One of the frustrations of being a lawyer is the imperative to recommend the least-risky course of action, even knowing that our clients’ success often requires taking risks. This imperative arises because the lawyer who advises the most thorough (and expensive) approach is beyond reproach when things go bad, whereas the lawyer who tries to give more practical guidance may not be. Being a naysayer becomes the safest bet.
This is especially true in the context of privacy and data security. The requirements imposed by various jurisdictions can be Byzantine. The consequences of shortchanging privacy and data security can be serious. As a result, lawyers rarely (if ever) advise their clients that less-than-perfect measures may be “good enough.” In-house counsel who turn to specialized privacy practitioners for guidance are far more likely to be told that they need to spend hundreds of thousands of dollars improving their privacy practices than that what they’re doing is probably good enough. I’ve given such advice myself. What may be lacking in such recommendations, though, is enough background and context to enable useful cost/benefit analysis. Clients may end up overwhelmed, panicked or confused.
This is unfortunate, because things are not as bad as many people seem to think. In the hope of providing some balance for the risk-avoidant advice that I and other privacy practitioners provide, here are five reasons why things are not as bad as they seem. Caveat: This is not legal advice and should not be relied upon by anyone at any time. (See what I mean about risk avoidance?)
1. We’re mostly just talking about consumer data.
There are many reasons why you may want to protect the security of your own data and communications. But the complex and rapidly evolving regulatory framework surrounding privacy and data security doesn’t require you to. Efforts to implement company-wide global privacy practices can lose sight of the practical reality that if you keep consumer data secure and only use it in permitted ways, you may be compliant enough to satisfy most statutory mandates.
2. We’re mostly just talking about specific data fields.
Credit card numbers, Social Security numbers, passwords, and driver’s license numbers are the usual suspects: this is the data that you have to protect (health records too, of course; more on this below). Most privacy and data security laws don’t impose any requirements with respect to other kinds of data about consumers, as long as it’s collected using proper means.
3. Most consumer data has little or no monetary value.
Although your customers’ order history or shopping habits may be fascinating to your marketing department, they probably don’t have much value on the open market, which means that the servers on which this data is stored shouldn’t have much appeal to hackers. This doesn’t provide any actual protection against data breaches, of course, but it may offer a little bit of peace of mind that reasonable security measures will suffice for this type of data. It also means that consumers may not suffer legally cognizable harm if your servers are breached.
4. Absent identity theft, plaintiffs are having trouble establishing cognizable harm when their credit card numbers are stolen.
When credit card numbers are stolen but not used for fraudulent purchases, courts have consistently held that no cognizable harm has occurred. See, e.g., Reilly v. Ceridian Corp. (increased risk of identity theft resulting from a breach not a cognizable harm); Krottner v. Starbucks Corp. (same); and Worix v. MedAssets, Inc. (same, collecting cases). Although plaintiffs’ attorneys are still trying to get over this hurdle, to date they have not succeeded.
5. You may already be compliant.
As noted above, data security laws generally only protect specific kinds of data. Those same kinds of data (especially credit card data, medical records, and financial data) were subject to various security requirements before the current attention to data privacy, and many organizations have long-established policies and processes for protecting them. For example, all credit card data is subject to the Payment Card Industry Data Security Standard (PCI DSS), and businesses that comply with PCI DSS requirements should be in compliance with most other regulations applicable to that data.
This is not to say that companies should not invest in reviewing and improving their data privacy and security standards – they should. But the situation may not merit the level of stress that I have seen in some of my clients.