By Lisa Yi Hamond
Hunton Andrews global privacy and cybersecurity attorney discusses California’s new consumer privacy act.
With technology advances comes increased vulnerability to cybercrimes. October is National Cybersecurity Awareness Month, and this year’s theme is personal accountability and proactive behavior in cybersecurity. Whether it is making sure a link is legitimate before clicking on it or keeping security software current, we all have a role to play in staying safe. According to Lisa Sotto, "Every business, regardless of industry sector, needs to prepare for the inevitable security breach." Lisa is managing partner of the New York office of Hunton Andrews Kurth LLP and chairs the firm's Global Privacy and Cybersecurity practice. She is also the editor and lead author of Privacy and Cybersecurity Law Deskbook.
Lisa spoke with Wolters Kluwer about some of the changes in the privacy and cybersecurity field since she began working in this practice area.
How did you get started in the privacy and cybersecurity arena?
By the late 1990s, it became clear that the Internet was here to stay, and that meant data would be the currency of the future. I was an environmental lawyer at the time and began to understand that data privacy rules were regulatory in nature, and the concepts of hazardous waste leaks and data privacy exposures were analogous. The transition from environmental law was relatively simple given the paucity of privacy laws at the time (and complete lack of data security laws). The Gramm-Leach-Bliley Act and HIPAA were just on the horizon. The first data breach notification law was passed in California just a couple of years later. In the U.S., this area was in its infancy. I got lucky—I couldn’t have timed it better.
How has the practice grown at Hunton?
California was the first state to pass a law on privacy with the California Online Privacy Protection Act of 2003. In 2018, it passed the California Consumer Privacy Act (CCPA). Since then, other states have followed suit. Do you consider the CCPA the new de facto national standard or are there key differences with other state legislation?
This is an extraordinary time in the privacy world. We are witnessing a sea change in the way Americans think about their personal data, and governments are responding to the call for action. In the face of federal inaction, states are stepping up to the plate, with California leading the way with the CCPA. Unfortunately, data, like water, cannot be constrained by state boundaries -- so local regulation in this space makes little sense. While I wouldn’t consider the CCPA to be the new de facto national standard, I would consider it a critical benchmark against which every upcoming U.S. data privacy bill will be measured.
What are key differences between the European Union’s General Data Protection Regulation (GDPR) and CCPA?
Although the GDPR and CCPA are both comprehensive privacy laws, and they share some of the same key privacy principles, the laws are quite different from each other and require distinct compliance frameworks. That said, companies that implemented the GDPR have a leg up: they already had to take steps to understand their data flows and implement processes and protocols to provide individuals with privacy rights. The detailed requirements of the CCPA demand significant focus to get it right in advance of the January 1, 2020 compliance deadline.
What are the top five cybersecurity preparedness activities that lawyers should help their clients with?
Cybersecurity is among the most vexing issues facing every global organization today. Every business, regardless of industry sector, needs to prepare for the inevitable security breach. This includes:
- Tabletop exercises, which provide an opportunity for key personnel to practice their response to a cyber event, are a must.
- Incident response plans also are crucial, providing a roadmap for the company to follow when the inevitable event occurs.
- In addition, it is important to establish relationships with external experts in advance, both identifying those law firms and forensic investigators who will be tapped and retaining them in advance of an event.
- We also urge companies to engage with law enforcement early and often.
- Finally, cyber insurance is now considered mandatory as a risk management tool.
At Hunton, we assist clients with these cyber preparedness activities and routinely advise C-suites and boards of directors, who are now laser-focused on this issue. Although data breaches are not abating, preparation will mitigate harm.
What accomplishments are you most proud of?
Aside from the deep pride I take in my family, I am immensely proud of our privacy and cybersecurity team at Hunton. Our group has grown organically over the years, and each of my colleagues, to a person, is both talented and affable. I have the great fortune to work with the smartest, nicest, and most cohesive group of people. Beyond the immense talent of our global group, I’m equally proud of our global seamlessness and unwavering commitment to our clients.