal data, certain data about clinical trial participants, certain information regulated by the Fair Credit Reporting Act, information regulated by the federal Driver’s Privacy Protection Act, student information regulated by the federal Family Educational Rights and Privacy Act, and personal data processed in compliance with the Farm Credit Act.”
Randy Sabett contributed to a piece in May 2021 entitled “The Long-awaited 2021 Cyber Executive Order”. The piece states, among other things:
“Sec. 7 focuses on vulnerability and incident detection. To address this issue, the EO [Executive Order] proposes an Endpoint Detection and Response initiative. Sec. 7(b) describes EDR activities to support detection of cyber incidents within federal government networks, ‘active cyber hunting,’ containment of incidents followed by appropriate remediation, and incident response. Other parts of Sec. 7 require information sharing with CISA related to threats and vulnerabilities within federal civilian systems, improvement of detection of cyber incidents through various potential operating models and a report to be generated describing how authorities for sanctioning threat hunting activities without prior authorization are being implemented. In addition, Sec. 7(j) seeks to align DoD Information Network directives and directives applicable to the Federal Civilian Executive Branch Information Systems by mandating procedures for sharing information between the two.”
Travis LeBlanc contributed to a piece in April 2020 entitled “AI and Algorithms: FTC Issues Guidance for Companies Amid Heightened Scrutiny”. The piece states, among other things:
“The guidance emphasizes that companies that mislead consumers about the use of automated tools, such as AI chatbots that deceive consumers into believing they are communicating with a live person, could face FTC enforcement. The guidance highlights the FTC’s 2017 Ashley Madison enforcement action based in part on allegations that the website used fake ‘engager profiles’ and its 2019 Devumi enforcement action that alleged that the company sold fake followers, subscribers, views and ‘likes’ to users of social media platforms. The guidance also notes that the FCRA [Fair Credit Reporting Act] may require a company to provide an ‘adverse action’ notice and the right to correct inaccurate information, if the company relies on information, such as credit history, criminal records, shopping history or the like to automate decision-making about eligibility for credit, employment, insurance, housing or similar benefits and transactions.”
LeBlanc contributed to a piece in July 2021 entitled “GDPR Three Years on the Road: The 10 Key Developments You Should Know”. The piece states, among other things:
“Looking at the past three years of enforcement by the national data protection authorities, we have seen some kind of evolution in the enforcement area:
~ From June to the end of 2018: National authorities were setting up and reorganizing their teams to align their internal structure and resources with their new roles under the GDPR. This resulted in very few enforcements
~ Year 2019: The enforcement increased in 2019, but it consisted mainly of small fines and small companies being targeted
~ Year 2020: National data protection authorities started imposing very high monetary penalties, but many of these were appealed
~ Year 2021: This year, we have started to see more mature and sophisticated enforcement decisions”.
Cooley put out a piece in June 2021 entitled “US Supreme Court Narrows Scope of Computer Fraud and Abuse Act in Van Buren”. Travis LeBlanc is one of the related contacts. The piece states, among other things:
“The Van Buren decision appears particularly favorable to cybersecurity researchers, whose work often involves accessing computer systems in ways that violate terms of service or other policies. For instance, a researcher might send automated requests to a website or computer network for the purpose of detecting security vulnerabilities. Many websites publish terms of service that forbid all types of automated requests, even if those requests are limited to public URLs and cause no damage on their own. Many white-hat researchers have thus been deterred by the threat of criminal prosecution under the CFAA for exceeding authorized access.”
Cooley put out a piece in May 2021 entitled “FTC Expects Board-Level Cybersecurity Oversight”. Travis LeBlanc and Randy Sabett are two of the related contacts. The piece states, among other things:
“Boards are ultimately responsible for data security. According to the FTC, ‘data security begins with the Board of Directors, not the IT Department.’ Boards should set high expectations regarding data security, build a team of stakeholders from throughout the organization, establish formal board-level oversight and hold regular security briefings. While there is no one-size-fits-all approach, a board-level cybersecurity committee or subcommittee can be an effective way to foster board engagement.”