Data Privacy and Security: An Overview and Best Practices for In-House Counsel
Understanding Data Privacy and Security Regulations
Data privacy laws exist to protect consumers by legislating how entities collect, use, and store personal information. The need for such legislation is obvious in our digital world. Yet securing—and managing—your company's compliance can be a monumental task, particularly given the lack of any comprehensive federal law in this area. Instead, companies must navigate the complicated patchwork of sector-specific federal regulations as well as various levels of state and local regulation. Further complicating the matter is the fact that a company may not only be subject to data privacy regulations where the company is located, but in all locales where its consumers may be found. Regardless of the complexity of the landscape, companies in the United States are nevertheless held accountable for implementing clear policies related to the handling of such data, ensuring the data collected and used is legitimately relevant to the company's business, and ensuring proper protection of personal data from unauthorized third parties.
The Current Data Privacy and Security Landscape
As noted above, there is no single, comprehensive federal data privacy law in the U.S. What exists is a complicated overlay of sector-specific federal regulations (and oversight by several federal agencies) as well as more comprehensive state and even local privacy laws. At the federal level, comprehensive bills have been proposed—such as the bipartisan American Privacy Rights Act of 2024—but not passed.
Federal Data Privacy and Security Laws
Existing federal laws related to data security are specific to certain sectors, such as finance, telecommunications, credit reporting, healthcare, motor vehicle registration, children's online privacy, telemarketing, email marketing, biometrics, and communications. One notable federal regulation is the Children's Online Privacy Protection Act ("COPPA"), which protects the personal data of children under the age of 13 and requires companies to obtain parental consent before collecting such data, to provide clear privacy notices, and to ensure data security. This act has been the basis of some high-profile enforcement actions. COPPA was updated as recently as January 2025.
Separately, the Federal Trade Commission (FTC) and to some degree the FCC (Federal Communications Commission) are tasked with enforcing privacy laws in the U.S. and do so through individual enforcement actions, resulting in an ever-evolving federal landscape. In particular, the FTC takes actions related to data breaches, misleading privacy policies, and inadequate security measures.
State Data Privacy and Security Regulations
In light of the gap at the federal level, at least 20 states have enacted (or are in the process of enacting) their own privacy laws, including California, Colorado, Connecticut, Delaware, Florida, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, Virginia, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island. While California's regulations are the most stringent, Colorado and Virginia are also leading the way in comprehensive legislation at the state level. California, on its own, currently has 25 state privacy and data security laws in place, including the California Consumer Privacy Act ("CCPA") and its update, the California Privacy Rights Act ("CPRA"). Both grant citizens substantial rights over their own personal data, including the right to know exactly what data is collected and how it is used, stored, and ultimately protected from unauthorized disclosure, as well as the ability to opt out of the sale of their personal data. The update to the CCPA established the California Privacy Protection Agency and further enhanced the protections afforded "sensitive personal data" such as health and biometric information. The California regulations are unique in that they apply to the personal data of consumers as well as to the human resources and business-to-business sectors. Other states appear to have been inspired by California, each quickly following suit with its own version of data security regulation. Generally speaking (and with the exception of California), the remaining states' laws are consistent with one another (albeit with differing deadlines, notice requirements, etc.) and are generally inapplicable to employee and business relationships.
Additionally, state consumer protection laws focused on unfair or deceptive business practices (such as the Texas Deceptive Trade Practices Act) are another means by which companies can be evaluated—and assessed—regarding their data privacy and security policies and practices.
The Risks of Data Privacy and Security Non-Compliance
While the investment of time and money necessary to ensure a company's compliance with existing data security regulations is significant, the risk of non-compliance can be greater, resulting in lawsuits, penalties, fines, other regulatory actions, and loss of goodwill and trust in the marketplace, as demonstrated in prior data breaches involving Yahoo and Equifax.
Case Study: Yahoo's Data Privacy and Security Breach
In August 2013, unknown hackers breached Yahoo's system, exposing the personal data of every single Yahoo user at that time. Still recognized as the largest data breach in U.S. history, the incident put at risk the personal data of 3 billion users. The event went undetected for three years without triggering any of the security alerts built into the system. In addition to incurring litigation costs and expenses associated with both a class-action lawsuit and a securities fraud lawsuit brought by investors, Yahoo ultimately paid a $117.5 million class-action settlement and an $80 million settlement to shareholders. The public scrutiny also led to an SEC investigation, which resulted in Yahoo paying a $35 million fine due to its late disclosure of the breach. The breach—and Yahoo's handling of the breach—further resulted in a $350 million drop in Yahoo's sale to Verizon and undoubtedly diminished the public's perception of and trust in the tech giant. On a more individualized level, Yahoo's CEO Marissa Mayer lost more than $12 million in bonuses based on her handling of the breach and Yahoo's legal, IT, and compliance departments faced intense investigation by the FBI, SEC, and Congress following the breach.
Case Study: Equifax's Data Security Incident
Equifax faced a similar debacle in 2017. From May to July of that year, the sensitive data of 148 million Americans was exposed due to a breach in Equifax's system, including the credit card numbers of more than 200,000 consumers. As a result of the incident, the U.S. government ultimately indicted four members of the Chinese military on claims of hacking. Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), jumped on the chance to make an example of Equifax—and the U.S. government—in addresses to the Senate in 2017 and to the House in 2018. Rotenberg emphasized what, in his view, was a failure of the U.S. government to safeguard data from foreign adversaries and called for the prompt passage of the Online Privacy Act, HR 4978. He also urged the Consumer Financial Protection Bureau (CFPB) to take action against Equifax and ensure a thorough investigation of the event, creating a further media storm and sparking increased scrutiny of Equifax.
Ultimately, Equifax agreed to pay $575 to $700 million in a global settlement with the FTC, CFPB, and all 50 states. The settlement included the payment of $300 to $425 million to a fund for consumer claims, as needed to resolve all claims; $175 million to the 50 states; and $100 million in civil penalties to the CFPB. Equifax was further required to: (1) designate an employee to oversee the information security program; (2) conduct annual assessments of internal and external risks to data security and identify safeguards to address those risks; (3) obtain and produce annual certificates of compliance from its Board of Directors; (4) regularly test and monitor its security systems; and (5) ensure those who access the information stored by Equifax also have adequate data security protections in place.
In addition to highlighting the risks of non-compliance, and the importance not only of the actual security measures and policies in place but the handling of any data breach, the Yahoo and Equifax incidents also identify clear "best practices" for all companies with regard to data security.
Data Privacy and Security Best Practices
The list of requirements imposed on Equifax as a result of its 2017 data breach (while quite broad) certainly highlights some best practices related to data security.
Minimize the Collection, Use, and Storage of Personal Data
The first, and most basic, best practice is to limit the collection, use, and storage of consumer personal data to only that information necessary to fulfill the functions and express goals of your organization. The over-collection of data only increases the risk and scope of a potential breach—and any attendant penalties, fines, or settlements. It may also prove worthwhile to consider any past practice of selling consumer data. As a precautionary measure, and likely in an attempt to avoid more stringent regulations, a number of consumer giants—Google, Facebook, Amazon, Apple, and others—now offer consumers the ability to "opt out" of the sale of their personal data. For example, Google customers can now "opt in" to having their personal data saved (or conversely "opt out"), while Instagram users can identify which third-party apps should have access to their personal data.
Regularly Assess Internal and External Risks to Data Security
Perhaps as damaging to Yahoo as the 2013 breach itself was Yahoo's failure to detect and correct the breach for three years. Internal policies that require regular assessment of internal and external risks to a company's data protection processes and systems allow the company to shore up weaknesses before a breach occurs, reducing the risk of a breach in the first place, and, in the event of a breach, allow for the fastest and most efficient recovery, minimizing the overall damage resulting from the event. These assessments are commonly referred to as Data Protection Impact Assessments ("DPIAs") and may be required by law depending on the industry and applicable federal and state regulations.
Institute Regular Audits and Testing of Data Security Processes and Procedures
Another, similar, step is regularly auditing and testing internal procedures to ensure that they are properly accomplishing their end-goal, which is the safe collection, use, and storage of personal data. Ensuring that internal policies work as designed adds an additional layer of protection and could also help to minimize damage in the event of a breach.
Assign Data Privacy and Security Oversight Responsibilities
Finally, assigning to someone (or even a team) within the company the role and responsibility of safe and proper data collection, use, and security will also increase a company's chance of staying "in the lines" of applicable federal, state, and local regulations. Such a role would also indicate to any investigating body (federal or state) the importance the company places on this task, while also reducing the risk of a breach or, in the event of a breach, helping to identify and remedy the breach promptly.
Technology Solutions for Data Privacy and Security Compliance
Given the importance of this issue to companies and consumers alike, a number of platforms and software tools exist that may be helpful to a company's internal safety measures.
Consent Management Platforms – Consent Management Platforms allow for the transparent communication of a company's privacy policy to consumers and help ensure legal compliance and accommodation of user preferences. Such platforms can be vital for businesses that communicate directly with consumers as a means of ensuring the requisite consumer consents have been obtained.
Software or Other Technology to Assist with DPIAs – Various software or other technologies exist to assist in conducting DPIAs, and the number of available options is likely only to grow. While it likely is not sufficient to rely solely on software to conduct DPIAs, such technology may make the overall process more efficient.
DSAR Tools – Data Subject Access Request (DSAR) tools automate the identification, review, and delivery of information in response to consumer requests regarding what data is retained, how it is processed, and how/whether it is shared with third parties. Ensuring clear and prompt responses to consumer requests specific to personal data further minimizes risks and helps ensure compliance with all applicable regulations regarding notice and response to consumers.
Conclusion
The importance of clear and effective data privacy and security policies and procedures cannot be overstated given the risk to companies of significant penalties, fines, legal expenses and settlements, and damage to the company's brand in the marketplace, as well as the risk to company executives and overall responsibility to shareholders (in publicly traded companies). Given the complexity of federal and state regulations, following key best practices in data privacy and security—and utilizing available software and technology where appropriate—can help ensure compliance with applicable regulations and reduce the overall risk of a data breach and any resulting damages to the company.
Klemchuk PLLC is a leading IP law firm based in Dallas, Texas, focusing on litigation, anti-counterfeiting, trademarks, patents, and business law. Our experienced attorneys assist clients in safeguarding innovation and expanding market share through strategic investments in intellectual property.
This article is provided for informational purposes only and does not constitute legal advice. For guidance on specific legal matters under federal, state, or local laws, please consult with our IP Lawyers.
© 2025 Klemchuk PLLC