Celesq Webinar: Responsibility for Protecting Data Privacy Increasingly Falling on In-House Counsel

Topics: Celesq, Corporate Legal, Cybersecurity, Law Firms, Q&A Interviews, Thomson Reuters


In-house counsel don’t have to look much further than the latest news accounts about recent data privacy breaches at major corporations to understand how important that issue is becoming in today’s computer-connected world. Now, as most company management increasingly look to their in-house counsel for guidance in complying with quickly evolving data privacy laws, it’s more important than ever for counsel to get an understanding of these laws.

Legal Executive Institute recently spoke to Jason D. Haislmaier, a partner at Bryan Cave LLP. Jason represents emerging and established companies in technology and intellectual property transactions, with an emphasis on data privacy and data security issues. On Sept. 2, he will be hosting a live webcast, called “Data Privacy Boot Camp: A Crash Course for In-House Counsel”

LEI: Certainly data privacy issues are in the news right now—how is that impacting in-house counsel?

Haislmaier: With such high-profile data breach cases, you have management now paying a lot of attention, both to data security and also to data privacy. They are reaching out to their in-house counsels to help them understand the law in this area. So you suddenly have attorney and others folks in these companies who certainly five years or ten years in the past, didn’t have responsibility for data privacy or security, now having that on their plate. They are often scrambling to figure out what they need to know to do their job.

LEI: What are the most important things for in-house counsel to know in this area?

Haislmaier: Whether it is data privacy or data security, one example I like to bring up is how well does your company really knows its data? Has management ever mapped company data or taken the time to understand the flows of data through the company? That seemingly basic understanding is not often something company management has taken the time to obtain. But, it is the cornerstone to understanding and compliance when it comes to data privacy. This is something that we’ll focus on in the webinar.

How well does your company really knows its data? Has management ever mapped company data or taken the time to understand the flows of data through the company?

LEI: I know the webinar is focusing on the law—Is this an area where regulators and legislators are increasingly active?

Haislmaier: It is one that is receiving increasing focus, although that’s been true for quite some time. The Federal Trade Commission (FTC), for example, has been active in this area for well over a decade. Recently, they’ve gotten more active, certainly  in enforcement but also disseminating information, holding seminars and events, and really trying to educate and raise awareness around data privacy.

In-house counsel are right to look at all this activity and ask “What does this mean for my company?” We will spend some time on this issue in the webinar as well.

LEI: Can you give an example of how enforcement is being applied in data privacy?

Haislmaier: The FTC has provided us with a host of examples of how they are enforcing their jurisdiction under the FTC Act to go after what they would view as unfair and deceptive practices involving companies’ claims about their data privacy protections. Recently, the Federal Communications Commission (FCC) has also become active doing the same thing under the Federal Communications Act. We have seen other examples from other federal agencies as well.

While this activity has directly touched a relatively small number of companies, it has caused many companies to take the step of outfitting their contracts to essentially utilize many of the same standards imposed in these enforcement actions on the counterparties to the contract (vendors, licensees, contractors, outsourcers, etc.). This has made the effective scope of enforcement far larger than the actual number of companies subject to an enforcement action—it has often been referred to as legislation by consent decree.

Regulators have been largely successful in entering into these consent orders with a growing number of companies. And from those consent orders, we’re able to sometimes develop patterns and learn insight.

I think those lessons are what companies need to take away.