This Week in Data Privacy

This Week in Data Privacy, we will be touching on a number of interesting developments in the world of privacy, but first, we want to take a moment to welcome the newest addition to the Red Clover Advisors team!

Emma Banze is now joining us as our Privacy Program Manager and will be bringing her consulting experience as well as legal operations experience to Red Clover Advisors, and we cannot wait to see her in action!

Thank you for joining our team!

Now, let's jump into some privacy news.

First up, I want to share my latest Forbes publication, The Convergence Of Data Privacy And Digital Trust, which explains how building trust about your handling of consumer data can differentiate your organization from the competition.

In addition, we're discussing Iowa finalizing a new state privacy law, AT&T confirming a data breach that exposed 9 million customer accounts, as well as tips for how to plan for data privacy in business acquisitions.


Make sure you never miss an issue by clicking the "Subscribe" button in the upper right corner of the page!


The Convergence Of Data Privacy And Digital Trust

Unfortunately, the devices we use are often not designed with data privacy in mind. But without the careful application of privacy strategies and practices, businesses can quickly erode digital trust between their business and consumers.

Digital Trust is the confidence a consumer or employee has in an organization’s protection and privacy of their data.

Having consumer trust is important, but as data breaches accelerate in severity and frequency, digital trust is a delicate commodity. And the cost of losing trust can be sizable. Luckily, the commodity of digital trust can be protected.

In a highly competitive digital ecosystem, companies must maintain trust with their consumers—and prioritizing privacy is one of the best ways to do so.

So, how is digital trust built? From numerous actions businesses take over time. For example:

Plan collaboratively: Privacy programs shouldn’t exist in a silo. You need:

  1. cross-departmental engagement for processes and practices to be sustainable and align with organizational goals
  2. buy-in from leadership and stakeholders to ensure that everyone has the resources they need, from training support to appropriate budgets
  3. collaboration to establish a robust culture of privacy within your organization as a part of a sustainable privacy program

Recognize that privacy regulations don’t equal digital trust: Instead of solely relying on legislative requirements to guide your privacy program, consider implementing a privacy-by-design framework (PBD).

PBD is based on a proactive, transparent and user-centered approach that makes privacy the default setting for businesses. As a result, your business defaults to processes and practices that promote digital trust rather than ones that aim for the bare minimum.

Train your staff on privacy best practices: Training your entire staff is essential to building trust with consumers. The greater knowledge everyone on your team has about privacy policies, the more effective your privacy efforts will be.

Share your good privacy work: Building trust of any kind requires communication. Are you telling your customers what steps you’re taking to protect their personal information? If not, they might not be aware that they can trust you.

There are lots of opportunities to spread the good word about your good privacy work—don’t overlook them.

Align trust and privacy with the right strategies: Digital trust isn't something that's built overnight. It may seem like a big undertaking, but with the right steps, you can position your company as one your customers will feel confident in trusting.

Read the full article here: https://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/forbesbusinesscouncil/2023/03/17/the-convergence-of-data-privacy-and-digital-trust/amp/


Iowa set to finalize sixth US comprehensive state privacy law

Iowa is set to become the sixth state to pass comprehensive legislation after a unanimous vote to approve Senate File 262. The bill is set to take force Jan. 1, 2025.

Covered entities under SF 262 must:

  1. control or process personal data on 100,000 Iowan consumers
  2. derive 50% of revenue from selling the data of more than 25,000 consumers.

The bill offers:

  1. some consumer rights
  2. 90-day periods for data subject request responses
  3. a nonsunsetting right to cure violations
  4. exclusive attorney general enforcement

Missing are:

  1. the private right of action
  2. required data protection assessments
  3. and the ability to opt out of targeted advertising.

"This bill represents a wish list of industry-sought provisions, which is to say that it pretty much affirms the status quo by offloading all the responsibility for privacy protection onto the individual with almost no substantive limitations on how companies collect or process data," said Consumer Reports Policy Analyst Matthew Schwartz.


Read the full article from IAPP here: https://iapp.org/news/a/iowa-set-to-finalize-sixth-us-comprehensive-state-privacy-law/


AT&T Confirms Third-Party Data Breach Exposing 9 Million Customer Accounts

AT&T exposed 9 million customer records in a third-party data breach. AT&T said the breach exposed Customer Proprietary Network Information (CPNI) such as the number of lines or subscribed wireless plan. This information is highly regulated by U.S. federal laws.

AT&T said the third-party data breach exposed:

  1. customers’ first names
  2. wireless account numbers
  3. wireless phone numbers
  4. and email addresses.

Some wireless accounts also leaked the rate plan name, past due amount, monthly payment amount, monthly charges, or minutes used.

Thankfully the third-party data breach did not expose “credit card information, Social Security Number, account passwords or other sensitive personal information.”

Telecommunications companies have always been a lucrative target for financially-motivated hackers and state-sponsored threat actors.

The American government considers telecommunication companies crucial elements of the nation’s critical infrastructure, whose disruption would seriously impact the economy and national security.


Read the full article by CPO magazine here: https://www.cpomagazine.com/cyber-security/att-confirms-third-party-data-breach-exposing-9-million-customer-accounts/


How to Plan for Data Privacy in Business Acquisitions

In business, data can be an asset or a liability—and many times it can be both. For those interested in buying a business, data privacy considerations have changed in the past few years.

Buyers interested in business acquisitions have to know what they could potentially be taking on in terms of opportunities or risk.

Before you sign on the dotted line, weigh the following considerations when it comes to potential acquisition, privacy concerns, and protecting your interests. Here are some privacy-related issues to include in your audit.

How data is collected

  1. How does the business collect information from both consumers and employees?
  2. In which jurisdictions does this business operate and collect data?
  3. Does the business’ data collection procedure align with current policies in places it operates, with the correct privacy notices?

What data is collected

  1. Find out exactly what categories of personal information the business collects. Does any of it qualify as sensitive or special categories of personal information as defined by applicable jurisdictions?
  2. Does this collection practice align with the business’ policies and disclosures?
  3. Has personal data been correctly cataloged?
  4. At what scale does the business collect personal information? Does it only collect employee or client data, or does it also collect other third-party information?

How data is stored

  1. Where does the business store its collected data?
  2. How does the business protect personal data stored on paper (such as any printed files), compared to data collected and stored electronically?
  3. What storage system does it employ?
  4. How does it maintain records of consent for shared data?

Who else has access to the collected data?

  1. What vendors or third parties may have access to any information the seller collects?
  2. What are the business’s vendor policies and third-party agreements? How are third parties using any collected data?
  3. How does data access vary across employees? Do all employees have access to the same systems? How are employees vetted?
  4. What contracts does the company have with vendors? What level of data access do the contracts grant vendors? Do the contracts include provisions for privacy and security measures?

Current compliance procedures

  1. How does the seller currently disclose its data privacy procedures?
  2. How do its policies vary across platforms, such as social media platforms or email marketing?
  3. Are the business records up to date?

Security and history of data protection

  1. Does the business have a history of data breaches or security incidents?
  2. How has the company reacted to changing privacy laws and regulations?
  3. Does the business have any outstanding claims or investigations related to data privacy?
  4. What security does the company have in place? This can vary from physical security to electronic firewalls, network security, authentication requirements, and personnel authorizations.

The prospect of buying a business is exciting and can be incredibly rewarding. When it comes to acquisitions, knowledge is power. The more you know about a business, the more effectively you can hit the ground running.

For more on all the considerations and information to gather to avoid unexpected data governance liabilities, read the full RCA article here: https://redcloveradvisors.com/2023/03/21/how-to-plan-for-data-privacy-in-business-acquisitions/
