
10 for 2016 on Data Privacy

By Jason C. Gavejian and Joseph J. Lazzarotti
January 28, 2016

In honor of Data Privacy Day, we offer the following “Top 10 for 2016,” a list of critical areas in data privacy that businesses should know about. These are intended to help inform businesses about data privacy and security and the steps they can take to protect the information they maintain.

EU/U.S. Data Transfer (Safe Harbor)

The Court of Justice of the European Union (CJEU) has ruled in Schrems v. Data Protection Commissioner (Case C-362/14) that the voluntary Safe Harbor Program, used extensively by organizations that needed to transfer data from the EU to the U.S., did not provide adequate protection for the personal data of EU citizens. Since the October 6, 2015, decision, U.S. companies have been unclear about how they may transfer data out of the EU in a compliant manner. The resolution of this issue is one of the most worrisome privacy topics for 2016.

People Analytics, including Employee Tracking/Wearables

The Federal Trade Commission’s January 2016 report on “big data” should alert businesses to the issues raised by data analytics, both in the handling of consumer data and in the application of big data tools in the workplace. People analytics, generally a data-driven approach to managing an organization’s human capital, likely will be a significant trend for employers. Some of the data used to perform the analysis is collected through devices employees use and wear. For example, as GPS- and RFID-enabled devices become ubiquitous, employers must balance the workplace risks against their ability to obtain information about an employee’s whereabouts, information that can substantially increase productivity. Privacy and discrimination risks surface where, to gain substantial benefits and help control healthcare costs through analytics, wellness programs seek to incentivize employees (including household members) to live “healthier” lives and wearable technology, such as Fitbit, collects data.

Risk Assessment/Written Information Security Program

Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’s critical information assets must be the first, and perhaps the most important, step in tackling information risk. Adequate safeguards cannot be erected for something of which one is unaware. Moreover, businesses may be subject to federal or state penalties for failing to conduct a risk assessment. Even if adopting a written information security program (WISP) to protect personal information is not a legal mandate in your state (some states, including California, Connecticut, Florida, Maryland, Massachusetts, and Oregon, have such a mandate), having one is critical to limiting information risk. An organization’s WISP also should account for company data outside of the company’s control, such as data or information provided to vendors who provide services to an organization. Not only will a WISP better position a company to defend claims related to a data breach, it will aid in managing and safeguarding critical company information. It may even help avoid a breach from occurring in the first place.

Telephone Consumer Protection Act (TCPA)

According to data compiled by WebRecon LLC, 3,710 TCPA lawsuits were filed in 2015, a 45 percent increase over 2014, marking the eighth year in a row of increasing TCPA suits. Moreover, 23.6 percent of suits (877) were filed as putative class actions. With the recent U.S. Supreme Court decision making defense of class actions under the TCPA more difficult, the number of such suits likely will continue its upward trajectory in 2016. Many of these suits are aimed not just at large companies, but often at small businesses that may violate the TCPA unknowingly. With statutory damages ranging from $500 to $1,500 per violation (e.g., per fax/text sent or call made), these suits can result in potential damages in the hundreds of thousands, if not millions, of dollars. See our FAQs for the TCPA to take the first step in complying with the TCPA.

Industry-Specific Guidance

Whether they are regulated by the U.S. Food and Drug Administration (FDA) or the U.S. Commodity Futures Trading Commission (CFTC), organizations must ensure industry-specific rules or guidance on cybersecurity and the safeguarding of the information they maintain are followed.


Recognizing the risks of allowing employees to use their own electronic devices in the workplace, many businesses are turning to Bring Your Own Device (“BYOD”) programs, but without considering all of the risks and other related issues. Some organizations are sticking with Corporate Owned Personally Enabled (“COPE”) programs. Review our comprehensive BYOD issues outline and determine whether BYOD or COPE is the better option for your organization.

Social Media Investigations

Social media use continues to grow on a global scale. The content available from a user’s profile or account often can be sought in connection with litigation or employment decisions. While publicly available content generally may be viewed without issue, employers that improperly access content available only privately can find themselves facing serious repercussions. Moreover, the list of states with legislation protecting social media privacy continues to grow.

Federal Trade Commission (FTC), Federal Communications Commission (FCC) Enforcement

Both the FTC and FCC continued enforcement actions in 2015 against companies for their alleged failure to properly safeguard data. FCC actions resulted in consent decrees that included penalties in the hundreds of thousands of dollars and mirrored previous consent decrees entered into by the FTC. However, last year’s decisions in cases stemming from the FTC’s actions found that the FTC may have difficulty proving that a company’s alleged unreasonable data security practices caused substantial consumer injury, or that a consumer whose personal information was maintained by a company suffered any harm as a result of the alleged conduct. Just how far the FCC and FTC will go in 2016 is unclear. Nevertheless, organizations must be conscious of the statements or promises they make about their data security practices and implement appropriate safeguards to protect the personal information they maintain.

HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights (OCR) stated that it will launch Phase 2 of its audit program in early 2016 to measure compliance with HIPAA’s privacy, security, and breach notification requirements by covered entities and business associates. Having the right documents can go a long way toward helping an organization survive an OCR HIPAA audit. It is clear that these audits are coming and covered entities and business associates should invest the time now to identify and close any HIPAA compliance gaps before an OCR investigator comes knocking. The largest HIPAA settlements have been less about harm, and more focused on compliance.

Plan for Breach Notification

All state and federal data breach notification requirements mandate that notice be provided as soon as possible (with some setting specific time periods). Failing to respond appropriately could result in significant liability. Among data breach issues, the leading cause of breaches is employee error. Developing a breach response plan is not only prudent, but also may be required under federal or state law. A proactive approach is often the simplest and cheapest way to avoid liability.


Managing data and ensuring its privacy, security, and integrity is critical for businesses and individuals. These activities have become the subject of broad, complex regulation. Companies must address state legislation and industry guidance. Organizations, therefore, must be vigilant to remain compliant and competitive.

Please contact your Jackson Lewis attorney if you have any questions.

©2016 Jackson Lewis P.C. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis.

This Update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis P.C. represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.
