An Effective Data Breach Agreement Will Shield Your Company From Economic Loss From Federal and State Entities
TechLawLogy™: eDiscovery and Privacy Blog
Cell phones have become more than just a means of sending and receiving calls and messages; for most, they have evolved into a lifeline of daily activities. Many companies, such as Uber, are capitalizing on this notion and tracking their consumers’ every move through the use of mobile devices. An uphill battle has begun, with top tech companies on one hand and both federal and state regulators on the other, to blur the “God view” feature that many tech companies use to track their consumers. Take Uber, for instance: a self-sufficient, high-tech company that allows its workers to make their own hours, all while providing immediate service to its consumers. But what about the privacy rights of drivers and consumers? States are addressing this issue under a variety of approaches. Take New York, for example, where Attorney General Eric T. Schneiderman recently announced that Uber must encrypt riders’ GPS information and adopt authentication measures before any of its employees can access riders’ sensitive personal information.
Uber’s “God View” feature is not only a breach of consumers’ sensitive information; it also exposes an Uber driver’s name and license plate number. In September 2014, Uber’s data breach troubles were just beginning, as over 50,000 license plate numbers and drivers’ names were compromised in a data breach. Aside from the security requirements made by Attorney General Schneiderman, Uber was also fined $20,000 for failing to provide timely notice to drivers after the breach. Typically, the Federal Trade Commission (FTC) has regulated data security practices; however, State Attorneys General have grown increasingly adamant about protecting the digital privacy of consumers in their States.
Attorney General Schneiderman has placed a larger emphasis than most states on enforcing privacy and keeping consumers and employees alike protected from any potential data breach. Nevertheless, all but three states have data breach notification laws that mandate timely reporting of breaches and, in most cases, require companies to implement safeguards that protect personal data.
Attorneys General in Maryland, California, Illinois, Connecticut and New York have, since at least 2012, been designating units specifically directed to privacy and data security concerns, and have increased their enforcement footprint by bringing standalone actions against tech giants. In California, Comcast Corporation was hit with a $33 million fine for its lack of data security; Google Inc. also saw coordinated efforts by over three dozen Attorneys General to fine it for data breaches.
The settlement between the State of New York and Uber will serve as notice to Uber and other tech companies that they need to patch up the holes in their regulatory systems and take steps to encrypt the information of all riders that purchase their services. So what can a tech company do to protect itself and its online data from being subject to harsh state regulation? Implementing three basic features is a good start:
- Eliminate The Problem Before A Data Breach Can Occur. Prevention is key to avoiding large issues like these that compromise sensitive consumer information. It is also important to make timely reports of any data breach that may occur.
- Do Damage Control. While it is your duty to protect your company’s privacy, it is just as important to report any suspicious online activity in order to reduce the damage that may occur to a company’s data.
- Seek Legal Advice. One of the most effective ways to understand the changing legislation on privacy regulations is to reach out to an attorney who is well versed in enhanced data security legislation. Understanding the changes in privacy laws is key to protecting your company’s assets from any potential compromise.