Location: 18th Floor
Over the past decade, in the wake of a continuous string of high-profile data breaches (Target, Home Depot, Sony, Yahoo, Equifax, Marriott, the list goes on), state legislatures and federal regulators have begun to pass laws and rules governing data security. Eighteen states have now implemented data security laws requiring that companies implement reasonable data security. The FTC also uses reasonableness as the standard for data security. Similarly, Europe's new privacy law, the General Data Protection Regulation (GDPR), requires that companies implement appropriate data security controls. But what does this abstract concept of reasonableness mean in practice? Is MFA or encryption sufficient? Is a company obligated to conduct annual pen testing? Few laws provide clear guidelines or standards. This issue is of critical importance to companies because the California Consumer Privacy Act (CCPA) goes into effect in January 2020 and allows for statutory fines and a private right of action where a company's failure to maintain reasonable data security controls results in a data breach. The GDPR allows for penalties of up to 10 million euros, or 2% of worldwide revenue, for the same failure. The reasonableness of a company's data security program is also a central issue in data breach litigation, a growing and costly trend in the US.
For technology companies, like Comcast, the changing legal landscape presents an innovation opportunity. How can companies develop cost-effective information security technology solutions that meet business needs and are legally compliant? In this presentation, I will first address the issue of what reasonable data security means under U.S. state and federal law, exploring existing legal standards and projecting, based on my 20 years of litigation experience, how the issue of “reasonable” data security is likely to be addressed by U.S. courts. Using the GDPR as a recent example, I will then explore the potential technology-focused solutions that Comcast and similar companies can use to meet these new legal standards and shape the security ecosystem.