Privacy-Related Training and Regulatory Compliance

Is Your Company Prepared?

For businesses large and small, compliance with federal, state, and foreign privacy laws and regulations has become an essential business obligation. A company’s innocent or inadvertent failure to legally collect, store, use, share, and delete personally identifiable information (“PII”), protected health information (“PHI”), and payment card information (“PCI”), or its failure to timely and fully disclose how it performs such tasks, can make it a target for regulatory and civil class actions as well as reputational damage. Indeed, government regulators and class action plaintiffs’ attorneys are targeting companies that may be noncompliant in these areas (or who have suffered data breaches), with many lenders, customers and potential customers also conducting “audits” of their clients’ and business partners’ electronic environments to ensure that they comply. This makes it critical for business owners and managers to invest the time and resources needed to comply with these new standards by adopting required plans and policies, performing mandatory employee training, and conducting timely audits and assessments to ensure that their organizations meet today’s mandates governing the security and privacy of the data they hold.

For over 15 years, we have counseled business entities on their regulatory obligations and trained their employees on regulatory and legal compliance and on strategies designed to lower the company’s risks and exposures arising from its collection, storage, use, disclosure, and deletion of PII, PHI and/or PCI, including those of its customers, clients, employees, potential employees and business partners.

I. FEDERAL, STATE, AND INTERNATIONAL REGULATORY SCHEMES

United States:

Privacy legislation at the federal level remains largely industry-specific, such as the mandates imposed on healthcare providers and insurers under the Health Insurance Portability and Accountability Act (“HIPAA”), on financial institutions under the Gramm-Leach-Bliley Act (“GLBA”), and on all regulated entities and individuals under the Federal Trade Commission Act.

To fill in the gaps created by federal law, a myriad of state data security and privacy laws have been enacted (and continue to evolve almost on a monthly basis). These laws typically regulate entities of all sizes, regardless of whether they have one employee or an infinite number of employees, so long as they own or are in possession of consumers’, employees’ and potential employees’ PII, PHI, and/or PCI.

For example, in 2004, California became the first state to enact privacy legislation designed to protect its residents’ PII, known as the California Consumer Privacy Act (“CCPA”). So too, New York has enacted the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which imposes data security obligations on companies that collect information concerning New York residents. Indeed, all fifty states, as well as most U.S. territories and possessions, the District of Columbia and the New York Division of Financial Services, have adopted a patchwork of laws requiring the protection of data and notice to affected persons in the event of a privacy incident.

International:

At the same time, many businesses are subject to the European Union’s (“E.U.”) General Data Protection Regulation (“GDPR”), which applies to every organization that has a web presence and markets products or services in a direct manner to consumers in the E.U. Canada, Australia and other non-U.S. countries have adopted their own privacy regimes, with which you should be familiar and compliant if your company does business in one or more of those countries.

II. WHAT SHOULD COMPANIES BE CONCERNED ABOUT?

A. Employee Training

Do your company’s employees know the difference between PII and non-protected data? Do they know what constitutes PII, PHI and PCI in the jurisdiction(s) where your business operates? While some examples of PII may be obvious, such as Social Security numbers, there is far more to it than that.

Do your employees know the internal policies and regulations that apply at each stage of the data lifecycle? While some organizations differ, there are typically seven stages: creation, processing, storage, use, sharing, archival, and destruction. To avoid regulatory fines, consumer and shareholder class actions and the associated legal fees, employees should know how to collect information appropriately, classify and update it accurately, share it responsibly, and delete it when it is no longer of use.

B. Data Handling Outside the Office

The security of information kept on mobile devices is oftentimes overlooked. Some of the most common threats include loss or theft of mobile devices, use of unsecured public Wi-Fi hotspots, and shoulder surfing in public spaces, all issues that need to be addressed in corporate policies and employee training to ensure that your workforce knows how to avoid these kinds of risks. With more people working remotely, the question of how to protect data outside the office is more important than ever.

C. Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (“PCI DSS”) mandates that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores cardholder data. Different requirements apply to organizations depending on their transaction volume over a 12-month period. At their acquirers’/service providers’ discretion, businesses that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, and other expenses in the event of a privacy incident.

III. OUR SERVICES

Businesses must recognize that they cannot ignore or take a relaxed approach to their data security and privacy compliance; it is a necessary and critical component of a company’s operations. While the requirements for each business will be different, depending on the relevant industry, location, and other factors, there are some general practices we train a business’s employees to follow so that both they and your company meet their compliance obligations:

- Create and memorialize regulatory compliance policies and procedures that account for your specific business model;
- Provide compliance training to your key personnel to ensure that your company’s business culture comports with applicable regulatory schemes and regulators’ expectations;
- Inventory and assess the PII, PHI and PCI you collect so you know what you have and what needs to be protected;
- Update your website home page to comply with applicable laws;
- Collaborate with experienced technical service providers to ensure that “reasonable security procedures” are in place and data is properly protected;
- Address nondiscrimination issues to provide consumers with the right to equal service and price;
- Implement and regularly update appropriate incident response and business continuity plans; and
- Audit and/or obtain an assessment certification from your vendors and others with access to your electronic infrastructure to ensure that the third parties are compliant with governing law and have cybersecurity protections, including insurance, at least as robust as yours. You’re only as strong as your weakest link.

In short, a company’s failure to comply with data privacy laws can have disastrous consequences if not managed properly. An effective data privacy program will go a long way in avoiding the myriad threats that could befall a non-compliant entity. A company’s future viability could be short-lived without it.

IV. CRC’S VALUE ADDED SERVICE OFFERINGS