Access the on-demand version of the presentation and follow along with the rich insights provided in this webcast transcript; we are confident that it will both inform and inspire your approach to considering and complying with data privacy law.

[Webcast Transcript] Notable Trends in US Privacy Law

Expert Panelists

+ Christopher Wall
DPO and Special Counsel for Global Privacy and Forensics
HaystackID

Chris Wall is DPO and Special Counsel for Global Privacy & Forensics at HaystackID. In his Special Counsel role, Chris helps HaystackID clients navigate the cross-border privacy and data protection landscape and advises clients on technical privacy and data protection issues associated with cyber investigations, data analytics, and discovery.

Chris began his legal career as an antitrust lawyer before leaving traditional legal practice to join the technology consulting ranks in 2002. Prior to joining HaystackID, Chris worked at several global consulting firms, where he led cross-border cybersecurity, forensic, structured data, and traditional discovery investigations.

+ David Moncure
Data Privacy and Security, eDiscovery, and Information Governance Counsel

David Moncure is a data privacy and security, eDiscovery, and information governance counsel with experience supporting multinational Fortune 500 organizations in both in-house and law firm settings across various industries. Most recently, David was VP / Associate General Counsel for DaVita, overseeing eDiscovery and information governance globally, as well as serving as the lead legal advisor for data security and protection compliance.

Prior to joining DaVita, David served as International eDiscovery and Data Privacy Counsel for Shell Oil Company. He advised Shell businesses and functions on international eDiscovery issues, data breach response situations, IT security, and various other data privacy and cybersecurity-related issues. He began his practice at Norton Rose Fulbright, where he assisted clients with eDiscovery, information governance, and data privacy issues. David’s practice spans work throughout the US, EU, Latin America, Middle East, and APAC. He is a frequent speaker and author of numerous articles on eDiscovery and data protection issues, particularly on cross-border issues. David is Chair Emeritus of the Steering Committee of The Sedona Conference Working Group 11 on Data Security and Privacy Liability (WG11).

+ Kenneth K. Suh
Senior Counsel
Lock Lord

Ken Suh is an entrepreneur and technology attorney who advises clients on legal issues related to cybersecurity, data privacy, and intellectual property. In addition to his legal practice, Ken is a co-founder and board member of a telemedicine start-up that was awarded first prize in the prestigious Global New Venture Challenge (GNVC) at the University of Chicago Booth School of Business.

Prior to joining the Firm, Ken managed a team at a leading cyber and technology Lloyd’s of London Syndicate, where he guided strategic decision-making on hundreds of cybersecurity, data privacy, privacy class action, and intellectual property matters, including those involving ransomware attacks, cyber breaches, biometric data collection (BIPA), HIPAA, FCRA/FACTA, and the TCPA.

Ken has previous private practice trial experience litigating bet the company intellectual property matters involving smartphone software and hardware, hybrid engine control unit, rocket engine, and radiation oncology device controller technologies. Prior to law school, Ken was a technical project manager at IBM, where he managed the design and development of custom software for financial services clients.

+ David Wallack
Lead Privacy & Security Counsel
Motive

David Wallack serves as Motive’s Lead Privacy and Security Counsel, with significant experience in complex issues involving cyber incident response and mitigation, crisis management, data privacy program implementation using AI, and data privacy and security terms negotiation. David’s work also focuses on international and US data privacy laws.

+ Patrick Zeller
Chief Privacy Officer, Legal, and Compliance
Amgen

As the Chief Privacy Officer, Information Governance and Cyber Security Counsel, at Amgen (Formerly, Horizon Therapeutics), Patrick leads the company’s global privacy and information governance office.

Patrick has 15 years of experience in leading global privacy programs for Fortune 100 companies. Prior to joining Horizon, Patrick served at Abbott Labs as the DVP Global Privacy and at Gilead Sciences as the Enterprise Privacy Officer. Additionally, Patrick supported Europe, Canada, APAC and Latin America for Information Governance, Records, eDiscovery and Privacy. He is a former litigator and federal computer crimes prosecutor.

Patrick is a frequent author and speaker on Privacy and data protection issues, including such topics as GDPR, cross-border discovery, data protection and privacy, developing trends, technology-assisted review, and privilege and ethics in eDiscovery, Privacy, and Information Governance. He is an Adjunct Professor at the John Marshall School of Law, where he teaches a JD/LLM course, “eDiscovery, Digital Evidence and Computer Forensics,” and “Computer Crime, Information Warfare and Economic Espionage.”

Presentation Transcript*

Moderator

Okay. We have quite a few people in the room, so I’m going to start the session now. Okay. Hello, everyone, and welcome to today’s webinar. We have a great session lined up for you today.

Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions that you have and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool and a member of our admin team will be on hand to support you.

And finally, just to note, the session is being recorded and we’ll be sharing a copy of the recording with you via email in the coming days. Without further ado, I’d like to hand over to our speakers to get us started.

Chris Wall

Thank you, Sandra. Hello, everybody. And I hope everybody’s having a great week. And for those of you in the US, a chilly week. But welcome, everyone. My name is Chris Wall, Data Protection Officer at HaystackID. And on behalf of the entire team at HaystackID, I’d like to thank you for attending today’s presentation in our discussion on Notable Trends in US Privacy Law.

And I’m excited, absolutely thrilled to guide today’s discussion as part of Haystack’s ongoing educational series. These webcasts are designed to provide helpful insights to help you stay ahead of the curve in achieving your cybersecurity, information governance and eDiscovery objectives.

Today’s webcast is being recorded, as Sandra mentioned, for future on-demand viewing. After today’s live presentation, we’ll make the recording and a complete presentation transcript available on the HaystackID website. Joining me today are four very respected panelists who are truly luminaries in the privacy field, David Moncure, Ken Suh, David Wallack, and Patrick Zeller.

And I’ll add here what’s now become the standard disclosure by saying that all of our panelists today are speaking on their own behalf and their comments or their views that they may express, may or may not reflect the views or positions of their respective employers or the organizations that they work for. With that, let’s take just a moment and let each one of you introduce yourselves. And let’s lead off with Mr. Moncure.

David Moncure

Hello, I’m David Moncure. I’ve practiced in the area of privacy, security, eDiscovery information governance for about 20 years now, and overseeing programs in-house, building out privacy and data security items and issues.

Chris Wall

Thanks, David. Ken.

Ken Suh

Good afternoon or good morning, depending on when you are viewing this. My name is Ken Suh. I’m an attorney at Locke Lord. My practice is centered around data privacy, cybersecurity compliance, incident response, and litigation. I also have a small practice, a growing practice in compliance related to M&A work. And I think some of that will come into play later today.

Chris Wall

Thanks, Ken. David, Mr. Wallack.

David Wallack

Hello, David Wallack. I’m lead privacy and security council at Motive Technologies. I think much like everybody else on the call, my practice is centered around cybersecurity privacy incident response. I’ve been in the field for about 15 years. And looking forward to the webinar today and bringing a little in-house perspective.

Chris Wall

Thank you. Patrick.

Patrick Zeller

Good morning or good afternoon. Patrick Zeller, currently the chief privacy officer and also cybersecurity council at Amgen, formerly Horizon Therapeutics. Recent acquisition in November. Been in-house for close to 20 years, dealing with eDiscovery, privacy, information governance and cybersecurity.

Chris Wall

Thanks, Patrick. Finally, as I mentioned, my name is Chris Wall. I’m DPO, in-house counsel and chair of the privacy advisory practice at HaystackID. And HaystackID of course is an eDiscovery, privacy, data security and forensic investigations firm. And my job at HaystackID is to guide our clients through the privacy and data protection thicket as part of our cyber investigations, information governance exercises or traditional discovery and down whatever paths or jurisdictions that our clients may tread.

More immediately today, my job is to guide this discussion with our four fantastic panelists about where privacy in the US is trending. And as a housekeeping matter, this webinar is designed to help you. We’ve got about 100 participants on today’s webinar, and so we welcome your input. We want to make this time valuable to you. I’ll watch and all of the panelists here will watch. And if you have a question, please drop it in the chat feature and we’ll try to address those questions as we go.

Gentlemen, let’s start off with why are we here? What’s the big deal with privacy and data protection and why is it trending? And I’ll lead off with stats as we often do with these webinars. According to Gartner, those folks that do research and provide consulting on businesses across the tech sector, large organizations, their average annual budget for privacy will exceed two and a half million by the end of 2024.

Let’s remember that the broad umbrella term privacy does include some very important sub-parts like cyber security and information governance. Going back to the Gartner study, it’s 2024. And let me just say I’d love to belong to an organization that has two and a half million dollars to throw out privacy. But what’s driving this need and what’s driving that urgency that Gartner thinks is going to require so much time and money? Let’s start with Ken. You come at data protection and privacy from a unique perspective. What do you see driving it?

Ken Suh

Sure. And I think we can all agree that generally speaking, privacy protection is a good thing for consumers, for businesses, and we want to protect legitimate private data. I think the path to get there unfortunately has been a little difficult. And so, this year in particular, we’ve seen a lot of high-profile data breaches.

And there’s multiple ways of looking at that. One way of looking at it is saying, “Well, yeah, the high-profile companies finally had a data breach.” But I think the more likely explanation is that these are starting to catch the attention of the media so that people understand what happens when they see data breaches in the news.

We’ve had high-profile ones. We’re all familiar with the MOVEit incident. I was reading about one in the news that a client has to be implicated in. And I think it’s one of the first times we’re starting to see popular media pick up on ideas about data breaches and what it means for individual privacy.

And I could just tell you it is also the first time that my 70-year-old parents have asked, “Well, what happens when I put my face to my iPhone and unlock it? What’s going on there and how does that magic work?” And so now we’ve captured everybody right, from the Google and Facebooks of the world up to my 70-something-year-old parents.

Chris Wall

Well look, if we can cross that generational divide and our parents and grandparents are now talking about data protection and privacy issues, then I think it has become a table or kitchen table topic. Mr. Wallack, what else are you seeing? What’s driving this increased public awareness?

David Wallack

Well, I think to Ken’s point, we can all agree that privacy is a good thing. And what the data breaches are revealing are really not just an exfiltration or a loss of PII, but they’re also exposing what sort of privacy compliance mechanisms and accountability mechanisms were in place before the breach occurred. It’s really exposing, were you transparent with why you were collecting the data, how long you were supposed to be collecting the data for before disposing of it? Were you transparent in your notices?

And so, all of that sort of privacy program implementation or lack thereof becomes really transparent in the breach itself. You’re seeing people becoming much more concerned about how their data is being used as it’s being exfiltrated in some of these breaches.

Chris Wall

Patrick, David mentioned some of the flow of data and understanding where that goes. What are some of those considerations for you in-house?

Patrick Zeller

Looking at what we’re seeing in Europe and elsewhere, I think there’s increased scrutiny on not only what a company’s doing with the data that they receive. Specifically, the scrutiny out of Europe is obviously with European data and what privacy protections we have once it hits the company, moving it around a global company.

But then what protections do we have with third parties, with our vendors, with our law firms to protect data with… And as the data flows down, if there’s subcontractors working with the vendors, it’s what they’d call in cybersecurity, a supply chain issue.

Making sure that everybody involved touching the data and the supply chain is up to speed using some of the mechanisms David Wallack just talked about, that the proper protections are in place. And notices, if they have an incident, when are people getting notice of the incident? How’s that getting passed along? How quickly is that happening for proper reporting?

Chris Wall

I think we’ll want to dive into that when we talk about various new states’ data protection and privacy laws coming online between now and the end of 2025. But Mr. Moncure, clearly there’s a lot of talk today about privacy, a lot more than there was before. What’s driving the culture shift here from your perspective?

David Moncure

Yeah. And that’s a good word there as far as culture shift, cultural awareness, because picking up where Patrick was talking about the EU, it was always a fundamental right, privacy was a fundamental right in the EU. And in the US, going back to something that Ken said with respect to the 80-year-old generation now being aware of this, for so long in the US we have very flippantly given our personal information to give a 10% discount on whatever or you name it.

And now there is a lot more thought about that here. The US is trying to manage the business of personal information, but people are also becoming aware of it and it’s becoming a brand issue. Privacy and security is becoming a brand issue for companies. And people are seeing it in the news and becoming more just culturally aware of it day-to-day as far as literally a kitchen table topic as you have written on the slide.

Chris Wall

Yeah. Thanks, David. Look, we’re going to answer some of these questions as they come in here. One of the questions is will these slides be available? Yes. We’ll make these available to folks. If you just want to reach out to one of us or to me after the presentation’s done, we’re happy to send these out.

Hey, look, let’s talk about the evolution of data protection here in the US. Because look, I sit in-house. This is one of my core functions at HaystackID and we deal in data. And so we are potentially subject to all of these state laws coming online, as are my three in-house council fellow panelists here. It’s a big deal. And if we go back to that Gartner study, and I think this is backed up by IPP by the end of 2024, we expect that 75% of the world’s population is going to have personal data covered under some modern privacy regulation. And that evolution has been the dominant catalyst for making privacy just a way of life in corporate America.

And the rest of the world aside, what about the 332 million people just living here in the US? I mean, this is a discussion about trends in US privacy. Europeans of course kicked off the comprehensive privacy regulation in 2018 with the GDPR. And in the US California quickly picked up the privacy banner as we have illustrated on this slide.

But greater enforcement was on our list for last year’s data privacy trends, of course, with Virginia a year ago, followed by Colorado Connecticut and then Utah just a couple of weeks ago. Mr. Wallack, where have we gone from CCPA, or we’re now CPRA, and other states? Where have we gone and how did we get to where we are today? And then maybe we’ll talk to all four of you about what we can expect between now and January 1st of 2026.

David Wallack

No, I was going to say I saw a question from one of the audience members regarding good advice for in-house counsel that are trying to comply with sort of the patchwork of US state laws without an enormous outside council budget. And I think it’s a great segue into the topic because they are becoming numerous in their proliferation and there several states that are in the process of adopting an even more complicated patchwork regimen of US privacy laws.

I think one of the typical strategies for in-house counsel that are trying to manage all of these in the US is to bucket them into CCPA and then a little bit of everything else. And that is primarily how we look at most of the US privacy laws, with some exceptions of some idiosyncrasies that do take place. But for instance, the CCPA is still the only US privacy law that does not exempt employee and B2B data primarily.

That makes it much more difficult to comply with, particularly for a company like ours, which is a solely B2B solution. Whereas, we have been exempt from several state privacy laws due to the data that we handle and the way that our product works.

Today, we’re finding those exempts and sun-setting even with some stays in enforcement by the CPPA, we have increased obligations coming up. But at least it helps you chunk it up, I think into some basic building blocks of building a privacy program. I don’t necessarily know that having an individual matrix or compliance mechanism for each state is going to work for a company. It’s too complex.

I think for us really, we just try to go to the gold standard in whatever jurisdiction we’re in. For us that would be CCPA as amended by CPRA. And then, really as opposed to trying to get really cute or nuanced with it, we implement that at a company-wide level. If that’s the obligation jurisdictionally, then we just say that’s the obligation that we’re going to play to. I think that makes it a little bit easier for smaller in-house teams to comply with all of these different laws. And that’s been my experience here so far as bucketing them.

Chris Wall

Would you say then, is it accurate to say, and maybe I can ask Ken or Patrick or Mr. Moncure this, if you solve for CCPA as amended by CPRA and then make exceptions for or make modifications for those other jurisdictions as necessary, or you also are subject to data protection loss? Is that the approach? Ken.

Ken Suh

I think the way we try to advise our clients and David’s exactly right, there’s no easy way to comply. And I may be surprised or not surprised depending on where you work to hear that companies with one-man legal teams face the same problem with companies that have 100. There’s just not enough. There’s never enough.

And so we try to prioritize, get a sense for the business risk appetite in terms of some the regulatory issues. And doing all of that, we generally try to bucket everything. We say California, if you’re subject to California, CPRA, CCPA, and then everyone else. And everyone else has followed the earlier model that California decided not to follow.

It’s not a perfect categorization, but if you’re able to comply with California and if you’re able to comply with Virginia, you’re in okay shape. You’re almost there. And then depending on the industry you’re in, your risk and budget appetite might say, this gets us 95% of the way. And so we feel like this is an okay place. Or you might say, “We have to button everything up.”

If you’re in financial services, you don’t want to take those risks because you could be taking a very large risk with regulators. Versus maybe a consumer facing brand where you have to trade off between spending that next dollar on compliance versus developing a product. That’s how we try to work through this issue with our clients.

Chris Wall

Well, we’re at, what, 13 states now, right? Mr. Moncure, we’re at 13. Okay, that’s manageable. We’ve got 37 more. How are we going to manage that as the 37 more come online over the next couple of years?

David Moncure

Well, hopefully before 37 more come online, there’ll be a federal privacy legislation that supersedes the…

Yeah. No, I mean I think just from a practical standpoint, as David and Ken said, it is hard to answer that question of how do you comply with this patchwork? You can take the approach of the California and everything else. And then mostly everything else, sure there are nuances, but they’re less and less. You’ve certainly focused on nuances with incident reporting or breach response reporting that different states may have. But I do think the advice of the California and everything else is, going back to that question, if you’re not hiring outside council and trying to manage it, that’s certainly a good baseline approach.

Chris Wall

Okay. Patrick, anything you want to add here?

Patrick Zeller

Yeah, I mean, just to reiterate what’s been said before as a baseline approach. And one of the ways I try to explain it to the business units is when we focus on our notice and consent, what we’re doing with the data, that’s our contract with our customer. We want to be clear on what we’re doing, what we’re not doing.

My son’s got me hooked on TikTok, so now I wonder if there should be a TikTok video that explains your privacy policy or a video online. But something to make it easily explainable, what we’re doing, what we’re not doing, what we’re going to do with the data. And then of course, if you’re changing what you’re doing with the data, you got to change your notice. We’re going to see more and more of those changes as these laws come online.

Chris Wall

I think we’ll see more changes. I think you’re right, Patrick, more changes then we’ll probably see more explanatory effort here to span from Ken’s grandparents to my kids.

Patrick Zeller

Right. And a lot of these laws are new; their definitions aren’t clear. We’re still trying to figure out what it means, what the impact is. There’s a lot happening.

Chris Wall

Well, let’s turn to one of the other drivers of all this privacy activity in 2024, and that’s privacy in big tech. And I don’t want to pick on Google, but we did hear about good news coming out of Google about the slow but eventual killing off of third-party cookies. But there’s other news coming from Google that drives this privacy discussion. Google settled a $5 billion class action privacy lawsuit claiming the company had secretly tracked consumers in incognito mode.

And then just this month, federal judge ruled that Google or Alphabet technically had to defend itself against antitrust charges brought by 16 states. And that probably came at Google a little faster than they’d hoped. Anyway, when we look at risk, we look at it with these big tech companies because obviously that risk is scaled exponentially with the size of the organization. Ken, what are you seeing in terms of deal risk and privacy intersectionality just between, well, broad risk deal risk and privacy? Oh, we lost your mic there, Ken.

Ken Suh

Sorry. I’ve been coughing in between, so I keep going on and off mute. I was joking as we were preparing. A few years ago, you used to get an email before a deal’s closed and said, “Hey, we’re closing this deal. You have a week to do all your diligence.” And it was a checkbox like, “Hey, we looked at it, we see these issues and we will fix it after the fact maybe.”

As Facebook, Google, Amazon, as these high-profile issues keep popping up, I think businesses are understanding just what risk exposure they have during deals. And so that could be anything from an M&A to enrolling new vendors in your vendor management program, and those tend to be much smaller in scale. I do think clients are paying more attention, whether they’re Google or Facebook or they’re a mom-and-pop shop that operates regionally. And they’re understanding what these risks actually mean, what they’re inheriting. Or potentially what they’re selling and how privacy regulations interact with that.

I always try to spin it to positives. One of the positives of all of this is that there is more certainty during deal-making. And I think that’s something that… I’m not an M&A lawyer, but I think everybody in the space really likes… They like understanding their risk and having certainty around those things. Whereas before, I think people were looking at privacy as just something to know maybe and do and move on to the next part of it.

And just last part is I think some of that has to do with the regulations. We like to pick up California, but California really led the way in saying what you have to have in contracts. You have to know what your relationship is in these deals that you’re having with vendors, service providers, joint ventures. And now you have to work that out ahead of time. We can quibble about whether it’s clear and there’s more to be done there. But I do think the stricter regulations along with the publicity has played a big role in this.

Chris Wall

Well, I think you’re absolutely right. And in the sense that privacy is absolutely needs to be part of the deal-making analysis and the risk associated with it. I mean, we saw in the EU in their decision against Meta of course, that an antitrust enforcer can find data protection violations as well. You’ve got that overlap between deal review just for traditional competition analysis, but also privacy playing a component of that.

And when we talk about that regulatory structure, look, I’m going to pick on you, Mr. Wallack, here. You’re in an industry that’s heavily influenced by outside investments, PE especially. And how your industry gets money to bring to market the next big thing. What are you seeing, especially as investors are looking at ESG investments and the effect of ESG’s on their investments?

David Wallack

Yeah, ESG has become a material component of raising money in capital markets. There’s no question that even just within the governance of ESG, data security, cybersecurity, privacy, consistently rate in the top right quartile of any materiality assessment. You will see them right up there at the top of the list of things that resonate most heavily with investors and where their concerns are.

It’s not just investors, however. The beauty of privacy and really the advent of the GDPR created this is it’s created a hook for almost everybody in the chain. Functionally speaking, it’s very difficult to sell to a customer if you cannot meet their own privacy obligations. While I can sit as an attorney for my own company and say what we are or not subject to, it really doesn’t make a difference If functionally the product is not alienable to a customer.

If you can’t go out and sell it because your privacy and security posture makes it difficult to survive the RFP process, which is now very intense for products like ours, then it really doesn’t make a difference where you are in the chain, so to speak. You still have the same privacy and security obligations. Certainly from an ESG component, we see it from an RFP component. We see it consistently.

And of course, you’re going to see it with your insurance carriers as well. They’re going to want to know what your postures are on all of these matters and where you stand in your compliance framework before they’re going to issue a policy. And then again, that policy is going to get looped back into an RFP someplace.

The reality is that we’re all caught up in this whether or not we want to be. Which has, I think the intended effect of these laws is that the entire supply chain will be forced to bring their privacy codes and standards up to a place that offers the rights to individuals and enforces accountability mechanisms on service providers that should be in place.

Chris Wall

One of those accountability measures that we know and love in the privacy industry are privacy impact assessments and documentation of everything that we do from a privacy standpoint. And so, Mr. Moncure, how do we use those to our advantage today in this new risk environment where privacy is top of mind?

David Moncure

Well, first of all, with the privacy impact assessments, I think going back to our discussion about the laws and regulations you’re seeing that become more a requirement as well, a legal requirement. But I think in using them to our advantage, if I’m understanding your question correctly, there’s been a theme on this slide and our discussions throughout talking about being transparent. What are we doing with the data? When are we collecting it, what are we collecting? How are we using it?

And going back to those themes and making sure we’re using it for the reasons that we’re collecting it. And then, not collecting extraneous data. The important thing is for the companies to continue to recognize that transparency to the consumer. And that’s where we’re seeing a lot of the scrutiny come down as consumers and regulators feel like that trust, if you will, has been violated with that respect. And so, your impact assessment may show that you are collecting things for one reason when, in fact, you’re collecting five more data points and using it for something wholly differently.

Chris Wall

Thanks. Patrick, anything you want to add here?

Patrick Zeller

Yeah, I mean, I think a lot of the points that have already been touched on. One of the things that I think about is we can’t have privacy without cybersecurity. There’s a lot of new cybersecurity regulations and reporting, new requirements for the board, on the board to be briefed on the risks that David Wallack and both David Moncure were talking about.

And so it’s getting a lot of attention internally. There’s new challenges on how to brief the board, how do we identify those risks. And again, they go hand in hand in cybersecurity. In all those M&A deals and everything, when we’re looking at the cyber issues, it’s another tick on the list of things that we need to review, including privacy. It’s getting a lot of new attention from all directions.

Chris Wall

Thanks. Let’s look at one of the other areas. And that’s a good segue about things that are getting a lot of attention these days, especially in 2024, and that’s biometrics. And I’ve got two panelists here from Chicago. And I’m sure they’ll argue a little bit that biometrics has been trending for a lot longer than just 2023 and into 2024. I’ll stick with you, Patrick. Would you say Illinois is something of a trendsetter in this area? I mean, BIPA was pretty revolutionary in terms of biometrics regulation, but what would you say about BIPA and Illinois’s place?

Patrick Zeller

I’m not sure I think it’s something we want to take credit for, but we probably deserve the credit for it. To state it another way, I think we’ve had 2000 lawsuits under BIPA since 2018. There’s been some very large settlements. For those that don’t know, BIPA regulates taking facial images, fingerprints, voice prints, retina scans, and other images.

We still don’t know what the inclusive definition is. The plaintiffs’ bar has been very active in this space. I believe Facebook had a $650 million settlement in this area, 650 million, Google, 100 million. There’s been very large lawsuits. A lot of states are looking at copying this. It’s been a very active area for the plaintiff’s bar. A lot of states are looking at something similar, so it’s something to be aware of. Even if you’re not doing business in Illinois and collecting information, other states are copying it.

Chris Wall

Yeah. And I think that’s important to point out here. And among the states that are enacting these biometric regulations, you’ve only got two there. California has one that we don’t have on the screen. But anyway, California touches on biometrics, and Texas. Those are the only two of these that have comprehensive privacy laws on the books today. Interesting those are the only two that have overlap. But Ken, you want to compare us? For instance, New York probably gets probably the next large amount of press, probably because it’s New York, with respect to biometrics.

Ken Suh

Yeah. I think we’ll take New York and then maybe the rest because I think it’s more accurate to say New York City, it’s the only city with a biometric data regulation. And obviously we have clients and many folks on this call know people who are in New York. And it tends to get pressed maybe not because of the regulation, but maybe because of how it’s used. It’s a high-profile instance where somebody was recognized at Madison Square Garden using this technology.

And that’s partly what started the big exposure. What does it regulate? Where is it used? And by and large, it regulates the law, regulates use of biometric technology and essentially consumer welcoming establishments. Bars, restaurants, Madison Square Garden, places like that. And it was revolutionary in one sense because it was a city taking action, but I think the use of it maybe helped introduce the idea to a larger segment of the population.

I’m in Chicago, we’re in flyover country as far as New York’s concerned. But if we look at the other laws where I think Illinois was really pushing the boundaries was this private bite of action. It’s the idea that if my biometric data was taken or information was taken and analyzed and used to identify me, then I had the ability to sue that entity. And-

Chris Wall

Without your consent, right? Without your consent.

Ken Suh

Without my consent, correct. Without proper consent. And of course, there’s statutory damage associated, so I don’t even have to prove financial harm. We’re seeing places like Washington look at that private right of action. Whereas places like Texas does not have a private of action and only the attorney general can enforce the law.

That it’s not always good news though, because as we have all seen and talked about, the Texas Attorney General filed a lawsuit himself against Facebook. In terms of the number of lawsuits, certainly the private right of action, places like Illinois makes it more concerning. But in terms of the overall exposure to a big business, private right of action may not tip the scales on its own.

Chris Wall

Certainly presents an opportunity for the plaintiffs’ bar, right? For those that do provide for private right of action.

Ken Suh

Absolutely.

David Wallack

I was just going to say, I would add that under the Cothron and White Castle Illinois decision that it’s not just consent, it’s any violation of the law, period.

Chris Wall

Thanks for clarifying, David.

Ken Suh

David, that’s a great point that decision clarified certain things, but it made other things more confusing because there’s some things you can’t get consent for. And so how do you comply or show compliance with that?

Chris Wall

We’ve mentioned GDPR a couple of times here, moving on from biometrics. But I think it’s probably illustrative of the major trend going into 2024. And that’s the data protection laws outside of the US are going to affect what decisions US companies make here at home. And we have to keep in mind that there is so much more than just the GDPR. We have the patent PR of course. But we also have GDPR-like on in countries like Brazil and Canada and privacy laws coming now in India and Scandinavia.

In fact, as of the end of 2023, at least 120 countries now have comprehensive data protection laws in the books. Not the US, but we’ll touch on that data later. Pat, you’re part of a global organization and you have data coming in all from over the world. And not just any kind of data, some of the most sensitive health-related kinds of personal information. As a US company anyway, how would that affect or how does that affect your policy, your procedures, and your approach to data protection? Sorry, I’m loaded with long, compound questions.

Patrick Zeller

I was going to say we handle it very carefully, and just end it there. No, it makes it quite complicated. Being a global organization, everything started with GDPR. Privacy is viewed as a fundamental right in Europe. And some of the things we saw early on with some of the US regulations where they were copying some of the content from the European laws. Generally, in the US, they take an approach to regulate the commerce of personal information.

The interesting thing is we generally get to very similar laws, but again, it’s like what we mentioned about California. Using GDPR as a baseline, we’re now seeing in other areas of the world, Japan, Brazil, others copying very similar GDPR-like laws. And what we saw early on in Europe is the focus on high-risk processing of European data. Now they’re looking at not only processing high risk, but transferring the data. What are you going to do with that data once it transfers? Because a lot of times the data will transfer to a European affiliate and then come to the US. You have to have those transfer mechanisms. How’s the data being processed?

And then again, what we talked about earlier. Then where’s the data going once it leaves your company? In the pharmaceutical world, clinical trials and information has to be shared in a highly regulated environment. But then also, is it being transferred to vendors, processors, law firms? And do they have the proper protections in place to protect that data?

There’s a lot of work in the contracts world, making sure those protections are following the data wherever it goes. And we’re going to see these similar trends of these laws popping up elsewhere and then also in the US, as we just talked about as well.

Chris Wall

Yeah. Mr. Moncure, like Patrick, I know that you have a lot of experience building privacy programs. This is a really dynamic area of the law and it’s really difficult to know where we’re going to be at the end of 2024. How do you construct that privacy program to make sure you’re compliant with all of what’s coming at you and coming at you so quickly?

David Moncure

Yeah. To build a little bit on what Patrick was saying, another just a practical standpoint is having that data map of data flows. Because as Patrick mentioned, understanding where the transfers are going and both within the company and then when data leaves the company, who it’s going to.

And maintaining a data map of that, I think often companies have a data map of systems, but it’s also important to have it of that flow as well. So that you’re understanding when you open up businesses into countries, what types of data are both within that country. And then going to or leaving it or just originating and staying within it.

And you’re right, there are privacy regulations popping up at varying levels all around the world with, as Patrick mentioned, Brazil being big ones. Some now in the Middle East a lot. And so, the old school reliance on the GDPR and that solving all of your problems is really not the approach any longer.

Chris Wall

Thanks. Mr. Wallack, anything you want to add here?

David Wallack

I think it’s been pretty well covered, but just going back to an earlier comment, I think that the way that the laws are structured now, the analysis might be different depending upon where you sit. And certainly, that’s a big part of the lift from a compliance perspective is determining whether you’re a controller or you’re a processor. But regardless, you’re going to have to figure out where you sit in the chain. And your customer’s obligations are going to effectively become your obligations or they’re not going to be your customers anymore.

Especially for any large scale processor or controller, there isn’t any getting around it anymore. For a while, I think that there were some… There’s a feeling that maybe people could hide behind a few different walls, but those days seem to be coming to a fast end.

I think that to David Moncure’s point, making sure that your data flows are mapped out, that you do understand where you’re the controller and where you’re the processor. Where you have a direct obligation to help the exercise of privacy rights under a given regulation. Or where you simply functionally have to help your customers and clients, help their end consumers exercise their privacy rights. But regardless, you’re going to have to have a system in place for this to take place. I think that it’s affecting everybody.

Chris Wall

Yeah, thank you. And I think in largely speaking, it’s similar to our state approach here in the US. You look at where you’re subject. And then in a lot of ways it’s like whack-a-mole, but you comply with the most strict where you can and then figure out where else you’re subject.

Let’s move along a little bit here. And I’ll admit in creating this outline, I intentionally used the word that I did for the title of this section of the discussion, and that’s the word breach. And it’s triggering for a lot of people. Although I have to say, as the recipient of what seems like a new breach notification in the mail every month, it’s a little less triggering to me these days. But it’s still an incendiary term for sure.

And it’s also, as we were discussing before, it’s also a conclusory term. Once you declare that a breach has occurred, then a whole set of processes and obligations kick in. Let’s start with Patrick here. Let’s stick with you. When do you see, or not just when, but who do you see making the decision or the conclusion about whether a breach has occurred? Is it IT, is it legal? Have you turned to outside counsel to make that determination? And then, maybe I’ll turn to Ken and see and have a little his perspective from outside and look at what the process looks like from there.

Patrick Zeller

Yeah, I think the best way to summarize it is that it takes a village. It’s a combination of in-house counsel and outside counsel working with consultants to help you determine exactly what happened. A breach is a legal conclusion. I like to remind our cybersecurity folks that it’s very similar to using the term premises liability or something else that’s a legal conclusion.

What we do, and I believe the Sedona conference originally put this together, they have a paper on an information governance approach, a true information governance approach. And that’s the combination of the way they define information governance is really records retention, eDiscovery, privacy. As we mentioned earlier, you can’t have privacy without cybersecurity. Really, all of those groups working together.

The last couple companies I’ve been with, we’ve had an oversight committee with different titles and names, but essentially it’s an information governance committee. And then, when we have an incident, we involve our cybersecurity outside counsel. A lot of times outside counsel will have agreements with our third parties. And then we’d run separate calls to investigate what happened to make that conclusion.

And we usually run two sets of calls, one that’s fact-based and then the other one that’s led by outside counsel. And where those conversations are privileged, to maintain privilege. Where we’d make that decision in combination with those folks on that committee because then it triggers a number of reporting requirements once you reach that conclusion of a breach.

Chris Wall

Thanks. Ken.

Ken Suh

Yeah, I think Patrick covered my thoughts exactly. The conclusion that a breach has occurred has to be done with facts in mind. Those facts, it’s not that different from litigation. You have facts, you have to build up those facts, and then you have a legal conclusion.

Chris Wall

Let’s assume a breach has occurred. Okay. And you’re potentially required to provide notice in 10 different states in the US and three different countries outside of the US. It’s a big breach. How do you handle knowing what your individual breach notifications are in all of those different jurisdictions?

Ken Suh

Yeah. And this is again subject to other opinions, but I personally would not declare a breach having occurred unless I know what I’m basing that off of. Part of the facts that Patrick talked about feeds into a process where we look at the jurisdictions that might be implicated.

Just as a very generic example, different states protect different information. Date of birth is protected by a very small number of states, but not others. If you have name, address, and date of birth for people in 50 states, you may have a breach in some states and you may not have a breach in other states.

And so that conclusion can only be determined after we know where the individuals reside. And if there’s a small bucket of people that you need to find their state of residence, you can do that. It’s a flexible approach, but it’s hard to determine whether or not there’s been a breach outside of that context.

Chris Wall

Yeah, a lot of legwork that we’ll have to go into that. Obviously a lot of investigation to see where you’re subject to breach notification rules. Mr. Wallack, how do you see that handled?

David Wallack

Well, I mean, I suppose I very much look at a breach or security incident from the NIST framework, which is containment, eradication, recovery, and then post-incident analysis. The post-incident analysis, of course, will take into account whether or not you have tripped over any state or federal notification requirements.

But again, usually those requirements are only invoked, as Ken mentioned, once you actually have defined it as a breach. You do have some time there to do the forensics. This is really an area of course, where you are going to lean heavily on your outside counsel and resources. But as far as preparation is concerned, this really is where the incident response plan is of crucial importance, that everybody knows what their role is in the breach. I think Patrick Zeller already alluded to this, making sure that you have separate streams of work that’s performed in the ordinary course of business by your vendors versus work that’s performed in an incident.

And then also making sure that you’re aligned with your commercial contracting teams, that they’ve documented either what their standard language is for customer notification in the event of security incidents. Or if there are outliers where you have certain customers that need to be notified under different sets of terms on a very prompt basis. Sometimes it might be that you have to notify a customer when you actually know that there’s proof that their data has been compromised.

Sometimes if there’s even an inclination, if there’s anything afoul at all, you have to notify that customer. Even if it may not impact their data directly, it might be other customer’s data. Making sure that all of those contractual adaptations are documented helps keep some of the chaos out of the room in the event of a security incident.

But yeah, certainly planning goes a long way to having the smooth as possible outcome in the incidents, which tend to be by definition chaotic. And none of them are the same. It’s hard to say that any of them really are a peaceful environment. I don’t think anybody has ever lived through one of those, but the documentation that you can do beforehand does go a long way.

Chris Wall

Really does. Let’s move on to our next topic here in the interest of time if we can. I mentioned earlier the Meta judgment from 2023 in the EU of course. And that’s the court’s in action, obviously in that case in Europe. But what are we seeing in terms of enforcement and fines here in the US? Are we seeing yet what we’re worried about in 2023, this idea of weaponized privacy? Mr. Moncure, want to start off? What are you seeing and do we see this as a trend?

David Moncure

Yeah, sure. Just real quick, in the interest of time, I think you are seeing increased scrutiny from the state attorneys general. And certainly as more states come online with their own privacy laws, state specific laws, you’re seeing that enforcement power also coming online. And I think you’re also seeing more collaboration between the states. And so, there’s 10, 20 sometimes upwards of, in one case against Google, 40, State Attorney General coming together, collaborating, and going after particular situations and instances where there has been a lack of transparency or what have you with consumer data.

Chris Wall

Thanks. Ken.

Ken Suh

Yeah, just to build on top of that, at the federal level, I know we are all hoping for federal regulation that’s comprehensive. But you’ve got on the screen, the FTC has some jurisdiction, the SEC has some jurisdiction, FDIC, NCUA. You throw out the acronyms. And we’re seeing at minimum, interest in incidents and also privacy issues. I know we’ve seen the fines from the FTC. I think Amazon was fined last year, and there’s been scrutiny on antitrust. But I think we’re going to see more of that as these federal agencies try to understand how they can apply their current mandate into these privacy issues that we see coming up.

Chris Wall

Yeah. We mentioned earlier when we were talking about biometrics, the potential weaponization, I guess by the plaintiffs’ bar of some of these privacy laws, specifically the biometrics laws. And where there are private rights of action, that’s obviously an opportunity for plaintiffs to take action.

But Ken, you also mentioned a couple of times this idea of federal legislation. We’ve brought it up four times. I was counting. I might’ve missed one, but at least four times during our conversation here in the last 45 minutes about federal privacy law. And so, let’s talk about that with a final word… Well, not a final word, but at least a word about a federal privacy regulation in the US.

It’s still kicking out there. The American Data Privacy and Protection Act, or ADPPA. It made its way through the Energy and Commerce Committee with a bipartisan 53 to two vote way back in July of 2022. But lawmakers still haven’t made the time frankly, to formally consider that proposed legislation. The Biden administration has said it’s willing to sign it if it gets to the president’s desk. But Mr. Wallack, do you see us getting to a US GDPR in 2024?

David Wallack

No. In the interest of time, no. Unfortunately, the one party that has the willpower to enact such an omnibus law also has some of the most vocal opponents against enacting that law. And so, the paradox lies within, but the short answer is no.

Chris Wall

All right. Patrick, do you see the same way?

Patrick Zeller

I agree. And I believe the sticking point is going to be the private right of action. There’s also some other issues with the inherent ability under the state attorney generals, like David Moncure was talking about. They have this inherent regulatory authority over consumer fraud as well. There’s some balancing there, but I think the biggest sticking points can be the private right of action.

Chris Wall

I think you’re right. David or Ken, anything else you want to add here? It’s not dead, it’s not gone. It’s still out there. There’s still hope. It’s just almost dead, maybe on life support. But keep an eye on it. But I think the consensus here is we won’t see it in 2024.

All right. In the last couple of minutes here, let’s look at some takeaways for 2024. If you had three practical takeaways for our attendees today, what would they be? Mr. Moncure, let’s start with you. If you had one, whether it’s on the screen or not, what to watch for in 2024?

David Moncure

I’ll take one on the incident response side. I think just a very practical takeaway. Seems easy, not many if any companies do this, but you put in place, I think it was Mr. Wallack mentioned the incident response plan that the company should have in place. And doing a tabletop exercise, understanding your key players, understanding your key vendors, understanding who to call and when, you do that exercise on an annual basis, typically within a corporation.

For the other 364 days, typically nothing is done. People don’t remember where they should go, people don’t remember who they should call. And I think as a practical takeaway, creating some mechanism for not just an annual exercise of understanding those elements of your incident response plan, and how you were determining when you may actually define something as a breach. And keeping that top of mind, however you do it, in the culture of your company throughout the year as well.

Chris Wall

Thank you. Ken.

Ken Suh

Yeah. I’ll take the Watch the States with a little twist. I think as federal legislation continues to stall for the reasons we’ve all talked about, it’s going to be continuous political pressure at the state level to pass some sort of partial or comprehensive privacy legislation. We will start to see it more states who have talked about it before pass legislation. And states who had never talked about it before, start to talk about it.

Chris Wall

Yep. David, Mr. Wallack.

David Wallack

I think the other panelists have summed it up. I think those are really all the hot topics. But yes, preparation would be my number one takeaway is making sure that you have a good plan in place. And making sure that you’re taking into account not only your own obligations under these laws, but functionally the business obligations vis-a-vis your customers and, or end users. Because really, just beyond what your own obligations are, there’s the operational reality of all companies, which is revenue and everyone’s obligations are becoming everybody else’s. Understanding where you sit in the chain and understanding what your customer’s obligations are is just as important as understanding your own.

Chris Wall

Fantastic. Patrick, I’m going to give you the last word here.

Patrick Zeller

Watch Washington and Nevada, their new laws dealing with cookies that go into effect in March. They have a very broad definition of customer health data requiring consent to collect an authorization to share. No one’s really sure what that means, but it’s something to keep an eye on in the short term, first part of the year.

Chris Wall

Great, thank you. And I’ve got one more takeaway. Everybody watch these four panelists here in 2024. I linked to them on LinkedIn. They’ve got cool and awesome stuff to say throughout the year.

I think we addressed most of the questions as they came in. I’m certainly happy to make myself available to any participants who would like to reach out and ask their questions offline. And I’m sure the other panelists would be happy to field those questions as well.

We thank all of you for joining us for today’s HaystackID webcast. We know your time is valuable and we appreciate your taking an hour out of your day to share it with us. We really hope that the panelists insights and perspectives that they’ve shared today have helped to enhance your understanding of current privacy law and where it’s heading in the United States.

As we mentioned at the outset, this webcast has been recorded and will be available for on-demand viewing on the HaystackID website along with a complete discussion transcript. We also want to give everyone a heads-up about the next HaystackID educational webcast on February 21st. That’s where we’ll have a panel of experts that’ll take a deep dive with M365 purview.

And on that note, keep informed, keep ahead in your privacy and compliance efforts and make it an awesome day. Thanks, everybody.

*Assisted by GAI and LLM technologies.

+Data Privacy and Security, eDiscovery, and Information Governance Counsel

++Lock Lord
+++Motive
++++Amgen