
A Solid Data Privacy Program can be a Safe Harbor

The rate at which Data Privacy Laws in the U.S., Europe, and other countries are evolving is not slowing down.

One trend is the addition of a Private Right of Action clause, which many businesses expect to bring a wave of costly, and often frivolous, lawsuits.  A Private Right of Action enables a private individual or entity, as opposed to a government or public body, to sue an organization directly for data privacy violations involving their personal information.  This is in addition to government penalties and other enforcement actions.  A Private Right of Action is already included in privacy law in Europe (GDPR Article 82) and in California (for data breaches caused by a failure to maintain reasonable security), and it appears in draft laws in Washington and other states.

The creation of standalone data privacy enforcement bodies is also on the rise, and more dedicated investigators is expected to mean more investigations and a corresponding increase in enforcement actions against violators.  At the federal level the Federal Trade Commission is the primary privacy enforcer, but it is widely seen as wearing too many other hats to absorb the growing enforcement workload needed to hold companies accountable.  Several proposed U.S. federal privacy bills would create an independent federal agency for privacy enforcement, and several states have already created agencies tasked solely with enforcing their state privacy law.

However, one positive trend for companies is the inclusion of Safe Harbor protections in several new privacy laws.  "Safe Harbor" means that the law itself shields a company from a penalty, or reduces the penalty and other ramifications, when certain conditions are met.  This comes into play in the event of a security incident or breach.

A solid Data Privacy Program that includes sufficient IT security practices is the main "certain condition" that must be met to obtain Safe Harbor.  For example, the HIPAA Safe Harbor law signed in January 2021 incentivizes healthcare entities to implement recognized security practices: regulators must take into account whether those practices were in place for the preceding twelve months when deciding fines and other enforcement outcomes, so the protection is a mitigation rather than blanket immunity.  California and Virginia privacy laws also include Safe Harbor-style provisions that depend on the company maintaining reasonable security practices.

State and national regulators pay close attention to the cybersecurity side of preparedness because web applications account for such a large share of data thefts and leaks.  Regularly assessing web applications and remediating the vulnerabilities found is therefore key to demonstrating adherence to recognized cybersecurity standards, and with it eligibility for Safe Harbor protections.