Cybersecurity

Forget soap operas: The U.S. and privacy are shaping up to be the ultimate will-they-or-won't-they story. A new survey from e-discovery and managed review provider Consilio showed that a large number of legal professionals were holding out hope that a federal privacy regulation could be passed in 2020. However, the reality could be that even without the threat of COVID-19, there are still too many obstacles that would prevent such legislation from passing before the end of the year.

The survey is comprised of 120 respondents, including legal professionals working inside law firms, corporations and government-affiliated entities. Consilio collected the responses in early February during the Legalweek New York conference, prior to the COVID-19 related business shutdowns and social distancing measures that were implemented across the country the following month.

At the time, it would seem that attitudes regarding the prospect of a federal privacy regulation were at least mildly optimistic, with 70% of respondents indicating that it was either "somewhat likely" or "very likely" that such a regulation would be passed in 2020. Matthew Miller, vice president of global information governance advisory services at Consilio, attributed this to the attention gained by various state privacy laws such as the California Consumer Privacy Act (CCPA).

Of course, respondents may have also been caught up in some wishful thinking. "I think the feeling of the community is this would be so much better. It would be easier for organizations to comply if there were some universal standard for data privacy. I think it was more of an aspirational hope," Miller said.

Miller added that he believes the COVID-19 outbreak will likely delay a national privacy law beyond 2020.

Christopher Ballod, a partner at Lewis Brisbois Bisgaard & Smith, agreed that it would be unlikely to see federal regulations on the subject while so many attorneys general already have their hands full addressing the various ramifications imposed by the pandemic.

However, he's also not confident that a federal privacy law would have been any more likely absent the virus. Compliance can be an expensive process, and politicians may be reluctant to come across as "tough on business" during an election year. Plus, Ballod indicated that many of his clients are not building their privacy compliance programs under the assumption that a national standard is imminent.

"Nobody is expecting it … None of my clients are saying, 'Well, can we wait for the federal standard?' The idea is even written off. At this point it's, 'What do we do to deal with the patchwork of 50 states that are going to be passing these [privacy laws]?'" Ballod said.

To be sure, the emerging patchwork of state privacy laws was identified by the majority (56%) of respondents as their top concern regarding information governance regulations, followed by international federal privacy regulations (51%), the Federal Rules of Civil Procedure (34%) and potential forthcoming federal privacy regulations (30%). But achieving simultaneous compliance with a multitude of state privacy laws may not be as arduous as it sounds.

"In most senses, they are overlapping duties or obligations placed upon a corporation by the different states," Miller said.

Ballod at Lewis Brisbois often advises clients to aim for compliance with the very rigorous CCPA, since that will ultimately tick many of the same boxes laid out by other states. "If you have a CCPA-compliant program, there's not a lot more you have to do. But it does mean you have to have a privacy infrastructure. If a company isn't willing to do that, it doesn't really matter," Ballod said.

And there does seem to be some concern among survey respondents that their organization's information governance posture isn't quite where it needs to be. Only 48% indicated that they were "very confident" in their company's standing compliance policies, procedures and technologies.

Per Ballod, because the reputational harm associated with befalling a data breach or cyber incident is diminishing as the public becomes increasingly used seeing those events make headlines, companies outside the purview of the CCPA or other formidable privacy regulations may not have much incentive to prioritize information governance. However, Miller at Consilio thinks COVID-19 may be forcing companies to reemphasize data privacy as they adapt to a more virtual workforce and the threat of hackers deploying pandemic-themed phishing attacks.

"That means each corporation is still fighting, if not harder than they had to before, to protect the consumer's personal information that they maintain," Miller said.