Akin Gump Cybersecurity Heads Discuss Cybersecurity and Privacy Obligations with Corporate Counsel Business Journal

Michelle Reed and Natasha Kohne, co-leaders of Akin Gump’s cybersecurity, privacy, and data protection practice, were featured in the Corporate Counsel Business Journal article “Cyber’s Singular Nature: Spanning Industries, Boundaries and Precedent.” The two discuss the importance of adhering to the many privacy obligations that affect a company, as well as the regulators that enforce them.

Reed and Kohne begin by looking at some of the core issues the Federal Trade Commission has been trying to address in the past year and a half and what companies can do to protect themselves. Reed said the FTC’s main focus “is really on whether companies are doing what they’ve said they’ll do in terms of protecting privacy and securing data, and making sure they have the proper administrative, physical and technical safeguards in place to meet their promises.” The commission is also asking whether the way companies have handled data is so egregious that it is, by its very nature, an unfair practice. To date, however, Reed noted that the FTC has not defined what fair cybersecurity or privacy practices are.

In short, Kohne said, “the FTC continues to play its role as the data privacy and security guardian for consumers, and it continues to cast a broad net across many issues and industries.” She predicts that it will continue to pursue certain cases as the EU-U.S. Privacy Shield framework faces increased pressure and as the EU continues to scrutinize international data transfers.

Some of the other topics covered included:

• How to advise clients on compliance if they suffer a breach and how might that differ from one jurisdiction to another? Since all 50 states have their own identity theft protection statutes, Reed said it is imperative “to drill down very quickly into what happened, what data was impacted and, typically, where those individuals whose data was impacted reside.” Kohne added that Akin Gump has developed its own “proprietary matrix that tracks the specific requirements of all 50 states’ data breach laws” that allows for efficient input of information related to a breach that can be turned turn it into advice in a very short time frame.
• What are some best practices to ensure that companies are compliant with privacy regulations? Reed said it is critical to know your data flows. “If you don’t know what your data is, where it’s coming from and how you use it,” she said, “there’s no way to protect it.” It’s also very important to make sure you have “fundamental protections” in place to assess privacy. Kohne said another key area “is starting up a robust third-party vendor management program to minimize risk against third parties that routinely receive your data or access your systems.”
• Trends in data breach litigation: Kohne cited a ruling by the U.S. Court of Appeals for the 11th Circuit “that the FTC must specifically provide a company with the actions that the commission believes violate the law, and the FTC must tailor a corrective action plan to those particular violations, rather than simply asserting a blanket order to implement ‘reasonable security.’” Reed pointed to a Supreme Court decision holding that “there is a constitutional Fourth Amendment problem with providing cell phone location information without a warrant.”

To read the full Q&A column, please click here.