While data security is still governed mostly by a patchwork of state laws, regulations in this area continue to be an important topic for business owners. A recurring study written by Lathrop GPM and published on the website of the Minnesota Department of Employment and Economic Development aims to provide straight answers on the issue.
Michael R. Cohen, a Lathrop attorney, was the primary author of this year’s edition of “A Legal Guide to Privacy and Data Security.” He said the General Data Protection Regulation (GDPR), a European law that established protections for the privacy and security of personal data about individuals, has had a ripple effect on U.S. data policies.
“There clearly is a movement toward more rights for individuals,” Cohen said. “California is our federal privacy bellwether. Most businesses do some business there or have customers there, so if California passes a law, they more or less have to comply with it.”
California passed its own data-privacy law not long after the GDPR passed in 2018. An updated version of the law brought in significant rights: consumers can ask to have their data deleted, learn what data is being collected, and for what purposes. Colorado, Virginia, Connecticut and Utah are among states that have similar laws.
“Minnesota doesn’t have a similar law yet, but there have been efforts to introduce legislation that’s similar to these other state laws,” said Cohen. “Most of them aim to follow the California law, which is the most stringent. We don’t yet have a law here. So I have to counsel my clients that these are the laws that you have to comply with.”
Two years ago the Minnesota Consumer Data Privacy Act was introduced as HF 1492 in the Minnesota House of Representatives. As introduced, it would apply to companies doing business in Minnesota, including those that provide products or services to Minnesota residents, as long as the companies process personal data of at least 100,000 consumers or generate more than 25% of their gross revenue from the sale of personal data.
The bill gives consumers a variety of privacy rights, including the right to verify, correct, delete, access and opt out of processing of their personal data. No hearings on the bill have been scheduled so far.
“Every state has its own data breach notification law,” said Cohen. “Federal laws that apply to different sectors – if you’re in health care it’s HIPAA. If you’re in finance, it’s Gramm-Leach-Bliley. No one federal law covers privacy.”
The Lathrop/DEED guide advises businesses to establish a customized program around data privacy. If your company doesn’t collect much customer information, its compliance program and training are likely to be quite different from those of a business that collects, uses, and shares personal data as a primary part of its business.
A company’s plan to deal with a data breach should be proactive, the guide advises. The plan should include an incident report system that can track security incidents and data breaches as they happen. A simulated security incident might help test the plan and evaluate the report system.
If a company is faced with a breach that requires notifying customers, the media or a government agency, notification letters should be ready to go. Even if the data breach is handled with little legal risk, media coverage of a breach can be harmful, so a proper communications plan can help reassure consumers that the breach has been contained.