“Cybersecurity” has emerged as one of top risks facing organizations. Considering the steady stream of massive data breaches affecting millions (sometimes billions), the debilitating effects of ransomware on an organization’s information systems, the intrigue of international threat actors, and the mobilization and collaboration of national law enforcement to thwart these attacks, it’s no wonder. Notions of privacy have long underpinned critical principles and rights in our legal system, yet actors in the space typically do not have names like LockBit or Black Basta using applications called Colbalt Strike, and [yawn] may not trigger concerns as seemingly compelling as cybersecurity. But that may be changing, at least in the minds of insurance underwriters and persons focused on compliance.

As a recent DarkReading article points out, there is a growing sense that the “mishandling [of] protected personally identifiable information (PII) could rival the cost of ransomware attacks.” The article discusses several reasons driving this view, citing among other things, the recent uptick in pixel litigation. That is,  litigation concerning the handling of website users’ personal information obtained from tracking technologies on websites without consent.

However, the article also alludes to the vast patchwork of nuanced privacy laws across numerous jurisdictions as support for an increasing number of insurance professionals viewing privacy as the “top insurance concern.” In addition to the onslaught of litigation over the use of website tracking technologies, the challenges of navigating the ever expanding and deepening maze of privacy law seem to present much greater compliance and litigation risks for organizations.

A Insurance Journal article, “The Cyber Risk Pendulum,” echoed these sentiments earlier this month and observed:

In 2024, there is a greater focus [by carriers] on controls related to “wrongful collection” coverage – the collection of data in a manner that could run afoul of privacy regulations – whether it be on a state or federal level.

This makes sense considering the emergence of state comprehensive privacy laws, most notably the California Consumer Privacy Act (CCPA). Consider that the first “Enforcement Advisory” issued by the California Privacy Protection Agency, the agency charged with enforcing the CCPA, focuses on “data minimization” – a requirement that includes assessing the collection, use, retention, and sharing of personal information from the perspective of minimizing the personal information processed for the intended purpose(s).   

For many organizations, different privacy laws can apply depending on a range of factors, including without limitation: industry, business location, categories of customers, types of equipment used, specific services provided, methods of marketing and promotion, the categories of information collected, and employment practices.

Consider a health care organization:

  • Industry: Of course, most if not all have at least heard of the Health Insurance Portability and Accountability Act (HIPAA). Covered entities and business associates (defined terms under HIPAA generally including healthcare providers and service providers to those entities) must comply with a comprehensive set of privacy regulations regulating the use and disclosure of all protected health information, regardless of format.
  • Where it does business: All states have long-standing health laws regulating the use and disclosure of patient medical information. Indeed, HIPAA provides that covered entities and business associates have to comply with more stringent state laws that conflict with HIPAA, a particular challenge for multi-state organizations. In addition to state health laws affecting the use and disclosure of patient information, common law privacy rights and obligations also need to be considered.
  • Types of customers: A healthcare provider might provide services to or on behalf of government entities, in which case it may have to comply with certain contractor mandates. Or, it may focus its health services on minors versus adults, requiring it to understand, for example, the specific rules around consent pertaining to medical information pertaining to minors. Mental healthcare providers may have an additional layer of privacy obligations concerning their patients.
  • Equipment it uses: Whether dealing with medical devices, GPS tracking of vehicles, biometric devices used to verify access certain drugs, or smart cameras for facility surveillance, healthcare organization must consider the privacy issues related to the different types of equipment used in the delivery of care and operations. The increasing use of biometrics, as one example, has become a major risk in and beyond the healthcare industry, particularly in Illinois. By some counts, alleged violations of the Illinois Biometric Information Privacy Act (BIPA) have led to nearly 2,000 putative class action cases. The BIPA, a privacy statute, creates a remedy for, among other things, failing to obtain a consent or written released in connection with collecting a biometric identifier or biometric information.
  • Types of services:
    • University hospitals, for example, also have compliance obligations under the Family Educational Rights and Privacy Act (FERPA).
    • Providers running certain federally assisted programs involving substance use services must comply with the substance abuse confidentiality regulations issued by the Substance Abuse and Mental Health Services Administration. See 42 USC Part 2 (although recent regulations finalized in February strive to align these two privacy frameworks).
    • When treating certain highly contagious diseases, providers also must consider laws regulating the use and disclosure of information related to those diseases which often provider stronger protections and limitations on disclosure.
    • A healthcare provider that performs genetic testing services must consider the applicable genetic information privacy laws, which exist in just about all 50 states. One such law is the Illinois Genetic Information Privacy Act (GIPA) passed in 1998. This law may become the next significant privacy target for the Illinois plaintiffs’ bar. Arguably more nuanced than its sister statute, the BIPA, the GIPA has been the subject of an increasing number of case filings in the past year. Compliance can be challenging. For example, the GIPA incorporates some familiar laws – GINA, ADA, Title VII, FMLA, OSHA, and others – requiring that certain entities, including employers, treat genetic testing and genetic information (including certain family medical history information) in a manner consistent with such laws. So, it is not just the GIPA that organizations need to worry about in order to comply with the GIPA.
  • Marketing its services: In addition to the use of tracking technologies referenced above, other means of collecting and sharing personal information to promote the organization’s business may have significant privacy consequences under federal and state consumer protection laws. Examples include emailing and texting, use of employee and patient images and likeness in advertisements, and sharing personal information with third parties in connection with marketing and promotion activities.
  • Categories of personal information: Not all “personal information” is the same. The post at the link just scratches the surface on the various definitions of data that may drive different compliance obligations, including for healthcare organizations.
  • Employment practices: The processing of personal information pertaining to employees, applicants, contractors, etc. creates an additional layer of privacy obligations that touch on many of the items noted above. Areas of particular concern include – increasing use of AI in hiring and promotion, workplace surveillance, methods of identity verification, managing employee medical information, and maintaining employee benefit plans. Each of these areas raise particular issues under federal and/or state law and which are shaped by the categories of information at issues.

Attempting to track, never mind become compliant with, the various privacy laws affecting each of these facets of the business is no easy task. We have not even considered the broader and more detailed and comprehensive privacy frameworks established internationally, such as the EU General Data Protection Regulation (GDPR). And, of course, it is not just healthcare providers that face these privacy challenges at various levels of their operations. Keeping information secure from cyberattacks is one thing and it too is quite challenging, but there are established frameworks for doing so that share many common threads. In the case of privacy, there seems to be many more subtle considerations that are critical for compliance.

For instance, in most cases establishing a password policy under a cybersecurity law to protect personal information is solving for one issue – requiring persons to develop a relatively strong password that will make it difficult for an unauthorized person to gain access the protected system. This may be oversimplifying, but the point is a good password policy might suffice under many different cybersecurity laws, regardless of state, type of business, category of data, etc. Complying with a privacy law regulating the disclosure of health information, on the other hand, likely will require several factors be considered: the type of entity, where it does business, the specific type of data, the individual’s age or medical condition, the reason for the disclosure, the intended recipient, etc.

Regulatory compliance is not the end of the story for privacy. For example, organizations can cause self-inflicted wounds when they make assertions about the handling and safeguarding of the personal information they collect, and fail to meet those assertions. A good example is the privacy policy on an organization’s website. Stating in such a policy that the organization will “never” disclose the personal information collected on the site may create a binding obligation on the organization, even if there is not a law that requires such a rule concerning disclosure. Check out the Federal Trade Commission’s enforcement of these kinds of issues in its recently issued 2023 Privacy and Data Security Update.

Is privacy a bigger risk than cyber? Maybe. Regardless, trying to keep track of and comply with the wide range of privacy law is no easy task, particularly considering so much of the application of those laws are determined by many factors. For this reason, it is not hard to see why underwriters may view privacy as their top concern, and why organizations need trusted and experienced partners to help navigate the maze.   

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.